Information Exchanged under the memorandum of understanding with workplace health, safety and compensation commission of New Brunswick

Final Report

Corporate Audit and Evaluation Branch
June 2011


Executive Summary

Background: The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOUs) and other agreements with federal, provincial and territorial departments and agencies to improve the efficiency and effectiveness of program delivery. Where the CRA exchanges information with these entities, the legal and policy requirements related to the use and security of information are included in the MOU.

This audit dealt with information received by the CRA under the MOU with the Workplace Health, Safety and Compensation Commission of New Brunswick (WorkSafeNB [Footnote 1]), which was signed, and became effective, on December 20, 2007. Through the sharing of information, both parties are able to compare business registrations and identify employers who are not compliant with WorkSafeNB or CRA legislation.

Objective: The objective of this audit was to provide assurance that the use, communication and security of information received by the CRA is in accordance with the terms and conditions set out in the MOU.

This audit dealt with WorkSafeNB information received by the CRA and covered a period from October 2008 to September 2010.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: Overall, the CRA is in compliance with the terms and conditions governing the use, communication and security of information as provided in the MOU. Although the overall risk of non-compliance with the MOU is low, opportunities exist to improve controls over the access to and disposal of information in terms of restricting access on a need-to-know basis; retaining and disposing of shared data within the limits set by the MOU; using approved software to erase data stored on servers; and maintaining proper records of destruction.

Action Plan: The Partnership Opportunities Section of Taxpayer Services and Debt Management Branch and the Payroll Deductions, Accounting and Collections System team of the Information Technology Branch both agree with the recommendations and have committed in their action plans to improve controls over access to and disposal of information.

Introduction

The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOUs) and other agreements with federal, provincial and territorial departments and agencies to improve the efficiency and effectiveness of program delivery. The MOU with the Workplace Health, Safety and Compensation Commission of New Brunswick (WorkSafeNB [Footnote 2]) was signed, and became effective, on December 20, 2007.

The CRA and WorkSafeNB deal with businesses that are obligated, under respective Acts [Footnote 3], to be registered with and report to both organizations. In an effort to improve compliance with their respective legislation, this MOU was developed to assist in identifying non-compliant businesses in New Brunswick. Through the sharing of information, both parties are able to compare business registrations and identify businesses that are not registered and reporting as required.

WorkSafeNB provides its client information to the CRA. The Partnership Opportunities Section (POS), in the Taxpayer Services and Debt Management Branch (TSDMB), receives this information, maintains a copy and requests that the Payroll Deductions, Accounting and Collections System (PAYDAC) team, in the Information Technology Branch (ITB), perform a comparison with the CRA databases [Footnote 4]. Through this comparison, unregistered businesses are separately identified for WorkSafeNB and for the CRA, and two reports are generated. One report is forwarded to WorkSafeNB and the second is sent to the Registrant Identification Program (RIP) team at the Summerside Tax Centre (TC). The RIP team sends letters to the businesses identified as not being registered, responds to their enquiries, assists in determining whether they are required to register, and informs them of their filing obligations under the various Acts administered by the CRA.

Pursuant to the MOU, an exchange of information between the CRA and WorkSafeNB took place in the fall of 2008.

Focus of the Audit

The objective of this audit was to provide assurance that the use, communication and security of information received by the CRA is in accordance with the terms and conditions set out in the MOU.

The audit was conducted at the TSDMB, ITB, Finance and Administration Branch, and Strategy and Integration Branch in headquarters and the Summerside TC in the Atlantic Region. The examination phase of the audit was conducted from June to November 2010.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

1.0 Compliance with policies, plans, procedures, laws and regulations

1.1 Use of WorkSafeNB information

According to the MOU, the WorkSafeNB information is to be used by the CRA solely for the administration and enforcement of the Income Tax Act (ITA), the Excise Tax Act (ETA), the Canada Pension Plan (CPP) and the Employment Insurance Act (EIA). Employees should be aware of the intended use of this information and understand their responsibility to keep the data secure.

Communications efforts to staff regarding their security of information responsibilities include an annual reminder for review and sign off by staff on the Code of Ethics and Conduct; training on the security of information for employees who work with WorkSafeNB information; and periodic reminders from national, branch, regional and local offices on the importance of security of information.

Audit test results confirmed that staff with access to WorkSafeNB information were aware of the provisions of section 241 and subsection 239(2.2) of the ITA and sections 295 and 328 of the ETA. In addition, staff have agreed, via Confirmation of Receipt acknowledgements, to keep confidential information secure.

There was no evidence that WorkSafeNB information was used for purposes other than intended. Interviews with management and staff indicated that the information was used solely to identify businesses not registered with the CRA or with WorkSafeNB.

1.2 Access to WorkSafeNB information

Access to the WorkSafeNB information must be in accordance with the CRA policies and provided on a “need-to-know” basis to administer and enforce the ITA, ETA, CPP and EIA. The MOU stipulates that access to agreed-upon information should be given only to authorized employees or contractors who have a job-related duty. Also, this access should be limited to the time it takes to perform the job.

Unique user IDs and passwords are assigned to restrict access to system information. User system profiles have been managed to support access to WorkSafeNB information, and access is limited to staff assigned to work with the data on both the POS and RIP teams. However, while only 3 of the 24 members of the PAYDAC team had duties directly related to the handling of the WorkSafeNB data, all 24 had access to the mainframe where this data is stored.

Although the likelihood of jeopardizing the security of confidential information is considered low given the controls in place to ensure that employees are aware of their responsibilities, access to WorkSafeNB data should be granted on a “need-to-know” basis to comply with the terms of the MOU and the CRA Security Policy.

Recommendation

The manager of PAYDAC in ITB should ensure that access to WorkSafeNB data is granted to the PAYDAC team only on a job-related “need-to-know” basis.

Action Plan

The manager has ensured the files will be accessible by one user and his or her backup for all further requests. This became effective October 2010.

1.3 Disclosure of WorkSafeNB information

The CRA must obtain written consent from WorkSafeNB or at least notify WorkSafeNB whenever shared information is disclosed to a third party, e.g. for purposes of administration and enforcement or court order. Policies and procedures are in place to ensure written consent is obtained as needed for the disclosure of shared information. Results from interviews with management and staff confirmed that there has been no request or need to disclose WorkSafeNB information.

2.0 Safeguarding of information

2.1 Handling of WorkSafeNB information

Controls are in place to ensure that WorkSafeNB information is handled appropriately. All staff interviewed stated that they have received training related to security of confidential information. Information was kept in electronic form and not printed. Headquarters and regional divisions of Security confirmed that there had not been any reported security incidents regarding the loss or unauthorized disclosure of WorkSafeNB information.

2.2 Storage of WorkSafeNB information

Physical security practices should adhere to the provisions of the MOU and CRA policies and guidelines. Generally, all components of systems processing, storing and transmitting of the information should be protected in offices with physical security controls. Servers should be kept in a locked room and physical access limited to authorized staff. Removable media, such as CDs, should be kept in a locked cabinet when not being used and WorkSafeNB information should not be stored on the users’ computer systems. Based on audit procedures performed, no exceptions were observed to the above controls.

2.3 Disposal of WorkSafeNB information

When the WorkSafeNB information is no longer required, the data should be destroyed using approved methods described in the MOU and an account of the action maintained. The POS created a communiqué [Footnote 5] to clarify the requirements regarding the retention and destruction of data as follows:

The POS units and the RIP team have controls in place to ensure they dispose of the data within two years, in compliance with the retention requirements.

For compliance enforcement or program administration purposes, WorkSafeNB information can be retained beyond two years and returned or destroyed when no longer required. The PAYDAC team’s practice is to overwrite the WorkSafeNB data with future exchanges of data. As there are no planned exchanges with WorkSafeNB within the two-year retention period, the data will exceed the retention limit as it will remain in the mainframe for seven years before it is automatically deleted.

Chapter 8 of the CRA Disposal of Sensitive Information and Assets Policy in the Finance and Administration Manual requires a certificate of destruction to be completed for the destruction of classified information. A certificate of destruction [Footnote 6] was not evident to document the erasure of the files from the servers and the destruction of CDs containing the WorkSafeNB data.

WorkSafeNB data on the POS headquarters shared drive was not erased using the approved methods, i.e. TrueDelete or PointSec Media. While the retention period had not expired during the audit period, procedures were not in place to ensure the approved methods would be used to erase the WorkSafeNB data from the POS shared drive located at the Summerside TC and the mainframe used by the PAYDAC team.

Recommendation

The PAYDAC team should dispose of the WorkSafeNB data within the given timeframe as provided in the POS communiqué.

The PAYDAC team, POS headquarters, POS and RIP teams at the Summerside TC should ensure data is erased from servers using appropriate methods as provided in the MOU or POS communiqué and implement a certificate of destruction to track the details of WorkSafeNB disposal.

Action Plan

The PAYDAC team has requested software that creates a certificate of destruction be installed on the computer that handles the files. This software will be installed by May 2011. The files will be removed after two years, as specified in the communiqué.

POS will implement a Certificate of Destruction, with POS headquarters and POS Summerside TC staff, and update its procedures to reflect this new requirement by September 30, 2011.

Conclusion

Overall, the CRA is in compliance with the terms and conditions governing the use, communication and security of information as provided in the MOU. Although the overall risk of non-compliance with the MOU is low, opportunities exist to improve controls over the access to and disposal of information in terms of restricting access on a need-to-know basis; retaining and disposing of shared data within the limits set by the MOU; using approved software to erase data stored on servers; and maintaining proper records of destruction.
