Technical and legal assessments

Date adopted: August 15, 2020
Last update: October 1, 2020

This page provides guidance on some of the technical and legal assessments you may need to complete before launching a service or website to the public.

Privacy Impact Assessment (PIA)

When to conduct a PIA

Almost all services and websites must have a PIA completed before they go live. On the rare occasion there is an exemption, we still recommend you complete this assessment to ensure your users and their data are protected.

You must complete this assessment if your service or website is required to adhere to the Access to Information and Protection of Privacy Act (ATIPP).

How to get a PIA completed

First, you need to determine who will head up the PIA process. They will organize and lead its research and completion. This can be done in-house by a project team member or you can hire a vendor to complete this work.

Your eServices team lead will review options with you in discovery.

Security and Threat Risk Assessment (STRA)

When to conduct a STRA

If your website or service will make changes to the eServices platform, you may need a STRA. Contact your eServices team lead and describe your project. They will advise if you need to complete the assessment.

How to get a STRA completed

Determine who will head up the STRA process.

This work can be completed in-house or you may need to hire a vendor to complete the assessment. Contact the government's Chief Information Security Officer (CISO) for guidance on which option you should take. The CISO will consult with your eServices team lead.

You'll coordinate the remediation work the assessment recommends and carry it through to the CISO's satisfaction.

We also recommend you discuss the service or website with the Information Privacy Commissioner (IPC). This maintains transparency and encourages collaboration.

When the STRA is complete, we'll review the government's service agreement template with the department operating the service and make adjustments as needed.

The department signs the agreement and submits it to eServices for sign-off. The department and eServices must keep a final version for their own records.

Payment Card Industry (PCI) compliance audit

When to conduct a PCI compliance audit

If your service or website accepts payments by credit or debit card, you must complete a PCI compliance audit.

How to get a PCI audit completed

Determine who will coordinate the PCI compliance audit.

  1. Confirm an audit is required.
  2. Complete the PCI self-assessment questionnaire (SAQ).
  3. Submit the completed PCI SAQ to the Department of Finance (eServices will provide you with a contact).
  4. Finance will review it and make a decision.

eServices will support you in the following steps.

  1. Once you can proceed, your project manager can set up a Bambora merchant account for development purposes. This is sometimes known as a sandbox account. The sandbox account can be converted into a live account before your service or website goes to public beta.
  2. Work with eServices to select a qualified service provider. For payment services, look for a vendor that has specifically identified its PCI Data Security Standard (PCI DSS) responsibilities, so it is clear which controls the vendor owns and which remain with your department.
  3. Once you have a vendor, review those responsibilities with the service provider.
  4. If necessary, arrange PCI training for the department managing the service. This is particularly important for staff who will regularly operate the service.
  5. Your developer may need to create a payment form template. This will depend on the interface design of your service or website. We'll advise you on how to proceed with this.
  6. Complete the necessary application forms for your department's merchant account. These forms can include those for Moneris as well as applications for individual credit cards and whatever else is necessary. Have these completed forms approved by the Department of Finance.
  7. Review the PCI SAQ and all of the financial documents, and walk through an end-to-end demonstration with the Government of Yukon PCI Steering Committee. The committee will then decide whether to approve and sign off on this work.

Final approval from your director on all assessments

Before you proceed to public beta, your director should be made aware of any audits or assessments performed on the service or website. Your director will approve and sign off on the assessment documents.

Write a data collection notice for your service start page

You must write a data collection notice for the service start page.

You may need to consult with your legal team to make sure your notice complies with Government of Yukon acts and legislation.

The government automatically retains data on its eServices platform for 12 months. Confirm with the department service owner that this will work for your purposes.

If you need to adjust the data retention schedule, submit your request to eservices@gov.yk.ca. We'll look into making the required adjustment to our platform's reporting system.