Audit of Program-Led Privacy Action Plans

Audit Objective

The objective of this engagement was to provide assurance that the program-led privacy action plans are progressing or have been implemented as reported in the latest available updates.

Summary of Key Findings

• All items approved in the initial plan had an associated status update.
• The action plans are not managed as integrated projects but as a group of branch specific tasks. Accountability for cross-branch action items is often unclear and creates a risk of gaps or duplication of effort.
• The risk environment has changed significantly since the initial plans were approved but the action plans have not been reassessed and updated to take this into account.
• Status reports are based on self-assessments and many items are over-reported, particularly draft documents pending approval.
• Status reports do not provide the correct level of detail to either senior management or line managers to monitor the implementation of the action plans.

Audit Conclusion

The audit team concludes that work is progressing on the implementation of the program specific privacy action plans but not always as reported in the status updates. Progress with respect to horizontal action items is dependent on the strength of the ad hoc networks in place. Department-wide and horizontal action items would benefit from a more formal approach to managing the associated tasks.

Recommendations

• Assistant Deputy Ministers (ADMs) of all stakeholder branches should reconfirm the risks associated with the stewardship of protected information within the Department and use the resulting assessment to coordinate updates to each of the program specific privacy action plans.
• ADMs of all stakeholder branches should coordinate the development of work plans that will assign tasks under each action item in the updated plans. Each task should be assigned to a single owner with clear expectations about deliverables, timelines and accountability. Where inter-branch coordination is required, formal mechanisms for resolving issues should be considered.
• The co-chairs of the Privacy and Information Security Committee (PISC) should develop a standard reporting template for use by managers accountable for action items that will facilitate the compilation of a meaningful update report to senior management.
• The co-chairs of PISC should ensure that detailed work plans are in place that will support reporting and accountability requirements and provide sufficient detail to accountable managers to enable monitoring of progress against the action plans.

1.1 Context

Privacy protection is critical to maintaining Canadians’ trust—an essential precursor to their willingness to share information with others. Businesses, governments and the non-profit sector all collect and store personal information to facilitate the programs and services they provide to Canadians. The Government of Canada’s commitment to privacy protection is reinforced in legislation through the Privacy Act and the Department’s enabling legislation.

ESDC is the custodian of detailed personal records and, as such, has numerous controls in place to protect the personal information data holdings that the Department manages. The Department’s IBP for 2012–15 identified privacy as one of five risk themes. The Plan stated that: ‘the implementation of program-led privacy action plans, modernization of privacy policies and processes and the identification and assessment of privacy risks associated with program and policy priorities, remain a priority.

As part of the departmental privacy renewal strategy a decision was made in July 2012 to develop and implement program-led privacy action plans for the eight major departmental programs. As a result, multiple branches are involved in each of the eight program-led privacy action plans; therefore, horizontal coordination among branches is critical to successful implementation.

Implementation of the identified tasks in each program-led privacy action plan is the responsibility of each branch and unit that has been assigned that task. Each program provides updates to PISC on the progress. PISC co-chairs provide progress updates to the Corporate Management Committee (CMC).

Along with the horizontal risks that affect all employees and programs, there are specific legislative and process risks that affect only certain programs. Each of the Department’s major business lines has specific risks and requirements with respect to the protection of personal information.

Program-led privacy action plans were developed and approved in 2012 to address specific risks for the following programs:

• Employment Insurance (EI) Part I,
• EI Part II – Labour Market Development Agreements (LMDAs),
• Canada Pension Plan (CPP),
• Canada Pension Plan Disability (CPPD),
• Old Age Security (OAS),
• Social Insurance Number/Social Insurance Registry (SIN/SIR),
• Canada Student Loans Program (CSLP), and
• Canada Education Savings Program (CESP).

1.2 Audit Objective

The objective of this engagement was to provide assurance that the program-led privacy action plans are progressing or have been implemented as reported in the latest available updates.

1.3 Scope

The scope of this engagement was limited to the management and execution of the program-led privacy action plans developed for EI Part I, EI Part II - LMDAs, CPP, CPPD, OAS, SIN/SIR, CSLP and CESP. Additionally, Internal Audit examined the oversight of the plans and the assignment of tasks within those plans. The audit team did not review horizontal Department-wide initiatives led by enabling services except to confirm the existence and coordination of those initiatives which are listed as a dependency in the program-led privacy action plans.

1.4 Methodology

This audit used a number of methodologies including: interviews with selected managers and staff, document review and analysis.

