Review and benchmarking of privacy management: chapter 4
3. Findings and Recommendations
Overall, the necessary policy framework and key management processes for personal information are in place. For instance, ECCC has a sound Privacy Policy Framework (PPF), which has been communicated across the Department. Since management performed its own assessment in 2013, a number of related controls and safeguards have been implemented or improved.
As well, the benchmarking exercise has established that ECCC is the only department that has fully implemented its PPF, which covers key TBS guidelines. ECCC has also established the required governance and communicated roles and responsibilities to employees through awareness and training.
However, the benchmarking has also demonstrated that a further analysis of personal information collected under procurement and staffing processes could be beneficial, since ECCC was identified as collecting the most information. Also, the review has identified two areas for improvement: guidance on the processes related to the collection of Social Insurance Numbers (SINs), and the monitoring of Privacy Impact Assessments (PIAs).
3.1 Privacy Policy Framework
The TB Policy on Privacy Protection requires heads of institutions to establish management practices to ensure that the Privacy Act is administered in a consistent manner. In order to meet this requirement, ECCC has developed and implemented a Privacy Policy Framework (PPF) which details processes, including roles and responsibilities for all those involved in managing personal information. The PPF was implemented in November 2012, with the last document to be implemented under the PPF being the Breach Protocol in September 2013.
The benchmarking exercise has highlighted that ECCC is one of six departments (out of seven) that have developed a PPF, supported by a set of internal directives and a protocol including:
- Internal Directive on PIA;
- Internal PIA Approval Process;
- Internal Directive Privacy Practices; and
- Privacy Breach Protocol.
The TB Policy on Privacy Protection also requires departments to comply with the specific terms and conditions related to the use of Social Insurance Numbers (SINs) and the specific restrictions with regard to their collection, use and disclosure. While ECCC has implemented a PPF that includes most of the requirements found in the Privacy Act and TB policies, the processes for the collection, use and disclosure of SINs are not defined.
One of the recommendations of the management assessment was to modify the process for collecting and transmitting personal information (such as SINs). In response to this recommendation, the HRB has changed its processes for collecting and transmitting sensitive information and is now requesting this type of information over the telephone, eliminating any potential paper trail. However, this new process is not reflected in the PPF; therefore, employees who are not aware of it may be collecting personal information in an inappropriate manner. This may also increase the risk of intentional or even accidental release of SINs.
Recommendation 1
The Director General of Corporate Secretariat should consider reviewing ECCC’s Privacy Policy Framework to better define the requirements for the collection, use and disclosure of the Social Insurance Number.
Management Response
Agree. The DG of the Corporate Secretariat will review and update ECCC’s Privacy Policy Framework. This review will focus on enhancing departmental guidance on the requirements for the collection, use and disclosure of Social Insurance Numbers (SIN).
3.2 Governance, Roles and Responsibilities
According to the Privacy Act, heads of institutions may choose to delegate any of their powers, duties or functions. Furthermore, if a decision is made to delegate, a delegation order must be signed and the delegated officers or employees must be at an appropriate level to fulfil the duty.
As identified in the benchmarking, all seven departments have a formal delegation order in place. At ECCC, the order was approved in September 2013 and delegates full authority to the Deputy Minister, Associate Deputy Minister, Director General of the Corporate Secretariat, Director of ATIP and Manager of ATIP for all assignable privacy responsibilities. A clear organizational structure also exists for the ATIP group, and a separate team is now dedicated to privacy incidents.
In addition, TBS has assigned a series of responsibilities to executives and senior managers who manage programs or activities involving the creation and handling of personal information. These responsibilities are set out in both the TB Policy on Privacy Protection and the Directive on Privacy Practices.
While ECCC has not established a specific privacy oversight body, as recommended under the related MAF guidance and criteria, overall ECCC has established key elements of governance which define roles and responsibilities as well as more detailed directives and processes. These are documented in ECCC’s Privacy Policy Framework and communicated through different methods, such as training and awareness sessions, the ATIP intranet site, the ECOLLAB and News@ECCC.
3.3 Disclosure and Collection of Personal Information
Pursuant to section 4 of the Privacy Act, personal information can only be collected if it relates directly to an operating program or activity. In addition, when information is collected under subsection 5(2) of the Act, the individual must also be informed of the purpose for which the information is being collected. The TB Policy on Privacy Protection further states that departments should ensure that appropriate privacy protection clauses are included in contracts or agreements that may involve intergovernmental or trans-border flows of personal information.
The review has confirmed that personal information for staffing and procurement activities is being collected only for operational program purposes. As well, ECCC has adopted a disclaimer for both staffing and procurement that also serves to inform managers of their obligations to safeguard the information.
