Audit of Access to Information and Privacy (ATIP) Management
Date: June, 2014
Project #: 14-02
Table of contents
- Acronyms
- Executive Summary
- 1. Background
- 2. Audit Objective and Scope
- 3. Approach and Methodology
- 4. Conclusion
- 5. Findings and Recommendations
- 6. Management Action Plan
- Appendix A: Audit Criteria
- Appendix B: Assessment Against Treasury Board Best Practices
- Appendix C: Relevant Legislation, Regulations, Directives and Guidance
Acronyms
| Acronym | Definition |
|---|---|
| AANDC | Aboriginal Affairs and Northern Development Canada |
| ADM | Assistant Deputy Minister |
| ALO | ATIP Liaison Officer |
| ATIP | Access to Information and Privacy |
| ATI | Access to Information |
| ATP | Access to Privacy |
| FTE | Full Time Equivalents |
| HRSDC | Human Resources and Skills Development Canada |
| OIC | Office of the Information Commissioner |
| PIA | Privacy Impact Assessment |
Executive Summary
Background
An Audit of Access to Information and Privacy (ATIP) Management was included in Aboriginal Affairs and Northern Development Canada's ("AANDC's" or the "Department's") 2014-2015 to 2016-2017 Risk-Based Audit Plan, approved by the Deputy Minister on February 6, 2014. This audit was identified as a priority as there has not been a recent audit of this area and because of the inherent complexity of ATIP management due to a number of factors including:
- Legislative requirements;
- Number of stakeholders in the process;
- Unpredictability of requests in both complexity and volume; and
- Visibility and potential impact on the Department.
The legislative requirements applicable to ATIP are contained within the Access to Information (ATI) Act and the Privacy Act. Both have been in place in Canada since 1983 and apply to all government institutions listed in Schedule I of the respective Acts. The purpose of the ATI Act is to provide a right of access to information under the control of the Government of Canada, based on the principles that government information should be available to the public and necessary exceptions to the right of access should be limited and specific. In addition, the Act establishes that decisions on the disclosure of information should be reviewed independently of government by the Office of the Information Commissioner of Canada (OIC). The Privacy Act was enacted to extend the laws that protect the privacy of individuals with respect to the personal information held and controlled by the Government of Canada, and to provide a right of access to that information.
The management of AANDC's ATIP requests is carried out by the Department's ATIP Directorate, which falls under the mandate of the Corporate Secretariat. The ATIP Director reports to the Department's Corporate Secretary, who in turn reports to the Deputy Minister. The ATIP Directorate has corporate responsibility for providing a diverse range of support and services, including responses to access to information and privacy requests. The Directorate establishes policies, procedures and practices related to departmental compliance with the Access to Information Act and the Privacy Act. All requests pursuant to the Acts are processed through the Directorate, using input gathered from the various applicable departmental Sectors and Regions. Each Sector and Region has designated an ATIP Liaison Officer (ALO) who works directly with the ATIP Directorate. That individual is responsible for coordinating the retrieval, review and submission of the required information back to the ATIP Directorate.
The Privacy Policy Unit within the ATIP Directorate provides advice and guidance to the Department on a number of privacy-related topics such as conducting Privacy Impact Assessments and educating and promoting awareness of privacy and privacy-related issues throughout the Department.
Audit Objective and Scope
The objective of the audit was to assess the adequacy of the governance, risk management, and control framework in place to support ATIP management in the Department and the extent to which they support compliance with legislative, Treasury Board and departmental requirements. In addition, the objective of the audit was to provide an assessment of the operating effectiveness of controls in place to manage the processing and continuous improvement of ATIP requests.
The scope of the audit included the activities under the Department's responsibility that are related to the management of ATIP. Specifically, the audit assessed the adequacy and operating effectiveness of the governance, risk management and control framework in place to support the management of ATIP requests.
Consistent with the audit objective, the scope of this audit considered the following four assertions:
- The adequacy of governance, risk management and controls framework for the management of ATIP requests to support compliance with legislative, Treasury Board and departmental requirements and to mitigate the risk that excluded or exempted information is disclosed.
- The operating effectiveness of the governance, risk management and control framework for the management of ATIP requests in place to support compliance with legislative, Treasury Board and departmental requirements and to mitigate the risk that excluded or exempted information is disclosed.
- The adequacy of the governance, risk management and control framework for the protection of personal information to support compliance with Treasury Board and departmental requirements and to mitigate the risk of privacy breaches.
- The adequacy of procedures in place with a view to supporting the efficient processing of ATIP requests.
The audit did not include an assessment of:
- the accuracy or completeness of completed ATIP requests; and
- the responsibilities for the protection of personal information that fall outside of the scope of the ATIP Directorate's responsibilities.
Statement of Conformance
The Audit of ATIP Management conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
Observations
Prior to 2011-12, the Department had been cited by the Office of the Information Commissioner for having substantial deficiencies in its management of ATIP and had regularly failed to meet its statutory obligations. In 2011-12, AANDC focused efforts on improving the ATIP management process. As described in this report, these efforts have had a positive impact on the Department's ability to meet its statutory obligations in recent years and the deficiencies raised by the OIC have been largely addressed.
With the ATIP Directorate's recent focus on ensuring compliance with legislation and policy requirements, there has been limited work on identifying and addressing opportunities to drive efficiencies within management of ATIP requests across the entire Department. While the achievements of the Directorate should be commended, it is also important to recognize that the Directorate is now well positioned to move beyond the focus of compliance to one of maintaining compliance while driving efficiencies.
Conclusion
The audit found that, overall, the governance, risk management, and control framework in place to support the compliance of ATIP management with legislative, Treasury Board and departmental requirements are adequate and operating effectively. The audit did, however, identify opportunities for improvement in the following areas: Policies and Procedures; Training and Guidance; and, Efficiency and Continuous Improvement.
