Review and benchmarking of privacy management: chapter 1

Executive Summary

The review and benchmarking of privacy management was included in the 2013 Integrated Risk-Based Audit and Evaluation Plan approved by the Deputy Minister, upon recommendation of the External Audit Advisory Committee.

In 2012, Environment and Climate Change Canada (ECCC) developed and implemented a Privacy Policy Framework (PPF) supported by a set of directives and procedures. Following a privacy incident, management conducted an assessment of specific business processes in 2013.

Also in 2013, senior management requested that the Audit and Evaluation Branch (AEB) conduct a review of ECCC’s management framework and key management processes with respect to ECCC’s personal information, as well as conduct a benchmarking exercise to compare Environment Canada’s privacy processes with those of similar federal departments.

Overall, the review confirmed that the required policies and processes for privacy management are in place and conform to essentially all elements of the Treasury Board (TB) Policy on Privacy Protection. ECCC’s Privacy Policy Framework documents roles and responsibilities as well as privacy processes such as the Privacy Impact Assessment (PIA) process and the Breach Protocol. The review also confirmed that personal information for staffing and procurement activities is collected only for the purposes of specific programs.

Since the management assessment, many training sessions have been provided to staffing and procurement employees, and almost all employees (over 6,000) have taken the mandatory online security awareness session, which includes a privacy component. The Department has also implemented disk encryption on more than 1,900 laptops to protect the information stored on them. However, the audit team identified the following areas where privacy processes and controls could be improved:

Recommendation 1

The Director General of Corporate Secretariat should consider reviewing ECCC’s Privacy Policy Framework to better define the requirements for the collection, use and disclosure of the Social Insurance Number.

Recommendation 2

The Director General of Corporate Secretariat should improve its approach to monitoring which Privacy Impact Assessments are required and which have been conducted.

Management Response

Management agrees with the recommendations. The detailed management response can be found under Section 3 of this report.

Page details

2016-04-04