Internal Audit of the Management of Personal Information

Internal Audit & Accountability Branch
1 June 2017

I. Background

Introduction

  1. Immigration, Refugees and Citizenship Canada (IRCC) delivers programs in Canada and at Canadian missions overseas to Canadians and persons that apply to visit or immigrate to Canada. The core programs include: Permanent Resident (i.e. economic and family class); Temporary Resident (temporary resident visas, study permits, work permits), Citizenship, Refugee, Passport, and a number of sub-programs under each. In terms of volumes, in 2015, 271,845 permanent residents were admitted to Canada; approximately 1.5 million applications were processed for persons seeking temporary resident visas to come to Canada; and in fiscal-year 2015-16, 4.8 million passports were issued; and 252,602 citizenship grant and 61,254 confirmations of proof of citizenship decisions were rendered.
  2. To deliver these programs, the Department collects personal information and supporting documentation to process applications. The lifecycle of personal information collected, regardless of the program, is illustrated in Figure 1.

Figure1 – Management lifecycle of personal information at IRCC:

Management lifecycle of personal information at IRCC Described below
Figure 1 – Cycle de vie de la gestion des renseignements personnels à IRCC
1. Objet

IRCC fournit de l’information au grand public sur les divers programmes

  • Définition des renseignements personnels aux fins de l’administration des programmes.
  • Autorisation de recueillir des renseignements personnels.
  • Détermination de la raison pour laquelle des renseignements sont requis.
2. Collecte

Les clients présentent des demandes aux programmes et soumettent des documents à l’appui

  • Obtenir le consentement du demandeur pour recueillir et utiliser les renseignements.
  • Limiter la collecte à ce qui est requis pour rendre une décision.
3. Utilisation et communication

Les renseignements sont traités et communiqués selon les besoins

  • L’utilisation et l’échange des renseignements recueillis sont effectués en fonction des principaux objectifs pour lesquels ils ont été requis.
4. Conservation et élimination

Les renseignements sont stockés ou détruits conformément à des critères établis

  • La conservation et l’élimination des renseignements personnels sont conformes aux calendriers de conservation et d’élimination approuvés.
5. Exactitude

IRCC recueille les renseignements personnels nécessaires directement auprès des clients, et les valide s’ils sont recueillis de manière indirecte

  • Veiller à ce que les renseignements personnels sont exacts, à jour et complets.
6. Mesures de protection

IRCC protège les renseignements et accorde l’accès à ces derniers selon le principe du « besoin de savoir »

  • Des contrôles appropriés sont conçus et mis en œuvre pour protéger les renseignements sur papier et en format électronique contre toute utilisation non autorisée.
  1. Personal information is defined as information about an identifiable individual that is recorded in any format and could include an individual’s name, place and date of birth, marital and family status, contact details, relevant biographical, medical or financial information, and any other identifying number assigned to the individual. The Privacy Act requires appropriate management safeguards for the protection of personal information that is collected by the federal government. As such, the proper management and use of personal information is important because any document provided by a client or obtained as part of the decision-making process may contribute to the final decision. Therefore, IRCC must protect the privacy of individuals with respect to their personal information under the Department’s control.

II. Audit objective, scope and methodology

Audit objective and scope

  1. The audit objective was to determine whether IRCC is meeting its responsibilities to manage personal information in the administration of the Permanent Resident, Temporary Resident and Citizenship Grants programs as required by the Privacy Act and relevant regulations, policies, and directives.
  2. The scope covered the period from January 1, 2015 to June 30, 2016. This time period was expanded until February 2017 in some cases to account for more current information. The audit focused on assessing the extent to which IRCC is integrating the applicable portions of sections 4 to 8 of the Privacy Act and its supporting policies and directives into the management of selected programs delivered under the Permanent Resident program (Economic and Family Class), Temporary Resident program (study permits and work permits), and Citizenship grants program.
  3. Personal information collected to administer the Passport Program, the management of IRCC employee personal information, the management of documents stored at Canadian Visa Offices overseas, and Information Technology security components were excluded from the audit scope.

