Step 1: Develop a use case and evaluation criteria
To begin the SaaS adoption process, you’ll need to clearly define your needs and requirements for a SaaS tool.
This process has 3 purposes:
- To help you determine what kind of SaaS tool you need
- To help your ministry’s privacy, security, legal and risk management team evaluate your chosen SaaS tool later in the process
- To make sure your adoption process remains compliant and competitive
Connect with the people who will be using the tool
First, speak to the tool’s future user base. Make sure you’re all in agreement about the features and functionality required for a SaaS tool to effectively meet your needs.
Things to consider:
- The need to integrate with your current software and systems
- The learning curve of the tool and if it matches the abilities of the people using it to day-to-day, or the time and capacity they can devote to training
- The tool has appropriate accessibility features for people using adaptive software or hardware
- The requirement for external users, like a client group or program partners
Develop the use case
Your use case should outline how a SaaS tool would be used to solve a problem or achieve a goal. It shouldn’t be a recommendation of one particular SaaS tool. Your ministry’s Business Analyst may be able to help you with this step.
Address these questions in your use case:
- Why do you want to use SaaS?
- How do you want to use SaaS?
- How does your need for SaaS connect with the mandate of your branch, division or ministry?
- What are the objectives and outcomes for the SaaS tool?
- How will you measure the success of your objectives and outcomes?
- Who will benefit from the SaaS tool?
- Who will use the SaaS tool? How many users do you anticipate?
- What features and functionality do you need the SaaS tool to have?
- What types of information will you be using with the SaaS tool and what are their security classifications? How will this information be used? Your Ministry Information Security Officer (MISO) and Ministry Privacy Officer (MPO) can help you with this question. In general, Protected C data should not be stored, transmitted or shared in SaaS tools
- Who will have access to the information stored in the SaaS tool?
- Do you have a budget? How do the SaaS costs fit into your budget?
- What will happen to the data stored in the SaaS tool if you stop using the tool?
Develop the evaluation criteria
Take a look at your use case and identify the requirements that you have outlined. These requirements will form the criteria that you will use to evaluate potential SaaS tools and vendors during your procurement process.
Your criteria might include:
Cost. What type of pricing model are you looking for? What is your budget?
Location of processed or hosted information. Is the SaaS tool hosted in Canada (including all data and associated backups)? Is the data ever routed out of Canada for processing? A privacy impact assessment (PIA) needs to be conducted before sensitive personal information can be hosted and processed outside of Canada
Access control. Which single sign-on (SSO) service will you use for users to login to the SaaS tool?
Configurability. Do you want the SaaS to support custom configurations? If so, do you control them or does the vendor?
Encryption. How is the data secured (both in transit and at rest)?
Exit strategy. If you stop using the SaaS tool, how will you retrieve B.C. government data? Are there any associated costs?
Licensing. Are there any restrictions on the total number of user accounts you can have, or the number of users who can use the SaaS tool at the same time? How are new users added? How are accounts closed or transferred if someone moves to a new team or ministry?
You can also consider other criteria that is specific to your use case.
You may also contact your Ministry Procurement Specialist to help with the development of your evaluation criteria.
Step 2: Research and estimate
In this step, you’ll look for potential SaaS tools that fit the business needs you identified in your use case and evaluation criteria. This will help you make informed decisions and secure approval from your ministry Expense Authority (EA).
To make sure any future procurement for your SaaS tool is fair, open and transparent, try to avoid discussing specific requirements, evaluation criteria or budget with vendors. Use this time to do general research. What SaaS tools are available in the market which might fit your needs? It’s also good to gather general information about costs to help form your estimates.
Explore and compare SaaS tools
Begin your research by using the SaaS directory or researching options online. Try to find at least 3 potential SaaS tools that could meet your needs.
Check for a Corporate Supply Arrangement
Now is the time to find out if there are any Corporate Supply Arrangements (CSA) managed by the Procurement Service Branch. You can use a CSA to acquire a SaaS tool that fits your use case.
If there’s a CSA available to you, you can make your purchase under the framework of that CSA. Contact your Ministry’s Procurement Specialist if you need additional information about how to use CSAs.