Recommendations
The audit team identified areas where management control practices and processes could be improved, resulting in the following three recommendations:
- The Corporate Secretary should undertake a thorough review of ATIP policies and procedures with a view to identifying and addressing any gaps, inconsistencies or other improvement opportunities within the materials. In addition to the current practice of addressing issues on an as-needed basis, a schedule should also be developed which would require an appropriately periodic review of policies and procedures.
- The Corporate Secretary should review, and update as applicable, the training programs offered by the ATIP Directorate. This would include:
- Enhancing the Sectors' and Regions' access to hands-on training and guidance. In developing these enhancements, it is recommended that Regional/Sectoral representatives are solicited for their input.
- Conducting an assessment regarding the sufficiency of the privacy training program relative to the Directorate's responsibility to educate and promote awareness of privacy and privacy-related issues throughout the Department.
- The Corporate Secretary should clarify expectations, roles and responsibilities for driving efficiencies within ATIP Management, and establish related objectives and practices designed to improve process efficiency. Practices could include facilitating the sharing of best practices between Regions and Sectors; reporting on the ATIP Directorate's performance against internal service standards; and, tracking the Department-wide level of effort required to process requests in order to monitor and identify improvements to efficiency.
Management Response
Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.
1. Background
An Audit of Access to Information and Privacy (ATIP) Management was included in Aboriginal Affairs and Northern Development Canada's ("AANDC" or "the Department") 2014-2015 to 2016-2017 Risk-Based Audit Plan, approved by the Deputy Minister on February 6, 2014. This audit was identified as a priority as there has not been a recent audit of this area and because of the inherent complexity of ATIP management due to a number of factors including:
- Legislative requirements;
- Number of stakeholders in the process;
- Unpredictability of requests in both complexity and volume; and
- Visibility and potential impact on the Department.
1.1 Summary of Legislation
Access to Information (ATI) Act
The Access to Information Act has been in place in Canada since 1983 and applies to all government institutions listed in Schedule I of the Act. The purpose of the ATI Act is to provide a right of access to information under the control of the Government of Canada, based on the principles that government information should be available to the public and necessary exceptions to the right of access should be limited and specific. In addition, the Act establishes that decisions on the disclosure of information should be reviewed independently of government by the Office of the Information Commissioner of Canada (OIC). As part of this responsibility, the OIC investigates complaints about federal institutions' handling of access requests.
Interpretation of the Act requires the legal expertise of departmental counsel and the Information Law and Privacy section of Justice Canada. In addition, the Treasury Board Secretariat's Information and Privacy Policy Division provides implementation advice to departments. The Act is intended to complement existing methods of accessing government information. For example, the public and the media continue to request and receive information from communications units and other offices in government departments.
Privacy Act
The Privacy Act has been in place in Canada since 1983 and applies to all government institutions listed in schedule I of the Act. This Act was enacted to extend the laws that protect the privacy of individuals with respect to the personal information held and controlled by the Government of Canada, and to provide a right of access to that information.
Interpretation of the Act requires the legal expertise of departmental counsel and the Information Law and Privacy section of Justice Canada. In addition, the Treasury Board Secretariat's Information and Privacy Policy Division provides implementation advice to government departments. Through the application of the Privacy Act, government departments and staff are directed to follow best practices with respect to the collection, use and disclosure of personal information. This has become more important since the advent of the Internet and the use of technology for managing personal information in government. The Office of the Privacy Commissioner of Canada is responsible for overseeing compliance with the Privacy Act and will conduct independent investigations into complaints from individuals with respect to federal public sector compliance with the Act.
1.2 Access to Information and Privacy Requests in the Federal Government
In 2012-13, there were 110,500 (Footnote 1) ATIP Requests across the Federal Government. Roughly half of these requests related to ATI and half to Access to Privacy (ATP).
During the same year, AANDC received 793 ATIP requests, 648 (81.7%) of which related to information requests. The table below, developed based on information provided in departmental Reports to Parliament, provides statistics for a selection of federal departments, including AANDC. The statistics demonstrate the variability in number of requests and number of pages reviewed per request across a sample of federal departments. It also demonstrates that, while AANDC's volume of ATIP requests for 2012-13 was very similar to Industry Canada and Human Resources and Skills Development Canada (HRSDC), the Department's deemed refusal rate stands out insofar as it was reported as 0%. It also demonstrates that the number of Full Time Equivalents (FTEs) within AANDC's ATIP Directorate is within the range of peer organizations based on the volume of requests. Finally, it shows that the Department experienced a relatively higher ratio of complaints to requests than the other organizations.
| | AANDC | Heritage | Industry | HRSDC | Transport |
|---|---|---|---|---|---|
| Number of requests carried over from previous fiscal year | 83 | 92 | 220 | 112 | 304 |
| Number of new requests | 648 | 237 | 741 | 746 | 2,197 |
| Number of requests completed | 623 | 273 | 860 | 630 | 1,419 |
| Number of pages reviewed for requests completed | 397,850 | 50,161 | 2,828,056 | 112,087 | 94,392 |
| Deemed refusal rate* | 0% | 31 (11%) | 130 (15%) | 49 (7.8%) | 304 (21%) |
| Number of consultation requests received (from other organizations) | 220 | 156 | 774 | 194 | 32 |
| Number (and ratio) of requests that required extension notices to the OIC | 173 (28%) | 136 (50%) | 255 (30%) | 101 (16%) | 798 (56%) |
| Number of complaints registered with the OIC | 45 | 7 | 39 | 20 | 72 |
| Ratio of complaints to requests | 7% | 3% | 5% | 3% | 3% |
| Number of Employees, full and part time, dedicated to ATI operations at year end | 10 | 9 | 21 | 10 | 19 |
| Requests per FTE | 64.8 | 26.3 | 35.3 | 74.6 | 115.6 |

* Subsection 10(3) of the ATI Act provides that where a government institution fails to give access to a record, or notice as to why access will not be granted within the time limits, the institution is deemed to have refused access.
