Item - 2018.EX36.9

The Executive Committee recommends that:  

1.  City Council request the City Manager, in consultation with the Deputy City Managers, the Chief Financial Officer, the City Solicitor, the City Clerk and the Chief Information Officer, to establish prioritized criteria for the migration of SilverDane records, such criteria to include employment positions, name of correspondent, subject matter, date and timeframe, and implement the plan with City Divisions.

2.  City Council request the Chief Information Officer, in consultation with the Treasurer, to inform City Divisions on the business process for the extraction of information from SilverDane, based on the established criteria to ensure compliance for Payment Card Information.

The City must become Payment Card Industry (PCI) compliant by December 31, 2018 or risk its ability to use credit cards to process payment transactions. It further risks breaching contract terms with Moneris, the City's payment card processing services provider, and be subject to increasing penalties and fines as a result.

One of the Payment Card Industry standards that the City must meet, is to guarantee that no credit card information of any kind is stored anywhere on the City's network. In conducting an audit of the City's network and systems, unredacted credit card information was found on the SilverDane Archive (SilverDane).  SilverDane cannot be searched for credit card information nor can the credit card information be removed in order, to satisfy the Payment Card Industry requirements. 

SilverDane contains emails, attachments, calendars and notes from the City's legacy GroupWise system including relatively recent documents from 2011-15.  The system's search capability cannot meet the Payment Card Industry compliance requirements to remove all credit card. The only option available is to 'unplug' the system from the City's network which could cause the system to fail and the loss of the records contained in it. 

The City is under statutory obligations to preserve, and make accessible, records until they are scheduled for destruction under Section 201 of the City of Toronto Act, 2006 and Municipal Code Chapter 217, Schedule A.  SilverDane contains records that are scheduled with various retention periods into the future.  Staff is seeking authority from Council, to change the various retention periods to one retention period for SilverDane content, as listed in Appendix 1, in order for the City to become Payment Card Industry compliant.