Review and benchmarking of privacy management: chapter 3

2. Objectives and Scope

Objectives

The objectives of this project were twofold:

• Conduct a review to determine if the necessary policy and management framework and key management processes over ECCC’s personal information are in place; and
• Conduct a benchmarking exercise to compare ECCC’s collection of personal information processes to other departments of similar size and mandates.

The detailed results of the Benchmarking of Privacy Management exercise are presented as a distinct report in Annex 2 (where ECCC’s results are identified as Department #7). The benchmarking report presents the comparative results of all seven participating departments without specific analysis of ECCC results, while the review report is presented from ECCC’s perspective.

Scope

The review focused on privacy management responsibilities of the ATIP coordinator and staff, as well as practices of the enabler branches more actively engaged in handling personal information (i.e.; staffing and procurement processes). The scope did not include:

• Access to information requests and correction of personal information (accuracy verification), since this was considered a lower risk during AEB’s planning phase;
• Sensitive business information, since this is not covered by the Privacy Act; and
• Validation of management’s assertions concerning the status of the 124 recommendations (2013 assessment).

The fieldwork for both the review and the benchmarking exercise was carried out solely in the National Capital Region.

Statement of Conformance

This review conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program, applied in the context of a review.

In our professional judgement, sufficient and appropriate procedures have been conducted and evidence gathered to provide reasonable assurance to support the accuracy of the conclusions reached and contained in this report. However, controls were not tested. The conclusions are based on a comparison of the situations as they existed at the end of the fieldwork (January 2015) against the review criteria.