1.3 Overview of the ATIP Request Process
There are up to 11 steps associated with processing an ATIP request. The Department's ATIP Directorate, along with Sectors and Regions, has responsibility to complete these steps. In order to meet the 30 day response time required under the legislation, the ATIP Directorate has developed timelines and a critical path for the completion of these steps as depicted in the following graphic:
As depicted above, upon receipt of an ATIP request, the ATIP Directorate completes an assessment of the request and identifies which Regions or Sectors are responsible to provide the requested information. The ATIP Liaison Officer(s) ("ALO(s)") from the responsible Region and/or Sector reviews the request and forwards it to the appropriate individual(s) within the Region/Sector to compile the requested information.
Each responsible Region/Sector completes an Impact Statement, which is signed by the responsible senior manager (Senior Assistant Deputy Minister, Assistant Deputy Minister, Regional Director General, etc.), and provides this to the ATIP Directorate. The Impact Statement identifies key information about the request including information considered sensitive as well as information that may be considered exempted or excluded. Exemptions are intended to protect information relating to a particular public or private interest such as confidential information provided by a third party or information that may be injurious to the defence of Canada. Certain information is specifically excluded from the scope of the Act and includes such information as Cabinet confidences and information available for purchase by the public.
While requests are generally required to be completed and released within 30 days of receipt by the Department, the legislation includes time extensions, which can be applied under various scenarios. For example, an extension of an additional 60 days can be applied if the Department needs to consult with other government departments or third parties, such as a First Nation, in order to complete the request.
1.4 Role of the ATIP Directorate
The management of AANDC's ATIP requests is carried out by the Department's ATIP Directorate, which falls under the mandate of the Corporate Secretariat. The ATIP Director reports to the Department's Corporate Secretary, who in turn reports to the Deputy Minister. The ATIP Directorate has corporate responsibility for providing a diverse range of support and services, including responses to access to information and privacy requests.
In addition to the Director, there are approximately 21 FTEs within the ATIP Directorate, including consultants and staffing agency personnel. Approximately 15 FTEs are responsible for the processing of ATIP requests, and approximately six FTEs are allocated to the Privacy Policy Unit. The ATIP Directorate establishes policies, procedures and practices related to the departmental compliance with the Access to Information Act and the Privacy Act. All requests pursuant to the Acts are processed through the ATIP Directorate, using input gathered from the various applicable departmental Sectors and Regions. As such, while the ATIP Directorate is responsible for coordinating responses to ATIP requests, all departmental senior management play a role in ensuring available requested documentation is provided to the ATIP Directorate in a timely manner.
The Privacy Policy Unit within the ATIP Directorate provides advice and guidance to the Department on a number of privacy-related topics such as conducting Privacy Impact Assessments and educating and promoting awareness of privacy and privacy-related issues throughout the Department.
1.5 Role of Regions and Sectors
Each Sector and Region within the Department has a role in processing ATIP requests that involve records within their respective organizations. As noted above, once they receive a call-out for records from the ATIP Directorate, it is the Region's/Sector's responsibility to identify and compile the appropriate records as well as obtain the ADM's sign-off on the implications of the request. They are also required to work with the Department's Communications Branch on any sensitive items where media lines may be required. Each Sector and Region has designated an ATIP Liaison Officer ("ALO") who works directly with the ATIP Directorate. That individual is responsible for coordinating the retrieval, review and submission of the required information back to the ATIP Directorate.
1.6 Context
Prior to 2011-12, the Department had been cited by the Office of the Information Commissioner for having substantial deficiencies in its management of ATIP as it had failed to meet its statutory obligations. In 2011-12, AANDC focused efforts on improving the ATIP management process. Along with changes in staff and level of leadership within the ATIP Directorate, the Department updated and improved its ATIP policies and procedures, training and oversight practices. Table A below indicates the improvements realized from 2010-11 to 2013-14. This includes a significant rise in the number of requests being processed by roughly the same number of FTEs within the ATIP Directorate. Of note is the improvement in the proportion of requests that are completed within the initial 30 day time limit, and particularly the continual increase of requests completed within the first 15 days (well before the initial 30 day deadline). As described later in this report, the positive impact of these changes in the Department's ability to meet its statutory obligations is also supported by the results of this audit.
TABLE A:

Access to Information Requests

| | Processing time | 2010-11 | 2011-12 | 2012-13 | 2013-14 |
|---|---|---|---|---|---|
| # of Requests Processed | | 278 | 518 | 623 | 586 |
| % of Information requests completed within 30 days | Within 30 Days | 34% | 53% | 69% | 63% |
| | 1-15 Days | No data | 16% | 25% | 27% |
| Ratio of Extensions to New Requests | | 33% | 55% | 29% | 38% |
| # of pages reviewed for all requests completed | | No Data | 305,134 | 397,850 | 324,047 |
| # of Employees* dedicated, full and part time, to ATI Activities | | No Data | 14 | 10 | 13 |

Privacy Requests

| | Processing time | 2010-11 | 2011-12 | 2012-13 | 2013-14 |
|---|---|---|---|---|---|
| # of Requests Processed | | 70 | 222 | 166 | 94 |
| % of Privacy requests completed within 30 days | Within 30 Days | 49% | 74% | 83% | 95% |
| | 1-15 Days | No data | 18% | 20% | 40% |
| Ratio of Extensions to New Requests | | 16% | 23% | 5% | 4% |
| # of pages reviewed for all requests completed | | No Data | 41,950 | 28,334 | 11,867 |
| # of Employees* dedicated, full and part time, to Privacy | | No Data | 19 | 10 | 5 |

* Does not include Students or Consultants/Staffing Agencies
2. Audit Objective and Scope
2.1 Audit Objective
The objective of the audit was to assess the adequacy of the governance, risk management, and control framework in place to support ATIP management in the Department and the extent to which they support compliance with legislative, Treasury Board and departmental requirements. In addition, the objective of the audit was to provide an assessment of the operating effectiveness of controls in place to manage the processing and continuous improvement of ATIP requests.
2.2 Audit Scope
The scope of the audit included the activities under the Department’s responsibility that are related to the management of ATIP. Specifically, the audit assessed the adequacy and operating effectiveness of the governance, risk management and control framework in place to support the management of ATIP requests.