Representatives from Citizen Service Branch, Corporate Secretariat, Income Security and Social Development Branch, Innovation, Information, and Technology Branch, Integrity Services Branch, Learning Branch, Processing and Payment Services Branch, Skills and Employment Branch and Ontario Region were interviewed in order to have a comprehensive view of the operational environment. Interviews took place between November 2013 and February 2014.

2.1 Accountability for action items needs to be clarified

Effective management requires that clear tasks are assigned to a single owner who has the resources and authority to carry out the task. In the update reports presented to CMC, most action items had multiple stakeholders listed and many had two or more branches listed as leads.

The update reports presented were a high-level summary. The audit team expected that detailed plans would underpin the high-level summary and would show work breakdown structures, timelines, and responsible managers. The team was informed by all coordinators that the update report was the entire plan and that detailed work plans were not prepared.

The audit team also reviewed existing documentation which supported the November update report. This documentation was provided on a branch and item by item basis. The audit team observed that where planned actions were under the control of a single branch, the branch coordinator was able to confirm that the associated tasks were assigned to a single owner. However, where planned actions required coordinated efforts among branches the associated actions were not clearly assigned to a single owner. The exception to this are items relating to Privacy Impact Assessments (PIA) and Information Sharing Agreements (ISA). Both the PIA and ISA renewal strategies have steering committees which coordinate and clarify tasks to be completed at the branch level.

The authority structures within the Department follow branch boundaries. All program-led privacy action plans included tasks that cut across those boundaries but there were no mechanisms in place to clarify assignment of tasks and to address any challenges arising from competing priorities. PISC is a subcommittee of CMC that serves as a forum for the discussion of issues relating to privacy. The terms of reference for PISC do not empower it to make decisions about the implementation of the program-led privacy action plans or the assignment of tasks within those plans.

The audit team was informed of numerous ad hoc networks that meet to discuss various aspects of the action plans. It was evident from the documents provided that the various action plans are progressing but it was difficult to assess if tasks are on target. The lack of clarity surrounding the assignment of tasks among stakeholders within the larger action items means that it was difficult to determine who was accountable for what, unless the item was entirely under the control of a single branch.

The audit team concludes that more clarity is needed with respect to the delineation and assignment of tasks within the action plans, particularly where there are multiple stakeholders or co-leads. Formal project management may be needed in some cases but most tasks are currently managed as part of the day to day responsibilities of established business units. Establishing clearer expectations including work breakdown structures with milestones, deadlines and a clear owner of each task should lead to faster implementation and identification of issues and challenges. The current environment of shared responsibility for action items creates a risk of gaps or duplication of effort in the absence of clear expectations and accountabilities.

2.2 Privacy plans need to be updated

The initial risk assessments were compiled in the fall of 2011 leading to the creation of the eight program-led privacy action plans in May 2012. The audit team was informed that the risk assessment sessions were done quickly and that many of the participants felt that the process was rushed.

Interviews also revealed that participation of key branches was limited by the available personnel. Some key participants were unavailable to provide input during the in-person sessions which created potential knowledge and expertise gaps.

The resulting plans were compiled from known action items already underway at the time of the risk sessions. There was insufficient documentation available for the audit team to assess whether the 2011 sessions were comprehensive enough to discover all of the risks related to privacy. However, the risk assessments confirmed that the actions under way would address known risks, and the relative priority of certain items changed as a result of the analysis.

There have been changes in the risk environment since those initial risk sessions and more changes are underway. Various information technology upgrades and transformation initiatives have changed the tools in use by employees. Responses to various security incidents have raised the profile of information management and protection of personal information. The creation of Shared Services Canada has changed the environment for information technology infrastructure. The departure of employees through workforce adjustment has also affected the risk environment in the Department.

The initial risk assessments were a good building block to address privacy risks in the Department. However, the risk assessments were based on conditions that existed more than two years ago. Some of those risks are undoubtedly unchanged, but the strategies to mitigate those risks will be affected by the current operating environment of the Department.

2.3 Progress reporting needs to provide better information to managers

The eight action plans were approved by CMC in July 2012. At the time, semi-annual update reports scheduled for November and May were requested by CMC to be presented at PISC. The audit team examined the November 2013 updates to confirm the accuracy of the status of items reported in the updates.

The audit team confirmed that all items in the approved 2012 plans remain as reportable items in the November 2013 updates. Some of the items have been expanded to describe work accomplished in greater detail. The assessment of the accuracy of the update is addressed below.

For the November 2013 update, there were two reporting templates and rating guides in use. The rating scales are not fully comparable as one scale does not report delays and the other has only one category of ‘in process’. The rating guides and reporting were discussed at PISC but there was no direction given regarding which guide should be used.