SecureKey Concierge – Credential Broker Service


Executive Summary

The Credential Broker Service is an anonymous authentication service which protects privacy. The goal of Cyber Authentication Renewal is to provide end-users choice in the credentials they use to authenticate online to Government of Canada programs and services and to provide Government of Canada departments and agencies with the flexibility to determine authentication solutions commensurate with the security needs of their programs and services. SecureKey Concierge allows end users to access Government of Canada online services using credentials they already hold with financial institutions. Through the implementation of this commercial service in the spring of 2012, the Government of Canada is able to leverage the considerable industry investment taking place in cyber authentication technology. This provides individuals with a client-centric, secure online credential authentication solution at a significantly reduced cost to the Crown.

The personal information collected by the Broker has no contextual sensitivities and is never combined with identifying information about the user. In addition, the identifiers that the Department or Agency holds and that form part of the Authentication Request, such as the Name and Recovery Question, are not disclosed to the Bank.


Under the initial Program Activity Architecture developed for Shared Services Canada, SecureKey will be a Program of the strategic outcome, “Mandated services are delivered in a consolidated and standardized manner to support the delivery of Government of Canada programs and services for Canadians”, under the Activity, “Efficient and effective IT infrastructure services are delivered across Government of Canada”. This Program Activity is further described as enterprise-wide consolidation in the areas of email, data centres and telecommunications. It improves the overall efficiency, reliability and security of IT infrastructure.

Transformation, Service Strategy and Design, Enterprise Architecture is the Shared Services Canada branch responsible for delivering this activity, but the Treasury Board of Canada Secretariat, Chief Information Officer Branch, has the lead for the Government of Canada Cyber Authentication Initiative.

The Privacy Impact Assessment approval authority resides with the President of Shared Services Canada and her designated delegate is the Director of Access to Information and Privacy.

The legal authority for Shared Services Canada to collect personal information for this program derives from Order-in-Council No. 2011-0877 made pursuant to the Public Service Rearrangement and Transfer of Duties Act.  On June 29, 2012, the Shared Services Canada Act received Royal Assent and is now Shared Services Canada’s legal authority to collect personal information for its programs.

Privacy Risk Mitigation

The Privacy Impact Assessment has been prepared in close consultation with the Treasury Board Secretariat, and the analysis of the risks was made against the ten universal privacy and fair information practice principles of the Canadian Standards Association Model Code for the Protection of Personal Information. In addition, the Privacy Impact Assessment includes details on the technology, such as the service design, the threat analysis and a description of the technical safeguards provided to protect personal information. Shared Services Canada takes the protection of Canadians’ information very seriously and is committed to taking further action to mitigate the low residual privacy risks that were identified in the process.

To openly account for the personal information collected for this program, the proposed new Personal Information Bank 607 for SecureKey Concierge is currently being reviewed and finalized.