Directive on Service and Digital

Articulates how Government of Canada organizations manage service delivery, information and data, information technology, and cyber security in the digital era.
Date modified: 2019-08-02

Supporting tools

Guidelines:

Mandatory procedures:

More information

Policy:

Topic:

Hierarchy

Archives

This directive replaces:

View all inactive instruments
Print-friendly XML

Note to reader

The Policy on Service and Digital and the Directive on Service and Digital took effect on April 1, 2020. They replace the:

  • Policy Framework on Information and Technology;
  • Policy on Management of Information Technology;
  • Policy on Information Management;
  • Policy on Service;
  • Policy on Acceptable Network and Device Use;
  • Directive on Management of Information Technology;
  • Directive on Information Management Roles and Responsibilities; and,
  • Directive on Recordkeeping.

1. Effective date

  • 1.1This directive takes effect on April 1, 2020.
  • 1.2This directive replaces the following Treasury Board policy instruments:
    • 1.2.1Directive on Management of Information Technology, April 1, 2009
    • 1.2.2.Directive on Information Management Roles and Responsibilities, October 8, 2007
    • 1.2.3Directive on Recordkeeping, June 1, 2009
    • 1.2.4Policy on Acceptable Network and Device Use, October 1, 2013, Appendices A, B, C, and D.

2. Authorities

  • 2.1This directive is issued pursuant to the same authority indicated in section  2 of the Policy on Service and Digital.
  • 2.2The Treasury Board of Canada has delegated to the President of the Treasury Board of Canada the authority to issue, amend, and rescind this directive.
  • 2.3The Treasury Board of Canada has delegated to the Chief Information Officer of Canada the authority to issue, amend, and rescind supporting instruments, including standards, mandatory procedures and other appendices.

3. Objectives and expected results

  • 3.1The objectives indicated in section 3 of the Policy on Service and Digital apply to this directive.
  • 3.2The expected results indicated in section 3 of the Policy on Service and Digital apply to this directive.

4. Requirements

  • 4.1Enterprise governance, planning and reporting

    Enterprise architecture review

    • 4.1.1The departmental Chief Information Officer (CIO) is responsible for:
      • 4.1.1.1Chairing a departmental architecture review board that is mandated to review and approve the architecture of all departmental digital initiatives and ensure their alignment with enterprise architectures.
      • 4.1.1.2Submitting to the Government of Canada enterprise architecture review board proposals concerned with the design, development, installation and implementation of digital initiatives:
        • 4.1.1.2.1Where the department is willing to invest a minimum of the following amounts to address the problem or take advantage of the opportunity:
          • 4.1.1.2.1.1$2.5  million dollars for departments that do not have an approved Organizational Project Management Capacity Class or that have an approved Organizational Project Management Capacity Class of 1  according to the Directive on the Management of Projects and Programmes;
          • 4.1.1.2.1.2$5  million dollars for departments that have an approved Organizational Project Management Capacity Class of 2;
          • 4.1.1.2.1.3$10  million dollars for departments that have an approved Organizational Project Management Capacity Class of 3;
          • 4.1.1.2.1.4$15  million dollars for the Department of National Defence;
          • 4.1.1.2.1.5$25  million dollars for departments that have an approved Organizational Project Management Capacity Class of 4;
        • 4.1.1.2.2That involve emerging technologies;
        • 4.1.1.2.3That require an exception under this directive or other directives under the policy;
        • 4.1.1.2.4That are categorized at the protected B level or below‎ using a deployment model other than public cloud for application hosting (including infrastructure), application deployment, or application development; or
        • 4.1.1.2.5As directed by the CIO of Canada.
      • 4.1.1.3Ensuring that proposals submitted to the Government of Canada enterprise architecture review board have first been assessed by the departmental architecture review board where one has been established.
      • 4.1.1.4Ensuring that proposals to the Government of Canada enterprise architecture review board are submitted after review of concept cases for digital projects according to the “Mandatory Procedures for Concept Cases for Digital Projects” and before the development of a Treasury Board submission or departmental business case.
      • 4.1.1.5Ensuring that departmental initiatives submitted to the Government of Canada enterprise architecture review board are assessed against and meet the requirements of Appendix A: Mandatory Procedures for Enterprise Architecture Assessment and Appendix B: Mandatory Procedures for Application Programming Interfaces.

