Assessment of the Access to Information and Privacy Program
December 2017
1259-3-0027 (ADM(RS))
Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
Assistant Deputy Minister (Review Services)
- ADM(IM): Assistant Deputy Minister (Information Management)
- ADM(RS): Assistant Deputy Minister (Review Services)
- ATI: Access to Information
- ATIP: Access to Information and Privacy
- CMP: Chief Military Personnel
- Corp Sec: Corporate Secretary
- DAIP: Directorate of Access to Information and Privacy
- DND: Department of National Defence
- FY: Fiscal Year
- L1: Level 1
- OPI: Office of Primary Interest
Background
- National Defence is subject to the Government of Canada’s Access to Information Act and Privacy Act.
- Based on the Office of the Information Commissioner’s 2016/17 annual report, the Department of National Defence (DND) received a score of “Red Alert” on its performance in fiscal year (FY) 2015/16 due to its very high proportion of information requests completed past the statutory date.
- Less than 50 percent of the requests had been completed within the prescribed timeline of 30 calendar days.
- The size of the Access to Information (ATI) request backlog has consistently increased over the past five FYs.
- As of August 2017, 76 percent of the 1,297 open ATI files had been opened for more than 30 days.
- As of August 2017, 75 percent of the 3,648 open Privacy files had been opened for more than 30 days.
Objectives of the Assessment
- The overall objective of the assessment was to consider the design, operating effectiveness and efficiency of the key processes of the Access to Information and Privacy (ATIP) program. Specifically, the assessment considered the following:
  - the overall governance and oversight of the ATIP program;
  - the adequacy of the design of the key ATIP processes;
  - the operating effectiveness and efficiency of the key ATIP processes.
- The assessment also had the objective to provide implementable guidance and recommendations to help enhance the design, effectiveness and efficiency of the key ATIP processes.
Scope of the Assessment
- The scope of the assessment focused on the following:
  - Identifying current ATIP practices in place at DND to assess against the following:
    - Treasury Board’s ATIP requirements; and
    - best practices at comparable departments.
- The assessment covered FYs 2015/16 and 2016/17 but focused on current practices.
Approach of the Assessment
- The fieldwork was conducted between August 2 and September 15, 2017 and consisted of interviews, documentation review and benchmarking to two other federal departments.
- Interviews included selected senior management representatives, including Level 1s (L1), representatives of the Directorate of Access to Information and Privacy (DAIP), liaison officers from selected L1s and representatives of two other federal departments’ ATIP units.
- The documentation review included, but was not limited to, relevant legislative documentation, DAIP organizational charts, process documentation and workflows, statistical reports and peer organizations’ documentation.
- This advisory engagement was conducted by KPMG on behalf of ADM(RS). The assessment report was prepared by KPMG.
Summary of Findings
The assessment identified seven opportunities for improvement, as follows:
- The Corporate Secretary (Corp Sec) organization should consider implementing an ATIP process guide and formal, in-depth training that would support an enhanced understanding of roles and responsibilities, accountabilities, expectations and the detailed process related to ATIP. The guide and training should be provided to all DND personnel involved in the ATIP process on a regular basis.
- Reports on the overall status of ATI requests (with appropriate details by area and type) should be provided to L1 management on a regular basis (monthly). In addition, these reports, including the status of requests, should be discussed on a regular basis at management meetings.
- Corp Sec, in conjunction with Assistant Deputy Minister (Information Management) (ADM(IM)), should explore the feasibility of technological solutions to enhance the business processes related to ATIP. Specifically, they should consider solutions to reduce the redundancy of paper files, as well as the possibility of implementing a categorized repository of ATIP requests to leverage the search capabilities of available information.
- Corp Sec should complete a review of the current skill sets of the staff contingent to identify and fill required capacity and capability gaps. Corp Sec should also assess the current organizational structure of DAIP and consider the possibility of separating the operations function and strategy function, as well as creating a team with more experience to assess requests of higher complexity.
- Corp Sec should implement a process to triage requests by type and/or level of complexity to categorize and prioritize requests for more effective and efficient grouping, staff resource allocation and remediation.
- Corp Sec should identify, assess and implement the necessary changes to reduce the current timelines to task ATIP requests by ensuring that the requests are clarified and are assigned to the proper offices of primary interest (OPI) within the standard processing time. In addition, OPIs tasked with a request should respond within 72 hours regarding their ability to complete the request.
- Corp Sec should consider discussing with Chief Military Personnel (CMP) the possibility of releasing medical and dental files to retiring members of the Canadian Armed Forces as part of the exit process.
Finding: Governance
Objective A – Appropriate governance and oversight for the management of ATIP requests have been established to comply with legislative, Treasury Board and departmental requirements, including mitigating the risk that excluded or exempted information is disclosed.
Observation 1 – Roles and Responsibilities: Roles, responsibilities and accountabilities regarding ATIP functions (shared across the Department) are not clearly understood.
- DAIP has been delegated with the responsibility for ATIP matters within Defence.
- Processing of ATIP requests appears to be a “secondary function” for most staff outside of DAIP and does not appear to be appropriately prioritized.
- The delegation of authority of DAIP is not recognized across the Department, and as such, DAIP does not have the confidence of the other organizations when releasing information for ATI requests.
- Formal training sessions have not been consistently delivered since 2015.
- Given the typical amount of member movement, it is likely that most staff have not received formal ATIP training.
- Some liaison officers have taken the initiative to provide some training to staff in their sector. However, this has not been done consistently across the Department.
- ATIP commitments and performance measures are not included in senior officials’ performance management agreements.
ADM(RS) Recommendation
1. It is recommended that Corp Sec consider implementing an ATIP process guide and formal, in-depth training that would support an enhanced understanding of roles and responsibilities, accountabilities, expectations and the detailed process related to ATIP. The guide and training should be provided to all DND personnel involved in the ATIP process on a regular basis.
OPI: Corp Sec
Observation 2 – Information for Decision Making: Information to monitor and analyze the status of ATIP requests is not provided to senior management external to DAIP on a regular basis.
- Reports providing statistics that summarize the status of ATI requests were not provided to management on a regular basis.
- The status of requests was not a recurring discussion item at management meetings. As such, strategies to reduce the backlog of requests were not regularly discussed.
ADM(RS) Recommendation
2. It is recommended that Corp Sec provide reports on the overall status of ATI requests (with appropriate details by area and type) to L1 management on a regular basis (monthly). In addition, these reports, including the status of requests, should be discussed on a regular basis at management meetings.
OPI: Corp Sec
Finding: Policies and Procedures
Objective B – Policies, procedures and processes for the management of ATIP requests are adequately designed to support compliance with legislation, Treasury Board and departmental requirements, including mitigating the risk that excluded or exempted information is disclosed.
Observation 3 – Policies and Procedures: Policies, procedures and processes are generally well designed.
- DND does not have a separate policy for the management of ATIP, relying instead on Treasury Board’s policies on ATI and Privacy.
- Processes, including timelines, have been designed to support compliance with legislative requirements.
- In general, the high-level design of the processes and timelines are aligned with the peer organizations benchmarked.
Finding: Effectiveness of Processes
Objective C – The ATIP processes and control framework for the management of requests is operating effectively to support compliance with legislation, Treasury Board and departmental requirements, including mitigating the risk that excluded or exempted information is disclosed.
Observation 4 – Documentation Flow: The ATIP process is largely paper based and manually driven, which contributes to the increase in processing time and the inefficient/ineffective processing of similar requests.
- All documents related to severances are completed manually using the paper version of documents.
- The retrieval process, which may require receiving documents from different units across the country, requires that documents be sent through the mail, which may delay the process.
- Once the OPIs have completed their review, they forward the documents to DAIP using internal mail.
- When DAIP staff receive documents, they scan and then upload them into the Data Centre Infrastructure Management system. This also contributes to delays in making requests available to DAIP staff.
- The paper based processing of requests contributes to ineffective categorization and management of ATIP responses, further contributing to the inefficient/ineffective processing of similar responses.
ADM(RS) Recommendation
3. It is recommended that Corp Sec, in conjunction with ADM(IM), explore the feasibility of technological solutions to enhance the business processes related to ATIP. Specifically, they should consider solutions to reduce the redundancy of paper files, as well as the possibility of implementing a categorized repository of ATIP requests to leverage the search capabilities of available information.
OPI: Corp Sec
Observation 5 – People: DAIP is lacking resources with sufficient ATIP knowledge to complete its requirements.
- As of August 2017, approximately 46 percent of DAIP positions were vacant.
- Many of these vacancies are at the PM-4 and PM-5 levels (team leader and senior analyst).
- According to DAIP management, a large number of staff transferred to other departments due to challenges in the working environment, as well as the fact that the Directorate will be moving to the Carling Campus.
ADM(RS) Recommendation
4. It is recommended that Corp Sec complete a review of the current skill sets of the staff contingent to identify and fill required capacity and capability gaps. Corp Sec should also assess the current organizational structure of DAIP and consider the possibility of separating the operations function and strategy function, as well as creating a team with more experience to assess requests of higher complexity.
OPI: Corp Sec
Observation 6 – Clarity of Requests: Processing of requests may take longer than required due to the complexity and/or lack of clarity of the request.
- OPIs are assigned a total of 14 calendar days (approximately 10 work days) to respond to a request with their recommendations.
- Analysis of statistics for FY 2017/18 demonstrated that the average number of days for retrieval and response by OPIs was 18 calendar days.
- In many cases, complex and/or unclear requests require the extraction and severance of a large quantity of documentation.
