Audit of the Access to Information process

Audit objective

The objective of this audit was to provide assurance that the ATI process complies with the Access to Information Act, is effective and is operating as intended.

Summary of key findings

• A governance framework is in place to support the Access to Information and Privacy (ATIP) function, although oversight requires strengthening.
• The Department is having difficulty complying with the statutory time limits as set out in the Access to Information Act.
• The Department is tracking and monitoring its performance, however, data integrity needs to be improved.
• The BPR has made improvements to the ATI process, although the intended objective to improve ATI service levels has not yet been achieved.

Audit conclusion

The audit concluded that the ATI process complies with the Access to Information Act although it is not operating as intended. There are opportunities to improve oversight, timeliness of responses, resourcing issues, data integrity and to move forward with initiatives to modernize the ATI function.

Recommendations

1. It is recommended that the Corporate Secretary, on a periodic basis, table for discussion at Department wide committees ATI performance results, seek appropriate senior management guidance, and follow-up on recommended actions.
2. It is recommended that the Corporate Secretary implement a strategy to address ATI response delays and ATI analyst skill shortages.
3. It is recommended that the Corporate Secretary ensure complete and accurate performance reporting.
4. It is recommended that the Corporate Secretary continue to improve the ATI function to support service delivery by addressing training gaps and modernization efforts.

1.1 Context

The Access to Information Act, which came into effect on July 1, 1983, gives every Canadian citizen, permanent resident and individual or corporation present in Canada the right to timely access of records—in any format—that are under the control of a government institution, subject to certain specific and limited exceptions. The Act requires the head of a government institution to respond to a request within 30 days after the request is received or longer with an extension for a reasonable period of time due to specific circumstances (i.e. large number of records or required consultation). The requester has the right to make a complaint to the Information Commissioner about time extensions or if the record was not provided within the time limits set out in the Act (deemed refusal to give access).^{Footnote 1}

ESDC’s Access to Information and Privacy Operations Division is the lead in administering access to information and privacy legislation. The Director of the Division reports to the Corporate Secretary in her capacity as the Chief Privacy Officer for the Department. The Division is the main point of contact with the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner (OIC) for complaint resolution. The Division is made of two units: the Request Processing Unit and the Incident Management and Legislative Disclosures Unit. The Request Processing Unit is the focus of this audit and will be referred to as ATIP Operations (ATIP Ops) for the context of this report. ATIP Ops is a centralized group, with approximately 19 full-time equivalent positions (including vacancies)^{Footnote 2} who are involved in the processing of requests. ATIP Ops is involved in processing ATI and Privacy requests, responding to complaints (Privacy and ATI), consultations with other government departments (OGD), providing advice and guidance to departmental staff on the application of the ATI and Privacy legislation as well as performance reporting (internally, to Treasury Board (TB) and Parliament).

ADM across ESDC are responsible for the timely search and retrieval of relevant records within their respective Branches and Regions and for the formulation of recommendations regarding their disclosure. Responding to an ATI request is a departmental priority that requires all stakeholders to carry out their roles and responsibilities in order for the Department to meet its objectives in providing timely access to records under the Act.

In May of 2015 the Corporate Secretary launched the BPR to address challenges identified with the current ATI process such as: increased volumes of requests, more complex requests and an increase in the number of complaints.

1.2 Audit objective

The objective of this audit was to provide assurance that the ATI process complies with the Access to Information Act, is effective and is operating as intended.

1.3 Scope

The scope of this audit included ATI activities carried out from January 2015 to March 2016.

The audit scope did not include the following:

• An assessment of the accuracy or completeness of completed ATIP requests;
• The management of Privacy requests or the Incident Management and Legislative Disclosures Unit;
• Privacy management areas addressed in the Audit of the Departmental Control Framework for the Management of Personal Information (Privacy) which took place in 2014.

1.4 Methodology

The audit was conducted using the following methodologies which included but were not limited to:

• Review of applicable TB and departmental policies, directives and guidelines;
• Review of documentation supporting the redesign of the ATI process;
• Review of monitoring activities and performance reporting;
• Interviews with present and past directors of ATIP Operations Division and key ATIP Ops personnel. Representatives from 12 Branches and all four Regions also provided feedback on the ATI process;
• Consultation with Strategic Communications and the facilitator from the BPR working group;
• On-site observations and a process walkthrough; and
• Sampling and testing of ATI requests between April 2015 and December 2015 from the monthly reports and backlog list.