Consistent with the audit objective, the scope of this audit considered the following four assertions:
- The adequacy of governance, risk management and controls framework for the management of ATIP requests to support compliance with legislative, Treasury Board and departmental requirements and to mitigate the risk that excluded or exempted information is disclosed.
- The operating effectiveness of the governance, risk management and control framework for the management of ATIP requests, in place to support compliance with legislative, Treasury Board and departmental requirements and to mitigate the risk that excluded or exempted information is disclosed.
- The adequacy of the governance, risk management and control framework for the protection of personal information to support compliance with Treasury Board and departmental requirements and to mitigate the risk of privacy breaches.
- The adequacy of procedures in place with a view to supporting the efficient processing of ATIP requests.
The Audit Period of coverage was April 1, 2012 to March 31, 2014.
The audit did not include an assessment of:
- the accuracy or completeness of completed ATIP requests; and
- the responsibilities for the protection of personal information that fall outside of the scope of the ATIP Directorate’s responsibilities.
3. Approach and Methodology
The audit was conducted in accordance with the requirements of the Treasury Board Policy on Internal Audit and followed the Internal Auditing Standards for the Government of Canada. The audit examined sufficient, relevant evidence and obtained sufficient information to provide a reasonable level of assurance in support of the audit conclusion.
The principal audit techniques used included:
- Interviews with key management and staff in the Corporate Secretariat as well as a sample of Sectors and Regions;
- A review of ATIP-related documentation including relevant legislation, regulations, directives and guidance (see Appendix C for a listing) and Reports to Parliament; and
- Examination of a sample of ATIP requests from the fiscal year 2013-14.
The approach used to address the audit objective included the development of audit criteria against which observations and conclusions were drawn. The audit criteria developed for this audit are included in Appendix A.
4. Conclusion
The audit found that, overall, the governance, risk management, and control framework in place to support the compliance of ATIP management with legislative, Treasury Board and departmental requirements are adequate and operating effectively. The audit did, however, identify opportunities for improvement in the following areas: Policies and Procedures; Training and Guidance; and Efficiency and Continuous Improvement.
5. Findings and Recommendations
Based on the evidence gathered through examination of documentation, interviews and analysis, each of the four audit criteria (detailed in Appendix A) was assessed and concluded upon. Where a difference between the audit criterion and the observed practice was found, the risk of the gap was evaluated and used to develop the conclusion and corresponding recommendations for improvement.
This section provides the results of audit work, with a focus on those areas where gaps were observed and recommendations for improvement were identified. It is organized around four thematic areas as follows:
Governance and Oversight – The adequacy of regular monitoring and oversight practices is key to assessing the extent to which the Department is able to assess not only its own performance in managing ATIP requests but also to its ability to identify and manage risks associated with processing ATIP requests in a timely and effective manner. This theme addresses elements of Audit Criteria 1 and 2.
Departmental ATIP Policies and Procedures – The adequacy of formal documentation in terms of their design and communication to the appropriate parties, as well as the extent to which observed practices (e.g. file testing) provided evidence of their effectiveness was key to assessing the governance, controls and risk management framework. This theme addresses elements of Audit Criteria 1 to 3.
Training and Support – The adequacy of the training programs, training courses and related support provided to departmental employees with ATIP responsibilities was key to assessing the extent to which these employees were provided with a clear understanding of their roles and responsibilities. As such, training and support was an important element of assessing the governance, risk management and controls framework. This theme addresses elements of Audit Criteria 1 and 3.
Efficiency and Continuous Improvement – This theme is associated with the efficiency-related area of the audit scope. As such, it addresses all elements of Audit Criterion 4 and the performance management elements of Audit Criterion 1.
5.1 Governance and Oversight Practices
The audit team expected the Department to have established regular monitoring and oversight activities related to the management of ATIP requests. These activities should be supported by accurate and timely reporting, and serve to promote the identification, assessment and management of risks associated with ATIP requests.
The audit evidence indicated that weekly ATIP meetings are led by the Corporate Secretary and the ATIP Director with the Associate Deputy Minister. These meetings serve as the primary forum for senior level monitoring of the ATIP request management process. Additional attendees may include representatives from the Deputy Minister's Office, the Communications Branch, and the Litigation Management and Resolution Branch. During these meetings, ATIP activities and the status of requests are discussed with the ATIP Director. While every new request is discussed, particular attention is focused on requests involving potentially sensitive or otherwise significant information. The review of ATIP activities and requests that occurs at these meetings is an important practice in the management of ATIP-related risks and an effective mechanism to help ensure that appropriate internal stakeholders are notified and engaged in a timely fashion in cases where potentially sensitive information is involved.
In terms of reporting, the audit identified that summary reports are provided for purposes of discussion at the weekly meetings. These reports provide a synopsis of ATIP requests including changes since the previous weekly report (e.g. summaries of all new requests, completed requests, and extensions, etc). In addition, the audit noted that the ATIP function feeds the Corporate Secretariat annual Business Plan, and reports on these elements in the Department's Quarterly Reports. Finally, the ATIP Directorate is required to produce detailed annual reports to Parliament outlining the performance of activities related to complying with the obligations set forth in the Access to Information Act and the Privacy Act.
Based on the observed evidence, the audit team found the governance and oversight mechanisms in place to be adequate and effective in the management of the ATIP function.
5.2 Departmental ATIP Policies and Procedures
Design/Adequacy Assessment
The audit team expected the Department to have established well-designed and appropriately communicated policies and procedures to aid in the management of ATIP requests. This included an expectation that such policies and procedures reflect applicable government-wide (i.e. Treasury Board) requirements and the Department's approach to managing the risks associated with the release of sensitive information.
The audit evidence indicated that the ATIP Directorate had established a number of policies and procedures to aid in the management of ATIP requests. Overall, these policies and procedures were found to be concise, easy to understand and they provided clear direction on roles and responsibilities. These policies and procedures are posted on the departmental intranet and accessible to all employees.