Check for a Multi-Use List
The Province might have a list of SaaS vendors who are pre-qualified. Using this list can expedite your procurement process.
Contact your Ministry’s Procurement Specialist if you want to explore this option.
Check for an existing privacy impact assessment and a security threat and risk assessment
To adopt a SaaS tool, you’ll need to complete your own privacy impact assessment (PIA), security threat and risk assessment (STRA) and arrange for a legal review of your chosen vendor’s terms and conditions. We explain this process in detail in Step 4.
For now, check the SaaS directory to see if a PIA or STRA has already been prepared for any of the SaaS tools you’re interested in.
Existing PIAs and STRAs aren’t always transferrable to your own assessments, but they often provide useful information that you can use to speed up your own assessment process. You may need to complete a new PIA or STRA if your use case, the type of data which may be processed by the SaaS tool or the location where data will be stored represents a significant change from the use case in the existing PIA or STRA.
Contact your Ministry Privacy Officer (MPO) or Ministry Information Security Officer (MISO) if you have any questions about finding or using existing assessments.
A note about using prior legal reviews
It’s important to remember that legal advice isn’t transferrable from one file to the next. The Legal Services Branch reviews each file for their own risks. Risks are assessed by legal counsel based on the particular circumstances of a client’s file like the use case, the type of Provincial data involved and the value and duration of a contract.
Research a variety of potential SaaS tools that may fit your use case to estimate and document how much it might cost to adopt any of these tools. Try to cost out at least 3 potential SaaS tools to prepare your estimate.
Plan for SaaS expenses accurately
Your estimated costs should represent the entire amount of time you expect to subscribe to a SaaS tool.
For example, if you want to use a SaaS tool for the next two years, the cost estimate should include the total price for the two-year subscription, along with any additional expenses for upgrades or add-ons.
Accurate cost estimates are important because:
- The procurement process varies based on the expected expenses for a SaaS tool
- Your ministry Expense Authority (EA) must approve your cost estimates before you can proceed with the SaaS adoption process
How to estimate costs
Contact SaaS vendors or do online research to find information about costs.
- How much is the subscription fee?
- How long do you plan to have the subscription?
- Do you plan to renew the subscription?
- Are there any add-on features you need to pay for?
- Do you need to pay more to add additional users to a subscription?
- Do you think you may upgrade to a more expensive subscription?
Document your estimation process
Keep a record of your analysis to show what steps you took to find and estimate the costs for a variety of potential SaaS tools.
Get expense authority approval
After estimating your costs, reach out to your ministry’s Expense Authority (EA) to obtain approval for your budget.
Send them your estimates and the documentation you collected that shows the steps you took to find and estimate the costs.
Step 3: Conduct your procurement process
After you’ve received expense authority approval for your estimated costs, it’s time to conduct your procurement process to identify the SaaS tool you will purchase.
You’ll now need to gather quotes for potential SaaS tools that meet your use case needs and evaluation criteria. You should attempt to obtain a minimum of 3 quotes.
Obtaining quotes can be done through vendor websites or by directly contacting vendors through phone or email.
Each quote should cover the total cost of the tool for the entire duration of your intended subscription. Make sure you mention specific services and functionality requirements in your request to receive an accurate quote. This can include details such as how many people require access and any extra features you want to incorporate into the subscription.
In many cases, the quotes you receive will closely resemble or match the estimates gathered in Step 2.
If collecting 3 quotes is not possible
In the case your best efforts do not lead to finding 3 quotes, you may need to use a non-competitive approach and issue a direct award.
In this case, it’s critical to have sufficient documentation to support the decision of why you have opted for a direct award. Record the reasons that prevented the collection of 3 quotes, including any failed attempts to obtain them from vendors.
Direct awards are publicly disclosed, including contract details and the justification for the direct award.
Step 4: Complete compliance assessments and legal review
Where this is not possible, some risks must be approved by Legal Services Branch or Risk Management Branch, while others will be considered business or financial risks, which you will escalate to your executive leadership for review and approval.