As a result of the management assessment, the following additional controls have been implemented for the collection and transmission of personal information for staffing and procurement:
- Rather than collecting copies of personal identification, ECCC requires hiring managers to sign a letter attesting to the fact that they have viewed the identification (mostly done for Fast Track Staffing [FTS]);
- FTS and procurement employees use the secure printing when dealing with personal information;
- SINs are provided over the telephone by employees (only during the FTS process);
- Unnecessary personal information has been removed from FTS and procurement communications; and,
- Access to personal information for both FTS and procurement employees has been restricted to those with a demonstrable business need.
The benchmarking results highlighted that most departments inform individuals that their personal information will be protected through a privacy protection clause included in the forms/contracts used. ECCC, by contrast, normally informs individuals either by phone or by email for both staffing and procurement activities; this practice nevertheless conforms to the policy requirements and the Privacy Act.
3.4 Privacy Impact Assessments
The TBS Directive on Privacy Impact Assessments (PIA) requires that heads of institutions establish a PIA and approval process that:
- is commensurate with the level of risk related to the privacy invasiveness of the institution’s programs or activities; and,
- ensures the PIA is completed by the senior official or executive responsible in the institution for new or substantially modified programs or activities.
PIAs assist program managers with their responsibilities for the proper management of personal information. PIAs are essentially a risk management tool which focuses on assessing compliance with the requirements of the Privacy Act. PIAs also help decision makers avoid privacy risks and provide the information necessary to make informed decisions. By ensuring that PIAs are conducted, ECCC can help anticipate the public’s reaction to privacy implications and therefore prevent costly program, service or process redesign.
In 2012, ECCC developed its Internal Directive on PIA as well as the Internal PIA Approval Process. These documents have been communicated to employees through ECOLLAB and ECCC’s internal website. The directive requires that a process be in place where PIAs are:
- initiated or updated by branch heads;
- approved by both the ATIP Coordinator and the branch heads; and
- tracked by the ATIP Manager.
The directive also requires the following information to be tracked on an ongoing basis:
- number of PIAs initiated;
- number of PIAs modified;
- number of PIAs submitted for approval to TBS;
- number of PIAs submitted for approval to the Office of the Privacy Commissioner;
- number of PIAs approved by TBS; and
- number of PIAs approved by the Office of the Privacy Commissioner.
Although processes and practices are documented and have been communicated to employees, the AEB was unable to determine whether the above information is being monitored. As a result, it is difficult to determine if all the necessary PIAs are being duly initiated and completed.
Recommendation 2
The Director General of Corporate Secretariat should improve its approach to the monitoring of Privacy Impact Assessments which are conducted and required.
Management Response
Agree. The DG of the Corporate Secretariat will develop an enhanced monitoring system for Privacy Impact Assessments conducted and required within the Department.
3.5 Awareness and Training
According to Treasury Board policies and directives, all employees who handle personal information or are involved in the design and implementation of systems that handle personal information must be made fully aware of their obligations.
The benchmarking highlighted that all seven departments hold training and awareness sessions. Some departments make it mandatory for all new employees and provide the training as part of their orientation. The following are some of the best practices from other departments regarding training of employees:
- Part of the intensive program for new inspectors (Prep-School).
- By request and tailor-made (divisional).
- Awareness sessions at management/governance tables.
- In conjunction with IM awareness training.
- Monthly meetings with ATIP Liaison officers to answer any questions.
- Tutorial provided with the statement, and posting on the internal web page.
Four departments, including ECCC, send reminders to employees regarding privacy breaches. At ECCC, all new employees must take the mandatory online Security Awareness Briefing, which explains employee responsibilities, including access controls and handling of information. Over 90% of ECCC employees have completed this mandatory training.
In addition, focused training sessions were held with Human Resources, Finance (including Procurement) and IM&IT Security employees. Additional targeted privacy training is also being delivered to various departmental employees based on their involvement with personal information. Security and privacy awareness is also being raised through various communication articles.
3.6 Information Holdings
As per the TBS Directive on Privacy Practices, departments should limit access to and the use of personal information by administrative, technical and physical means to protect the information and individuals’ privacy. TB and ECCC policies also require departments to produce annually details of the organization, programs, functions and information holdings of the Department.
The benchmarking highlighted that ECCC is following many best practices, such as disk encryption on laptops and USB/portable drives to mitigate the risk of compromising personal information. This is in response to recommendations emanating from the management assessment mentioned previously. To date, more than 3,900 laptops have been configured with full disk encryption, and more are planned.
As required, all departments including ECCC identify and describe personal information in personal information banks (PIBs) on an annual basis.