      Planning

      • 4.1.1.6Approving the IT and information or data component of all departmental strategies, plans, initiatives, projects, procurements and spending authority requests.
      • 4.1.1.7Producing the departmental IT expenditure report and on-going Application Portfolio Management update reports.
      • 4.1.1.8Ensuring that departmental IT investments, service development and improvement initiatives are informed by and integrated into departmental business planning.

      Enterprise participation

      • 4.1.1.9Participating, as a service provider or as a service client, in the conception, planning, evolution and oversight of enterprise-wide IT services and solutions.
      • 4.1.1.10Advising the CIO of Canada about decisions, plans, strategies, directions, progress, risks and challenges related to initiatives that affect the provision or use of IT services in or across departments.
  • 4.2Client-centric service design and delivery
    • 4.2.1The designated official for service, in collaboration with other officials as necessary, is responsible for:

      Client-centric service

      • 4.2.1.1Ensuring that client feedback, including in-service client feedback, client satisfaction surveys and user experience testing, is collected and used to improve services according to TBS direction and guidance.
      • 4.2.1.2Ensuring that newly designed or redesigned online services provide real-time application status to clients according to TBS direction and guidance.

      Service inventory

      • 4.2.1.3Developing and annually updating a departmental service inventory according to TBS direction and guidance.
      • 4.2.1.4Working with TBS to make the departmental service inventory available through the Government of Canada open government portal according to TBS direction and guidance.

      Service standards

      • 4.2.1.5Ensuring the development, management and regular review of service standards, related targets and performance information, for all services and all service delivery channels in use, according to TBS direction and guidance.
      • 4.2.1.6Ensuring the reporting of real-time performance information for service standards is available on the department’s web presence, in accordance with TBS direction and guidance.

      Service review

      • 4.2.1.7Ensuring that each service is regularly reviewed with clients, partners and stakeholders, in collaboration with the departmental CIO, as appropriate, at least once every five years to identify opportunities for improvement, including redesign for client-centricity, digital enablement, online availability and uptake, efficiency, partnership arrangements, and alternate approaches to service delivery.
  • 4.3Open and strategic management of information and data
    • 4.3.1The departmental CIO, in collaboration with other departmental officials as necessary, is responsible for:

      Strategic management of information

      • 4.3.1.1Establishing departmental information architecture in alignment with prescribed enterprise-wide standards.
      • 4.3.1.2Ensuring digital systems are the preferred means of creating, capturing and managing information.
      • 4.3.1.3Ensuring information and data are managed to enable data interoperability, reuse and sharing to the greatest extent possible within and with other departments across the government to avoid duplication and maximize utility, while respecting security and privacy requirements.
      • 4.3.1.4Ensuring departmental information is created in an accessible format, where appropriate, in accordance with TBS guidance.
      • 4.3.1.5Establishing and maintaining taxonomies or classification structures to manage, store, search, and retrieve information and data in all formats according to prescribed enterprise-wide standards.
      • 4.3.1.6Documenting life cycle management practices within the department that align with the nature or purpose of the information or data, and that address accountability, stewardship, performance measurement, reporting, and legal requirements.
      • 4.3.1.7Establishing, implementing and maintaining retention periods for all information and data, as appropriate, according to format.
      • 4.3.1.8Developing a documented disposition process and performing regular disposition activities for all information and data, as required.

      Protection

      • 4.3.1.9Protecting information and data by documenting and mitigating risks, and by taking into consideration the business value of the information, legal and regulatory risks, access to information, security of information, and the protection of personal information.

      Recordkeeping

      • 4.3.1.10Identifying information of business value, based on an analysis of the functions and activities carried out by a department to enable or support its legislated mandate.
      • 4.3.1.11Maximizing the removal of access restrictions on departmental information that has been identified as having archival value before the information is transferred to Library and Archives Canada as part of planned disposition activities.
      • 4.3.1.12Ensuring that an approved Government of Canada enterprise information management solution is used to document business activities, decisions and decision-making processes.
      • 4.3.1.13Identifying, establishing, implementing and maintaining designated corporate repositories in which information of business value is managed throughout its life cycle while respecting privacy and security requirements.
      • 4.3.1.14Ensuring that the quality of information is managed and preserved to satisfy the requirements and expectations of users to meet operational needs, responsibilities, and long-term retention requirements.
    • 4.3.2Managers are responsible for:
      • 4.3.2.1Informing employees of their duty to document their activities and decisions of business value.
    • 4.3.3Employees are responsible for:
      • 4.3.3.1Documenting their activities and decisions of business value.
  • 4.4Leveraging technology
    • 4.4.1The departmental CIO is responsible for:

      Strategic IT management

      • 4.4.1.1Providing IT services that are responsive to departmental priorities and to the needs of program delivery and business.
      • 4.4.1.2Ensuring that decisions and actions regarding IT are guided by the CIO of Canada’s enterprise-wide plan and prioritization of Government of Canada demand for IT services and assets.
      • 4.4.1.3Adopting, as applicable, enterprise solutions within their respective department.
      • 4.4.1.4Developing and maintaining departmental IT management practices and processes, as informed by ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and Related Technology), while prioritizing IT asset management, the IT service catalogue and IT service costing and pricing, as appropriate.
      • 4.4.1.5Developing, implementing and sustaining departmental strategies for producing or using appropriate enterprise IT services and solutions, based on the integrated service, information, IT and cyber security departmental plan.
      • 4.4.1.6Collaborating on digitally enabled business transformation with the business owner and other stakeholders.
      • 4.4.1.7Identifying emerging technologies that could potentially contribute to the strategic and business goals of the department and the Government of Canada.
      • 4.4.1.8Ensuring that IT services are designed and managed to support interoperability.

      Cloud services

      • 4.4.1.9Supporting the use of cloud services first by ensuring they are:
        • 4.4.1.9.1Identified and evaluated as a principal delivery option when initiating new departmental, enterprise, and community of interest cluster IT investments, initiatives, strategies and projects;
        • 4.4.1.9.2Adopted when they are the most effective option to meet business needs; and
        • 4.4.1.9.3Compliant with appropriate federal privacy and security legislation, policies and standards.
      • 4.4.1.10Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified.

      Network and device use

      • 4.4.1.11Drafting notices to authorized network and device users to inform them of:
        • 4.4.1.11.1Expectations for acceptable and unacceptable use of Government of Canada electronic networks and devices, including a link to the Policy on Services and Digital and instructions to consult Appendix C: Examples of Acceptable Network and Device Use (non-exhaustive list) and Appendix D: Examples of Unacceptable Network and Device Use (non-exhaustive list).
        • 4.4.1.11.2Electronic network monitoring practices applied by their own department or by Shared Services Canada (SSC) according to Appendix E: Privacy and Monitoring of Network and Device Use.

      Alternative IT services

      • 4.4.1.12Ensuring compliance with procedures established for accessing alternatives to SSC service delivery mechanisms, as necessary.

