Audit of Privacy Practices

Final report
Office of the Chief Audit Executive
June 2021

Executive Summary

In accordance with Global Affairs Canada’s approved 2020-2022 Risk-based Audit Plan, the Office of the Chief Audit Executive conducted an Audit of Privacy Practices. 

Background

Global Affairs Canada (GAC or the ‘department’) collects, uses, shares, and retains sensitive personal information in relation to Canadians, employees, and their families.  The protection and proper handling of that information is vital in upholding the department’s reputation and standing – with citizens, employees, international diplomatic partners and trading partners. 

While privacy and information management have long been strategic initiatives of the department, the importance has been heightened in the wake of the current global health pandemic. Pressures arising from COVID-19, including the need to revise business practices to ensure that employees and programs can collaborate and share information virtually, are accelerating the digitalization efforts.  These changes in business practices and technologies can introduce new organizational risks.  For every evolution in a business practice involving personal information there are potential privacy pitfalls that need to be managed.

Objective and Scope

The objective of the audit was to provide assurance that the department has policies, procedures, processes, and controls in place to support compliance with the Privacy Act and the effective delivery of programs and services.  The audit examined privacy policies, procedures, processes, and systems in place between April 2018 and December 2020. 

Although privacy is a shared responsibility within the department, the focus of the audit was on the governance and risk management activities of the department’s Access to Information and Privacy Division, as the delegated authority for the management of privacy.

Areas of Enquiry and Assurance Rating*


Rating Definition:

Met - There is sufficient evidence to support audit expectations defined in the criteria.

Partially Met - There is some evidence to support the audit expectations defined in the criteria but improvements are required.

Not Met - There is insufficient evidence to support audit expectations defined in the criteria.

Conclusion

The department has put some policies, procedures, processes, and controls in place to support departmental compliance with the Privacy Act and the delivery of programs and services involving the handling of personal information. There are however opportunities to strengthen the privacy practices through the implementation of a privacy management framework, the adoption of an internal privacy impact assessment policy and the development of a strategic privacy plan which considers emerging risks, privacy awareness and resource capacity.

Recommendations

  1. The Director General and Corporate Secretary should finalize and implement a Privacy Management Framework to support the management and monitoring of departmental privacy practices.
  2. The Director General and Corporate Secretary should develop and implement a departmental Privacy Impact Assessment policy to strengthen privacy risk management practices.
  3. The Director General and Corporate Secretary should develop a strategic plan to align privacy management with key departmental data and digital initiatives, to raise privacy awareness, and to identify adequate resources. 

Statement of Conformance

The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program.

Findings and Recommendations

This section sets out the key findings. It is divided into three areas related to oversight provided by a privacy management framework, risk management and the importance of privacy impact assessments, and strategic and operational planning.

1. Oversight – Privacy Management Framework

Under the Treasury Board of Canada’s (TB) Policy on Privacy Protection, heads of institutions are required to monitor compliance with the administration of the Privacy Act.  Compliance monitoring requires a policy instrument or infrastructure that sets out privacy expectations.  Most commonly, this is accomplished through the implementation of a privacy management framework. The framework should document and assign roles and responsibilities and should set out the basis for determining departmental structures, resources, and metrics to be used to measure and monitor privacy compliance.  It also helps to promote good governance, accountability, and the continuous oversight of privacy practices.

In 2018-2019, the Access to Information and Privacy Division identified the need for a centralized, co-ordinated, and coherent approach to privacy management across all programs.  Shortly thereafter, it began developing a Privacy Management Framework to better standardize and unify the department’s privacy practices and policies.  To date, that framework remains in draft.

Although the department has elements of internal controls and risk management practices in place to support compliance with the Privacy Act (see Section 2), those elements are not connected, organized, or supported in such a manner to allow for proper oversight.  The sheer complexity of the department’s operations and the diverse nature of its privacy practices requires a framework to reduce inconsistencies, close gaps in compliance and to manage the risk of a privacy breach.

