Final benchmarking report on the handling of sensitive and personal information: chapter 4
4. Observations
Overall, the privacy management practices of participating departments were similar to those of other departments.
- All departments have developed a Privacy Policy Framework (PPF) as required by the Privacy Act and the TB Policy on Privacy Protection.
- While most departments responded that the implementation was well advanced, to date only one has fully implemented its PPF.
- Oversight is provided through general governance structures and the reporting relationships for all departments.
- Although there are similarities in the departments’ tools for processing personal information, there is considerable variety in terms of the type of personal information they collect. All departments have taken steps to limit the collection of personal information.
- All departments offer employee training on privacy issues, and most periodically remind employees of their obligations.
4.1 Privacy Policy Framework
As per the TB Policy on Privacy Protection, heads of government institutions are responsible for the effective, well-coordinated, and proactive management of the Privacy Act and Privacy Regulations within their institutions. Documented directives and protocol help heads coordinate and be proactive in managing an effective privacy program. An PPF should set out clear responsibilities in government institutions for decision-making and managing the implementation of the Privacy Act and Privacy Regulations.
Although all seven departments have developed a PPF, only one has fully implemented its framework. Six had 50% or more of their frameworks implemented. One department was planning its implementation for March 2015.
Frameworks for the majority of departments included similar sections. Most departments followed TBS guidance and include guidance on privacy practices, Privacy Impact Assessments (PIAs), privacy breaches, and consent and notification/release. All departments have guidelines on privacy breaches, which were covered by the latest TB Guidelines for Privacy Breaches. These guidelines are in addition to and complement general TB policies and guidelines, such as the 2008 TB Directive on Social Insurance Number (SIN).
One department’s PPF demonstrates best practices and includes several guideline documents. The roles, responsibilities and requirements are described in detail. For example, the departmental policy governing the management of personal information sets out the differences between delegated authority and legislated responsibilities. The same document describes the retention and destruction requirements as well as a privacy protocol for non-administrative purposes.
As a best practice, an effective PPF would require regular gap analysis to make sure relevant policies have been properly implemented. Of the six departments that have implemented a policy framework, three have conducted a gap analysis of their compliance with TB policy and directives. One department responded that it has developed a Privacy Breach Guideline as a result of its gap analysis.
The following table presents the department’s key guideline topics included in their PPF.
| (1) | (2) | (3) | (4) | (5) | (6) | (7) | |
|---|---|---|---|---|---|---|---|
| Privacy practices/protocol/roles and responsibilities | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Privacy Impact Assessments / risk assessments | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Privacy breaches | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Social Insurance Number (SIN) | No | No | Yes | No | No | No | No |
| Consent and notification / release guidelines | No | No | No | Yes | Yes | Yes | Yes |
Figure 1 Description
The above mentioned table describes the department’s key guideline topics included the participating departments’ privacy policy framework (PPF). The departments responded with a yes or no answer according to the key guideline topics in their respective PPF. The topics included:
- Privacy practices/protocol/roles and responsibilities, one out of seven departments answered no;
- Privacy Impact Assessments/risk assessments, one out of seven departments answered no;
- Privacy Breaches, all departments answered yes;
- Social Insurance Number (SIN), one out of seven departments answered yes; and
- Consent and Notification/release guidelines, four out of seven departments answered yes.
4.2 Governance and Oversight
As per the TB Policy on Privacy Protection,Footnote3 heads of government institutions are responsible for:
- Deciding whether to delegate any of their powers, duties or functions under the Act; and
- Signing an order, if a decision is made to delegate, authorizing one or more officers or employees of the institution, who are at the appropriate level, to exercise or perform the powers, duties or functions of the head, specified in the order. Once an order is signed, the powers, duties or functions that have been delegated may only be exercised or performed by the head of the institution or by the named officer(s) or employee(s). Delegates are accountable for any decisions they make. Ultimate responsibility, however, still rests with the head of the government institution.
Heads of government institutions are responsible for deciding whether to delegate, pursuant to section 73 of the Privacy Act, any of their powers, duties or functions under the Act. All seven departments follow best practices and have a formal delegation of authority in place. The level of delegation of authority differs from department to department, (see Figure 2) but all involve their ATIP group.
Authority levels |
(1) | (2) | (3) | (4) | (5) | (6) | (7) |
|---|---|---|---|---|---|---|---|
| Assistant Deputy Minister / Chief Privacy Officer | Yes | Yes | Yes | No | Yes | Yes | No |
| Director General responsible for ATIP | No | Yes | Yes | No | Yes | Yes | Yes |
| Director of ATIP | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Deputy Director / Manager of ATIP | No | Yes | Yes | Yes | Yes | No | No |
Figure 2 Description
The above mentioned table describes the different responsibility levels of delegation in all seven of the participating departments for Privacy Management.
The departments responded with a yes or no answer for the following authority levels:
- Assistant Deputy Minister/Chief Privacy Officer, two out of seven departments answered no;
- Director General responsible for ATIP, two out of seven departments answered no;
- Director of ATIP, one out of seven departments answered no; and
- Deputy Director/Manager of ATIP, four out of seven departments answered yes.
According to TBS Management Accountability Framework (MAF) guidance, departments should have in place an oversight body for the governance of its management, which would include the management of its privacy responsibilities.
When questioned on this guidance, no department specifically mentioned having an oversight body. Departments responded by referring to their formal delegation of authorities and reporting relationships. Oversight is provided through general governance structures and the reporting relationships.
To ensure an effective PPF has been implemented and that proper oversight has been provided on privacy practices, the TB Policy on Privacy Protection makes heads of government institutions or their delegates responsible for monitoring compliance with the policy as it relates to the administration of the Privacy Act. This monitoring can take the form of a privacy review or audit.
One department conducted a privacy audit in 2010 and another department conducted a privacy assessment in 2013.
4.3 Roles and Responsibilities
As per the TB Policy on Privacy Protection, heads of government institutions should ensure clear responsibilities for decision-making and managing the application of the Privacy Act and Privacy Regulations. They should also ensure employees of the government institution are made aware of policies, procedures and legal responsibilities under the Act.
Although six departments communicate employee roles and responsibilities through their ATIP groups, one department could not confirm whether these had been communicated.
We noted the best practice of providing written documentation on the roles and responsibilities through a framework or a handbook, and providing training sessions to employees.
4.4 Disclosure and Collection of Personal Information
This section covers the collection, processing and disclosure of personal information specific to the procurement and staffing processes.
Collection
According to the Privacy Act, personal information shall not be collected by a government institution unless it relates directly to an operating program or activity of the institution. While the purpose of this exercise was not to assess whether information collected was related to an operating program, the AEB was interested in understanding the type of information being collected in the context of procurement and staffing processes and possibly enable implementation of best practices where possible.
The following (Figure 3) presents the results of the survey specific to procurement and contracting activities. Overall, two departments collect all the information indicated below and all participating departments collect the name, address (past and present) and email address. The table also displays considerable variety in terms of other types of personal information that is collected.
| Information Collected | (1) | (2) | (3) | (4) | (5) | (6) | (7) | % of Departments Collecting this Information |
|---|---|---|---|---|---|---|---|---|
| Name | x | x | x | x | x | x | x | 100% |
| Address (past and present) | x | x | x | x | x | x | x | 100% |
| Email address | x | x | x | x | x | x | x | 100% |
| Phone number | x | x | x | x | x | x | 86% | |
| Billing rate or exact salary figure | x | x | x | x | x | x | 86% | |
| Date of birth | x | x | x | x | x | 71% | ||
| Confirmation of security clearance | x | x | x | x | x | 71% | ||
| Previous employment | x | x | x | x | 57% | |||
| Work start and end dates | x | x | x | x | x | 57% | ||
| Location of work | x | x | x | x | 57% | |||
| Academic level | x | x | x | 43% | ||||
| Social Insurance Number | x | x | x | 43% | ||||
| Hours of work (temp help) | x | x | x | 43% | ||||
| Other | x | x | x | 43% |
Figure 3 Description
The above mentioned table displays the results of personal information collected for procurement activities in all seven departments. The departments responded to a specific survey and the results are as follows:
- Name, address (past and present) and email address 100%;
- Phone number and billing rate or exact salary figure 86%;
- Date of birth and confirmation of security clearance 71%;
- Previous work employment, work start and end dates and location of work 57%; and
- Academic level, Social Insurance Number and hours of work (temp help) and other 43%.
