Final benchmarking report on the handling of sensitive and personal information: chapter 4


4. Observations

Overall, the privacy management practices of participating departments were similar to those of other departments.

4.1 Privacy Policy Framework

As per the TB Policy on Privacy Protection, heads of government institutions are responsible for the effective, well-coordinated, and proactive management of the Privacy Act and Privacy Regulations within their institutions. Documented directives and protocols help heads coordinate and be proactive in managing an effective privacy program. A privacy policy framework (PPF) should set out clear responsibilities in government institutions for decision-making and managing the implementation of the Privacy Act and Privacy Regulations.

Although all seven departments have developed a PPF, only one has fully implemented its framework. Six had 50% or more of their frameworks implemented. One department was planning its implementation for March 2015.

Frameworks for the majority of departments included similar sections. Most departments followed TBS guidance and included guidance on privacy practices, Privacy Impact Assessments (PIAs), privacy breaches, and consent and notification/release. All departments have guidelines on privacy breaches, which were covered by the latest TB Guidelines for Privacy Breaches. These guidelines are in addition to and complement general TB policies and guidelines, such as the 2008 TB Directive on Social Insurance Number (SIN).

One department’s PPF demonstrates best practices and includes several guideline documents. The roles, responsibilities and requirements are described in detail. For example, the departmental policy governing the management of personal information sets out the differences between delegated authority and legislated responsibilities. The same document describes the retention and destruction requirements as well as a privacy protocol for non-administrative purposes.

As a best practice, an effective PPF would require regular gap analysis to make sure relevant policies have been properly implemented. Of the six departments that have implemented a policy framework, three have conducted a gap analysis of their compliance with TB policy and directives. One department responded that it has developed a Privacy Breach Guideline as a result of its gap analysis.

The following table presents the key guideline topics that the departments included in their PPFs.

Figure 1 - Key Guideline Topics in PPF

| Key guideline topic | (1) | (2) | (3) | (4) | (5) | (6) | (7) |
|---|---|---|---|---|---|---|---|
| Privacy practices/protocol/roles and responsibilities | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Privacy Impact Assessments / risk assessments | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Privacy breaches | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Social Insurance Number (SIN) | No | No | Yes | No | No | No | No |
| Consent and notification / release guidelines | No | No | No | Yes | Yes | Yes | Yes |

Figure 1 Description

The above-mentioned table describes the key guideline topics included in the participating departments’ privacy policy frameworks (PPF). The departments responded with a yes or no answer according to the key guideline topics in their respective PPF. The topics included:

  • Privacy practices/protocol/roles and responsibilities, one out of seven departments answered no;
  • Privacy Impact Assessments/risk assessments, one out of seven departments answered no;
  • Privacy Breaches, all departments answered yes;
  • Social Insurance Number (SIN), one out of seven departments answered yes; and
  • Consent and Notification/release guidelines, four out of seven departments answered yes.

4.2 Governance and Oversight

As per the TB Policy on Privacy Protection [Footnote 3], heads of government institutions are responsible for:

Heads of government institutions are responsible for deciding whether to delegate, pursuant to section 73 of the Privacy Act, any of their powers, duties or functions under the Act. All seven departments follow best practices and have a formal delegation of authority in place. The level of delegation of authority differs from department to department (see Figure 2), but all involve their ATIP group.

Figure 2: Delegation for Privacy Management

| Authority levels | (1) | (2) | (3) | (4) | (5) | (6) | (7) |
|---|---|---|---|---|---|---|---|
| Assistant Deputy Minister / Chief Privacy Officer | Yes | Yes | Yes | No | Yes | Yes | No |
| Director General responsible for ATIP | No | Yes | Yes | No | Yes | Yes | Yes |
| Director of ATIP | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Deputy Director / Manager of ATIP | No | Yes | Yes | Yes | Yes | No | No |

Figure 2 Description

The above mentioned table describes the different responsibility levels of delegation in all seven of the participating departments for Privacy Management.

The departments responded with a yes or no answer for the following authority levels:

  • Assistant Deputy Minister/Chief Privacy Officer, two out of seven departments answered no;
  • Director General responsible for ATIP, two out of seven departments answered no;
  • Director of ATIP, one out of seven departments answered no; and
  • Deputy Director/Manager of ATIP, four out of seven departments answered yes.

According to TBS Management Accountability Framework (MAF) guidance, departments should have in place an oversight body for the governance of their management, which would include the management of their privacy responsibilities.

When questioned on this guidance, no department specifically mentioned having an oversight body. Departments responded by referring to their formal delegation of authorities and reporting relationships. Oversight is provided through general governance structures and the reporting relationships.

To ensure an effective PPF has been implemented and that proper oversight has been provided on privacy practices, the TB Policy on Privacy Protection makes heads of government institutions or their delegates responsible for monitoring compliance with the policy as it relates to the administration of the Privacy Act. This monitoring can take the form of a privacy review or audit.

One department conducted a privacy audit in 2010 and another department conducted a privacy assessment in 2013.

4.3 Roles and Responsibilities

As per the TB Policy on Privacy Protection, heads of government institutions should ensure clear responsibilities for decision-making and managing the application of the Privacy Act and Privacy Regulations. They should also ensure employees of the government institution are made aware of policies, procedures and legal responsibilities under the Act.

Although six departments communicate employee roles and responsibilities through their ATIP groups, one department could not confirm whether these had been communicated.

We noted the best practice of providing written documentation on the roles and responsibilities through a framework or a handbook, and providing training sessions to employees.

4.4 Disclosure and Collection of Personal Information

This section covers the collection, processing and disclosure of personal information specific to the procurement and staffing processes.

Collection

According to the Privacy Act, personal information shall not be collected by a government institution unless it relates directly to an operating program or activity of the institution. While the purpose of this exercise was not to assess whether information collected was related to an operating program, the AEB was interested in understanding the type of information being collected in the context of procurement and staffing processes and in enabling the implementation of best practices where possible.

The following (Figure 3) presents the results of the survey specific to procurement and contracting activities. Overall, two departments collect all the information indicated below and all participating departments collect the name, address (past and present) and email address. The table also displays considerable variety in terms of other types of personal information that is collected.

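Figure 3 - Personal Information Collected for Procurement Activities

| Information Collected | (1) | (2) | (3) | (4) | (5) | (6) | (7) | % of Departments Collecting this Information |
|---|---|---|---|---|---|---|---|---|
| Name | x | x | x | x | x | x | x | 100% |
| Address (past and present) | x | x | x | x | x | x | x | 100% |
| Email address | x | x | x | x | x | x | x | 100% |
| Phone number |  | x | x | x | x | x | x | 86% |
| Billing rate or exact salary figure | x | x | x |  | x | x | x | 86% |
| Date of birth | x |  |  | x | x | x | x | 71% |
| Confirmation of security clearance |  |  | x | x | x | x | x | 71% |
| Previous employment |  |  |  | x | x | x | x | 57% |
| Work start and end dates |  |  | x | x | x | x | x | 57% |
| Location of work |  |  | x |  | x | x | x | 57% |
| Academic level |  |  |  |  | x | x | x | 43% |
| Social Insurance Number |  |  |  | x | x |  | x | 43% |
| Hours of work (temp help) |  |  |  |  | x | x | x | 43% |
| Other | x | x |  |  |  |  | x | 43% |

Figure 3 Description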

The above mentioned table displays the results of personal information collected for procurement activities in all seven departments. The departments responded to a specific survey and the results are as follows:

  • Name, address (past and present) and email address 100%;
  • Phone number and billing rate or exact salary figure 86%;
  • Date of birth and confirmation of security clearance 71%;
  • Previous work employment, work start and end dates and location of work 57%; and
  • Academic level, Social Insurance Number and hours of work (temp help) and other 43%.

In the case of the staffing process, we noted that, as a best practice, rather than collecting copies of personal identification related to staffing actions, one department requires the hiring managers to sign a letter attesting to the fact that they have viewed the identification. This provides an additional safeguard against any unauthorized access to personal information.

The following presents the type of personal information collected in the context of the staffing process. It is important to note that one department (Department 6) did not provide a response to this section of the survey.

Once again, the table shows that there is a wide variety of information that is collected, with the following information being collected by all departments: name, address, phone number, email address and résumés. Under the category of “Other types of information,” one department noted that they collect a signed consent form allowing the release of the individual’s personal information into the Priority Information Management System (PIMS).

Figure 4 - Personal Information Collected for Staffing Activities

| Staffing | (1) | (2) | (3) | (4) | (5) | (7) | % of Departments Collecting this Information |
|---|---|---|---|---|---|---|---|
| Name | x | x | x | x | x | x | 100% |
| Address (past and present) | x | x | x | x | x | x | 100% |
| Phone number | x | x | x | x | x | x | 100% |
| Email address | x | x | x | x | x | x | 100% |
| Résumé | x | x | x | x | x | x | 100% |
| Academic level |  | x | x | x | x | x | 83% |
| Confirmation of security clearance |  | x | x | x | x | x | 83% |
| Social Insurance Number |  | x | x | x | x | x | 83% |
| Psychological assessment |  | x | x | x | x | x | 83% |
| Work start and end date |  | x | x | x | x | x | 83% |
| Date of birth |  |  | x | x | x | x | 67% |
| Attestation from academic institutions |  | x | x |  | x | x | 67% |
| Personal security briefing form |  | x | x |  | x | x | 67% |
| Personal record identifier (PRI) |  | x | x |  | x | x | 67% |
| Scan of citizenship card |  | x | x |  | x | x | 67% |
| Proof of Canadian citizenship attestation |  | x | x |  | x | x | 67% |
| Hours of work |  | x | x | x |  | x | 67% |
| Location of work |  | x | x |  | x | x | 67% |
| Supervisor’s name and position |  | x | x |  | x | x | 67% |
| Previous employment |  | x | x |  | x | x | 67% |
| Scan of driver’s license |  | x | x |  |  | x | 50% |
| Scan of birth certificate |  | x | x |  |  | x | 50% |
| Scan of passport |  | x | x |  |  | x | 50% |
| Exact salary figure |  | x | x |  |  | x | 50% |
| Position classification code |  | x | x |  |  | x | 50% |
| Other, please specify | x | x |  |  | x |  | 50% |

Figure 4 Description

The above-mentioned table displays the results of personal information collected for staffing activities from six of the seven departments.

The results are as follows:

  • Name, address (past and present), phone number, email address and résumé 100%;
  • Academic level, confirmation of security clearance, Social Insurance Number, psychological assessment and work start and end dates 83%;
  • Date of birth, attestation from academic institutions, personal security briefing form, personal record identifier (PRI), scan of citizenship card, proof of Canadian citizenship attestation, hours of work, location of work, supervisor’s name and position and previous employment 67%; and
  • Scan of driver’s license, scan of birth certificate, scan of passport, exact salary figure, position classification code and other 50%.

The Privacy Act requires that when personal information is collected, the individual be informed of the purpose for which the information is collected. It also states that: “Personal information under the control of a government institution should not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.” The TB Policy on Privacy Protection specifically states that departments should ensure that appropriate privacy protection clauses are included in contracts and agreements that may involve intergovernmental or trans-border flows of personal information.

Best practice would require some form of documentation as to how an individual was informed of the purpose of collection. Most departments informed the individual that their personal information would be protected through a privacy protection clause included in the forms/contracts that collect personal information. One department informed individuals either by phone or by email.

The Act and the TB Policy on Privacy Protection do not describe the methods of collection that can be used. Depending on the type of information collected and its sensitivity, the departments surveyed use a variety of collection methods.

For contracting, of the seven departments that participated in the study:

For staffing, the six departments responding to the survey questions collect personal information for staffing actions through one or more of the following methods:

Based on our analysis of the information received, email and electronic forms are seen as better practices to collect personal information because of the encryption capability.

Processing

Once the personal information has been collected, departments require robust processes to ensure that their personal information collections are secure and are accurate for reporting on an annual basis. The use of printers or scanners requires a protocol for ensuring the information is not left stored on the device, and printed material must be shared and stored in accordance with classification requirements.

For contracting, of the seven departments responding to the survey questions:

For staffing, of the six departments responding to the survey questions:

As stated in the previous section, email and electronic forms are seen as better practices to process personal information because of the encryption capability.

Figure 5 - Methods for Processing Personal Information for Staffing and Procurement Activities
Long Description of Figure 5

The above-mentioned bar chart depicts the survey results on methods used for processing personal information for staffing and contracting activities. All seven departments responded to questions on contracting and only six departments on staffing.

Disclosure

To comply with the intent of the Act and TB policy, departments should restrict access to personal information to those employees who need this information to operate their program and to others according to the allowable purposes for disclosure to a public or private institution, pursuant to section 13 of the Act.

When surveyed, all departments responded that they only give formal access to personal information to those employees within the department who have responsibilities for either staffing or procurement, such as administrative officers or team leaders responsible for administering a contract, HR employees and managers responsible for staffing actions. The departments surveyed also indicated that personal information is shared with other government departments (OGDs), federal or provincial, and/or private organizations in the context of staffing or procurement activities.

Sharing information depends on each department’s mandate. Some departments work closely together, which necessitates the sharing of personal information. According to the survey, all departments comply with the purposes set out in section 13 of the Act.

One of the expected results of the TB Policy on Privacy Protection is to ensure consistent public reporting on the administration of the Act through annual reports to Parliament, statistical reports and the annual publication of Info Source. All seven departments stated that they produce a statistical report and description of their PIB. With the exception of one department, all also review their description on an annual basis.

4.5 Privacy Impact Assessments

The TB Policy on Government Security and the TB Directive on Privacy Impact Assessments require that PIAs be conducted for substantially modified programs and activities that involve personal information.

Six departments follow the best practice of documenting their PIA processes. Although one department has formalized its process, it is still conducting PIAs on an ad hoc basis. Results also show that other departments are using a variety of methods to partially fulfill this responsibility: in one department, the ATIP group works closely with its IT group and is therefore notified when any information systems are being implemented or substantially modified; another department shares a PIA questionnaire with all program managers.

4.6 Employee Awareness and Training

According to Treasury Board policies and directives, all employees who handle personal information or are involved in the design and implementation of systems that handle personal information must be made fully aware of their obligations.

All departments conduct training and awareness sessions. Some departments make it mandatory for all new employees and provide the training as part of their orientation. The following lists the types of best practices for providing training to employees within the different departments:

Four departments followed best practice and sent reminders to employees regarding privacy breaches. A privacy breach is an incident or event that violates the Privacy Act and occurs when there is improper or unauthorized collection, use, disclosure, retention or disposal of personal information.

4.7 Information Holdings

The TB Policy on Privacy Protection requires that departments “ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information.”

The results of our analysis indicated that six departments use encryption, digital signatures and certificate authentication to mitigate the risk of a privacy breach. One department was unaware as to whether such a device was being used in their department at the time of this survey.

Four departments use laptops and USB or portable drives to collect personal information. Of those departments, three have proper protection procedures in place requiring that the USB key be ordered through the IT groups and encrypted.

Page details

2018-12-06