Government of Canada

Foreign Affairs, Trade and Development Canada

www.international.gc.ca

Internal Audit of Management of Personal Information

Final Report
June 2012


Acronyms and Abbreviations

ATIP: Access to Information and Privacy
CFOB: Chief Financial Officer Branch
CIDA: Canadian International Development Agency
EDRMS: Enterprise Document and Records Management System
HRB: Human Resources Branch
IMTB: Information Management Technology Branch
OCAE: Office of the Chief Audit Executive
PIA: Privacy Impact Assessment
PIB: Personal Information Bank
TB: Treasury Board
CSIMS: Corporate Security, Infrastructure and Management Services Division

Executive Summary

In accordance with its approved Risk-Based Audit Plan for 2011-14, the Office of the Chief Audit Executive (OCAE) at the Canadian International Development Agency (CIDA) conducted an internal audit of the Management of Personal Information. The audit objective was to provide reasonable assurance that CIDA complies with the Privacy Act and related Federal Government policies and directives regarding personal information management.

The Privacy Act and related policies and directives support the Government's commitment to ensure that personal information is secured, used and maintained in a consistent and appropriate manner. Expected results include sound management practices made up of policies, procedures, clear responsibilities and accountabilities and a governance structure.

The Agency has an appropriate governance structure for the management of personal information, and work is ongoing on the Agency's Privacy Action Plan. A Privacy Protocol has been developed and approved. The Agency has policies, directives and guides which can be found on the Agency's intranet.

Through a delegation instrument, accountabilities under the Privacy Act have been delegated. While personal information roles and responsibilities have been defined for specific groups across the Agency, all employees have responsibilities under the Privacy Act of which they need to be aware.

Various kinds of training are available across the Agency, including on the requirements of the Treasury Board Policy on Information Management, access controls, and document handling and retention. The Access to Information and Privacy (ATIP) Division provides training to CIDA employees, but this is focussed on access to information rather than privacy. While there is information and guidance on the Agency's website, no regular communication around personal information awareness is in place.

Lack of a Privacy Impact Assessment (PIA) framework has led to PIA requirements not being implemented or clearly understood. A PIA was conducted for Information Management Technology Branch (IMTB) on Human Resources Branch's (HRB's) database for managing employees' information in 2009, but none of the required notification and registration steps were undertaken.

Personal information collected, used and disclosed at the Agency was in line with various requirements of the Privacy Act, Privacy Regulations and TB policies, directives and guides. The Agency has several methods to safeguard physical information, including locked cabinets, operational areas and central records. In addition, the Agency uses an Enterprise Document and Records Management System (EDRMS) together with a specific Human Resources Branch (HRB) database to manage and safeguard personal information.

The report provides detailed findings and recommendations. The list of recommendations and corresponding management action plan are included in Appendix A.

Audit Conclusion

The Agency generally complies with some of the requirements of the Privacy Act and related Federal Government policies and directives regarding personal information management. Several instances were found where controls, processes and procedures were not in place, not consistently applied, or needed to be strengthened. Furthermore, awareness within the Agency of the Privacy Act and related policies and directives could be improved.

Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusion provided and contained in this report. The audit conclusion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The conclusion is applicable only to the entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit and conforms with the International Standards for Professional Practice of Internal Auditing of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the conclusion derived from the internal audit.

Chief Audit Executive


1.0 Background

The Audit of Management of Personal Information was part of the 2011-14 Risk-Based Audit Plan recommended by the Audit Committee, and approved by the President on March 25, 2011. This audit was initiated as a follow-up to preliminary work undertaken by the OCAE in 2007, which identified specific gaps in the management of personal information at CIDA. Since then, work has been ongoing on an Agency-wide Privacy Action Plan and Framework.

The Privacy Act and related policies and directives support the Government's commitment to protect the privacy of individuals with respect to personal information held by Government institutions, and to provide right of access to that information. For CIDA, these individuals include employees, consultants, cooperants and interns. As the management of personal information is the responsibility of all CIDA employees, we examined not only the ATIP Division, but also the processes and procedures across Agency branches which have responsibilities relating to the management of personal information.

