Policy on security, privacy and artificial intelligence – October 2025

FC Morissette Consulting respects its commitments under the GoC’s ProServices program to safeguard client information.  

Respecting these commitments means:

  • Maintaining appropriate organization security screening / clearance via PSPC’s Contract Security Program (CSP). 
  • Ensuring all personnel who access sensitive or protected information have valid security status. 
  • Applying appropriate IT security controls when processing, storing, transmitting, or accessing protected or classified information. 
  • Not processing or storing protected/ classified information electronically unless written approval is granted by GoC authorities. 
  • If subcontracting, only doing so with prior written permission when the subcontract involves GoC security requirements. 
  • Adhering to document safeguarding requirements (physical and electronic) as specified in contract clauses. 
  • Maintaining oversight, review, and audit readiness of security / privacy controls during contract performance. 

Client information management – security and privacy

To safely manage client information and data, this means:

  • I have Secret-level security clearance (currently valid until February 2035).
  • I store sensitive deliverables and client data only on client-approved platforms. This usually means GoC platforms (e.g., GCdocs, GC SharePoint, GC Teams) built to handle Protected B or higher information.  Clients usually give me access to these platforms through client-issued hardware, GoC VPN and/or network access.
  • Any client information I hold, own or manage is limited to Protected A or non-classified information. This client information is stored on my Microsoft 365 and OneDrive accounts, which are in line with Government of Canada security standards. These platforms are approved for Protected A (and in some cases Protected B) information, but in my own practice I limit storage to Protected A only. All data is encrypted, access-controlled, and safeguarded consistent with PSPC’s Contract Security Program requirements.
  • I do not store or manage client’s Protected B or higher, or security-classified information, on my systems.
  • If a client inadvertently sends me Protected B or higher, or security-classified information, I will advise them of the situation and follow their guidance to resolve the issue to their satisfaction.
  • When in doubt, I clarify the sensitivity and classification level of the information with clients.

Use of artificial intelligence – quality, security and privacy

As a ProServices supplier, I recognize that the Government of Canada is evolving its approach to artificial intelligence (AI). To maintain trust and compliance, I apply the following principles when using AI tools in the delivery of services:

  • I disclose when and how AI tools are used to accelerate and support contract deliverables.
  • AI-assisted outputs used to accelerate and support deliverables are reviewed, validated, and approved by me to ensure accuracy, fairness, and appropriateness.
  • I remain fully responsible for final deliverables to the client, regardless of whether AI tools supported the work.

To support client projects, this means:

  • I sometimes use AI tools (ex. ChaptGPT, Gemini, Perplexity accounts) to accelerate development of unclassified and anonymized work (ex. research and analysis, drafting documents or templates, analyzing public frameworks, creating training material).
  • AI-assisted outputs usually serve as a first rough draft or base for my further work to develop a final product.
  • All final products are developed, edited, finalized, validated, and approved by me before delivery to clients.
  • No Protected B or higher, or security-classified information, is entered into AI tools.
  • For Protected A or non-classified information entered into AI tools- no identifiable organization or client information (ex. names, emails, HR records, financial data) is entered into AI tools.
  • For Protected A or non-classified information entered into AI tools – I anonymize the information wherever practical (ex. “Organization X”, “Team XYZ” or “Employee A/B” instead of real names or titles).

I use AI tools to accelerate my work and lower the cost to clients. I only charge clients for work performed, as per contract terms. If a client instructs me to not use AI tools to support their project, I will charge the full amount of time and effort needed to deliver as requested.

I periodically update these security, privacy and AI practices to align with evolving Treasury Board and PSPC guidance and requirements in these areas.