2.1 A governance framework is in place to support the ATIP function, although oversight requires strengthening

The Director of the ATIP Operations Division reports to the Corporate Secretary in her capacity as the delegated authority for the administration of the Access to Information and Privacy Acts. A Delegation Order^{Footnote 3} was approved in June 2015 by the former Ministers of ESDC and Labour. This formally authorizes employees from the Deputy Ministers through to the ATI officers at the PM-04 and PM-05 levels to exercise specific duties or functions under the Access to Information Act. As a result it enables those individuals closely associated with the day-to-day operations to make decisions for efficient processing of ATI responses.

There is a governance framework in place to support the ATIP function. This consists of the Portfolio Management Board (PMB) and Corporate Management Committee (CMC). The audit noted that the mandate, decision making authority, membership and frequency of meetings were clearly established through a formal Terms of Reference. PMB acts as the main decision making body responsible for setting strategic directions and priorities as well as providing guidance on issues that affect the Department. CMC supports PMB by overseeing departmental activities.

The Department’s ATI performance is reported to PMB through quarterly reports in the form of an annex item for information. The ATI Quarterly Management Reports highlight the details of ATI performance at the Branch and Regional level including departmental compliance, however, this report is not discussed unless one of the members has a question or raises an issue. The audit team noted that ATI performance issues such as ATI capacity and skill shortages, increasing volume and complexity of requests and the delays in implementing the paperless system as part of the BPR are not clearly outlined in the quarterly reports provided to PMB. Our review of corresponding records of decisions (January 2015 to March 2016) indicated that an ATI related performance discussion occurred only once (May 2015) without a requirement for follow-up. Oversight at the senior management level is an important element of a management framework. It was one of the areas identified by the Department in 2010 and the OIC in 2015 as an enabler of outstanding performance.

2.2 The Department is having difficulty complying with the statutory time limits as set out in the Access to Information Act

As per the Access to Information Act a government institution must respond to a request within 30 calendar days after the request is received, each request must be handled on a priority basis and any delays in responding place the Department in potential violation of the Act. A complaint may be filed and investigated by the OIC. The Information Commissioner^{Footnote 4} would make a finding and facilitate a resolution or make a recommendation for corrective action.

The Department was assessed by the OIC in 2010–2011 at a rating of “A” which indicates outstanding performance with a deemed refusal^{Footnote 5} rate of 3.5%^{Footnote 6}. The Department in 2010–2011 received 492 requests and processed 106,518 pages. As per the OIC report on Measuring up^{Footnote 7}, the Department attributed its performance to having a strong and knowledgeable access to information team, with little turnover, and the implementation of quarterly reporting to clearly communicate and brief senior management on the Department’s ATI statistics. However, the Department’s compliance rate with the Act has declined over the past few years. The Department has self-assessed itself in accordance with the OIC standards^{Footnote 8} at a rating of between “D” and “F” which indicates below average and unsatisfactory performance^{Footnote 9} and this trend has continued into 2015–2016 as depicted by the following table.

Table 1: Departmental Compliance^{Footnote 10}

The audit team was informed that significant increases in volume and complexity of requests have contributed to the increase in the non-compliance rates for 2014-2015 (1,160 requests received and 139,549 pages processed) and 2015-2016 (1,571 requests and 257,325 pages processed). An additional factor has been the recent Federal Court^{Footnote 11} ruling stating that the government can no longer charge fees for the search and processing of electronic government documents under the Act. This means that all electronic records can now be requested without restriction on the size, year or resources required to gather the information. Resourcing issues (e.g. departure of experienced ATI analysts) were also noted as another contributing factor to unsatisfactory results reporting in the third and fourth quarters of both years.

This past year has seen many changes in leadership with the introduction of a new Corporate Secretary and Director of ATIP Operations Division as well as the continued resource issues. The audit team was informed that the ATIP Ops has lost experienced team leaders and analysts through retirement or for similar positions with OGD. An ATIP organizational review completed in 2010 identified a future skills deficiency risk as most of the ATIP analysts, at that time, were a few years away from retirement. It was recommended that a succession plan and a developmental program be put in place to ensure the transfer of knowledge and skills to junior staff. However, this did not take place resulting in a shortage of skilled analysts to meet the statutory timelines.

As per an OIC arm chair discussion in 2012, “institutions must devote adequate resources to fulfilling their duties under the Access to Information Act”.^{Footnote 12} The audit team reviewed several responses from the OIC on requester complaints which stated that resource and workload issues were not valid reasons for delaying an ATI response. The backlog files reviewed revealed delays of 86 to 700 days with periods of inactivity between actions on these files. ATIP Ops attributed workload issues and the time waiting for a consultation with other stakeholders (internal or external) as the reasons for periods of inactivity. Audit testing also revealed that many requests which included extensions for volume fell below the minimum number of pages as per TB^{Footnote 13} and OIC guidance.^{Footnote 14} For example, one request noted 206 pages received and 104 reviewed with an extension for volume of 45 days. There is no system or strategy to actively manage the inventory of late requests, the emphasis is primarily on requests that can be processed within the timelines. The audit team noted that a resource was assigned to clear the backlog; however, before it could be cleared another replaced it. We feel a strategy is needed to not only address the processing of new ATI requests but also to address the inventory of late requests.

