Final benchmarking report on the handling of sensitive and personal information: chapter 5


Annex 1 - Benchmarking Topics and Survey Questions

1.1 Privacy Policy Framework (PPF) - An effective PPF has been developed and implemented to support the management and monitoring of privacy practices.
Has a PPF been developed and what is the level of implementation?
What elements are covered in your PPF?
Have you conducted a privacy policy gap analysis?
1.2 Governance and Oversight - Formal governance structures are in place and help provide oversight of privacy practices.
Do you have a formal delegation order for privacy responsibilities?
What type of governance structures do you have in place in terms of privacy management?
Was a privacy review or audit conducted in your department? If so, in what year was it conducted?
1.3 Roles and Responsibilities - Roles and responsibilities are clearly defined and communicated for all ECCC employees.
Have the roles and responsibilities in terms of privacy management been communicated to contracting and staffing officers?
1.4 Disclosure and Collection of Personal Information - Personal information that is collected relates directly to an operating program or activity. When collected, the individual is also informed of the purpose for which the information is being collected.
What type of personal information do you collect for procurement and contracting activities?
What type of personal information do you collect for staffing activities?
When collecting personal information for any type of contract or staffing action, how do you inform individuals of the purpose for which their information is being collected?
Do your forms/contracts include a privacy protection clause? (i.e., the forms used to collect personal information for contracts and staffing)
How do you collect personal information for contracting and staffing activities?
How do you process personal information once it has been collected from the individual for contracting or staffing processes?
How is access to personal information determined for contracting and staffing?
Do you share personal information with other organizations? If so, with whom?
1.5 Privacy Impact Assessments (PIA) - PIAs are conducted for new or substantially modified programs and activities that involve personal information. Sound management and key decisions are made based on the results of the PIAs.
Is the Privacy Impact Assessment (PIA) process documented?
How do you ensure PIAs are conducted for all new or substantially modified programs and activities that involve personal information?
1.6 Awareness and Training - Privacy awareness and training sessions are conducted and provide the necessary information to employees to enable them to fulfil their roles and responsibilities.
Does your department/agency conduct awareness/training sessions? If so, what type of awareness/training sessions are available to employees?
Do you send reminders to employees about potential privacy breaches?
1.7 Information Holdings - Personal information under the control of ECCC is identified and described in classes of personal information banks (PIB) on an annual basis.
How do you ensure that all personal information under the control of your organization is identified and described?
Do you use encryption to protect personal information?
What type of encryption do you use?
Which portable/mobile devices are used in the collection of personal information?

Date modified: 2018-12-06