The Privacy Act and Privacy Regulations provide the legal framework for the collection, retention, use and disclosure of personal information, and apply to federal government institutions. In addition to the Privacy Act and Privacy Regulations, there are several TB policies and directives which impact directly on privacy and personal information, including:

  • Policy on Privacy Protection;
  • Policy on Government Security;
  • Policy on Information Management;
  • Directive on Privacy Practices;
  • Directive on Privacy Impact Assessment; and
  • Guidelines for Privacy Breaches

The Policy on Privacy Protection and Directive on Privacy Practices specify federal institution requirements with regard to sound management practices (including policies and protocols), clear responsibilities (including accountabilities), privacy awareness (including training, awareness and communication), as well as monitoring compliance and public reporting. Under the Privacy Act, institutions have monitoring and reporting requirements, including the responsibility to prepare an annual report to Parliament. This report, on the administration of the Act, must also be provided to the Treasury Board. Further, institutions are required to prepare new or modified personal information banks (PIB) descriptions and report to TB on these, as well as provide a statistical report on their administration of the Privacy Act.

Treasury Board and Office of the Privacy Commissioner

TB provides direction and guidance to government institutions with respect to the administration of the Privacy Act and the interpretation of related policies. As part of its administrative role, TB publishes an annual index of personal information, reviews new and modified PIBs, and assigns registration numbers to new PIBs.

The Office of the Privacy Commissioner is responsible for enforcing the Privacy Act as well as ensuring the gathering and handling of personal information in the public sector does not violate the privacy rights of Canadians.

Personal Information across the Agency

Management of personal information across the Agency is coordinated by the ATIP Division within the Corporate Secretariat. The ATIP Division is accountable for developing and ensuring compliance with policies, procedures and guidelines, and for promoting awareness of the Privacy Act. The Information Management and Technology Branch (IMTB), and the Corporate Security, Infrastructure and Management Services Division (CSIMS) of the Chief Financial Officer Branch (CFOB), support sound management practices in the handling of information, including personal information, and provide guidance and control measures. Business owners of PIBs are accountable for proper processing, which includes collection, use, disclosure, safeguarding, retention and disposal. All Agency employees have a responsibility to ensure that personal information is secured, used and maintained according to the policies, procedures and guidelines.

CIDA's Privacy Action Plan

Following preliminary work undertaken by the OCAE in 2007, the Agency developed a Privacy Action Plan with 15 actions. According to the most recent status update of the Privacy Action Plan in October 2011, there has been some progress towards completion of the 15 actions, including the completion and approval of the Agency's Privacy Protocol and the review and update of the ATIP Liaison job descriptions. However, most of the key elements, such as building privacy compliance across the Agency and the Privacy Awareness Campaign, are either ongoing or have been postponed.

2.0 Audit Objective, Scope, Approach and Criteria

2.1 Objective

To provide reasonable assurance that CIDA complies with the Privacy Act and related Federal Government policies and directives regarding personal information management.

2.2 Scope

The scope for this audit was developed initially as a follow-up to the preliminary work undertaken by the OCAE in 2007. After a risk assessment/control identification undertaken by the OCAE, it was decided to include compliance criteria around the collection, use and disclosure, and safeguarding of personal information across the Agency. The ATIP Division has an established and documented process for answering personal information requests, with only a minimal number of requests received each year. We therefore considered ATIP personal information requests to be a low-risk area, and only limited work was undertaken in this regard. It was also determined that only limited work would be conducted around retention and disposal, as this will be covered in the audit of information management which is part of the 2012-15 Risk-Based Audit Plan.

2.3 Approach and Methodology

The Audit of Management of Personal Information was conducted in accordance with TB policy, directives and standards on internal audit, and conforms to the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the conclusion derived from the internal audit.

The audit methodology included, but was not limited to:

  • Reviewing relevant TB and Agency policies, guidelines and instructions;
  • Reviewing the ongoing and completed work relating to the Agency's Privacy Action Plan;
  • Interviewing representatives of ATIP Division, IMTB, CSIMS Division of CFOB, HRB, the Grants Contributions and Contracting Management Division of CFOB (both for professional services contracts and cooperants), Partnerships with Canadians Branch and Corporate Secretariat;
  • File testing [Footnote 1] conducted in HRB based on a judgmental sample;
  • Gathering of information and analysis; and
  • Validating of key findings.