In addition, the Access to Information and Privacy Division does not have all the tools it needs, such as specific internal policies and fully documented procedures, to properly oversee compliance with departmental privacy practices. The analysis completed showed that the division has limited ways in which to identify and document plans, programs, or activities that present a potential privacy risk to individuals or the organization. While privacy impact assessments serve as a reasonable proxy for such activities, the division does not systematically monitor privacy impact assessment performance; as such, recommendations arising from the assessments are not tracked for implementation.

Recommendation 1

The Director General and Corporate Secretary should finalize and implement a Privacy Management Framework to support the management and monitoring of departmental privacy practices.

2. Risk - Privacy Management Practices

2.1 Privacy Impact Assessment

Treasury Board’s Policy on Privacy Protection expects heads of institutions to establish practices for the protection and management of personal information. Across government, privacy risk management and internal controls vary by organization; however, they should include, at a minimum, a privacy impact assessment development and approval process, and plans and procedures for addressing privacy breaches.

A Privacy Impact Assessment is used in the design of a program or service, to assist Program officials in identifying and analyzing potential privacy risks. It is arguably the most important tool available to institutions to manage privacy risks, and to support compliance with the Privacy Act.

The department relies on Treasury Board’s Directive to guide the performance of privacy impact assessments.  The Access to Information and Privacy Division provides a link to the Directive on its homepage and in Modus, and supplements the Treasury Board’s Directive with guidance embedded in the department’s standard privacy impact assessment template -- an annotated copy of Appendix C of the Treasury Board Directive. While the Treasury Board’s Directive sets out general obligations and requirements for the performance of privacy impact assessments, it is intended as a government-wide framework for privacy assessments.  It does not take into consideration important criteria such as the department’s mandate, programs, or services. Nor does it account for particularities in the department’s practices, processes, and people. 

The majority of organizations with a formal policy have integrated the results of the privacy impact assessments into their overall risk management framework. They also tend to have centralized controls in place to ensure continuous compliance monitoring.  Privacy impact assessment policies help create and formalize linkages between key corporate services such as information technology, information management, and strategic policy and planning – all of which can serve as critical gateways for the performance of privacy impact assessments.  As well, organizations with policies tend to have far more mature processes and practices.  In the absence of formal policy obligations, the processes and practices of less mature institutions rely heavily on program intuition and an employee’s recognition of the need for a privacy impact assessment.  As such, the approach to privacy impact assessments for less mature institutions remains ad hoc.

The department’s process falls somewhere in between these two ends; it is neither ad hoc nor optimized. The department has an established process, but the process lacks important elements to support compliance. For example, the Access to Information and Privacy Division created a privacy questionnaire to allow the program areas and the division to determine whether a privacy impact assessment is required when designing a program or a service. However, program areas or functional areas may not be aware of the obligations under the Directive and they may not be aware of the responsibilities within the privacy impact assessment process or of the existence of the privacy questionnaire.  As it stands, the quality of the assessments, and the way an assessment is completed (including whether an assessment is initiated at all) is largely dependent on the knowledge and motivation of individual programs/functions and employees.

The department would benefit from having a departmental policy to support the initiation, performance, review, and monitoring of privacy impact assessments. The lack of a policy can lead to shortcomings in the performance of privacy impact assessments. The absence of a policy can also have a direct and measurable impact on the effectiveness and quality of privacy impact assessments completed, and on the extent to which they are conducted (see Recommendation 2).

2.2 Privacy Breaches

Treasury Board’s Directive on Privacy Practices also requires federal institutions to establish plans and procedures for addressing privacy breaches. This requirement usually falls to an institution’s Access to Information and Privacy (ATIP) Coordinator.  ATIP Coordinators and their offices are responsible for investigating and managing the life cycle of a privacy breach and for notifying Treasury Board Secretariat and the Office of the Privacy Commissioner, when required. They are the single liaison for the institution when notifying central agencies.

Breaches for Last Three Fiscal Years:

  • 2017-18 – 3 breaches
  • 2018-19 – 2 breaches
  • 2019-20 – 2 breaches

The audit included an examination of recently reported breaches (see text box). A privacy breach involves any improper or unauthorized collection, use, disclosure, retention or disposal of personal information. While breaches often involve a security incident, they are not limited to a breach of data security. Privacy breaches, whether intentional or inadvertent, can impact reputations. Risks to an individual in the event of a breach may include reputational harm, financial harm and, in some cases, personal prejudice or persecution. For an organization a breach may result in a decrease in public confidence, embarrassment, and a loss of credibility.

The department has a formal breach reporting process and published breach reporting procedures, as set out in the Access to Information and Privacy Division’s Guidelines for Privacy Breaches. However, the breach protocols are highly dependent on the discovery or realization of a breach. In the 2019-2020 Annual Report to Parliament, the Privacy Commissioner noted that the number of privacy breaches reported may only represent a small portion of what might be happening considering the significant volumes of personal information of a highly sensitive nature that the department manages. They note that action should be taken to address any issues related to systemic under-reporting (see section related to Strategic Planning and Awareness).

In summary, effective risk management practices are critical to the protection and management of personal information. While the department has processes and breach reporting protocols in place, there is an opportunity to improve its privacy risk management practices through the development of a formal policy that clearly defines roles and responsibilities, requirements and expectations.

Recommendation 2

The Director General and Corporate Secretary should develop and implement a departmental Privacy Impact Assessment policy to strengthen privacy risk management practices. 

3. Strategic and Operational Planning

3.1 Strategic Planning  

Strategic planning allows a function to clearly link itself to the organization’s most pressing priorities, to create awareness and to improve its ability to identify and adapt to new privacy risks. The audit examined the degree to which the Access to Information and Privacy Division was engaged in strategic privacy planning as a central element of the departmental privacy management framework.

The Access to Information and Privacy Division is engaged in planning activities. While the focus has been on immediate and urgent operational issues, the division also had some professionally led and structured strategic planning activities in recent years.  However, the division has not yet been extensively involved in a fulsome strategic planning exercise to link the data initiatives at the department.  It was also noted that many departmental initiatives centered on the use of data do not expressly include privacy considerations, or for that matter provisions for the proper handling of personal information.

Digital technologies have drastically changed the needs and behaviours of Canadians. Expectations surrounding the delivery of programs, goods and services have also changed. As a result, federal institutions are being asked to quickly build their data management expertise, and to devise new ways of unlocking the value of their data holdings. These efforts are expected to fundamentally transform the way in which federal departments operate. According to the department’s Data Strategy, the mission is to empower employees to collect, access, analyze, and use high quality data to inform program decision making. This goal speaks not only to expectations within the department to better collect and use data, but also to the significant changes underway which will impact privacy practices.

Aligning and integrating privacy into strategic decision-making is critical to ensure that programs and activities resulting from strategic initiatives take privacy into account.   A longer-term strategic privacy plan would provide clarity, direction, awareness and focus to the Access to Information and Privacy Division’s informal plans and priorities. It would also help drive the strategic alignment of privacy with important departmental data management initiatives (see Recommendation 3).

3.2 Operational Planning

As of March 2020, the Access to Information and Privacy Division employed 58 full-time equivalents.  The vast majority of its staff however are dedicated to meeting the department’s numerous access to information demands. A few resources are dedicated to privacy compliance and governance, a staffing complement that, in comparison with other federal institutions of similar size, is incommensurate with the department’s privacy risks and responsibilities.  These responsibilities include responding to privacy incidents and breaches, and providing privacy advice and recommendations to hundreds of program officials in relation to new program activities.

According to management, a lack of staff has precluded it from engaging in more active compliance monitoring, quality control, follow-ups, and evaluations. Limitations in monitoring may also be depriving the division of some of the inputs it needs for strategic planning. It will be important for the division to identify adequate resources to deliver on its mandate.

