Horizontal Internal Audit of Protection of Personal Information in Small Departments

June 2014
Office of the Comptroller General

Executive Summary

The objective of this audit was to assess compliance with the Policy on Privacy Protection and related directives in selected small departments.

Why This Is Important

Privacy is important to Canadians. As stated in paragraph 3.1 of the Policy on Privacy Protection:

"Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust in government."

Key Findings

Overall, accountability frameworks supporting the protection of personal information varied across the departments assessed. Although most of them have established clear responsibilities for decision making and for managing the administration of the Privacy Act and its related policy and directives, opportunities for improvement exist with respect to updating departmental delegation orders and increasing awareness of roles and responsibilities related to privacy.

New and substantially modified programs and activities were rare in the departments assessed, and only a few privacy impact assessments were conducted in the scope period. Risk management practices varied with respect to the identification, assessment and mitigation of privacy impacts and risks for all new or modified programs and activities that involve the use of personal information.

Overall, the effectiveness of management practices and controls to ensure adequate handling and protection of personal information varied across the departments assessed. Although the departments generally had appropriate practices in place to manage information for non-administrative purposes, access rights should be strengthened, as should privacy notices. The understanding of privacy breaches and the implementation of related protocols could also be improved.

Most of the departments had adequate procedures in place to ensure consistent reporting on the administration of the Privacy Act through annual reporting to Parliament. Monitoring at the departmental level was informal and was considered appropriate for most departments, given their size and mandate. Opportunities exist to strengthen monitoring mechanisms in some departments.

The Treasury Board of Canada Secretariat (the Secretariat) provides departments with sufficient guidance for developing sound practices for the protection of personal information. In order to improve the understanding of policy requirements, the Secretariat has delivered various outreach and leadership activities to departments, and monitors compliance with the policy and its related directives through the analysis and review of public reporting documents required by the Privacy Act and through other available departmental documentation, such as Treasury Board submissions. The Secretariat reviewed the Policy on Privacy Protection in 2012-2013. Future revisions of the Policy on Privacy Protection could consider privacy issues associated with the advancement of technology.

Conclusion

Overall, compliance with the Policy on Privacy Protection and related directives varies across small departments. Compliance allows departments to mitigate privacy impacts and risks by ensuring the effective protection and management of personal information. For that reason, it is important to strengthen accountability structures and controls where opportunities for improvements exist.

Conformance with Professional Standards

This audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Anthea English, CPA, CA

Assistant Comptroller General and Chief Audit Executive

Internal Audit Sector, Office of the Comptroller General

Background

The Horizontal Internal Audit of the Protection of Personal Information in Small Departments was identified and approved in the Office of the Comptroller General (OCG) Three-Year Risk-Based Internal Audit Plan 2012–15.

Personal information is information about an identifiable individual that is recorded in any form. Personal information can include many things such as an individual's name, address, race, education or personal identification number (e.g. Social Insurance Number). The Privacy Act, which came into force in 1983, ensures there are appropriate safeguards for the personal information that is gathered by the federal government. (Footnote 1)

According to paragraphs 3.2 and 3.3 of the Policy on Privacy Protection,

"the Supreme Court of Canada has characterized the Privacy Act as 'quasi-constitutional' because of the role privacy plays in the preservation of a free and democratic society. Privacy protection in this sense means limiting government interventions into the private lives of Canadians to lawful and necessary purposes. It also means that government is to ensure a high standard of care for personal information under the control of government institutions. The government also has to respond to requests for access to personal information. Sound information management plays a key role in facilitating the exercise of access rights under the Privacy Act and ensuring privacy protection."

"[…] Under the Privacy Act, the Treasury Board President is the designated minister responsible for preparing policy instruments concerning the operation of the Privacy Act and its Regulations. The Privacy Act establishes that policy and guidelines are the appropriate vehicles for supporting its administration."

Departments are expected to put in place sound management practices with respect to the handling and protection of personal information. The Treasury Board of Canada Secretariat (the Secretariat) is responsible for issuing direction and guidance to government institutions with respect to the administration of the Privacy Act and the interpretation of the policy.