Methodology

  1. The following audit procedures were performed:
    • Interviews with a number of IRCC officials at National Headquarters and at IRCC offices across Canada.
    • Site visits were conducted to Centralized Network offices in Sydney, Nova Scotia; Vegreville, Alberta; Mississauga, Ontario; Ottawa, Ontario; and Montreal, Quebec.
    • Site visits were conducted to Domestic Network offices in Halifax, Nova Scotia; Montreal, Quebec; Edmonton, Alberta; and Etobicoke, Ontario.
    • An examination of 498 application files from three IRCC programs to assess compliance.
    • A review of a sample of information sharing agreements in place between IRCC and partner organizations to assess compliance; and
    • A documentation review of the IRCC Privacy Framework, Personal Information Banks, Retention and Disposal Schedules, as well as various reports and plans that were applicable during the audit scope period.

Statement of Conformance

  1. The audit is in conformance with the Internal Auditing Standards for the Government of Canada as supported by the results of the quality assurance and improvement program.

III. Audit findings and recommendations

Purpose, collection, use and disclosure of personal information

  1. Criteria: It was expected that personal information had been collected, used and disclosed in accordance with the identified purpose.
  2. Conclusion: Overall, IRCC communicated the purposes for which personal information was collected, and managed the use and disclosure of information in accordance with expectations. Areas for improvement were noted related to providing consistent information regarding privacy statements and notifying the general public and program applicants of their right to file a complaint with the Privacy Commissioner with respect to the handling of their personal information.

Identification of the purpose of collecting information

  1. The Department has various means to inform the general public and applicants why it is collecting personal information and how this information will be used. The Treasury Board Directive on Privacy Impact Statements requires federal institutions to perform a Privacy Impact Assessment (PIA) when implementing a new program or substantially modifying an existing program that manages personal information. The PIA is a risk assessment tool used to evaluate potential privacy impacts. The summaries of all completed PIAs are posted on the departmental website.
  2. In addition, the information gathered from PIA contributes to the development of a program Personal Information Bank (PIB) or the revision of an existing one. A PIB is a collection of personal information organized or retrievable by the name of an individual or by an identifying number or symbol assigned to the individual. The PIB must be shared with the Privacy Commissioner of Canada and approved by Treasury Board Secretariat before being posted on the Info Source section of the departmental website. Info Source documentation must be developed and posted on-line by government institutions subject to the Access to Information Act and Privacy Act to provide information about the functions, programs, activities and related information holdings maintained by the department. PIBs describe the purposes for which the information will be collected, how the information will be used, and the retention and disposition standards.
  3. Lastly, the application forms and kits available to IRCC program applicants contain privacy notice statements related to the collection of personal information.
  4. The audit identified inconsistencies between privacy notice statements on application forms and information provided in PIBs. In some cases, application form privacy notice statements referred to information generally provided on the Info Source section of the departmental website; while in other cases, the privacy notice statement referred to PIBs that were no longer available on the departmental website.
  5. There were also inconsistencies in the headings and descriptions used for the privacy notice statements. Different headings included Protected Personal Information, Protected Information, Personal Information Bank, or Disclosure. One application form had no heading but did provide information related to why information was being collected, with a reference to the PIB.
  6. The Treasury Board Directive on Privacy Practices identifies the five main components of information that should be provided to individuals whose personal information is collected directly. These include:
    • the purpose and authority for the collection;
    • the uses and disclosures consistent with the original purpose;
    • legal or administrative consequences for refusing to provide the personal information;
    • the right of access to, correction and protection of personal information under the Act; and
    • the right to file a complaint to the Privacy Commissioner of Canada regarding the handling of the individual’s personal information
  7. None of the application forms reviewed included all five elements required under the Directive. By having incomplete and inconsistent information on application forms, the general public and IRCC program applicants may lack knowledge of their rights related to the Privacy Act. IRCC officials are currently developing departmental Privacy Notice Guidelines to address the components specified in the Directive.
  8. Recommendation 1. Immigration, Refugees and Citizenship Canada should:
    1. Finalize and communicate the departmental Privacy Notice Guidelines document; and
    2. Review all privacy notice statements to ensure that they contain all required elements of the Privacy Notice Guidelines, and are consistent with active Personal Information Banks.

