In accordance with its approved Risk-Based Audit Plan for 2011-14, the Office of the Chief Audit Executive (OCAE) at the Canadian International Development Agency (CIDA) conducted an internal audit of the Management of Personal Information. The audit objective was to provide reasonable assurance that CIDA complies with the Privacy Act and related Federal Government policies and directives regarding personal information management.
The Privacy Act and related policies and directives support the Government's commitment to ensure that personal information is secured, used and maintained in a consistent and appropriate manner. Expected results include sound management practices made up of policies, procedures, clear responsibilities and accountabilities and a governance structure.
The Agency has an appropriate governance structure for the management of personal information, and work is ongoing on the Agency's Privacy Action Plan. A Privacy Protocol has been developed and approved. The Agency has policies, directives and guides which can be found on the Agency's intranet.
Through a delegation instrument, accountabilities under the Privacy Act have been delegated. While personal information roles and responsibilities have been defined for specific groups across the Agency, all employees have responsibilities under the Privacy Act of which they need to be aware.
Various kinds of training are available across the Agency, including on the requirements of the Treasury Board Policy on Information Management, access controls, and document handling and retention. The Access to Information and Privacy (ATIP) Division provides training to CIDA employees, but this is focussed on access to information rather than privacy. While there is information and guidance on the Agency's website, no regular communication around personal information awareness is in place.
Lack of a Privacy Impact Assessment (PIA) framework has led to PIA requirements not being implemented or clearly understood. A PIA was conducted for Information Management Technology Branch (IMTB) on Human Resources Branch's (HRB's) database for managing employees' information in 2009, but none of the required notification and registration steps were undertaken.
Personal Information collected, used and disclosed at the Agency was in line with various requirements of the Privacy Act, Privacy Regulations and TB policies, directives and guides. The Agency has several methods to safeguard physical information including locked cabinets, operational areas and central records. In addition, the Agency uses an Enterprise Document and Records Management System (EDRMS) together with a specific Human Resources Branch (HRB) database to manage and safeguard personal information.
The report provides detailed findings and recommendations. The list of recommendations and corresponding management action plan are included in Appendix A.
The Agency generally complies with some of the requirements of the Privacy Act and related Federal Government policies and directives regarding personal information management. Several instances were found where controls, processes and procedures were not in place, not consistently applied, or needed to be strengthened. Furthermore, awareness within the Agency of the Privacy Act and related policies and directives could be improved.
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusion provided and contained in this report. The audit conclusion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The conclusion is applicable only to the entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit and conforms with the International Standards for Professional Practice of Internal Auditing of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the conclusion derived from the internal audit.
Chief Audit Executive
The Audit of Management of Personal Information was part of the 2011-14 Risk-Based Audit Plan recommended by the Audit Committee, and approved by the President on March 25, 2011. This audit was initiated as a follow-up to preliminary work undertaken by the OCAE in 2007, which identified specific gaps in the management of personal information at CIDA. Since then, work has been ongoing on an Agency-wide Privacy Action Plan and Framework.
The Privacy Act and related policies and directives support the Government's commitment to protect the privacy of individuals with respect to personal information held by Government institutions, and to provide right of access to that information. For CIDA, these individuals include employees, consultants, cooperants and interns. As the management of personal information is the responsibility of all CIDA employees, we examined not only the ATIP Division, but also the processes and procedures across Agency branches which have responsibilities relating to the management of personal information.
The Privacy Act and Privacy Regulations provide the legal framework for the collection, retention, use and disclosure of personal information, and apply to federal government institutions. In addition to the Privacy Act and Privacy Regulations, there are several TB policies and directives which impact directly on privacy and personal information, including:
The Policy on Privacy Protection and Directive on Privacy Practices specify federal institution requirements with regard to sound management practices (including policies and protocols), clear responsibilities (including accountabilities), privacy awareness (including training, awareness and communication), as well as monitoring compliance and public reporting. Under the Privacy Act, institutions have monitoring and reporting requirements, including the responsibility to prepare an annual report to Parliament. This report, on the administration of the Act, must also be provided to the Treasury Board. Further, institutions are required to prepare new or modified personal information banks (PIB) descriptions and report to TB on these, as well as provide a statistical report on their administration of the Privacy Act.