During the preparation of the OCG's Three-Year Risk-Based Internal Audit Plan 2012–15, managers in small departments voiced concern about their ability to comply with the Privacy Act and its related regulations because of the relatively limited resources of small departments. As a result of technological advances, government departments collect, access and manipulate personal data on a significantly larger scale, which heightens the challenges of appropriately protecting such information.

Audit Objective and Scope

The objective of the audit was to assess compliance with the Policy on Privacy Protection and related directives in selected small departments.

The scope of this audit included the collective suite of management processes that are in place to support departments in their efforts to comply with the Policy on Privacy Protection and related directives.

This audit did not examine the adequacy of threat and risk assessments nor did it assess whether record disposal authorities were being applied appropriately. Such an examination would be more suited to an information management or security audit. Finally, this audit did not assess the adequacy of the procedures in place to respond to requests under the Privacy Act because these requests are typically focussed on access to information rather than privacy matters.

The primary scope period was the 2012–13 fiscal year. Plans and processes implemented for that year were also taken into consideration to supplement evidence, as required, as was each department's annual report on the administration of the Privacy Act for 2011–12, the most recent reports available at the time.

Eight small departments were reviewed during the audit. These departments were selected based on a self-identification and a risk assessment exercise which included consultations with the Office of the Privacy Commissioner of Canada (Footnote 2). The Secretariat was also included as part of this audit because of its role in providing policy and functional guidance to departments.

Appendix A provides a list of the departments examined, their mandate and examples of the type of personal information collected.

Appendix B provides a list of the lines of enquiry and related audit criteria used to assess the audit objective.

Detailed Findings and Recommendations

Finding 1: Accountability

The Policy on Privacy Protection requires that clear responsibilities in government institutions be established for decision making and for managing the administration of the Privacy Act and its regulations. Clear accountability frameworks help increase the likelihood that personal information is protected by employees at all levels of the department.

The audit examined the extent to which small departments have established accountability frameworks, including roles, responsibilities and tools, to support the protection of personal information in the department.

Privacy responsibilities were appropriately delegated in most departments.

Pursuant to section 73 of the Privacy Act, the head of a government institution may, by order, designate employees to exercise or perform certain powers, duties or functions in his or her stead, as outlined in Appendix B of the Policy on Privacy Protection. This order, which must be signed by the current head of the department, allows the designated employees to legally discharge those duties delegated to them.

Most of the departments assessed had delegation orders that reflected the reality of roles and responsibilities in the department, and that were signed by the current head of the department. Two departments had outdated delegation orders, which raises concerns that necessary discussions about privacy management are not occurring with the head of the institution. In both departments, changes in department heads, as well as reorganizations, suggest that the delegation orders need to be reviewed and revised, and outdated roles and responsibilities need to be addressed.

Awareness of roles and responsibilities related to the administration of the Privacy Act varied across departments.

Under the policy, departments are expected to have defined roles and responsibilities for decision making and for managing the administration of the Privacy Act and its related regulations. Clearly defined roles and responsibilities, combined with training and tools such as formal procedures or templates, enhance employee awareness of privacy requirements and increase the likelihood of compliance with those requirements.

In the departments examined, responsibility for the administration of the Privacy Act was assigned differently from department to department. In some departments, responsibility for privacy matters fell under the corporate services function; in others, under the information management and information technology function. In all of the departments assessed, responsibility for the administration of the Privacy Act was combined with responsibility for the administration of the Access to Information Act.

The representation of privacy at the senior management level also differed among the departments examined. In some, the privacy representative was at a level that gave him or her access to the senior management forum, which potentially increased the attention given to privacy concerns in the department. In one department, the director general of the Corporate Management Branch was the information management and privacy champion. This role increases the likelihood that privacy concerns receive appropriate attention and are integrated into all functions in the department.

Most of the departments examined had documented the roles and responsibilities of employees who had functional responsibility under the Act. These roles and responsibilities were generally found in work descriptions. In some departments, functional specialists had to acknowledge their delegated responsibilities in writing. In some departments, confirmation that employees had discussed their responsibilities under the Privacy Act with their supervisor was included in performance appraisal forms.