- In many cases, the OPIs return the requests to DAIP and ask that they obtain further clarification from the requester three to five days after the original tasking.
- The size of the ATI backlog has consistently increased over the past five fiscal years.
- As of August 2017, 76 percent of the 1,297 open ATI files had been opened for more than 30 days.
ADM(RS) Recommendation
5. It is recommended that Corp Sec implement a process to triage requests by type and/or level of complexity to categorize and prioritize requests for more effective and efficient grouping, staff resource allocation and remediation.
OPI: Corp Sec
Observation 7 – Tasking: The timeline to task an ATIP request to the proper OPI can contribute to delays in the overall process.
- The DND standard to clarify requests and forward to the appropriate OPI is one to two days.
- A DAIP review of FY 2012/13 statistics demonstrated that the process to clarify requests took on average 13 days.
- A number of interviewees have noted that there are usually delays in the tasking process. These delays may be due to the fact that the tasking officer may not have sufficient knowledge of the information requirement and/or the Department to identify the proper OPI.
ADM(RS) Recommendation
6. It is recommended that Corp Sec identify, assess and implement the necessary changes to reduce the current timelines to task ATIP requests by ensuring that the requests are clarified and are assigned to the proper OPIs within the standard processing time. In addition, OPIs tasked with a request should respond within 72 hours regarding their ability to complete the request.
OPI: Corp Sec
Observation 8 – Privacy Requests: There is a large number of Privacy requests related to medical and dental information.
- Privacy requests have increased considerably in the past four years.
- DAIP received a total of 8,245 Privacy requests in FY 2016/17.
- A review of prior years’ data revealed that approximately 35 percent of these requests relate to CAF medical records and 17 percent relate to CAF dental records.
- As of August 2017, 75 percent of the 3,648 open Privacy files had been opened for more than 30 days.
ADM(RS) Recommendation
7. It is recommended that Corp Sec consider discussing with CMP the possibility of releasing medical and dental files to retiring members of the Canadian Armed Forces as part of the exit process.
OPI: Corp Sec
ADM(RS) Recommendation
1. It is recommended that Corp Sec consider implementing an ATIP process guide and formal, in-depth training that would support an enhanced understanding of roles and responsibilities, accountabilities, expectations and the detailed process related to ATIP. The guide and training should be provided to all DND personnel involved in the ATIP process on a regular basis.
Management Action | Target Date |
---|---|
OPI: Corp Sec | December 2017; March 2018 – Training developed; March 2019 – Training implemented |
ADM(RS) Recommendation
2. It is recommended that Corp Sec provide reports on the overall status of ATI requests (with appropriate details by area and type) to L1 management on a regular basis (monthly). In addition, these reports, including the status of requests, should be discussed on a regular basis at management meetings.
Management Action | Target Date |
---|---|
 | February 2018 |
 | December 2017 |
OPI: Corp Sec | |
ADM(RS) Recommendation
3. It is recommended that Corp Sec, in conjunction with ADM(IM), explore the feasibility of technological solutions to enhance the business processes related to ATIP. Specifically, they should consider solutions to reduce the redundancy of paper files, as well as the possibility of implementing a categorized repository of ATIP requests to leverage the search capabilities of available information.
Management Action | Target Date |
---|---|
OPI: Corp Sec | March 2018 |
ADM(RS) Recommendation
4. It is recommended that Corp Sec complete a review of the current skill sets of the staff contingent to identify and fill required capacity and capability gaps. Corp Sec should also assess the current organizational structure of DAIP and consider the possibility of separating the operations function and strategy function, as well as creating a team with more experience to assess requests of higher complexity.
Management Action | Target Date |
---|---|
 | Ongoing |
 | November 2017 |
 | March 2018 |
OPI: Corp Sec | |
ADM(RS) Recommendation
5. It is recommended that Corp Sec implement a process to triage requests by type and/or level of complexity to categorize and prioritize requests for more effective and efficient grouping, staff resource allocation and remediation.
Management Action | Target Date |
---|---|
 | Contingent upon structure review in June 2018 |
OPI: Corp Sec | |
ADM(RS) Recommendation
6. It is recommended that Corp Sec identify, assess and implement required changes to reduce the current timelines to task ATIP requests by ensuring that the requests are clarified and are assigned to the proper OPIs within the standard processing time. In addition, OPIs tasked with a request should respond within 72 hours regarding their ability to complete the request.
Management Action | Target Date |
---|---|
 | September 2018 |
OPI: Corp Sec | |
ADM(RS) Recommendation
7. It is recommended that Corp Sec consider discussing with CMP the possibility of releasing medical and dental files to retiring members of the Canadian Armed Forces as part of the exit process.
Management Action | Target Date |
---|---|
 | June 2018 |
OPI: Corp Sec, CMP | |
 | March 2019 |
OPI: Corp Sec | |