The audit team also conducted a thorough assessment of departmental ATIP policies and procedures against Treasury Board (TB) requirements. These requirements are identified based on the TB Directive on the Administration of the Access to Information Act, the TB Policy on Access to Information, and the TB Directive on Privacy Requests and Correction of Personal Information. When assessed against the 21 requirements derived from these documents, the audit found the policies and procedures fully met 17 of the requirements. Four of the requirements were assessed as being partially met as follows:
- Limited information is included in policies and procedures around obstruction of the right of access to information (Footnote 2);
- ATIP employee handbook does not include procedures to notify the Information Commissioner if an extension greater than 30 days has been given for a request; and,
- Limited information is included in the employee handbook on how to close out a completed file (such as a close-out checklist), including the required documents to be kept on file, and the procedures for posting the request summaries on the departmental website (as required by the Acts).
The ATIP Directorate has also established policies and procedures related to its responsibility for the protection of personal information. A key document is the Privacy Impact Policy and Procedures Manual (the "Manual"). While the Manual was assessed as providing useful guidance, a review of the Manual identified a few issues related to Privacy Impact Assessments (PIA) as follows:
Responsibility to ensure completion of Privacy Impact Assessments:
- The Manual indicates that responsibility for completion of PIAs falls to the ATIP Directorate. However, in practice, this is contrary to the ATIP Directorate's interpretation that its responsibility is to act in the role of an advisory function with respect to PIAs.
Senior Privacy Committee:
- The Manual indicates that the ATIP Director is responsible to submit completed PIAs to the Senior Privacy Committee for approval and to ensure that any recommendations approved by the Senior Privacy Committee are implemented. However, there is currently no such committee in place.
Approval of Privacy Impact Assessments:
- The Manual does not define who, within a Sector/Region, is responsible to approve a PIA prior to it being submitted to the ATIP Directorate. In practice, it appears that such approval is generally provided by the program or project sponsor.
The issues in the Manual related to PIAs increase the likelihood that required PIAs are not completed or that PIAs that are completed are not subject to appropriate approval and oversight. In this scenario, personal information collected and maintained by the Department may not be adequately protected.
Finally, the audit identified that there is no formal process or established schedule to update ATIP policies and procedures. While Management has indicated that the departmental ATI policies and procedures have been updated within the last two years, there is no scheduled review and update that would serve to complement the ad hoc updates that occur from time to time.
Effectiveness Assessment
To assess the operational effectiveness of ATIP policies and procedures, a random sample of paper files related to 25 ATIP requests was examined. The audit team expected to find that the files contained documentation demonstrating compliance with applicable Treasury Board and departmental requirements. For example, the files should contain evidence that completed and approved Impact Statements were obtained, required timelines were respected, and sufficient due diligence (i.e. evidence of personal identity in the case of a privacy-related request) was conducted.
Overall, the audit team's file testing identified that documentation was on file to support the operating effectiveness of management's key controls. For example, it was observed that all 25 sample requests were completed within the required time frame and the final release letter for all 25 sample requests was approved by the ATIP Coordinator.
However, the testing did identify some exceptions. In a number of cases, these exceptions could be linked back to the policy and procedure issues noted earlier in this Section. For example:
- Three of the 15 files that related to access to information requests had extensions; however, only one of the three had a letter on file that clearly indicated that the Information Commissioner was notified of the extension.
  - Notifying the Information Commissioner is a requirement under the ATI Act. This issue was also noted to the Department in the 2010-11 Report Card issued by the Office of the Information Commissioner.
- Three of the 10 sample requests that related to privacy did not have evidence on file to support that the identity of the requestor was confirmed.
  - It is a Treasury Board requirement that Departments establish procedures to confirm that the requestor has the right to make the request, including validation of the requestor's identity. Without documentation on file confirming the results of such procedures, there is an increased risk of a privacy breach.
- Nine of the 25 requests did not have copies of the impact statements in the paper files. As the ATIP Directorate is currently transitioning to storing some information electronically, all nine impact statements were subsequently found to be stored electronically.
  - There is currently no direction on how to ensure file completeness and on identifying which information is paper and which is electronic. Without a consistent approach to ensuring that files are complete (i.e. demonstrating paper and any applicable electronic files), there is an increased risk that a file will not sufficiently demonstrate compliance with requirements.
Recommendation:
1. The Corporate Secretary should undertake a thorough review of ATIP policies and procedures with a view to identifying and addressing any gaps, inconsistencies or other improvement opportunities within the materials. In addition to the current practice of addressing issues on an as-needed basis, a schedule should also be developed which would require an appropriately periodic review of policies and procedures.
5.3 Training and Support
The audit team expected to find that training programs were in place to ensure key stakeholders understand and acknowledge their roles and responsibilities related to ATIP and the protection of personal information; and that Sectors/Regions are provided with access to assistance in the interpretation or discharge of their responsibilities should the need arise.
The ATIP Directorate has developed an ATIP training session, ATIP 101, which outlines the legislative requirements and responsibilities for the management of ATIP requests. This training material is available on the departmental intranet and, recently, additional steps have been taken to further formalize this training. Specifically, ATIP 101 training is now managed by the Department's Learning and Development Directorate and is part of the Department's "Recommended Training". Having the training sessions managed through the Learning and Development Directorate has assisted with increasing the accessibility of training sessions and the accountability of participants for completing scheduled training. Further, classifying ATIP 101 training as "recommended" helps to raise the profile and demand for this training across AANDC. The table below provides a summary of ATIP training delivered in 2013-14:
ATIP Training Delivered in 2013-14 | |
---|---|
Number of ATIP Learning Sessions | 8 (6 at HQ, 2 Video Conferences) |
Participants | 90 (77 HQ, 13 Regional) |
HQ Sectors Represented | 7 (out of 8) |
Regions Represented | 1 (out of 10) |
Although Sectors and Regions provided the audit team with positive feedback on the current training, many interviewees also indicated that expanding the practical component of the training would be beneficial. This would involve more direction on how to effectively discharge ATIP responsibilities as they exist at the Sectoral/Regional level. Such responsibilities include how to: approach a search for records; manage/coordinate requests; and, manage ATIP timelines, etc. This was identified as an opportunity to better support the consistency of practices across the Department and to promote identification of process improvements. As such, to the extent that the current training program does not adequately support the practical responsibilities within Sectors/Regions, there is an increased risk that practices will not reflect an optimal level of consistency or that process improvement opportunities will not be highlighted.