In one department, roles and responsibilities were neither clearly documented nor clearly understood by employees. This department had been reorganized, and staff reductions had taken place, without the new roles and responsibilities relating to the administration of the Privacy Act being formally communicated. Clearly defining and documenting employees' roles and responsibilities means that employees know what is expected of them, which in turn increases the likelihood that they will comply with the legislation and the related policy and directives.

Most departments provided some form of training to both functional specialists and other employees, but some departments provided none. Although annual training for functional specialists is not mandatory, it can promote compliance with legislation and the related policy and directives. Some departments had sound practices in place to keep staff up-to-date on privacy matters. These practices included the distribution of regular privacy bulletins to all personnel, and dedicated training and awareness days on privacy-related matters (e.g., Data Privacy Day). One department also encouraged an employee to pursue certification by an international privacy institute.

Privacy-related tools (e.g., procedures and templates) existed, to varying degrees of formality, in most departments. Employee awareness and use of these tools also varied across departments. For the few departments where awareness and use of the tools was noted as a concern, employees indicated that this stemmed from the tools not being widely disseminated or from confusion on the part of employees about their roles and responsibilities.

Privacy clauses were generally included in contracts with private sector organizations and in agreements with other government departments.

The Policy on Privacy Protection states that, when personal information is involved, departments are responsible for establishing measures to ensure that they meet the requirements of the Privacy Act when contracting with private sector organizations, or when establishing agreements or arrangements with public sector organizations.

Based on a sample of contracts with private sector organizations where the department was the contracting authority, privacy clauses were adequate for most departments assessed. Processes and tools for meeting the requirements of the Privacy Act were available to employees when contracting with private sector organizations. In particular, Public Works and Government Services Canada has developed templates and a Standard Acquisition Clauses and Conditions Manual for use by departments when contracting with private sector organizations.

Based on the limited sample of agreements with public sector organizations examined, privacy clauses as required in the Policy on Privacy Protection were, for the most part, included in the agreements. Departments would, however, benefit from establishing departmental procedures to ensure that consideration is consistently given to the need for such privacy clauses when developing interdepartmental agreements. When selecting a sample of agreements to examine, the audit team noted that some departments could not produce a complete listing of their intergovernmental agreements or arrangements because these were not centrally tracked. This limited the extent of audit testing.

Overall, accountability frameworks, including roles, responsibilities and tools to support the protection of personal information varied across the departments assessed.

Opportunities for improvements exist for some departments with respect to updating their delegation orders and increasing awareness of roles and responsibilities related to privacy.

Recommendations

  1. Departments should ensure that delegation orders are updated and appropriately approved.
  2. Departments should ensure that roles and responsibilities are appropriately documented and that employees are aware of them and have the necessary tools to discharge their responsibilities.

Finding 2: Risk Management

Federal government institutions routinely perform broad risk management activities and develop risk profiles related to their programs and activities. The Privacy Impact Assessment (PIA) is the component of risk management that focuses on compliance with the Privacy Act requirements and assessing the privacy implications of new, or substantially modified, programs and activities involving personal information. Conducting a PIA helps ensure that risks are adequately considered and mitigated before a new initiative is implemented.

Departments must also identify, describe and publicly report on the personal information banks (PIBs) that align with the personal information collected through new or modified programs.

This audit examined whether departments have adequate procedures in place to identify, assess and mitigate privacy impacts and risks for all new or modified programs and activities that involve the use, or intended use, of personal information for administrative purposes (Footnote 3).

PIAs were not always conducted when necessary and were not always timely.

PIAs help ensure that privacy implications are appropriately identified, assessed and resolved before a new, or substantially modified, program or activity that involves the use of personal information is implemented. Departments must conduct a PIA for any new or substantially modified program or activity when personal information is used as, or is intended to be used as, part of a decision-making process.

In general, the departments assessed have specific and enduring mandates. New or substantially revised programs are therefore infrequent. When PIAs were required, however, we found that departments did not always complete them before a new initiative was implemented. In some cases, PIAs were conducted after the program or system was already in place. In other cases, the PIA was started before the initiative was put in place but was not completed or approved before the initiative was launched. In some instances, a PIA was not conducted for new programs and major program redesigns.

The Secretariat has developed a checklist that departments can use to determine whether a PIA is required. Although most departments had adopted this checklist or had developed a similar one, few of them had documented that they were using the checklist, including in cases where a PIA was required or considered.

The absence of a completed PIA leads to the risk that an initiative will be implemented without a thorough consideration of its potential impact on the personal information held by the department.

PIBs are managed in compliance with legislation and policy.

The Privacy Act defines a PIB as "a collection or grouping of personal information." Under the Act, heads of government institutions are required to identify, describe and publicly report their PIBs in Info Source (Footnote 4). Departments must also ensure that they have the legal authority to request, gather and use personal information.

During the scope period, the PIBs in the departments sampled were generally static, reflecting the departments' stable mandates and programs. All of the departments had established the legal authority for their PIBs. All of the departments sampled had informal procedures for managing PIBs, supported by the Secretariat in its oversight role.

Overall, risk management as it relates to the identification, assessment and mitigation of privacy impacts and risks was inconsistent in the departments examined. Given the nature and mandate of the departments examined, the PIBs were static and appropriately managed.

Improvements can be made to ensure that privacy risks are consistently assessed and mitigated. PIAs should be consistently completed and should be conducted in a timely manner.

Recommendations

  1. Departments should ensure that PIAs are considered and conducted appropriately when developing new, or substantially modified, programs and activities.

Finding 3: Management Practices

Strong management practices ensure that personal information under the control of government institutions is protected appropriately.

This audit examined whether departments have effective practices and controls to ensure the adequate handling and protection of personal information. Specifically, controls surrounding information for non-administrative purposes, access rights, privacy notices and breaches were assessed.

Departments generally have appropriate practices to collect, use and disclose personal information for non-administrative purposes.

Under the Policy on Privacy Protection, departments are responsible for establishing a privacy protocol within the government institution for the collection, use or disclosure of personal information for non-administrative purposes. A non-administrative purpose is the use of personal information for a purpose that is not related to any decision-making process that directly affects the individual, for example, for research and statistical purposes.

All but one of the departments assessed have established privacy protocols for the collection, use or disclosure of personal information for non-administrative purposes. With a protocol, the collection, use and disposal of information is more likely to be appropriately managed.

In all of the departments examined in this audit, all references to personal indicators had been appropriately removed from the information collected for non-administrative purposes to ensure that the information was anonymous or was aggregated. By doing so, personal information is more likely to be appropriately protected.

Improvements to the management of access rights are required in some departments.

Departments are responsible for limiting access to and use of personal information by administrative, technical and physical means to protect the information and an individual's privacy.

Most of the departments examined were found to have systems in place to set and administer electronic access rights and physical access rights. However, in some cases, these systems were not always managed in a way that ensured that only those with a need to know had access to files containing personal information. In particular, in some departments, the controls assessed over electronic and physical access rights did not ensure that these rights were maintained (e.g. procedures for providing or removing access rights existed, but no evidence was found that the procedures were being followed) or updated (e.g. no procedures to trigger the removal of access rights when an employee leaves a position). Further, the safeguards surrounding the access controls over physical files containing employees' personal information were examined and found to be insufficient in some departments, as the files could not be tracked once checked out.

As well, in all three departments that had regional offices, access rights were managed more informally in the regions than they were at headquarters. Based on interviews and an examination of established procedures, access to secure file storage areas, for example, was not monitored or restricted.

Privacy notices can be improved.

Departments are responsible for notifying the individual whose personal information is collected of the purpose and authority for the collection, any uses or disclosures that are consistent with the original purpose or unrelated to the original purpose, any legal or administrative consequences for refusing to provide the personal information, and the rights of access to, correction of and protection of personal information under the Privacy Act. This notification is done through privacy notices. Departments are responsible for adapting the privacy notice for either written or verbal communication at the time of collection. Written notices are to include a reference to the PIB described in Info Source.

In most of the departments examined, the privacy notices were sufficient. However, only some departments referenced the related PIB in their privacy notices. Referencing the PIB in a privacy notice gives individuals who submit personal information details on the consequences and uses of that information, and on where to request and obtain information about the personal data a department holds on them.

Similarly, privacy notices should be included in forms used to collect Social Insurance Numbers (SINs) from employees for their employee file, or from contractors in accordance with the Income Tax Act. Although most departments were compliant with the Directive on Social Insurance Number as a whole, some departments were collecting SINs using forms that did not contain privacy notices. Given that the SIN is a key piece of personal information, it is important that individuals are informed through privacy notices of the purpose and authority for collecting this information.

Although privacy breach guidelines were in place in most departments, they were not consistently implemented with respect to documenting and reporting the breaches and remedial actions.

A privacy breach involves the improper or unauthorized collection, use, disclosure, retention or disposal of personal information. A breach may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders. Under the Directive on Privacy Practices, departments are responsible for safeguarding against breaches through effective privacy practices, and establishing a plan for addressing privacy breaches should they occur.

Most of the departments assessed had developed privacy breach guidelines. During the scope period, half of the departments assessed experienced a privacy breach. The nature of the breaches ranged from an individual's personal information being inadvertently posted on a departmental website to an individual's personal information being released to a third party. Interviews with staff and examination of files indicated that remedial action was taken. However, opportunities exist to reinforce the importance of safeguarding personal information and to improve the documentation and reporting of breaches and the remedial actions taken.

Overall, the effectiveness of management practices and controls to ensure adequate handling and protection of personal information varied across departments.

Although the departments examined generally had appropriate practices for managing information for non-administrative purposes, opportunities for improvement exist with respect to access rights, privacy notices, and the documenting and reporting of privacy breaches and remedial actions.

Recommendations

  1. Departments should ensure that access rights are appropriate and effective for the protection of personal information.
  2. Departments should ensure that privacy notices comply with the Directive on Privacy Practices and the Directive on Social Insurance Number.
  3. Departments should ensure that all privacy breaches are managed appropriately. This includes documentation and reporting of the breach and remedial actions taken to address it.

Finding 4: Monitoring and Reporting

Monitoring allows departments to assess whether they are meeting policy and directive requirements in place to support appropriate administration of the Privacy Act. Continuous review and improvement of processes over time helps ensure that the information gathered and processes in place are useful, relevant and provide value to departments.

The audit examined whether departments have adequate procedures in place to ensure consistent monitoring and reporting of the administration of the Privacy Act.

Monitoring is done informally.

Heads or their delegates are responsible for monitoring compliance with the policy as it relates to the administration of the Privacy Act. All of the departments examined indicated that they monitor privacy matters. Given their size and mandate, departments indicated that their monitoring is largely done informally. In some departments that have broader mandates, a more formal monitoring mechanism could assist in reducing the risk of non-compliance with policy and legislative requirements.

Some departments indicated that access to information and privacy (ATIP) coordinators, who have functional responsibility over privacy matters, used general management committees or informal contact with their colleagues in other areas of the organization to keep abreast of changes in the department that might have privacy implications. Similarly, some departments also indicated that the multiple roles and responsibilities of the ATIP coordinator (who often holds the position of Director of Corporate Services or an equivalent position) and the small size of their department made it easier to monitor privacy in their organization.

All of the departments examined indicated that, in accordance with the requirements of the policy, they prepare and table in Parliament an annual report on the administration of the Act. They also indicated that this annual report is their only formal monitoring tool. The report deals primarily with requests made under the Privacy Act. It does not contain information on day-to-day monitoring or information on privacy breaches. All of the departments sampled were generally compliant with the reporting requirements of the policy (that they prepare an annual report on the administration of the Privacy Act).

In two departments, privacy concerns were a standing agenda item at meetings of management-level committees. This regular consideration of privacy matters ensures that management has a mechanism for ongoing monitoring of privacy concerns.

Overall, monitoring at the departmental level is informal and is considered appropriate for most of the departments examined, given their size and mandate. Most departments also met the Secretariat's mandatory reporting requirements.

Opportunities exist to strengthen monitoring mechanisms in some departments.

Recommendations

  1. Departments should assess whether their monitoring mechanisms are appropriate for the size and complexity of the department's mandate and the risks associated with the personal information administered.

Finding 5: Central Agency Guidance

Central agency advice and guidance is required to ensure that departments are implementing the Policy on Privacy Protection as intended and that the requirements are applied consistently across government. Central agency leadership is key to ensuring that departments keep abreast of tools and techniques for protecting personal information in the care of government and that they share their management practices.

The audit assessed whether the Secretariat has procedures in place to fulfill its role of monitoring compliance with the policy, reviewing the policy and providing sufficient guidance to departments.

The Secretariat delivered various outreach activities to departments as needed.

In accordance with the Policy on Privacy Protection, the Secretariat provided leadership, advice, and guidance for departmental implementation of the Policy on Privacy Protection. The Secretariat has an outreach function that presents over 50 information sessions a year to functional specialists across the federal public service. The Secretariat has also published a Privacy Toolkit, which includes guidance documents for consideration of privacy in contracting and in information sharing arrangements.

The Secretariat is fulfilling its monitoring role.

The Policy on Privacy Protection requires that the Secretariat monitor compliance with all aspects of this policy by analyzing and reviewing public reporting documents required under the Privacy Act and other information. The Secretariat reviews the annual reports on the administration of the Act and provides recommendations for improvements. Likewise, the Secretariat reviews the submissions of information on each department's PIBs, which are then published in Info Source. The Secretariat also receives departmental PIAs and assesses them for completeness against the core PIA template provided in Appendix C of the Directive on Privacy Impact Assessment.

The reporting requirements for the annual reports on the administration of the Privacy Act do not require departments to report on the number of privacy breaches incurred, or the overall management of the protection of personal information in the department. It was noted during the audit that the specific nature of the report may limit the gathering of additional information on the broader state of privacy in the government as a whole that could assist the Secretariat's ability to tailor its outreach activities and monitor compliance with policy requirements. Currently, the Secretariat reviews both the annual reports and the Info Source submission for compliance with mandatory reporting requirements. The Secretariat also tracks improvements from year to year and identifies how departments could improve in relation to reporting requirements.

The Secretariat's Management Accountability Framework (MAF) provides a more qualitative review of departmental practices regarding privacy protection through the Privacy subsection of Area of Management 12: Information Management. This Area of Management is not one of the ten core MAF elements but is periodically included as part of the annual departmental MAF exercise, most recently in fiscal year 2006–07. Evidence provided indicated that previous MAF feedback on privacy resulted in enhanced tools and governance in departments.

The Secretariat reviewed the policy and certain related directives five years following the implementation of the policy.

The Policy on Privacy Protection came into effect on April 1, 2008. The Secretariat reviewed the policy in fiscal year 2012–13, as required by the policy itself. That review included a detailed risk assessment. Because the Policy on Privacy Protection is largely based on the legislative requirements set out in the Privacy Act, which was originally passed in Parliament in 1983, only minor modifications were made to the policy. The policy and the related directives may therefore not address the privacy issues associated with the advancements in technology that have occurred over the years. As a result, the Secretariat could address emerging risks through future revisions of the policy or through additional guidance.

The Secretariat provides sufficient guidance to small departments and is fulfilling all of its mandatory roles and responsibilities.

Conclusion

Overall, compliance with the Policy on Privacy Protection and related directives varies across small departments. Compliance allows departments to mitigate privacy impacts and risks by ensuring the effective protection and management of personal information. For that reason, it is important to strengthen accountability structures and controls where opportunities for improvements exist.

Management Response

The findings and recommendations of this audit were presented to each of the eight small departments included in the scope of the audit, as well as to the Secretariat, because of its role as a central agency.

Management has agreed with the findings included in this report and will take action to address all applicable recommendations.

Appendix A: Departments Included in the Audit

The following organizations were examined in the audit. Included for each are the number of PIBs (as of Fall 2012) and a description of PIB holdings beyond the standard PIBs containing employee personal information held by all organizations.

1. Canadian Human Rights Commission (CHRC)

Mandate: The CHRC promotes the core principle of equal opportunity and works to prevent and remedy discrimination in Canada.

Number of PIBs: 51

Nature of PIBs: The CHRC holds personal information of individuals involved in complaints and investigations, as well as discrimination prevention forums organized by the commission.

2. Canadian Transportation Agency (CTA)

Mandate: The CTA is an independent, quasi-judicial tribunal and economic regulator for a wide range of matters involving air, rail and marine modes of transportation under the authority of Parliament, as set out in the Canada Transportation Act and other legislation.

Number of PIBs: 55

Nature of PIBs: The CTA holds personal information of individuals and agents (such as lawyers, consultants and mediators) involved in disputes and investigations.

3. Immigration and Refugee Board of Canada (IRB)

Mandate: The IRB is an independent tribunal established to resolve immigration and refugee cases.

Number of PIBs: 53

Nature of PIBs: The IRB holds personal information related to admissibility hearings and immigration appeals, as well as information on persons who may be contracted to provide interpreter services to the IRB.

4. Library and Archives Canada (LAC)

Mandate: LAC collects and preserves Canada's documentary heritage, and makes it accessible to all Canadians.

Number of PIBs: 93

Nature of PIBs: LAC holds personal information related to a wide variety of Government of Canada activities, such as information on former members of the armed forces and on individuals who have donated to LAC, as well as personal information contained in the documents it holds for other government departments.

5. The National Battlefields Commission (NBC)

Mandate: The objectives of the NBC are to develop the five main components (historic, cultural, recreational, natural and scientific) of National Battlefields Park.

Number of PIBs: 37

Nature of PIBs: The NBC holds personal information related to those who have registered for special activities, volunteered for NBC productions, and donated to the commission.

6. The Office of the Correctional Investigator of Canada (OCI)

Mandate: The OCI is primarily responsible for investigating and resolving individual offender complaints.

Number of PIBs: 49

Nature of PIBs: The OCI holds personal information of current or former federally-sentenced offenders involved in complaints and investigations, as well as individuals involved in the nomination for the Ed McIsaac Human Rights in Corrections Award.

7. Veterans Review and Appeal Board (VRAB)

Mandate: The VRAB has full and exclusive jurisdiction to hear, determine and deal with all applications for review and appeal that may be made to the Board. The Board also adjudicates duty-related pension applications under the authority of the Royal Canadian Mounted Police Pension Continuation Act and the Royal Canadian Mounted Police Superannuation Act.

Number of PIBs: 49

Nature of PIBs: The VRAB holds personal information related to Veterans, members of the Canadian Armed Forces and the Royal Canadian Mounted Police, and their families, in connection with applications for Review, Appeal and Reconsideration, or for compassionate awards.

8. Western Economic Diversification Canada (WD)

Mandate: WD promotes the development and diversification of the economy of Western Canada and advances the interests of the West in national economic policy, program and project development and implementation.

Number of PIBs: 61

Nature of PIBs: WD holds personal information of representatives of clients and/or projects, private sector companies, organizations, associations, other levels of government, and groups that have applied for and/or been approved for funding assistance.

Appendix B: Lines of Enquiry and Related Criteria

The objective of the audit was to assess compliance with the Policy on Privacy Protection (PPP) and related directives.

The audit criteria are presented below, by line of enquiry.

Each line of enquiry is listed with its criteria; the policy source for each criterion is given in parentheses.

Line of Enquiry 1: Accountability
Departments have established clear responsibilities for decision making and managing the operation of the Privacy Act and its regulations.
  1.1 Deputy heads have adequately delegated the duties or functions under the Privacy Act. (Source: PPP 6.1.1)
  1.2 Employees of government institutions who have functional responsibility for the administration of the Privacy Act are aware of policies, procedures and legal responsibilities under the Act. (Source: PPP 6.2.2)
  1.3 Measures are established, when personal information is involved, to ensure that the government institution meets the requirements of the Privacy Act when contracting with private sector organizations, or when establishing agreements or arrangements with public sector organizations. (Source: PPP 6.2.10)
  1.4 Appropriate privacy protection clauses are included in contracts or agreements that may involve intergovernmental or trans-border flows of personal information. (Source: PPP 6.2.11)

Line of Enquiry 2: Management of Privacy Risks
Departments have adequate procedures in place for the identification, assessment and mitigation of privacy impacts and risks for all new or modified programs and activities that involve the use of personal information.
  2.1 Procedures exist to ensure that, when applicable, privacy impact assessments (PIAs) and multi-institutional PIAs are developed, maintained and published. (Source: PPP 6.2.14)
  2.2 Procedures exist to ensure that departments are consulting with TBS on any proposal for the establishment or revocation of an exempt bank, and submitting a specific request to the President of the Treasury Board with regard to the proposal. (Source: PPP 6.2.16)