2.4 Audit Criteria

The audit criteria are the benchmarks used to assess the adequacy and effectiveness of the management of personal information across the Agency. The criteria were developed after conducting a risk assessment, and are based on the requirements of the Privacy Act, Privacy Regulations and various TB directives, policies and guidelines. The audit criteria were provided to the auditees and are presented in Appendix B.


3.0 Main Audit Findings and Recommendations

3.1 Privacy Framework

The Privacy Act and Privacy Regulations form the legislative basis for the handling of personal information. In addition, there are TB policies, directives and guides, which further describe the requirements under the Privacy Act and Privacy Regulations. Specifically, the TB Policy on Privacy Protection has, amongst its expected results, sound management practices with respect to the handling and protection of personal information. These practices include policies, procedures, clear responsibilities and accountabilities, training and awareness, and reporting and monitoring. The training and awareness component should also include a communication plan (including deliverables and timeframes) to ensure that all those involved in the handling of personal information have the tools and resources to carry out their responsibilities. As with all legislation, policies and directives, there are various reporting requirements for monitoring compliance. Specifically, the Directive on Privacy Practices facilitates the implementation and public reporting of consistent and sound privacy management practices.

Governance

The Agency has an appropriate governance structure for the management of privacy and personal information. Management Board [Footnote 2], Corporate Management Committee and IM/IT Senior Advisory Committee have clear Terms of Reference with specific elements related to privacy and personal information. We found that the updates on the Privacy Action Plan were tabled and discussed at Corporate Management Committee.

Policies and Procedures

Policies, procedures and guidelines aid staff to effectively discharge their personal information responsibilities. We found that the Agency's Privacy Protocol had been tabled and approved at Management Board in February 2012. The Protocol is intended to ensure that the collection, use or disclosure of non-administrative personal information is carried out in compliance with the Privacy Act, the Privacy Regulations and TB Directive on Privacy Procedures. The Agency has several CIDA guides, policies and directives which include a personal information component. These include the Information Security Guide and Policy on Information Assurance. To date, both the CIDA Privacy Breach Guidelines and the CIDA Security Policy remain in draft.

Accountabilities, Roles and Responsibilities

All employees have responsibilities under the Privacy Act for the management and handling of personal information, and need to be aware of these. The Privacy Action Plan states that privacy responsibilities need to be assigned strategically across the Agency. At a senior level, we found that accountabilities under the Privacy Act have been delegated through a delegation instrument. This instrument delegates responsibilities and accountabilities to the President, the Corporate Secretary and the Agency ATIP Coordinator. Further, the day-to-day administrative responsibilities of the Privacy Act have been delegated to the Agency ATIP Coordinator. We found that personal information roles and responsibilities have been defined for specific groups across the Agency (including ATIP Division, Human Resources, and ATIP liaison officers). Generic job descriptions of support staff (including CR-04, AS-01 to AS-04) have been amended to include specific personal information responsibilities.

Training, Awareness and Communication

Training at the Agency includes components of privacy and the handling of personal information. Training provided by IMTB includes the requirements of the TB Policy on Information Management. However, it includes only a limited component on the handling of personal information. IMTB also provides EDRMS [Footnote 3] training on access controls, document handling and retention. In addition, the ATIP Division provides targeted training to ATIP liaison officers across the Agency. We found, however, that this training focussed on the process for access to information requests, rather than privacy and personal information. The ATIP Division is also responsible for providing an ATIP awareness session, which again is focussed on access to information rather than privacy. Recently, an awareness campaign around security, information management and ATIP was undertaken.

All new employees must undertake EDRMS training in which access controls and handling of information, including sensitive and personal information, are discussed. This training provides staff with the necessary tools to correctly use EDRMS and ensure protection of the information contained therein.

The Agency has several CIDA guides, policies, directives and other guidance documents that include personal information and privacy components, and these can be found on the Agency's intranet site, specifically on the Corporate Secretariat, IMTB and Departmental Security sites. We found that the ATIP Division's intranet page includes links to the Privacy Act and the Privacy Protocol, while the Departmental Security site has a link to the TB Government Security Policy. We found, however, that there is no regular communication to CIDA employees to improve awareness of the importance of appropriate handling of personal information and of the resources available online.