    Planning for and responding to a cyber security event

    • 4.4.2The designated official for cyber security, in collaboration with the departmental CIO and Chief Security Officer as appropriate, is responsible for:
      • 4.4.2.1Ensuring that cyber security requirements and appropriate measures are applied in a risk-based, lifecycle approach to protect IT services, in accordance with the Directive on Security Management, Appendix B: Mandatory Procedures for Information Technology Security Control.
      • 4.4.2.2Ensuring departmental plans, processes and procedures are in place for responding to cyber security events and reporting of incidents to the appropriate authorities and affected stakeholders, in accordance with the Government of Canada Cyber Security Event Management Plan.
      • 4.4.2.3Undertaking immediate action within the department as directed to assess impacts, including whether there has been a privacy breach, and implement mitigation measures in response to cyber security events.
      • 4.4.2.4Liaising with the access to information and privacy office in the department and the Office of the Privacy Commissioner when there has been a material privacy breach.
  • 4.5Supporting workforce capacity and capability
    • 4.5.1The departmental CIO is responsible for:
      • 4.5.1.1Providing functional leadership in the department on the development and sustainability of the IT and information communities through talent management and community development strategies.

5. Roles of other government organizations

  • 5.1The roles of other government organizations in relation to this directive are described in section 5 of the Policy on Service and Digital.

6. Application

  • 6.1This directive applies to departments as defined in section 2 of the Financial Administration Act unless otherwise excluded by other acts, regulations or orders in council.
  • 6.2Requirement 4.4.1.11 only applies to the core public administration as defined in section 11.1 of the FAA, unless otherwise excluded by specific acts, regulations or orders-in-council. Other departments or separate agencies not subject to these provisions are encouraged to meet these requirements as good practice.
  • 6.3Small departments and agencies:
    • 6.3.1For the purposes of this directive, small departments and agencies are defined as organizations that have reference levels including revenues credited to the vote of less than $300 million per year or that have been, for the purposes of this directive, designated as small departments or agencies by the President of the Treasury Board upon recommendation of the Secretary of the Treasury Board;
    • 6.3.2Organizations whose reference levels change so as to bring them above or below the $300 million threshold will not be redefined as large or small departments or agencies unless their reference levels remain above or below the threshold for three consecutive years, to allow for stability and transition, unless otherwise determined by the President of the Treasury Board upon the recommendation of the Secretary of the Treasury Board;
    • 6.3.3With regard to small departments and agencies, this directive applies as per subsection 6.1 with the exception of section 4.1.1.1.
  • 6.4Agents of Parliament
    • 6.4.1The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this directive within their organizations:
      • Office of the Auditor General
      • Office of the Chief Electoral Officer
      • Office of the Commissioner of Lobbying of Canada
      • Office of the Commissioner of Official Languages
      • Office of the Information Commissioner of Canada
      • Office of the Privacy Commissioner of Canada
      • Office of the Public Sector Integrity Commissioner of Canada
    • 6.4.2With regard to agents of Parliament the following do not apply: 4.1.1.1, 4.1.1.2, 4.1.1.3, 4.1.1.4, 4.1.1.5, 4.1.1.10, 4.4.1.2, and 4.4.1.12

7. References

  • 7.1The references in relation to this directive are described in section 7 of the Policy on Service and Digital.

8. Enquiries


Appendix A: Mandatory Procedures for Enterprise Architecture Assessment

Provides an assessment framework for the review of digital initiatives to be used by departmental architecture review boards and the Government of Canada enterprise architectural review board: Mandatory Procedures for Enterprise Architecture Assessment

Appendix B: Mandatory Procedures on Application Programming Interfaces

Provides direction on the development of Application Programming Interfaces (APIs): Mandatory Procedures on Application Programming Interfaces

Appendix C: Examples of Acceptable Network and Device Use (non-exhaustive list)

Provides employees with examples of acceptable uses of government electronic networks and devices: Examples of Acceptable Network and Device Use (non-exhaustive list)

Appendix D: Examples of Unacceptable Network and Device Use (non-exhaustive list of examples)

Provides employees with examples of unacceptable uses of government electronic networks and devices: Examples of Unacceptable Network and Device Use (non-exhaustive list of examples)

Appendix E: Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices

Provides direction for departments to notify users how their use of government networks and devices is monitored: Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices

Date modified: