Review and benchmarking of privacy management: chapter 2

1. Introduction and Background

The review and benchmarking of privacy management was included in the 2013 Integrated Risk Based Audit and Evaluation Plan approved by the Deputy Minister, as recommended by the External Audit Advisory Committee.

Government Privacy Requirements

Personal information is defined as information about an identifiable individual which is recorded in any form. The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under the control of government institutions.

The Privacy Act, Privacy Regulations and the Treasury Board (TB) Privacy Policy Suite supports the government’s commitment to establish clear standards for the collection, use, disclosure and retention of personal information, as well as best practices or effective controls for the promotion and enforcement of privacy.

Environment Canada Privacy Management

The Access to Information and Privacy (ATIP) Coordinator, which at ECCC is the Director General of the Corporate Secretariat, is responsible for:

• ensuring appropriate measures and processes are put into effect for the creation, collection, retention, accuracy, use, disclosure or disposition of personal information;
• establishing a plan for addressing privacy breaches;
• establishing procedures for maintaining a record of new uses and disclosures to ensure that personal information banks (PIB) remain up to date;
• informing employees of their responsibilities for privacy management; and
• establishing authority for the collection and creation of personal information.

Program managers are responsible for:

• informing the ATIP Division of any new or substantially modified program or activity;
• limiting the collection of personal information to what is directly related to programs or activities; and
• initiating a new Privacy Impact Assessment (PIA) when a program or activity is newly created or substantially modified.

Finally, all employees have a responsibility to protect the personal information they manage.

ECCC collects different types of personal information throughout the course of its program delivery,^{Footnote 1} such as age, marital status, race, national or ethnic origin, medical records, criminal records, employment history, identifying numbers (e.g. Social Insurance Number, Personal Record Identifier).

Consistent with the government’s requirements for privacy, ECCC has issued a Privacy Policy Framework (PPF) in 2012 which includes internal directives on Privacy Impact Assessment, privacy practices and a Privacy Breach Protocol.

Privacy Management Assessment

In response to a privacy incident, ECCC’s Corporate Services Branch (CSB), in collaboration with Corporate Secretariat, in 2013 assessed practices related to the handling of sensitive and personal information. The assessment included staffing, finance and procurement activities.

The assessment identified 124 recommendations that could be quickly implemented, followed by several management actions.  At the time of this review, 90 of the 124 recommendations had been implemented and 34 were deferred pending implementation of broader initiatives, such as the SAP financial system and the HR Business Process Reorganization.  In response to the assessment, ECCC has put in place many controls to help further the protection of personal information, such as the installation of encryption software on laptops.

The results of the above-mentioned assessment were considered during the planning and scoping of this review.