Review and benchmarking of privacy management: chapter 6


Annex 1 Methodology and Criteria

Methodology

The planning phase for this review was conducted using a risk assessment to confirm the audit objective and the areas that warranted further examination. The criteria used in the context of this review were developed from a combination of standards and models, such as the Global Technology Audit Guide - Practice Guide on Managing and Auditing Privacy Risks, the Privacy Act and related TB and ECCC policies and internal directives. The review was carried out using a combination of interviews and an examination of documentation.

The management assessment conducted in 2013 by ATIP and IM&IT Security staff and the benchmarking study conducted by AEB were also reviewed, and the results were taken into consideration.

Criteria

Review Criteria and Status (Met/Not Met)

1. Management framework and key management processes over ECCC’s privacy information are in place

1.1 Privacy Policy Framework (PPF) - A PPF has been developed and implemented to support the management and monitoring of privacy practices.
Status: Partially Met

1.2 Governance and oversight - Formal governance structures are in place and help provide oversight on privacy practices.
Status: Met

1.3 Roles and Responsibilities - Roles and responsibilities are clearly defined and communicated for all ECCC employees.
Status: Met

1.4 Disclosure and Collection of Personal Information - Personal information being collected relates directly to an operating program or activity. When collected, the individual is also informed of the purpose for which the information is being collected.
Status: Met

1.5 Privacy Impact Assessments (PIA) - PIAs are being conducted for substantially modified programs and activities that involve personal information.
Status: Partially Met

1.6 Awareness and Training - Privacy and awareness training sessions are being conducted and provide the necessary information to employees to enable them to fulfil their roles and responsibilities.
Status: Met

1.7 Information Holdings - Personal information under the control of ECCC is identified and described in classes of Personal Information Banks (PIB) on an annual basis.
Status: Met

Key Dates

Opening conference (launch memo)
November 2013

Review plan sent to management
April 2014

Penultimate draft report approved by CAE
June 2015

External Audit Advisory Committee recommendation
June 2015

Deputy Minister approval
December 2015

ECCC Privacy Policy Framework
November 2, 2012