Line of Enquiry 3: Management Practices
Departments have effective practices and controls to ensure the adequate handling and protection of personal information.
  3.1 Written policies and procedures are in place directing employees of the government institution to manage personal information subject to the Privacy Act. (Source: PPP 6.2.3 to 6.2.7)
  3.2 Procedures are in place to ensure that the Privy Council Office is consulted prior to making decisions to exclude Cabinet confidences. (Source: PPP 6.2.8)
  3.3 Measures are in place to ensure compliance with the specific terms and conditions related to the use of the Social Insurance Number and the specific restrictions with regard to its collection, use and disclosure. (Source: PPP 6.2.13)
  3.4 Departments have established privacy protocols for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, audit and evaluation purposes. (Source: PPP 6.2.15)

Line of Enquiry 4: Monitoring and Reporting
Departments have adequate procedures in place to ensure consistent monitoring and reporting on the administration of the Privacy Act through the institution's annual reports to Parliament.
  4.1 Deputy heads or their delegates ensure that monitoring of compliance with the PPP as it relates to the administration of the Privacy Act is performed. (Source: PPP 6.3.1)
  4.2 Deputy heads or their delegates ensure that all of the reporting requirements under the Privacy Act are respected. (Source: PPP 6.3.2)

Line of Enquiry 5: Central Agency Guidance
The Treasury Board of Canada Secretariat has adequate procedures in place to ensure that government organizations subject to the PPP and its supporting directives receive adequate support and guidance.
  5.1 The Secretariat has procedures in place to monitor compliance with all aspects of the policy. (Source: PPP 6.3.3)
  5.2 The Secretariat will review the policy, its related directives, standards and guidelines, and their effectiveness, five years following the implementation of the policy. When substantiated by risk analysis, the Secretariat will also ensure that an evaluation is conducted. (Source: PPP 6.3.4)
  5.3 The Secretariat adequately discharges its responsibility for issuing direction and guidance to government institutions with respect to the administration of the Privacy Act and the interpretation of the policy. (Source: PPP 8.1)

Appendix C: References

Policies and Directives

  1. Policy on Privacy Protection
  2. Directive on Privacy Practices
  3. Directive on Privacy Impact Assessment
  4. Directive on Social Insurance Number
  5. Directive on Privacy Requests and Correction of Personal Information

Background Material

  1. Info Source
  2. Management Accountability Framework Round IV (2006) – Area of Management 12
  3. Privacy Toolkit
  4. Standard Acquisition Clauses and Conditions (SACC) Manual

Appendix D: Recommendations by Department and Risk Ranking

The full names of the departments are provided in Appendix A. The following table presents the departments to which the audit recommendations apply and assigns risk rankings of high, medium or low to each recommendation. The determination of risk rankings was based on the relative priorities of the recommendations and the extent to which the recommendations indicate non-compliance with Treasury Board policies.

Each recommendation is followed by the small departments to which it applies and its priority.

  1. Departments should ensure that delegation orders are updated and appropriately approved. (Applies to: LAC, NBC. Priority: High)
  2. Departments should ensure that roles and responsibilities are appropriately documented and should ensure that employees are aware of them and have the necessary tools to discharge their responsibilities. (Applies to: LAC, NBC. Priority: High)
  3. Departments should ensure that PIAs are considered and conducted appropriately when developing new, or substantially modified, programs and activities. (Applies to: CTA, IRB, LAC, NBC, OCI, VRAB. Priority: High)
  4. Departments should ensure that access rights are appropriate and effective for the protection of personal information. (Applies to: IRB, LAC, NBC. Priority: High)
  5. Departments should ensure that privacy notices comply with the Directive on Privacy Practices and the Directive on Social Insurance Number. (Applies to: CHRC, CTA, NBC, OCI, WD. Priority: Medium)
  6. Departments should ensure that all privacy breaches are managed appropriately. This includes documentation and reporting of the breach and remedial actions taken to address it. (Applies to: IRB, LAC, NBC. Priority: High)
  7. Departments should assess whether their monitoring mechanisms are appropriate for the size and complexity of the department's mandate and the risks associated with the personal information administered. (Applies to: IRB, LAC. Priority: Medium)