The collection of personal information

  1. The Department manages personal information collected directly from applicants on application forms. These forms generally provide information to applicants regarding why their personal information is needed to make a decision, and how it would be treated.
  2. In the application files reviewed, for cases where personal information was collected indirectly from other sources, it was done in accordance with the Privacy Act and in compliance with approved PIBs to deliver a specific program. These included: the collection of tax filing information from the Canada Revenue Agency with the individual’s consent to support IRCC decision making; the collection of port of entry information from the Canada Border Services Agency (CBSA) to process citizenship applications; and, the collection of information from educational institutions to determine compliance with study permit requirements.
  3. Several application forms indicate that in addition to the required information, applicants could also provide additional documentation that they believe could better inform the application decision. A common example of an applicant providing additional information is for spousal sponsorship applications whereby principal applicants often provide photographs and joint bank account statements to show documented proof of a relationship. This additional information is not formally captured in the approved PIBs or the Retention and Disposition Schedules. These Schedules identify how long information should be kept before it is destroyed or archived.
  4. In the application files reviewed, one-third (33 percent) of the citizenship files included additional information that had been provided by an applicant. IRCC officials confirmed that they accept and retain additional documentation provided by applicants because the information may be required at a later date in the process.
  5. However, there is no formal guidance on how program officers should handle the additional documentation provided by applicants. As such, officers use their discretion and, in the majority of cases, officers decide to keep the information on file as additional support for their decision rather than destroy it. As a result, IRCC maintains information that has no retention and disposition schedule and that should not be maintained in accordance with the program’s PIB.

Use and disclosure of personal information

  1. The Department used the personal information that was provided by applicants in a manner consistent with the purposes for which it was collected. Furthermore, the information collected was disclosed in accordance with what was communicated publicly. The Department obtained the consent of applicants via a signature at the time the personal information was collected for program decision-making purposes.
  2. A review of 498 application files from selected programs found no evidence that, in the course of processing and reviewing applications, personal information had been used for purposes other than the ones for which it was collected. Furthermore, the Department was operating in accordance with the principles of how information should be disclosed as per the Privacy Act and related directives. The Department informed applicants through PIBs and privacy notice statements on application forms that the information collected may be shared with other government institutions and/or with other third party institutions.
  3. IRCC shares information with federal partners such as the Royal Canadian Mounted Police, the CBSA, and Canadian Security Intelligence Service, for the purpose of enforcing provisions of the Immigration and Refugee Protection Act (IRPA) and to mitigate potential program security risks. Information sharing reinforces IRCC program integrity in the decision-making process.
  4. Information shared between IRCC and its federal program partners is governed by formal information sharing arrangements that authorize information sharing activities, and outline the terms and conditions under which personal information can be disclosed. A sample of information sharing arrangements with federal partners was examined. All incorporated privacy clauses as required by the Treasury Board of Canada Secretariat’s Guidance on Preparing Information Sharing Agreements Involving Personal Information.

Retention and disposition of personal information

  1. Criteria: It was expected that appropriate retention standards and disposition methods were in place and operating as intended.
  2. Conclusion: Overall, IRCC established Retention and Disposition Schedules and Personal Information Banks to manage application files. Areas for improvement were identified related to the alignment of PIBs to the operational realities of the Department; and the finalization and implementation of a retention and disposition strategy for documents stored electronically.
  3. According to IRCC guidance, Reading a Retention & Disposition Schedule, “… retention and disposition are the basis of sound information management. These two terms are complementary – we dispose of information we do not need to make room for what we do need to conduct our programs.”
  4. The Department has created 18 Retention and Disposition Schedules to support the management of personal information in delivering programs. These schedules identify key program functions, activities, the types of information that can be collected, and the duration that each type of information should be retained by the Government of Canada. These schedules also outline the time period after which information collected or produced by the department may either be transferred to the Library and Archives of Canada or destroyed.

