cds-snc / notification-planning

Project planning for GC Notify Team

Notify needs a specific Privacy Statement #267

Closed YedidaZalik closed 2 years ago

YedidaZalik commented 2 years ago

Currently Notify is using the same privacy statement as the CDS website, which is not specific to the needs of Notify, federal depts and p/ts.

We need to:

yaelberger-commits commented 2 years ago

Ideas from @jimleroyer and @sastels for technical guidance to add to the SLA, specifically around sending SMS

Jimmy Royer 17 hours ago

I will update if I think of more, but off the top of my head:

- Their options between dedicated vs non-dedicated long code.
- Their rate of SMS / second they can send with (>20 sms/sec) or without a dedicated long code (1 sms / 2 sec).
- If they batch send, they need to be aware of our technical SLA/SLA.
- If they batch send, they need to throttle on their end or they could have their service put back into trial mode. This should be in our SLA.
- They need to send notifications to long codes that can receive mobile text messages, else we could have their service put back into trial mode if there is too much noise. This should be in our SLA.
- SMS is a faulty technology that can't guarantee delivery. Notify gets receipts for some delivered messages, but not for all delivered messages. There might be carrier failures; it is not an infrastructure maintained by one with the same level of quality across the different networks. We are at their mercy.
- SMS is a faulty technology that can't guarantee trust, at least in Canada. Someone else could impersonate your service easily.
- Sending international costs more and would probably reduce the agreed quota of free SMS a service can send through Notify.
- Sending international is less guaranteed delivery or might simply not work.
- One notification is not necessarily equal to one SMS. Sending long text will divide your messages into multipart and count for multiple SMS, hence increasing your usage of free SMS. It is usually a 160 7-bit character limit. Using special characters might translate to a more restricted limit, more here to read for example.
- It's possible a number you send to won't receive your notification if another service from Notify sent one and was blocked as a consequence.

Steve Astels 17 hours ago

There's at least a couple of things IMO:

- Hitting our api too much - they should use the bulk api instead of hitting the single sms api a lot
- SMSs go out slowly (20/s for all of Notify)
- Checking the response they get back from the api to ensure it was accepted
- Following due diligence in verifying their numbers are correct, are mobile, and are removed from their list if they fail.

yaelberger-commits commented 2 years ago

- Added more legislative requirements, off to Sharly for review, then over to Legal.
- Asked to document the process
- Security statement cross referencing old with Sharly notes.

adriannelee commented 2 years ago

Taking the privacy statement to content critique today.

For the security statement, have some questions for Sharly.

adriannelee commented 2 years ago

Sending Sharly the new privacy statement. Will wait for the other items

yaelberger-commits commented 2 years ago

Sharly approved Privacy Statement to go to legal

yaelberger-commits commented 2 years ago

Privacy Statement still with Legal. Sharly will need to update when it comes back. Yedida did documentation (spreadsheet) of the work

yaelberger-commits commented 2 years ago

Blocked by TBS legal review

yaelberger-commits commented 2 years ago

Unified accounts work could affect these docs so there is a dependency there, could feed into this

yaelberger-commits commented 2 years ago

Hey team! Please add your planning poker estimate with ZenHub @YedidaZalik @sharlychan-cds

yaelberger-commits commented 2 years ago

Demoing this to the team and others today

yaelberger-commits commented 2 years ago

Comments for Sharly to resolve with Nisa, then going to ATIP for review today

sharlychan-cds commented 2 years ago

Nisa has reviewed! Sent to TBS ATIP today :)

jimleroyer commented 2 years ago

ATIP replied today and Sharly will take a look.

yaelberger-commits commented 2 years ago

- Contact ATIP to see timelines
- Incorporate changes from @sharlychan-cds
- Nisa review
- Translation
- Could publish an interim version this sprint

adriannelee commented 2 years ago

Sharly is adding a couple of new clauses and figuring out who needs heads up.

adriannelee commented 2 years ago

Sent to OCIO on Friday, waiting to hear back. Sharly expects it to be a quick turnaround. Moving to blocked

jzbahrai commented 2 years ago

@sharlychan-cds to give an update

jzbahrai commented 2 years ago

Going to Product Policy tomorrow. After that the changes will be incorporated by Yedida

amazingphilippe commented 2 years ago

Sharly and Yedida should work on this together. Then needs to go back to OCIO PDPD (update with acronyms)

YedidaZalik commented 2 years ago

- @sharlychan-cds and I finalized stmt with help from Nisa. Attached here (https://docs.google.com/document/d/1v16uAbITpXYLoX5_C3yRu0F7DbKB536H/edit#heading=h.3znysh7)
- Sent to translation with request to return by Sept 6
- Need to get list of other services ready to link

yaelberger-commits commented 2 years ago

Back from translation Sept. 6, with @amazingphilippe for FR content review

yaelberger-commits commented 2 years ago

Yedida will publish, along with supporting doc and security statement on GC Articles today

YedidaZalik commented 2 years ago

Privacy statement now on GC articles at

- EN - Privacy notice for staff using GC Notify
- FR - Avis de confidentialité à l’intention du personnel utilisant GC Notification

along with their 2 supporting docs

- Other services used by GC Notify
- Autres services utilisés par GC Notification

I've done a check of all 4 docs but they need to be reviewed by a fresh set of eyes. The original google docs are:

- Final version Notify Privacy Statement EN
- Final version Notify Privacy Statement FR
- Other services EN
- Other services FR

Once they pass review, we'll publish at same time as Security docs. Dave S. gives these steps for publishing:

1. Rename published original to old
2. Then publish new
3. Then ask Dave to clear cache

amazingphilippe commented 2 years ago

Reviewed and ready for Dave to clear cache on Article's side