In addition to the training developed for the management of ATIP requests, the Directorate has developed a training session to promote awareness of the responsibilities around the protection of personal information and of the requirements should a breach of personal information occur. While a training program has been established for this purpose, and is generally offered on a "by request" basis, this training has not been delivered in the recent past. Given the ATIP Directorate's responsibility to educate and promote awareness of privacy and privacy-related issues throughout the Department, there is a possibility that an ad hoc approach to privacy-related training may not be sufficient to address this responsibility, with the result of an increased risk that private information may not be protected.
In terms of support, audit interviews with Sectors and Regions indicated positive feedback regarding support provided by the ATIP Directorate. A majority stated they were comfortable to contact the ATIP Director for assistance when needed. In addition, interviewees also indicated that if a training need arose and there was not a scheduled ATIP training session, the ATIP Directorate would provide one-on-one training.
The audit found that training and support offered to departmental stakeholders generally met the requirements; however, there are opportunities to expand the practical component of ATIP 101 training and to confirm the sufficiency of privacy-related training in light of the ATIP Directorate's responsibility for privacy awareness.
Recommendation:
2. The Corporate Secretary should review, and update as applicable, the training programs offered by the ATIP Directorate. This would include:
- Enhancing the Sectors' and Regions' access to hands-on training and guidance. In developing these enhancements, it is recommended that Regional/Sectoral representatives are solicited for their input.
- Conducting an assessment regarding the sufficiency of the privacy training program relative to the Directorate's responsibility to educate and promote awareness of privacy and privacy-related issues throughout the Department.
5.4 Efficiency and Continuous Improvement
AANDC, in common with many federal government departments, must continually work to fulfill its mandate while supporting the government's commitment to cost-reduction, cost-containment and ensuring value for money. With the ATIP Directorate's recent focus on ensuring compliance with legislation and policy requirements, there has been limited focus on identifying and addressing opportunities to drive efficiencies within the management of ATIP requests across the entire Department. While the achievements of the Directorate should be commended, it is also important to recognize that the Directorate is now well positioned to move beyond a focus on compliance to one of maintaining compliance while driving efficiencies.
Assessing the Departmental Impact of Processing ATIP Requests
As part of the analysis on efficiency and continuous improvement, the audit first attempted to gain an understanding of the true cost of processing ATIP requests to the Department. While volumetric data related to ATIP requests was readily available (e.g. number of requests and number of pages), as were operating costs directly associated with the ATIP Directorate, the current data tracking and collection practices in the Department for ATIP requests were found to be insufficient to support the calculation of an accurate level of effort, or cost estimate, as not all inputs to the request process are currently tracked. As such, the audit team undertook an independent exercise to approximate this cost for the most recently completed fiscal year, 2013-14.
In addition to identifying costs associated with the ATIP Directorate, the audit team identified the implications for Regions/Sectors based on the two major ATIP-related activities, information gathering and information review. To gain insight into the cost of information gathering, the audit team reviewed a sample of 21 Impact Statements, as prepared by various Sectors/Regions, to identify the estimated search time and the level of employee performing the search. To gain insight into the costs of information review, the audit team developed and circulated a brief costing survey to a relatively small sample of five Regions/Sectors. This survey provided the Sector's/Region's estimates regarding the amount of time required to review an ATIP request and the level of employee performing such a review. Using this data, along with available volumetric data and salary/benefits information, the audit team calculated the approximate cost of processing ATIP requests overall, and per request.
The approach to identifying estimated costs described above did not include all of the inputs to the ATIP request process. For example, costs and time associated with communications reviews, ATIP Liaison Officer (ALO) coordination, routing and approval of impact statements by ADMs, or the time invested by the Corporate Secretary were not addressed. As such, the resulting estimated costs, as presented in the following table, are considered "minimums".
2013-14 | Amount | Subtotal |
---|---|---|
Cost of the ATIP Directorate (Footnote 3): | | |
Staff salaries – Access to Information and Privacy | $1,234,762 | |
Operations and Maintenance, and Capital | $198,266 | $1,433,028 |
Regions & Sectors – Estimated Cost of Information Gathering: | | |
Estimated cost per request | $106 | |
Estimated time per request | 2.8 hours | |
Number of requests closed during the year | 686 | |
Total for Information Gathering | | $72,716 (1,921 hrs) |
Regions and Sectors – Estimated Cost of Information Review (Footnote 4): | | |
Estimated cost per page | $1.00 | |
Estimated time per page | 1.2 minutes | |
Number of pages reviewed during the year | 345,110 | |
Total for Information Review | | $345,110 (6,902 hrs) |
Minimum Financial Impact – Total | | $1,850,854 |
Minimum Financial Impact – Per Request | | $2,698 |
Based on the results of the audit team's cost estimation exercise, the minimum cost of processing ATIP requests in 2013-14 was approximately $1.8 million. The exercise also highlights that an opportunity cost of nearly 9,000 hours is borne by Regions/Sectors.
Promoting Efficiencies
While the costing exercise described above provides some insight to the costs of ATIP processing, the Directorate will need to take further steps in order to advance opportunities for continuous improvement and to realize efficiencies that will benefit the entire Department. The following are examples of techniques that would normally be leveraged to support the identification of efficiency opportunities:
- Expand ATIP-related performance measures and data collection to include all inputs to the request process. This would involve expanding data collection beyond that which is required to demonstrate/support compliance;
- Report on performance against key internal service standards (Footnote 5) with a view to identifying trends or opportunities for improvement; and,
- Actively solicit input from Sectors and Regions regarding best practices, lessons learned, and/or challenges regarding the processing of ATIP requests. One area noted during interviews as warranting discussion was the practice of sending call-outs for information to multiple Sectors/Regions. This means that even if a Sector/Region has no information to provide, they are still required to complete the impact statement, have it approved by the responsible ADM and submit it to the ATIP Directorate.