The TB Guidelines for Privacy Breaches define a privacy breach as involving improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. Further, the guidelines detail several situations which could lead to a privacy breach. These include inadequate security and access controls for information in hard or electronic format, insufficient measures to control access and editing rights to personal information, and low level of privacy awareness among institutional staff that handle personal information.

We found, through testing, that a small number of performance appraisals held within EDRMS did not have appropriate access controls, and could therefore be accessed by those without a 'need to know'. Once this issue was identified by the audit, the Chief Information Officer conducted an investigation and immediately ensured corrective action was taken. Further, the ATIP coordinator has ensured that the necessary follow-up is being undertaken.

Recommendation 1

A privacy awareness program, including a communication plan with clear deliverables and timeframes, should be developed and implemented.

Monitoring and Reporting

Privacy Impact Assessment

The TB Directive on Privacy Impact Assessment provides guidance to ensure privacy implications are appropriately identified, assessed and resolved on new or substantially modified programs or activities involving personal information.

Requirements of the directive include establishing a Privacy Impact Assessment (PIA) framework which takes into consideration the responsibility for establishing Personal Information Banks (PIBs), and is commensurate with the level of risk related to privacy and the program or activity undertaken. A PIA should be initiated:

  • For a program or activity when personal information is used for or is intended to be used as part of a decision making process that directly affects the individual;
  • Upon modification to existing programs or activities where personal information is used or intended to be used for an administrative purpose; and
  • When contracting out or transferring a program or activities to another level of government or the private sector.

We found that although a PIA [Footnote 4] was completed in 2009 on HRB's database for managing employees' information, the required notification and registration steps were not undertaken [Footnote 5]. Further, due to a lack of a formal and communicated PIA framework [Footnote 6], and a lack of awareness of the PIA requirements, we found some new Agency programs, such as the Global Citizens Program within Partnerships with Canadians Branch, have not undertaken a PIA for their new call for proposal process.

While we identified some of the required components for TB reporting, there were no formal mechanisms (PIA framework, internal reporting on personal information) in place to effectively monitor and report on the management of personal information across the Agency.

Personal Information Banks

All personal information under the Agency's control should be identified and described in classes of personal information or in PIBs. Any development process for new or substantially modified PIBs should be aligned with the development and approval of the Privacy Impact Assessment (PIA).

The Agency is required to provide, to TB, an annual update of current, new or amended PIBs. The Agency last provided an update in 2011. TB uses published PIAs, updates to PIBs, and annual reports for monitoring compliance with the Privacy Act and in conducting Management Accountability Framework assessments.

Monitoring

In order to ensure effective protection and management of personal information, the TB Policy on Privacy Protection states that institutions should identify, assess, monitor and mitigate privacy risks. In addition, the TB Policy on Government Security states that the management of security, including security of information, requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls. These mechanisms could include security sweeps of operational areas, self-audits and regular monitoring of access controls. Recently, ATIP Division's efforts have been dedicated to the large volume of Agency ATIP requests, the requirements of public reporting and the implementation of the Privacy Action Plan, and as such, we were unable to identify evidence of personal information monitoring activities.

Recommendation 2

Mechanisms should be developed, including a privacy impact assessment framework, to ensure that the Agency complies with TB monitoring, reporting and notification requirements relating to the management of personal information.

3.2 Administration of Personal Information

Collection

We found that personal information collected related directly to an Agency activity, and was collected directly from individuals, with the appropriate consent. In addition, we found that the intended purpose for the collection was clearly stated. The Agency uses the prescribed Government of Canada and TB forms when collecting paper-based information from individuals. When information is collected in electronic format, the Agency includes a privacy disclaimer with clearly stated intended purposes.

Use and Disclosure

We found that the personal information under the Agency's control was only used or disclosed with the consent of the individual to whom it relates.

Safeguarding

In order to ensure that personal information is only accessible and used by authorized employees, controls should be appropriate to safeguard the information. The Agency has several methods to safeguard physical or electronic information, including locked cabinets, an employee pass system to enter operational areas, a central records office and EDRMS.

We found that the Compensation and Benefits section within HRB has a secured operational area accessible only by authorized employees. In addition, access to electronic files concerning employees, maintained by HRB, was appropriately controlled. We found, however, that certain branch staff who require access to information on employees within their branch could access information on all employees within the Agency. Management Board is aware of this issue and corrective action is being taken.