Contractors are temporarily being sought to address gaps until experienced ATI resources can be hired or developed. However, there is also a skill shortage in this field throughout government. ESDC’s experienced ATI analysts, as per the weekly reports, are managing an average workload of 40-50 files while coaching junior team members as well as carrying out other duties related to ATIP (i.e. Privacy requests processing, OGD consultations, complaints, ad hoc reporting and special requests). The audit team noted an unequal distribution of work as some analysts are new and on average it takes approximately two years to develop basic ATI competencies. This places significant pressure on experienced team members and contributes to the challenges that the Department is currently managing.

All of the above factors are contributing to the Department’s ability to maintain a level of performance to adequately comply with its statutory obligations.

2.3 The Department is tracking and monitoring its performance, however, data integrity needs to be improved

ATIP Ops uses a system called AccessPro Case Management (APCM) to process ATIP requests. APCM is an automated central processing system that allows analysts to track their actions, create correspondence, and capture essential data related to the processing of an ATIP request, such as the requesters' relevant information, scope of the request and other relevant tombstone data. APCM allows the production of statistical information for the preparation of reports such as departmental performance report and the ATI Annual Report to Parliament which Deputy Heads of every federal government institution must submit following the close of each fiscal year.

ATI request tracking and reporting is a tool within the Department to monitor performance and to identify issues that may need to be highlighted in order to better manage them or to escalate them to senior management. The audit found that the data generated by APCM did not support the information reported in the ATI Quarterly Management Reports. The audit team’s comparison of the number of requests received in the monthly report (generated for the audit) and the number of requests reported in the quarterly reports (first, second and third quarters) for 2015–2016 had large variances. A review of quarterly reports also revealed differences. For example, an earlier version of the quarterly report from 2014–2015 indicated a deemed refusal rate of 28.6% for Q2 but in a later version that number became 16.9% without an explanation. In addition, the 2014–2015 Annual Report on the Administration of the Access to Information Act reported 29 complaints while the OIC reported 33. The auditors also noted during testing a number of Privacy requests that were processed as ATI requests. The manager explained that this occurs when a requester mistakenly makes an ATI request when in fact it is a request for personal information. Privacy requests treated as ATI requests are captured as ATI requests for reporting purposes and as such may inflate the number of ATI requests reported.

These findings were raised at the conclusion of the conduct phase of the audit and the auditors were advised that ATIP Ops is aware of these issues and is currently exploring ways to ensure more accurate reporting.

2.4 The BPR has made improvements to the ATI process, although the intended objective to improve ATI service levels has not yet been achieved

The Corporate Secretary launched a BPR project to address the challenges with increasing volumes and resources not keeping pace. The objective of the BPR was “to simplify and improve the ATI process, ensuring that quality responses are provided in a timely manner.” As per the project charter, the target was to sustain service levels of ATIP processing within the legislated delays for 95% of requests (meaning a deemed refusal between 0-5%). The BPR was implemented in May 2015 and although some of the improvements have streamlined the ATI process, the intended objectives were not all achieved.

Some of the improvements that the audit team observed were:

• Replaced the seen and noted signatures with the Advance Release Notification (ARN), this means that the ADM who is accountable for the information is only required to review and approve the ATI package once eliminating duplication of effort. The ARN which includes the redacted^{Footnote 15} or fully disclosed ATI release packages (where applicable) is posted on the ATIP SharePoint site for key stakeholders four days prior to release to the requester.
• Increased guidance and awareness by introducing the SharePoint Web Site and ATI awareness sessions. All the information necessary to complete an ATI request is available in the References and Tools Section of the web site including how to support exemption or exclusion recommendations.^{Footnote 16}
• Partnered with the TB Access to Information and Privacy Online Request system. ESDC is now receiving a number of ATI requests from the on-line application which includes paid fees.

However, some elements did not have the intended outcome or were not implemented. Simplifying and streamlining the ATI process was intended to generate time flexibility for ATIP Ops, Branch and Regional stakeholders to better manage ATI obligations under the Act. However, this did not address the ongoing challenges with volume of requests or the ATI skill shortages (see section 2.2).