While there is no single solution or approach to promoting continuous improvement, resource capacity challenges across the Department require that consideration is given to identifying opportunities for efficiency in all areas, including ATIP management. Further to its Study of Best Practices for ATI Requests, the Treasury Board Secretariat indicated "periodic assessments of resource requirements (human, financial, technological) are conducted, and business cases are developed as necessary, to support the effective administration of the access to information program" as a best practice. This was the only best practice (within the scope of this audit) that AANDC did not meet or partially meet. See Appendix B for additional details on these best practices.
As described above, the ATIP Directorate has made considerable progress in ensuring overall compliance with legislation, and there is now the opportunity to improve process efficiency, while maintaining compliance.
Recommendation:
3. The Corporate Secretary should clarify expectations, roles and responsibilities for driving efficiencies within ATIP Management, and establish related objectives and practices designed to improve process efficiency. Practices could include facilitating the sharing of best practices between Regions and Sectors; reporting on the ATIP Directorate's performance against internal service standards; and, tracking the Department-wide level of effort required to process requests in order to monitor and identify improvements to efficiency.
6. Management Action Plan
Recommendations | Management Response / Actions | Responsible Manager (Title) | Planned Implementation Date |
---|---|---|---|
1. The Corporate Secretary should undertake a thorough review of ATIP policies and procedures with a view to identifying and addressing any gaps, inconsistencies or other improvement opportunities within the materials. In addition to the current practice of addressing issues on an as-needed basis, a schedule should also be developed, which would require an appropriately periodic review of policies and procedures. | 1. The Corporate Secretariat will conduct a thorough review of ATIP policies and procedures once every fiscal year. If, however, there are legislative or TBS policy amendments, the Corporate Secretariat will review on an ad hoc basis. In particular, the Corporate Secretariat will review the following: | Corporate Secretary | August 2014 |
 | 2. The Corporate Secretariat will update the ATIP Operations manual to reflect any gaps and to ensure consistency with the Treasury Board Secretariat Directive on the Administration of the Access to Information Act. | | August 2014 |
2. The Corporate Secretary should review, and update as applicable, the training programs offered by the ATIP Directorate. This would include: (a) enhancing the Sectors' and Regions' access to hands-on training and guidance, soliciting input from Regional/Sectoral representatives in developing these enhancements; and (b) conducting an assessment regarding the sufficiency of the privacy training program relative to the Directorate's responsibility to educate and promote awareness of privacy and privacy-related issues throughout the Department. | The Corporate Secretariat will review and update as applicable the training programs offered by the ATIP Directorate on an annual basis. In particular, the Corporate Secretariat will take the following actions: | Corporate Secretary | |
 | a. Convene a series of conference calls/meetings with regional/sectoral representatives for input and feedback on the specific improvements or needs for an ATIP training program; and | | July 2014 |
 | b. Assess the sufficiency of the ATIP training program, and add further content and substance to the ATIP training program, focused on promoting awareness of privacy and privacy-related issues throughout the Department. | | September 2014 |
3. The Corporate Secretary should clarify expectations, roles and responsibilities for driving efficiencies within ATIP Management, and establish related objectives and practices designed to improve process efficiency. Practices could include facilitating the sharing of best practices between Regions and Sectors; reporting on the ATIP Directorate's performance against internal service standards; and tracking the Department-wide level of effort required to process requests in order to monitor and identify improvements to efficiency. | 1. The Corporate Secretariat will develop a comprehensive regional/sectoral operations manual that will ensure uniform best practices for the processing and retrieval of ATIP records across the Department for ATIP Liaison Officers in the sectors and regions. | Corporate Secretary | October 2014 |
 | 2. The Corporate Secretariat will add further details on compliance with additional internal ATIP service standards to its quarterly reports. Further, the Corporate Secretariat will continue to report on performance against internal service standards in the Corporate Secretariat's quarterly reports, Treasury Board Secretariat statistical reports and Annual Reports to Parliament. Quarterly: add additional internal service standards to the quarterly report; report adherence to internal service standards in Q1 to Q4 reports. May 2015 and every May thereafter: file TBS statistical report. June 2014 and every June thereafter: file Annual Reports to Parliament. | | September 2014 |
 | 3. The Corporate Secretariat will liaise with the Treasury Board Secretariat Information and Privacy Policy Division (IPPD) to determine the options for tracking the Department-wide level of effort required to process requests in order to monitor and identify improvements to efficiency. | | July 2014 |
Appendix A: Audit Criteria
To ensure an appropriate level of assurance to meet the audit objective, the following criteria were developed to address each of the assertions included within the scope of the audit (as provided in Section 2.2 of this Report) as follows:
Criterion #1 – There is an adequate governance, risk management and controls framework for the management of ATIP requests to support compliance with legislative, Treasury Board and departmental requirements and to mitigate the risk that excluded or exempted information is disclosed.
1.1 ATIP policies and procedures have been formally documented and communicated and are consistent with applicable government policies, regulations, guidelines and legislation for ATIP.
1.2 Roles and responsibilities are clearly defined (including division of responsibility between ATIP unit and sectors/regions) and understood by key stakeholders in the management of ATIP requests.
1.3 Procedures are in place to ensure that policies and procedures are reviewed and updated (as required) on a regular basis.
1.4 Delegation of Authority for ATIP has been formally documented and approved by the Minister.
1.5 Escalation procedures have been established to address situations where there are conflicting views on the interpretation of ATIP requirements (i.e. the designation of information as Excluded or Exempted).
1.6 Procedures are in place to address complaints and instances of Excluded or Exempted information disclosed in error.
1.7 Training programs have been established to ensure key stakeholders with ATIP responsibilities understand, and acknowledge, their roles and responsibilities.