Appendix A: List of Recommendations and Management Action Plan

Recommendation 1: A privacy awareness program, including a communication plan with clear deliverables and timeframes, should be developed and implemented.
Responsibility: Corporate Secretary
Proposed Management Measures:
  • Review ongoing training sessions and raise privacy awareness;
    • To add to the existing employee training efforts to build awareness on Access to Information obligations, the ATIP Office will include 2-3 slides on privacy compliance every time it conducts general or specific training presentations to CIDA employees. The ATIP Office will explore different ways to raise awareness among CIDA employees in 2012-2013 such as, for example, awareness campaigns (e.g. Entre-Nous messages, information kiosk in the Lobby), working with communications, information management and others to move this forward.
Target Date: Sept.-Oct. 2012
  • Develop an online privacy training tool (session for all employees)
    • In addition to in-person training, the ATIP Office will explore ways to offer a training session for all employees, whether at first login on a workstation and/or on the ATIP intranet webpage, and will work with communications, information management and IT to implement this tool.
  • The ATIP office has recently dedicated a senior resource to focus more specifically on further advancing the implementation of the Privacy Action Plan in a timely manner to ensure CIDA improves its compliance with the Privacy Act. This includes addressing these audit recommendations.
Target Date: April 2013

Recommendation 2: Mechanisms should be developed, including a privacy impact assessment framework, to monitor and report on the management of personal information.
Responsibility: Corporate Secretary
Proposed Management Measures:
  • Establish a Privacy Impact Assessment Framework (including a PIA status table, training, etc.)
    • Building on existing work undertaken since 2010 under the Privacy Action Plan, including the Privacy Protocol, the ATIP Office will establish a privacy impact assessment framework and provide clearer guidelines for Branches to comply with the Treasury Board Secretariat (TBS) Directive on Privacy Impact Assessment. The CIDA PIA Framework will, among other things, feature an inventory of PIAs that have been completed, are being completed and need to be initiated.
Target Date: April 2013
  • Develop a questionnaire to help determine when PIAs are required and to facilitate better coordination with the Certification Accreditation Program (CAP) process, in line with new guidelines in the April 2010 TBS directive on PIAs (April 2013)
    • The ATIP Office will develop a questionnaire to help units in CIDA identify areas where PIAs are required and steps that explain the process to complete these within the CAP process.
  • The ATIP office has recently dedicated a senior resource to focus more specifically on further advancing the implementation of the Privacy Action Plan in a timely manner to ensure CIDA improves its compliance with the Privacy Act. This includes addressing these audit recommendations.
Target Date: April 2013

Appendix B: Audit Criteria

1.0 The Agency has a Privacy Framework in place supporting the effective management of personal information.

2.0 The Agency is effectively processing personal information in compliance with the Privacy Act and related Federal Government policies and directives regarding Personal Information Management.

Footnotes

Footnote 1

File testing was limited to HRB as the consultants' and cooperants' databases were being wound up. A management decision to move these to arm's length has been made.

Footnote 2

Management Board is CIDA's senior forum for:
  • Strategic direction-setting for the Agency;
  • Official-level decision-making on all corporate policy, program and management issues in CIDA; and
  • Oversight of CIDA activities and performance.

Footnote 3

Enterprise Document and Records Management System, which is CIDA's electronic document management system.


Footnote 4

A PIA was completed in 2009 on behalf of IMTB; it identified potential risks and the personal information banks held within the database.

Footnote 5

The requirements in 2009 came from the Privacy Impact Assessment Policy (now replaced by the Directive on Privacy Impact Assessments). The required steps at the time were to make summaries of the PIA results available to the public in a timely manner, ensure descriptions of PIBs are accurate and up to date and provide a final copy of PIA to the Privacy Commissioner.


Footnote 6

Per TB Directive on Privacy Impact Assessment, heads of government institutions are responsible for establishing a PIA framework. This framework should include a development and approval process which takes into consideration the responsibility within the institution for establishing PIBs, and is commensurate with the level of risk of the program or activity. Further, the PIA once complete should be approved, posted on the Agency website, and the report provided to TB and Office of the Privacy Commissioner.