TB provides direction and guidance to government institutions with respect to the administration of the Privacy Act and the interpretation of related policies. As part of its administrative role, TB publishes an annual index of personal information, reviews new and modified PIBs, and assigns registration numbers to new PIBs.
The Office of the Privacy Commissioner is responsible for enforcing the Privacy Act as well as ensuring the gathering and handling of personal information in the public sector does not violate the privacy rights of Canadians.
Management of personal information across the Agency is coordinated by the ATIP Division within the Corporate Secretariat. The ATIP Division is accountable for developing and ensuring compliance with policies, procedures and guidelines, and for promoting awareness of the Privacy Act. The Information Management and Technology Branch (IMTB), and the Corporate Security, Infrastructure and Management Services Division (CSIMS) of the Chief Financial Officer Branch (CFOB), support sound management practices in the handling of information, including personal information, and provide guidance and control measures. Business owners of PIBs are accountable for proper processing which includes collection, use, disclosure, safeguard, retention and disposal. All Agency employees have a responsibility to ensure that personal information is secured, used and maintained according to the policies, procedures and guidelines.
Following preliminary work undertaken by the OCAE in 2007, the Agency developed a Privacy Action Plan with 15 actions. According to the most recent status update of the Privacy Action Plan in October 2011, there has been some progress towards completion of the 15 actions, including the completion and approval of the Agency's Privacy Protocol and the review and update of the ATIP Liaison job descriptions. However, most of the key elements, such as building privacy compliance across the Agency and the Privacy Awareness Campaign, are either ongoing or have been postponed.
To provide reasonable assurance that CIDA complies with the Privacy Act and related Federal Government policies and directives regarding personal information management.
The scope for this audit was developed initially as a follow-up to the preliminary work undertaken by the OCAE in 2007. After a risk assessment/control identification undertaken by the OCAE, it was decided to include compliance criteria around the collection, use and disclosure, and safeguarding of personal information across the Agency. The ATIP Division has an established and documented process for answering personal information requests, with only a minimal number of requests received each year. We therefore considered ATIP personal information requests to be a low-risk area, and only limited work was undertaken in this regard. It was also determined that only limited work would be conducted around retention and disposal, as this will be covered in the audit of information management which is part of the 2012-15 Risk-Based Audit Plan.
The Audit of Management of Personal Information was conducted in accordance with TB policy, directives and standards on internal audit, and conforms to the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the conclusion derived from the internal audit.
The audit methodology included, but was not limited to:
The audit criteria are the benchmarks used to assess the adequacy and effectiveness of the management of personal information across the Agency. The criteria were developed after conducting a risk assessment, and are based on the requirements of the Privacy Act, Privacy Regulations and various TB directives, policies and guidelines. The audit criteria were provided to the auditees and are presented in Appendix B.
The Privacy Act and Privacy Regulations form the legislative basis for the handling of personal information. In addition, there are TB policies, directives and guides, which further describe the requirements under the Privacy Act and Privacy Regulations. Specifically, the TB Policy on Privacy Protection has, amongst its expected results, sound management practices with respect to the handling and protection of personal information. These practices include policies, procedures, clear responsibilities and accountabilities, training and awareness, and reporting and monitoring. The training and awareness component should also include a communication plan (including deliverables and timeframes) to ensure that all those involved in the handling of personal information have the tools and resources to carry out their responsibilities. As with all legislation, policies and directives, there are various reporting requirements for monitoring compliance. Specifically, the Directive on Privacy Practices facilitates the implementation and public reporting of consistent and sound privacy management practices.
The Agency has an appropriate governance structure for the management of privacy and personal information. Management Board (Footnote 2), Corporate Management Committee and IM/IT Senior Advisory Committee have clear Terms of Reference with specific elements related to privacy and personal information. We found that the updates on the Privacy Action Plan were tabled and discussed at Corporate Management Committee.
Policies, procedures and guidelines aid staff to effectively discharge their personal information responsibilities. We found that the Agency's Privacy Protocol had been tabled and approved at Management Board in February 2012. The Protocol is intended to ensure that the collection, use or disclosure of non-administrative personal information is carried out in compliance with the Privacy Act, the Privacy Regulations and TB Directive on Privacy Procedures. The Agency has several CIDA guides, policies and directives which include a personal information component. These include the Information Security Guide and Policy on Information Assurance. To date, both the CIDA Privacy Breach Guidelines and the CIDA Security Policy remain in draft.
All employees have responsibilities under the Privacy Act for the management and handling of personal information, and need to be aware of these. The Privacy Action Plan states that privacy responsibilities need to be assigned strategically across the Agency. At a senior level, we found that accountabilities under the Privacy Act have been delegated through a delegation instrument. This instrument delegates responsibilities and accountabilities to the President, the Corporate Secretary and the Agency ATIP Coordinator. Further, the day-to-day administrative responsibilities of the Privacy Act have been delegated to the Agency ATIP Coordinator. We found that personal information roles and responsibilities have been defined for specific groups across the Agency (including ATIP Division, Human Resources, and ATIP liaison officers). Generic job descriptions of support staff (including CR-04, AS-01 to AS-04) have been amended to include specific personal information responsibilities.
Training at the Agency includes components of privacy and the handling of personal information. Training provided by IMTB includes the requirements of the TB Policy on Information Management. However, it includes only a limited component on the handling of personal information. IMTB also provides EDRMS (Footnote 3) training on access controls, document handling and retention. In addition, the ATIP Division provides targeted training to ATIP liaison officers across the Agency. We found, however, that this training focussed on the process for access to information requests, rather than privacy and personal information. The ATIP Division is also responsible for providing an ATIP awareness session, which again is focussed on access to information rather than privacy. Recently, an awareness campaign around security, information management and ATIP was undertaken.
All new employees must undertake EDRMS training in which access controls and handling of information, including sensitive and personal information, are discussed. This training provides staff with the necessary tools to correctly use EDRMS and ensure protection of the information contained therein.
The Agency has several CIDA guides, policies, directives and other guidance which include personal information and privacy components, and these can be found on the Agency's intranet site, on the Corporate Secretariat, IMTB and Departmental Security pages. We found that the ATIP Division's intranet page includes links to the Privacy Act and the Privacy Protocol, while the Departmental Security site has a link to the TB Government Security Policy. We found, however, that there is no regular communication to CIDA employees to improve awareness of the importance of appropriate handling of personal information and of the resources available online.
The TB Guidelines for Privacy Breaches define a privacy breach as involving improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. Further, the guidelines detail several situations which could lead to a privacy breach. These include inadequate security and access controls for information in hard or electronic format, insufficient measures to control access and editing rights to personal information, and low level of privacy awareness among institutional staff that handle personal information.
We found, through testing, that a small number of performance appraisals held within EDRMS did not have appropriate access controls, and could therefore be accessed by those without a 'need to know'. Once this issue was identified by the audit, the Chief Information Officer conducted an investigation and immediately ensured corrective action was taken. Further, the ATIP coordinator has ensured that the necessary required follow-up is being undertaken.
A privacy awareness program, including a communication plan with clear deliverables and timeframes should be developed and implemented.
The TB Directive on Privacy Impact Assessment provides guidance to ensure privacy implications are appropriately identified, assessed and resolved on new or substantially modified programs or activities involving personal information.
Requirements of the directive include establishing a Privacy Impact Assessment (PIA) framework which takes into consideration the responsibility for establishing Personal Information Banks (PIBs), and is commensurate with the level of risk related to privacy and the program or activity undertaken. A PIA should be initiated:
We found that although a PIA (Footnote 4) was completed in 2009 on HRB's database for managing employees' information, the required notification and registration steps were not undertaken (Footnote 5). Further, due to a lack of a formal and communicated PIA framework (Footnote 6), and a lack of awareness of the PIA requirements, we found some new Agency programs, such as the Global Citizens Program within Partnerships with Canadians Branch, have not undertaken a PIA for their new call for proposal process.
While we identified some of the required components for TB reporting, there were no formal mechanisms (PIA framework, internal reporting on personal information) in place to effectively monitor and report on the management of personal information across the Agency.