1.8 Regular monitoring and oversight activities related to the management of ATIP requests are undertaken by the Department.
1.9 Accurate and timely reports are used in the oversight and monitoring of the management of ATIP requests.
1.10 Performance measures are in place to measure and monitor performance of the management of ATIP requests.
1.11 Procedures are in place to identify, assess and manage risks, including the release of sensitive information, associated with ATIP requests, and include notification to appropriate internal stakeholders.
Criterion #2 – The governance, risk management and controls framework for the management of ATIP requests is operating effectively to support compliance with legislative, Treasury Board and departmental requirements and to mitigate the risk that excluded or exempted information is disclosed.
2.1 Standardized controls/procedures are in place to assess and request information and to monitor the status of ATIP requests.
2.2 Controls and procedures are in place to ensure requests are processed in a timely manner, information packages are complete, and excluded or exempted information is identified and not disclosed as part of the information package.
2.3 Controls and procedures are in place to ensure that the OPI has final review of the information package prior to release, information is appropriately approved prior to release, internal stakeholders are notified when sensitive information is to be released, and a complete record of the request is maintained, including support for decisions made regarding the request.
Criterion #3 – There is an adequate governance, risk management and controls framework for the protection of personal information to support compliance with Treasury Board and departmental requirements and to mitigate the risk of privacy breaches.
3.1 Policies and procedures related to the protection of personal information, including privacy breaches, have been formally documented and communicated and are consistent with applicable government policies, regulations and guidelines for the protection of private information.
3.2 Roles and responsibilities are clearly defined (including division of responsibility between ATIP unit and sectors/regions) and understood by key stakeholders in the protection of personal information.
3.3 Procedures are in place to ensure that policies and procedures are reviewed and updated (as required) on a regular basis.
3.4 Training programs have been established to ensure key stakeholders understand and acknowledge their roles and responsibilities related to the protection of personal information.
Criterion #4 – Adequate procedures have been developed with a view to supporting the efficient processing of ATIP requests.
4.1 Performance measures are in place to measure and monitor performance of the management of ATIP requests in support of continuous improvement.
4.2 Procedures are in place to engage and obtain regular feedback from program officers on the ATIP process in order to identify issues and opportunities for improvement.
4.3 Analysis of complex or difficult files (missed deadlines, complaint files) is undertaken by the ATIP unit in order to identify opportunities for improvement.
Appendix B: Assessment Against Treasury Board Best Practices
Best Practice: | Result |
---|---|
1. The Access to Information Coordinator has full authority delegated by the head of the institution for the administration of the Access to Information Act. | Met |
2. The head of the institution delegates functions as far down within the Access to Information Office as possible. For example, extension and third party notices can be delegated to Access to Information Officers as well as to the Coordinator. | Met |
3. Access to information commitments and performance measures are included in the performance management agreements of senior officials to increase their engagement and accountability. | Out of Scope |
4. Regular performance reports are provided to senior management on the processing of requests. | Met |
5. A process for particular requests is established that is conducive to timely responses and will not cause undue delays. The process is designed to notify officials of the imminent disclosure of records rather than for approval. This process is simple, with clearly defined responsibilities and timelines for each step of the process. | Met |
6. Clear procedures are established and made available to all employees. | Met |
7. A restricted number of requests are subject to particular treatment. The identification of these requests is based on the content of the records, and not on the identity or source (media, academia, business, organization, public) of the requester. | Met |
8. Requirements for communication products (such as Qs and As or QP Cards) are identified as early as possible in order that they may be developed at the same time as the records are being processed. | Met |
9. Communication requirements are kept separate and distinct from access to information requirements. The Access to Information Office is not responsible for the coordination or the preparation of communication products for specific subject matter. | Met |
10. Regular follow ups with officials are made using the most expeditious means (telephone, e-mail, fax, electronic documentation, meetings, etc.) to ensure timeliness. | Met |
11. Where approval is not being sought (i.e. delegated authority was given to the ATIP Coordinator), only the release package is forwarded to senior officials for information to streamline the process. | Met |
12. Where approval is not being sought (i.e. delegated authority was given to the ATIP Coordinator), the response to the requester is sent by the date set in accordance with the established process for particular requests or by the statutory deadline, whichever is sooner. | Met |
13. The Access to Information Office regularly meets the key players, including officials from the offices of the head and deputy head, Communications and Parliamentary Affairs, to discuss complex issues and explain the provisions of the Access to Information Act. | Met |
14. The performance of officials is monitored and the process is assessed as required to ensure its efficiency and that it fully meets the requirements of the Act. | Partial |
15. Training and briefing sessions are provided to employees, senior officials and staff of the offices of the head and deputy head on their roles and responsibilities relating to the Access to Information Act. | Met |
16. Different approaches are used to heighten access to information awareness, including written procedures, information sessions, and reference material posted on the institution's Intranet and Internet sites. | Met |
17. Periodic assessments of resource requirements (human, financial, technological) are conducted, and business cases are developed as necessary, to support the effective administration of the access to information program. | Not Met |
18. Various strategies (such as internal development programs, mentoring, coaching and collective staffing) are employed to recruit and retain access to information employees. | Out of Scope |
Appendix C: Relevant Legislation, Regulations, Directives and Guidance
Privacy Act
Access to Information Act
Access to Information Regulations
Treasury Board Policy on Access to Information
Treasury Board Directive on the Administration of the Access to Information Act
Treasury Board Directive on Privacy Practices
Report on the Treasury Board Secretariat Study of Best Practices for Access to Information Requests Subject to Particular Processing
AANDC – Privacy Impact Assessment Policy and Procedures Manual
AANDC - Privacy Notice and Consent Guidelines - Government On-Line
Access to Information Request Internal Guidelines
Amendment to the Access to Information Act
ATIP – Employee Handbook
AANDC – Info Source Guidelines – Access to Information and Privacy Division
Privacy Breach Guidelines - ATIP Division
Privacy Request Guidelines – 2013
Service Standards
Policy on Privacy Protection
Directive on Privacy Requests and Correction of Personal Information