Paper file management

  1. According to the Citizenship Retention and Disposition Schedule, records relating to an individual’s application for citizenship (including personal information collected) are to be retained for a minimum period of 150 years. The retention period commences on the date after the application is completed. At the end of the retention period, the applicant’s file is to be transferred to the care and control of the Library and Archives of Canada.
  2. The Citizenship PIB indicates that citizenship applications are to be microfilmed during the first 90 days following collection and the paper copies are to be securely destroyed. At the Case Processing Centre in Sydney, Nova Scotia, there is a backlog of approximately 500,000 completed paper application files to be microfilmed. This situation was caused by different factors including a lack of resources to conduct this work. Consequently, the Citizenship PIB does not align with the operational realities of the Department and communicates unrealistic expectations to the public.
  3. Recommendation 2. Immigration, Refugees and Citizenship Canada should review and update all Personal Information Banks to ensure that they set out realistic timelines aligned to the operational realities of the Department. The updated Personal Information Banks should be communicated and monitored to ensure implementation.

Electronic file management

  1. Information collected related to the three programs is entered into GCMS and stored electronically in GCDOCS, which is the information management system used at IRCC. Since GCMS was, until recently, considered to be a system under development, information entered into the system was not to be removed. As of April 1, 2016, there were over 35 million electronic documents stored in GCDOCS from GCMS and the number was estimated to be growing at a rate of approximately one million per month.
  2. Now that GCMS is no longer a system under development, Departmental officials are currently developing system functionality to support retention and disposition requirements for information entered in GCMS and stored electronically in GCDOCS.
  3. Recommendation 3. Immigration, Refugees and Citizenship Canada should finalize and implement a retention and disposition strategy for information entered into GCMS and stored electronically in GCDOCS.

Safeguarding personal information

  1. Criteria: It was expected that IRCC implemented controls to safeguard personal information in paper and electronic formats against unauthorized use.
  2. Conclusion: Overall, IRCC established and implemented controls to restrict access to its facilities where personal information is stored. Controls have also been established and implemented to manage employee access to GCMS. Opportunities for improvement related to the management of employee access to applicant personal information, physical storage, and access to information in GCMS.

Paper files

  1. Security protocols over personal information varied across the 10 offices visited as part of the audit. Examples of controls working as intended included:
    • Physical measures implemented to safeguard access to facilities, including the use of employee identification cards;
    • Security clearances required for all employees and contractors that access the facilities;
    • Authorisation from a supervisor required for employees to perform work outside of normal working hours;
    • Video surveillance and physical alarm systems in place; and
    • Designated zones in each office to properly secure sensitive information.
  2. Notwithstanding the controls in place, there is a risk related to accessing information held within the offices. Completed application forms were filed in open shelves awaiting the appropriate retention and disposition actions. As well, active files that were in varying stages of processing were left out on desks and were visible to others who had access to that area. The lack of designated controlled working storage spaces is a common issue across the offices visited.

Electronic files

  1. The audit also examined controls to limit access to applicant personal information in GCMS based on their specific operational requirements. Overall, IRCC has controls in place to provide employee access to GCMS. An employee’s manager or supervisor is responsible for identifying the need and access level for the employee to work in the system and requesting employee access. The request is submitted to the Access Control Unit at IRCC National Headquarters. This process is operating as intended. However, once an employee is granted access to work in GCMS, they have the ability to view data and information from multiple program applicants in the system.
  2. There was also no ongoing monitoring of employee access to applicant personal information in GCMS to assess inappropriate user account activities or access to information. The extent of the risk is unknown. However, the audit team was informed during site visits that there have been instances of inappropriate access of information in GCMS which were dealt with by IRCC management.
  3. Recommendation 4. Immigration, Refugees and Citizenship Canada should assess the risk exposure related to the storage of active and completed paper application files at offices across Canada and electronic information stored from GCMS and develop and implement mitigation strategies to address the inherent risks identified.