All personal information under the Agency's control should be identified and described in classes of personal information or in PIBs. Any development process for new or substantially modified PIBs should be aligned with the development and approval of the Privacy Impact Assessment (PIA).
The Agency is required to provide, to TB, an annual update of current, new or amended PIBs. The Agency last provided an update in 2011. TB uses published PIAs, updates to PIBs, and annual reports for monitoring compliance with the Privacy Act and in conducting Management Accountability Framework assessments.
In order to ensure effective protection and management of personal information, the TB Policy on Privacy Protection states that institutions should identify, assess, monitor and mitigate privacy risks. In addition, the TB Policy on Government Security states that the management of security, including security of information, requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls. These mechanisms could include security sweeps of operational areas, self-audits and regular monitoring of access controls. Recently, ATIP Division's efforts have been dedicated to the large volume of Agency ATIP requests, the requirements of public reporting and the implementation of the Privacy Action Plan, and as such, we were unable to identify evidence of personal information monitoring activities.
Mechanisms should be developed, including a privacy impact assessment framework, to ensure that the Agency complies with TB monitoring, reporting and notification requirements relating to the management of personal information.
We found that personal information collected related directly to an Agency activity, and was collected directly from individuals, with the appropriate consent. In addition, we found that the intended purpose for the collection was clearly stated. The Agency uses the prescribed Government of Canada and TB forms when collecting paper-based information from individuals. When information is collected in electronic format, the Agency includes a privacy disclaimer with clearly stated intended purposes.
We found that the personal information under the Agency's control was only used or disclosed with the consent of the individual to whom it relates.
In order to ensure that personal information is only accessible and used by authorized employees, controls should be appropriate to safeguard the information. The Agency has several methods to safeguard physical or electronic information, including locked cabinets, an employee pass system to enter operational areas, a central records office and EDRMS.
We found that the Compensation and Benefits section within HRB has a secured operational area accessible only by authorized employees. In addition, access to electronic files concerning employees, maintained by HRB, was appropriately controlled. We found, however, that certain branch staff who require access to information on employees within their branch could access information on all employees within the Agency. Management Board is aware of this issue and corrective action is being taken.
| Recommendation | Responsibility | Proposed Management Measures | Target Date |
|---|---|---|---|
| 1. A privacy awareness program, including a communication plan with clear deliverables and timeframes, should be developed and implemented. | Corporate Secretary | | Sept.-Oct. 2012 |
| 2. Mechanisms should be developed, including a privacy impact assessment framework, to monitor and report on the management of personal information. | Corporate Secretary | | |
1.0 The Agency has a Privacy Framework in place supporting the effective management of personal information.
2.0 The Agency is effectively processing personal information in compliance with the Privacy Act and related Federal Government policies and directives regarding Personal Information Management.
Footnote 1: File testing was limited to HRB as the consultants' and cooperants' databases were being wound up. A management decision to move these to arm's length has been made.
Footnote 2: Management Board is CIDA's senior forum for:
• Strategic direction-setting for the Agency;
• Official-level decision-making on all corporate policy, program and management issues in CIDA; and
• Oversight of CIDA activities and performance.
Footnote 3: Enterprise Document and Records Management System, which is CIDA's electronic document management system.
Footnote 4: The PIA was completed in 2009 on behalf of IMTB and identified potential risks and the personal information banks held within the database.
Footnote 5: The requirements in 2009 came from the Privacy Impact Assessment Policy (now replaced by the Directive on Privacy Impact Assessments). The required steps at the time were to make summaries of the PIA results available to the public in a timely manner, ensure descriptions of PIBs are accurate and up to date, and provide a final copy of the PIA to the Privacy Commissioner.
Footnote 6: Per the TB Directive on Privacy Impact Assessment, heads of government institutions are responsible for establishing a PIA framework. This framework should include a development and approval process which takes into consideration the responsibility within the institution for establishing PIBs, and is commensurate with the level of risk of the program or activity. Further, the PIA, once complete, should be approved, posted on the Agency website, and the report provided to TB and the Office of the Privacy Commissioner.