- In paper form
- Presented to you in the form of a click-through which must be accepted before you may begin using the SaaS tool
- Embedded in a link on the vendor’s website
Regardless of the form the terms are delivered in, it represents a contract between the vendor and the Province as their customer.
- User rights and responsibilities
- Use of personal data
- Liability for damages
- Payment details
- Opt-out policies
- Security policies
- Wait for Legal Services to review the material you have provided. They will probably need to ask you some questions to complete their review. You may need to reach out to other stakeholders or the vendor to help answer these questions
Risk management assessment
A Privacy Impact Assessment (PIA) is a step-by-step review process to make sure that any personal information collected, used, stored or shared through your chosen SaaS tool is protected as required by the Freedom of Information and Protection of Privacy Act (FOIPPA).
Completing a PIA involves working with privacy experts to identify, evaluate and manage privacy risks.
Each ministry is responsible for completing their own PIA, either for a SaaS tool or for a specific use case (how they plan to use the SaaS tool).
For example, if Ministry A has completed a PIA on a SaaS tool and you are from Ministry B, you may need to do a PIA for Ministry B. How a SaaS tool is being used may also need to be assessed separately.
Contact your Ministry Privacy Officer (MPO) if you have questions about PIA requirements.
- Start by checking to see if a PIA has already been completed and is listed in the SaaS directory for your chosen SaaS tool. You may be able to use existing PIAs to help you complete your own PIA
- Start drafting your PIA in the Digital PIA application
- Contact your MPO and ask them to work with you to complete the PIA process. You may need to reach out to the SaaS vendor, your Ministry Information Security Officer (MISO) or other subject matter experts to answer questions in the PIA
- Once the PIA template is complete, your MPO will contact a privacy analyst from the Privacy, Compliance and Training (PCT) Branch to review and finalize the assessment
- After the Privacy, Compliance and Training Branch has completed their review of the PIA, it will be returned to you for ministry or program area signing. The individuals who provide these signatures vary by use case. Contact your MPO to determine who will be required to sign
Learn more about the PIA process.
You must complete a Security Threat and Risk Assessment (STRA) for your SaaS tool.
The outcome of the security assessment is a Statement of Acceptable Risk (SOAR) that identifies the potential security risks of the proposed tool and how those risks will be mitigated.
- Contact your Ministry Information Security Officer (MISO) and ask for a SOAR template.
- Work with your MISO to complete the template for your SaaS tool. Depending on the risks identified during this step, your MISO may also require the completion of a more comprehensive STRA
- Follow the instructions on the template for signing and submitting the completed SOAR
Learn more about the STRA and SOAR process.
Disclaimer: This is general guidance for all ministries. It’s advisable to consult the specialists from your ministry to understand what your process will entail.
Step 5: Purchase a license
What licensing means
SaaS tools are licensed through the purchase of a subscription. What this means is that usually, to get a license to use a SaaS tool, you pay for a subscription that allows you to use the tool for a set period of time.
You are responsible for renewal. If a renewal clause was indicated in your original procurement documentation, you may renew the subscription. Renewals must be for a limited period of time. Keep in mind that many SaaS tools will renew your subscription automatically if this language can’t be negotiated out of the contract.
Follow the purchasing procedure used in your Ministry. Refer to the guidance for online purchases in the B.C. government’s Purchase Card Manual.
When licensing your SaaS tool, pay attention:
- Which product tier or version you’re licensing
- The billing cycle you choose (monthly, quarterly or yearly billing)
- The number of user accounts you need
Complete the following steps before you create an account with the SaaS tool or make any payments to the SaaS vendor:
- Document the evaluation process that led to the selection of the SaaS tool you’re adopting. Your documentation should follow the requirements outlined in the administrative records classification system, section 1070-20
- Complete the contract pre-approval process, in accordance with internal processes in your ministry or organization
- Make sure you have all the necessary agreements signed, in accordance with internal processes in your ministry or organization
- Send the signed copies of the agreements to your finance team so they can set up the contract in the Corporate Financial System (CFS)
- Your finance team will arrange for the SaaS tool to be licensed. They may contact you if they need more information
After you have your SaaS tool
After subscribing to your SaaS tool, it’s time to integrate it into workflows and systems.
Contribute to the SaaS Directory
Update the SaaS directory to include all relevant information about your adoption process.
This information helps other B.C. public service teams learn more about the SaaS tool you’re using and helps them find and adopt their own SaaS.
This data also helps us identify opportunities for organization-wide agreements and better pricing with vendors.
When you add your information to the SaaS Directory, you must identify who is taking responsibility for managing the SaaS tool.
The individual you identify should become familiar with using the tool and will be the main point of contact with the SaaS vendor. Their responsibilities may also include managing the SaaS contract, adding or removing users from the account and managing use of the tool. For larger SaaS adoptions (for example at a departmental or organizational scale), this role may be filled by a product owner.
It may also be useful to identify someone who will lead training initiatives and help new team members get started with using the tool.
You may also need a developer to coordinate any integrations with existing infrastructure or to fulfill any minor development requirements for the SaaS.
Create an implementation plan
Clearly set out a process to deliver the SaaS and provide training to users.
You should identify:
- Which people or roles should adopt the SaaS
- Projects or work that should be done using the new SaaS
- The level of skill users should have to use the SaaS
- What training is available to users
For larger adoption projects, you may also want to identify which teams or departments will be implementing the SaaS solution first, if you are delivering the tool to users in phases.
Provide guidelines for appropriate use
Give the people who will be using the SaaS tool instructions on how it should be used.
This may include information about:
- Which activities or tasks can be done using the SaaS
- Which types of data can be used or stored in the SaaS (based on the data’s information security classification or other criteria)
- Any features or functionality that can’t be used (for example, for security, privacy or legal reasons)
- How records and information will be organized within the SaaS
Encourage employee adoption
Introducing a new SaaS tool may be destabilizing for some users.
You can encourage and support employees as they adapt to the new SaaS tool by:
- Embracing change management techniques and adult education principles
- Explaining the reasons for choosing the new SaaS, its importance and why now is the best time to make the switch
- Highlighting the benefits and functionality to show how it can help them in their work
Track SaaS adoption success
Tracking SaaS adoption will help you understand how the SaaS is being used and whether there are individuals who need more support.
Identify metrics that you can use to track how successfully the SaaS tool is being adopted.
Key metrics might include:
- How many users have adopted the SaaS
- How many training sessions have been delivered to users
- How many technical issues were reported and how many were resolved
- How has work or team morale been impacted by the SaaS
Set deadlines for when you want to reach specific milestones in your metrics. Consider the short and long-term future of your SaaS solution.
Encourage learning and discovery
Learning how to use a new SaaS tool takes time. Some people enjoy the process of learning how to use a new tool and they’ll be your early adopters. Others may be intimidated by the idea or may feel like they don’t have the time, energy or capacity to learn something new.
Support users with their learning process by:
- Helping them find their learning style and providing them with training resources that match it
- Giving users time to explore the layout and functionality
- Creating communication channels for users to ask questions and troubleshoot problems
- Providing practice assignments that teach basic features and build user confidence
- Leveraging vendor resources such as virtual demonstrations, training materials and support
The SaaS Community of Practice is a growing community of B.C government employees who are passionate about promoting SaaS adoption and compliance.
Being involved in this community offers the opportunity to ask questions, share knowledge and talk to other SaaS users about your experiences finding, procuring and implementing SaaS.
While it’s true that the vendor has likely tested the functionality of the solution, this does not necessarily mean that the solution will work perfectly for every organization using it. It’s important that your SaaS solution is quality assured by your team to verify that it meets your specific needs and requirements.
Monitor the SaaS tool’s performance and user experience to ensure its long-term success and effectiveness within your organization by:
- Overseeing ongoing contract management to develop a clear understanding of what’s working and what isn’t
- Reviewing the security, privacy and legal compliance assessments of your SaaS solution to ensure that the SaaS still meets the Province’s requirements
- Gathering user feedback to understand how the tool is being used in day-to-day work and whether there are any issues that need to be addressed. Consider scheduling check-ins at the 2 week, 1 month and 3 month mark after implementation to maintain open communication and address any concerns