A Privacy Impact Assessment (PIA) was developed for the Departmental computer network known as SIGNET–D. This network is used primarily for unsecured information processing, storage, and management, as well as unsecured messaging. The SIGNET–D network is nearly 15 years old and has gone through several revisions. A revised PIA has been developed and is currently being reviewed. The revised PIA addresses not only the SIGNET–D network but also the messaging and email systems, which were not part of the original PIA. Its Executive Summary will be posted on this website as soon as possible.
The privacy assessment report initially developed for the SIGNET–D network provided insight into possible risks to personal information and recommended appropriate courses of action.
The assessment was part of the Department’s commitment to the protection of personal information. It also met the Management of Information Technology Security (MITS) requirements obligating major departmental services to undergo a security and privacy assessment at this point.
The overall finding for the SIGNET–D network was that the assessment identified a limited number of low risks, and that these can be addressed while the network is in operation.
Personal information on SIGNET is of three types:
In general, shared drives represent a medium level of risk that requires additional protection and structured management. These may be achieved by the following elements:
The network (SIGNET–D) is currently designated for Protected “A” information. Accordingly, the Information Protection Center (IPC) at DFAIT has developed plans to continually scan the shared drives using special software tools to identify information such as SINs and other highly important personal information. The plan is to issue “cyber infractions” to users who store high–risk personal information on the shared drives. All information of a Protected “B” or “C” nature must reside on a separate network designated as SIGNET C–5. IPC has consulted with the Departmental legal advisors at JUS and has received their blessing to proceed with the planned initiative / mitigation.
The recommended mitigation approach above will ensure that personal information is collected, stored and managed with significantly lower levels of risk.
The Department will develop a process by which employees are given an opportunity to review a Privacy Notice Statement (PNS) before providing the personal information needed to receive proper privileges and accounts on the network.
DFAIT employees using the shared drives to store their own personal information must be advised of the nature of the shared drives and the potential risks.
Proper policies need to be developed as part of the management of personal information on SIGNET to reflect existing roles and responsibilities, as well as accountability, in alignment with the TBS Management Accountability Framework (MAF). The existing Departmental policy, the Network Acceptable Use Policy (NAUP), requires enhancement as a result of this PIA and select others (e.g. Voice Messaging), which recognize that the existing policy has a security focus only. The users of the network need additional information on managing their own personal information, as well as comprehensive privacy notice statements that inform them of their roles, responsibilities and accountability.