In the case of the staffing process, we noted that, as a best practice, , rather than collecting copies of personal identification related to staffing actions, one department requires the hiring managers to sign a letter attesting to the fact that they have viewed the identification. This provides an additional safeguard against any unauthorized access to personal information.
The following presents the type of personal information collected in the context of the staffing process. It is important to note that one department (Department 6) did not provide a response to this section of the survey.
Once again, the table shows that there is a wide variety of information that is collected, with the following information being collected by all departments: name, address, phone number, email address and résumés. Under the category of “Other types of information,” one department noted that they collect a signed consent form allowing the release of the individual’s personal information into the Priority Information Management System (PIMS).
| Staffing | (1) | (2) | (3) | (4) | (5) | (7) | % of Departments Collecting this Information |
|---|---|---|---|---|---|---|---|
| Name | x | x | x | x | x | x | 100% |
| Address (past and present) | x | x | x | x | x | x | 100% |
| Phone number | x | x | x | x | x | x | 100% |
| Email address | x | x | x | x | x | x | 100% |
| Résumé | x | x | x | x | x | x | 100% |
| Academic level | x | x | x | x | x | 83% | |
| Confirmation of security clearance | x | x | x | x | x | 83% | |
| Social Insurance Number | x | x | x | x | x | 83% | |
| Psychological assessment | x | x | x | x | x | 83% | |
| Work start and end date | x | x | x | x | x | 83% | |
| Date of birth | x | x | x | x | 67% | ||
| Attestation from academic institutions | x | x | x | x | 67% | ||
| Personal security briefing form | x | x | x | x | 67% | ||
| Personal record identifier (PRI) | x | x | x | x | 67% | ||
| Scan of citizenship card | x | x | x | x | 67% | ||
| Proof of Canadian citizenship attestation | x | x | x | x | 67% | ||
| Hours of work | x | x | x | x | 67% | ||
| Location of work | x | x | x | x | 67% | ||
| Supervisor’s name and position | x | x | x | x | 67% | ||
| Previous employment | x | x | x | x | 67% | ||
| Scan of driver’s license | x | x | x | 50% | |||
| Scan of birth certificate | x | x | x | 50% | |||
| Scan of passport | x | x | x | 50% | |||
| Exact salary figure | x | x | x | 50% | |||
| Position classification code | x | x | x | 50% | |||
| Other, please specify | x | x | x | 50% |
Figure 4 Description
The above mentioned table displays the results of personal information collected for staffing activities from six of the Seven departments.
The results are as follows:
- Name, address (past and present), phone number, email address and resume 100%;
- Academic level, confirmation of security clearance, Social Insurance Number, psychological assessment and work start and end dates 83%;
- Date of birth, attestation from academic institutions, personal security briefing form, personal record identifier (PRI), scan of citizenship card, proof of Canadian citizenship attestation, hours of work, location of work, supervisor’s name and position and previous employment 67% and;
- Scan of driver’s license, scan of birth certificate, scan of passport, exact salary figure, position classification code and other 50%.
The Privacy Act requires that when personal information is collected, the individual be informed of the purpose for which the information is collected. It also states that: “Personal information under the control of a government institution should not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.” The TB Policy on Privacy Protection specifically states that departments should ensure that appropriate privacy protection clauses are included in contracts and agreements that may involve intergovernmental or trans-border flows of personal information.
Best practice would require some form of documentation as to how an individual was informed of the purpose of collection. Most departments informed the individual that their personal information would be protected through a privacy protection clause included in the forms/contracts that collect personal information. One department informed individuals either by phone or by email.
The Act and the TB Policy on Privacy Protection do not describe the methods of collection that can be used. Depending on the type of information collected and its sensitivity, the departments surveyed use a variety of collection methods.
For contracting, of the seven departments that participated in the study:
- six collect personal information via email and forms;
- five obtain information by telephone or fax;
- four obtain personal information through scanned copy; and
- three obtain information either by paper or by other means such as quotes submitted by the vendor.
