Final benchmarking report on the handling of sensitive and personal information: chapter 3
3. Objective, Scope and Methodology
The benchmarking objective was to compare ECCC’s key privacy processes to those of selected comparable other government departments (OGDs), in order to implement best practices where warranted. Annex 1 sets out the main topics for the study and questions concerning:
- privacy policy framework (PPF);
- governance and oversight;
- roles and responsibilities;
- disclosure and collection of personal information;
- PIA;
- awareness and training; and
- information holdings.
The topics were selected based on requirements of the Privacy Act and TB policies relating to the protection of personal information. The study also focused on the handling of personal information specific to the staffing and procurement processes.
The study was conducted using an online survey complemented by interviews and documentation review to support the analysis and comparison of privacy management in seven departments. The selection of departments was based on their similarity in size and nature of operations. The following departments participated in the study:
- Environment and Climate Change Canada;
- Agriculture and Agri-Food Canada;
- Canadian Food Inspection Agency;
- Fisheries and Oceans Canada;
- National Research Council Canada;
- Natural Resources Canada; and
- Transport Canada.
The following processes were used to gather information and report on results:
- An initial survey was sent to ATIP coordinators of OGDs with a copy to their chief audit executives (CAEs);
- When required, the survey was followed by interviews with the departments to clarify and/or obtain further information;
- Answers and data obtained were analyzed and compared;
- Best practices were noted;
- As agreed with departments at the outset, the results of the analysis were shared in a semi-confidential manner (participants are identified, but the results are not linked to specific participants);
- Comments and feedback received through the validation process with the departments were consolidated and incorporated in this final report, respecting the same principle of confidentiality.
The scope did not include access to information requests, correction of personal information (accuracy verification) or IT infrastructures and safeguards.