Recommendation 3

The Director General and Corporate Secretary should develop a strategic plan to align privacy management with key departmental data and digital initiatives, to raise privacy awareness, and to identify adequate resources. 

Conclusion

The department has put some policies, procedures, processes and controls in place to support departmental compliance with the Privacy Act and the delivery of programs and services involving the handling of personal information. There are however opportunities to strengthen the privacy practices through the implementation of a privacy management framework, the adoption of an internal privacy impact assessment policy and the development of a strategic privacy plan which considers emerging risks, privacy awareness and resource capacity.

Appendix A: About the Audit

Objective

The objective of the audit was to provide assurance that the department has policies, procedures, processes, and controls in place to support compliance with the Privacy Act and the effective delivery of programs and services.

Scope

The audit assessed department-wide privacy policies, procedures, processes, and systems – in place between April 2018 and December 2020 – that support compliance with the Privacy Act and the effective delivery of programs and services.  Its focus was on the policy and governance activities of the Access to Information and Privacy Division as the department’s delegated authority for the management of privacy practices under the Privacy Act.

While the audit, as designed, considered the privacy practices of the Department as a whole, it did not include an in-depth assessment of the personal information handling practices of individual programs or corporate services at GAC.  Nor did it include an examination of security or safeguards surrounding the department’s personal information holdings.  An Audit of IT security and threat and vulnerability management was completed in June 2019, and audits of individual programs and corporate services have been incorporated into the department’s risk-based audit plans.

Criteria

The criteria were developed following the completion of the detailed risk assessment and considered the audit criteria related to the Management Accountability Framework developed by the Office of Comptroller General of the Treasury Board Secretariat. The audit criteria were discussed and agreed upon with the auditees as follows.

Audit Criteria are reasonable and attainable expectations against which compliance, the adequacy of controls and overall performance are assessed. These audit criteria are based on acts and regulations, policy, guidelines, generally recognized industry norms, results of previous audits or other criteria developed in consultation with Program management. The following criteria were assessed during this audit and form the basis for developing audit observations and recommendations.

| Audit Criteria | Met / Partially Met / Not Met |
| --- | --- |
| 1. The department has a governance regime in place to ensure the proper oversight, review, and management of activities involving the collection, use and disclosure of personal information. | Partially Met |
| 1.1 The Department has a privacy plan or strategy to address emerging privacy issues and obligations and special events. | Partially Met |
| 1.2 The Department has a privacy management framework in place to support the management and monitoring of privacy practices organization-wide. | Partially Met |
| 1.3 Human resources allocated to privacy policy, governance and the management of privacy practices are commensurate with departmental privacy risks. | Partially Met |
| 2. The department has risk management practices and internal controls in place to support compliance with the Privacy Act and its supporting policies and directives. | Partially Met |
| 2.1 The Department has a privacy impact assessment policy and process in place to identify, assess and mitigate the privacy risks associated with new or modified activities that involve the use of personal information. | Partially Met |
| 2.2 The Department has plans and procedures in place for the evaluation, investigation, and reporting of privacy breaches. | Met |
| 2.3 The Department has developed and implemented internal controls to help identify and report organizational practices that might contravene the Privacy Act and/or its supporting policies and directives. | Met |

Approach and Methodology

The audit was conducted in conformity with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective is achieved. 

Appendix B: Recommendations and Management Response and Action Plan

Audit Recommendation 1: The Director General and Corporate Secretary should finalize and implement a Privacy Management Framework to support the management and monitoring of departmental privacy practices.

Management Response and Management Action Plan: Management agrees with the recommendation. The Access to Information and Privacy Division (DCP) will take steps to complete the Draft GAC Privacy Management Framework. The draft Framework will be expanded to include specific factors that are uniquely applicable to GAC and shape the approach to privacy. Privacy Guiding Principles and Fair Information Practices will be added to the Framework. The Framework will be expanded to include a set of mechanisms to protect personal information at GAC. Once implemented, the Framework will help achieve compliance with various privacy laws, regulations, policies and directives in-scope for GAC, and it will reflect the value GAC places on the protection of personal information, thereby engendering trust.

Area Responsible: Corporate Secretary (DCD)

Expected Completion Date: December 2021, including senior management review and approval.

Audit Recommendation 2: The Director General and Corporate Secretary should develop and implement a departmental Privacy Impact Assessment policy to strengthen privacy risk management practices.

Management Response and Management Action Plan: Management agrees with the recommendation. DCP will develop a GAC Privacy Impact Assessment policy. This policy will be tailored to the specific and unique circumstances of GAC while using the Treasury Board Secretariat Directive on Privacy Impact Assessment and the Office of the Privacy Commissioner’s Expectations: the OPC’s Guide to the Privacy Impact Assessment Process as a guiding principle and foundation. DCP would also point out that PIAs are generally done by outside consultants and take considerable time and expense. Privacy Policy developed a Privacy Analysis tool based on using the Privacy Questionnaire that programs complete as an initial step in the privacy process. This approach enables stakeholders to dedicate their resources to the areas where the risks and potential harms for individuals are most significant and to mitigate these risks, creating better outcomes and more effective protection of personal information. We are able to provide structured and constructive advice on dozens of activities and initiatives using this tool. We have timely turnaround and minimal cost to the programs. The purpose of the Privacy Analysis tool will be documented and communicated to programs. A Privacy Risk Management Analysis will be undertaken. Risk factors will be identified that will include the amount of personal information involved; the sensitivity of the personal information; the size of the population and whether the population is considered vulnerable; the impact on individuals; and the length of the program. When the risk analysis has been undertaken, a Roadmap for High-risk Programs will be developed. This Roadmap will consider accountability; limiting collection of personal information; use and how information may be shared and with whom; and storage and retention.

That would cover use of third party providers hosting GAC collection of personal information. The Plan would also take into account the unique environment at GAC where much of its work is undertaken in missions outside of Canada with various international privacy considerations.

Area Responsible: Corporate Secretary (DCD)

Expected Completion Date: March 2022

Audit Recommendation 3: The Director General and Corporate Secretary should develop a strategic plan to align privacy management with key departmental data and digital initiatives, to raise privacy awareness, and to identify adequate resources.

Management Response and Management Action Plan: Management agrees with the recommendation. When Recommendations 1 and 2 are complete, a higher level Strategic Plan will be developed. This plan will identify linkages to key departmental initiatives and activities. In particular, attention will be focussed on data and digital initiatives. DCP will be meeting very soon with Cloud Operations group in order to make sure that privacy is embedded in the proposed future state of Cloud Operations within GAC. It will be necessary to continue to work closely with IM/IT. The current relationship with IM/IT has been strengthened and a privacy review is a necessary step in receiving a Software Assessment Management approval. It is crucial that this relationship continue and grow. Strategic planning will identify adequate resources to operationalize the main objectives. The division is already in the process of increasing its capacity by adding new resources through recruitment. Training is a key component to accomplishing Recommendations 2 and 3. A training program would be developed, in both official languages, explaining the privacy process at GAC. Training would include the important elements to consider when consulting DCP, including whether personal information is being collected, the sensitivity of the information, how it will be collected, used, shared, stored and disposed. DCP Management can use the training modules to integrate the privacy process into strategic and senior departmental initiatives and activities. The impact of training must be measured using attendance and other metrics. Metrics give management a powerful picture of what is occurring in the Department.

DCP will develop a privacy awareness program that would reinforce the privacy message through reminders; continued advertisement; and mechanisms such as quizzes, posters, flyers, and lobby video screens. Reinforcement of this message ensures greater privacy awareness, which can effectively reduce the risk of privacy breach or accidental disclosure. When implemented effectively, training and awareness programs can communicate beyond what is written in privacy policies and procedures to shape expected behaviors and best practices. Where possible, integration with other training and awareness programs would reinforce the messaging.

Area Responsible: Corporate Secretary (DCD)

Expected Completion Date: June 2022