For staffing, the six departments responding to the survey questions collect personal information for staffing actions through one or more of the following methods:
- six use email;
- one uses either fax or telephone;
- six use either paper or electronic forms.
Based on our analysis of the information received, email and electronic forms are seen as better practices to collect personal information because of the encryption capability.
Processing
Once the personal information has been collected, departments require robust processes to ensure that their personal information collections are secure and are accurate for reporting on an annual basis. The use of printers or scanners requires a protocol for ensuring the information is not left stored on the device, and printed material must be shared and stored in accordance with classification requirements.
For contracting, of the seven departments responding to the survey questions:
- all seven process personal information through email;
- six use system software or an application for their personal information collections; and
- two also process the information through the use of fax, paper, printer or scanner. (see Figure 5)
For staffing, of the six departments responding to the survey questions:
- all six process personal information through email and a system software or application (e.g. PeopleSoft); and
- three also include paper forms and files in their processes. (See figure 5)
As stated in the previous section, email and electronic forms are seen as better practices to process personal information because of the encryption capability.
Figure 5 - Methods for Processing Personal Information for Staffing and Procurement Activitie
Long Description of Figure 5
The above mentioned bar chart depicts the survey results on methods used for processing personal information for staffing and contracting activities. All seven departments responded to questions on contracting and only six departments on staffing.
Disclosure
To comply with the intent of the Act and TB policy, departments should restrict access to personal information to those employees who need this information to operate their program and to others according to the allowable purposes for disclosure to a public or private institution, pursuant to section 13 of the Act.
When surveyed, all departments responded that they only give formal access to personal information to those employees within the department who have responsibilities for either staffing or procurement, such as administrative officers or team leaders responsible for administering a contract, HR employees and managers responsible for staffing actions. The departments surveyed also indicated that personal information is also shared with other government departments (OGDs), federal or provincial, and/or private organizations in the context of staffing or procurement activities.
Sharing information depends on each department’s mandate. Some departments work closely together, which necessitates the sharing of personal information. According to the survey, all departments comply with the purposes set out in section 13 of the Act.
One of the expected results of the TB Policy on Privacy Protection is to ensure consistent public reporting on the administration of the Act through annual reports to Parliament, statistical reports and the annual publication of Info Source. All seven departments stated that they produce a statistical report and description of their PIB. With the exception of one department, all also review their description on an annual basis.
4.5 Privacy Impact Assessments
The TB Policy on Government Security and the TB Directive on Privacy Impact Assessments require that PIAs be conducted for substantially modified programs and activities that involve personal information.
Six departments follow the best practice of documenting their PIA processes. Although one department has formalized its process, they are still conducting PIAs on an ad hoc basis. Results also show that other departments are using a variety of methods to partially fulfill this responsibility: in one department, the ATIP group works closely with their IT group and therefore gets notified when there are any information systems that are being implemented or substantially modified; another department shares a PIA questionnaire with all program managers.
4.6 Employee Awareness and Training
According to Treasury Board policies and directives, all employees who handle personal information or are involved in the design and implementation of systems that handle personal information must be made fully aware of their obligations.
All departments conduct training and awareness sessions. Some departments make it mandatory for all new employees and provide the training as part of their orientation. The following lists the types of best practices for providing training to employees within the different departments:
- Part of the intensive program for new inspectors (Prep-School).
- By request and tailor-made (divisional).
- Awareness sessions at management/governance tables.
- In conjunction with IM awareness training.
- Monthly meetings with ATIP Liaison officers to answer any questions.
- Tutorial provided with the statement, and posting on the internal web page.
Four departments followed best practice and sent reminders to employees regarding privacy breaches. A privacy breach is an incident or event that violates the Privacy Act and occurs when there is improper or unauthorized collection, use, disclosure, retention or disposal of personal information.
4.7 Information Holdings
The TB Policy on Privacy Protection requires that departments “ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information.”
The results of our analysis indicated that six departments use encryption digital signatures and certificate authentication to mitigate the risk of a privacy breach. One department was unaware as to whether such a device was being used in their department at the time of this survey.
Four departments use laptops and USB or portable drives to collect personal information. Of those departments, three have proper protection procedures in place requiring that the USB key be ordered through the IT groups and encrypted.