IV. Conclusion

  1. For the three programs examined – Permanent Resident Program (Economic and Family Class), Temporary Resident Program (study permits and work permits), and Citizenship Grants program – IRCC is generally meeting its responsibilities to manage personal information in accordance with the Privacy Act and related instruments. The Department informs the general public and program applicants why it is collecting information, how it will be collected and used, and how it will be safeguarded, retained and disposed of.
  2. A number of opportunities for improvement were identified to strengthen the controls in place over the management of personal information throughout its lifecycle. These included ensuring consistency in privacy notice statements on application forms and in PIBs, alignment of PIBs to the operational realities of the Department; finalization and implementation of a retention and disposition strategy for documents stored electronically, and assessing the risks related to the current practices in place to safeguard information located at IRCC facilities or stored in GCDOCS from GCMS.

Appendix A – Management response to recommendations

Recommendation 1

Immigration, Refugees and Citizenship Canada should:

  • Finalize and communicate the departmental Privacy Notice Guidelines document; and
  • Review all privacy notice statements to ensure that they contain all required elements of the Privacy Notice Guidelines, and are consistent with active Personal Information Banks.

Management response

Management agrees with the recommendation.

  • The ATIP Division undertook to develop departmental Privacy Notice Guidelines. The Guidelines have been reviewed, translated and approved by the DG of Corporate Affairs Branch and Chief Privacy Officer. The introduction of the Guidelines will be announced in Today @IRCC. The Guidelines will be posted on ATIP’s internal webpage. Part (a) of recommendation will completed by June 1, 2018.
  • Management agrees to review all privacy notice statements to ensure they contain all required elements of the Privacy Notice Guidelines and are consistent with active Personal Information Banks. Corporate Services (ATIP) will coordinate the review. ATIP to engage KITS to determine the number of existing departmental forms that collect personal information; and to identify the responsible Branch for each form. Branch heads (Director General’s) will be responsible for ensuring all forms within their branch contain appropriate privacy notices. Branches are required to provide ATIP with status updates on a quarterly basis. Part (b) of recommendation to be completed by June 1, 2018.

Recommendation 2

Immigration, Refugees and Citizenship Canada should review and update all Personal Information Banks to ensure that they set out realistic timelines aligned to the operational realities of the Department. The updated Personal Information Banks should be communicated and monitored to ensure implementation.

Management response

Management agrees with the recommendation. The ATIP Division will ensure a review and update of all IRCC’s Personal Information Banks (PIBs) is conducted. A consultant will be contracted to review departmental PIBs to ensure they are consistent and contain all required elements in accordance to Treasury Board guidance.

The retention and disposal standards currently identified in IRCC PIBs were provided by program officials responsible for the PIB. To respond to the recommendation and ensure PIBs contain realistic timelines that align with operational realities of the Department, Branch heads (DG’s) will engage Information Management (IM) to determine their program’s retention and disposition schedules. IM is required to provide a quarterly status update to ATIP of these schedules, which will subsequently be included in the department’s PIBs. ATIP will obtain approval of revised PIBs from Branch heads. A yearly review of PIBs will be conducted as per Treasury Board guidance. The review and update of PIBs to be completed by June 1, 2018.

Recommendation 3

Immigration, Refugees and Citizenship Canada should finalize and implement a retention and disposition strategy for information entered into GCMS and stored electronically in GCDOCS.

Management response

Management agrees with the recommendation.

IRCC acknowledges the importance of appropriate retention schedules. IRCC is continually reviewing retention and disposition schedules with program owners, to ensure that information is appropriately managed by the Department.

Recommendation 4

Immigration, Refugees and Citizenship Canada should assess the risk exposure related to the storage of active and completed paper application files at offices across Canada and electronic information stored from GCMS and develop and implement mitigation strategies to address the inherent risks identified.

Management response

Management agrees with the recommendation.

The Chief Privacy Officer, in collaboration with senior officials from the Operations Sector; Administration, Security and Accommodations Branch; and the Solutions and Information Management Branch, will conduct a risk assessment of the storage of paper and electronic files to determine the risk exposure related to the protection of personal information. Mitigation strategies will be developed and implemented to address key risks.

Page details

Date modified: