ARCHIVED - Final Audit Report - Audit of Information Management

October 2010

Executive Summary

Information Management (IM) is a discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation. The Government of Canada has an information management strategy that is followed by departments and agencies. Yet, the Information Commissioner of Canada has identified that across government there remain systemic issues affecting the way in which departments manage information.

The objective of this audit is to assess Health Canada's information management practices in relation to roles and responsibilities, systems, record classification structure, disposition authorities and the protection of personal information. The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

The Chief Information Officer, in conjunction with the Information Knowledge Management Division, has been actively strengthening IM activities by: increasing IM awareness across the Department; streamlining the IM governance structure; developing and implementing IM performance measurement indicators; and implementing an Electronic Data Management System (EDMS) in the Healthy Environment and Consumer Safety Branch. However, areas for improvement still exist.

IM is a shared responsibility between the corporate function and the program managers. The Chief Information Officer, Corporate Services Branch, ensures that appropriate management direction, processes and tools are in place to efficiently manage information to support the Department's business and to retain the quality of information throughout the information lifecycle. Health Canada managers are responsible for managing information as an integral part of programs, service delivery and as a strategic business resource. While the Department has in place a structure to manage its information, there are still roles and responsibility gaps with respect to how information is managed and monitored for both integrity and completeness. Identifying and integrating the shared roles and responsibilities within the governance framework will provide more effective management of the Department's information holdings.

Records classification systems are developed and used to support all stages of the records and information management lifecycle, but to date not all Branches have adopted the same classification system. The Information Knowledge Management Division has taken steps to advise Branches of the benefits of using a standard functional classification system, but the responsibility for adopting such a system ultimately lies with the Branches.

A Records Disposition Authority is the authority issued by the National Archivist of Canada to identify records that are to be archived or disposed of when no longer required for operational, legal or informational purposes. A review of Records Disposition Authorities within the Branches showed that they often did not exist, were incomplete, or were more suited as a guideline.

Within three programs examined, it was noted that personal information is not adequately protected, monitored and accessed based on Treasury Board of Canada's Policy on Government Security, Policy on Privacy Protection and the Directive on Privacy Protection. It was also noted that Branches were not reporting completely on the collection of personal information.

To address some of the issues raised, Health Canada has begun to develop an overarching information architecture model for managing the Department's information holdings. However, further work is needed. Management has agreed, with an action plan, to the six recommendations which will serve to strengthen Information Management at Health Canada.

Introduction

Background

Information Management (IM) is a discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation.

In February 2009, the Information Commissioner of Canada tabled the Report Cards 2007/2008 and Systemic Issues Affecting Access to Information in Canada. Amongst the issues identified were deficiencies in information management.

Under the direction of Health Canada's Chief Information Officer, the Information Management Services Directorate (IMSD) provides the strategy, policies, infrastructure, tools and staff necessary to make effective use of information management. Within this Directorate, the Information Knowledge Management Division (IKMD) provides department-wide functional leadership and guidance for information management (IM) and knowledge management.

More specifically, the Division is responsible for the development and maintenance of information/knowledge management strategies, policies, information architecture, standards and guidelines. The Division is also accountable for the development and support of a records management solution in all media types; the development and deployment of training and awareness strategies; coordinating the development of IM communication products; the delivery of records disposition; services to facilitate access to knowledge; library services; and research and mail services. The Division is divided into three sections: IM Innovations and Systems, IM Services Delivery, and IM Policy, Planning and Strategies Section.

Branches are responsible for managing corporate information which consists of documents pertaining to the delivery of programs and services, records of decisions made, and evidence of financial and legal transactions. A corporate record can take many forms (i.e. paper documents, email, electronic documents, photographs and digital images).

The 2008/09 budget for information management for IKMD is reported to be approximately $8.2 million. Storage costs to manage the Department's records amount to approximately $6 million. These figures do not include any of the IM costs absorbed by the Branches.

Audit Objective

The objective of this audit is to assess Health Canada's information management practices in relation to roles and responsibilities, systems, record classification structure, disposition authorities and the protection of personal information.

Scope and Approach

The audit was undertaken by the Audit and Accountability Bureau as per Health Canada's Risk-Based Audit Plan for 2008/09, which was approved by the Departmental Audit Committee on April 3, 2008. The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

The audit examined the roles and responsibilities for information management, the processes to support the Access to Information and Privacy Acts, the infrastructure used to support information management and lifecycle management.

The audit relied on the Treasury Board of Canada Secretariat core management control criteria to assess management controls and stewardship (Appendix A). The lines of enquiry and audit criteria were agreed upon by the Corporate Services Branch.

The audit focused largely on the Corporate Services Branch. The audit focus for records management, standards and classification, and Records Disposition Authorities, was limited to: the Chemical Emergency Response Unit, within the Healthy Environment and Consumer Safety Branch (HECSB); and the Community Wellness and Health Surveillance Directorate, the Employee Assistance Services unit, and the Percy E. Moore Hospital, within the Regions and Programs Branch (RAPB). Finally, the audit focus for the protection of personal information was limited to the Community Wellness and Health Surveillance Directorate, the Employee Assistance Services Unit, and the Percy E. Moore Hospital.

The methodology for the audit included a review of documentation including: records of decisions, policies, processes in support of Access to Information and Privacy Acts, guidelines and standards. Interviews were conducted and a test of controls was completed. The audit covered the period from January 1, 2008 to March 31, 2009.

Findings, Recommendations and Management Response

Information Management - A Shared Responsibility

Roles and Responsibilities

Audit Criterion

Roles and responsibilities for managing information should be clearly defined and documented.

Managing information is a crucial element of all Government of Canada activities and a part of every public servant's responsibilities. It involves treating the information used or produced in the course of performing a job as a strategic business resource and in line with legal and policy requirements. As such, all employees are responsible for managing the information they collect, create and use to support not only the outcomes of the programs and services, but also the Department's operations and legislated accountabilities.

In order to meet these obligations, public servants must be sufficiently knowledgeable to apply the information management policy, standards, procedures, directives, guidelines, and tools. This includes documenting activities and decisions and using departmental information in a manner that facilitates access while ensuring that privacy and security requirements are being met.

Accountability for information management is assigned to the Deputy Minister and is supported by the legislation, guidance and directives from both the Treasury Board of Canada Secretariat and Library and Archives Canada.

The Deputy Minister is supported by the Chief Information Officer, the senior executive accountable for information management at Health Canada. This senior manager is the head of the Information Management Services Directorate (which includes the Information Knowledge Management Division) and also co-chairs the Information Management Accountability Board.

Overall, the Chief Information Officer ensures that appropriate management direction, processes and tools are in place to efficiently manage information to support the Department's business and to retain the quality of information throughout the information lifecycle. During the strategic planning exercise the Chief Information Officer ensures that information management requirements are addressed and aligned with information technology requirements. Lastly, the Chief Information Officer is responsible for coordinating resources and the departmental implementation of government-wide solutions.

Health Canada managers are responsible for managing information as an integral part of programs, service delivery and as a strategic business resource. Managers are responsible for identifying information issues and requirements to functional specialists, and for ensuring that processes and systems appropriately address any information management issues. In addition, managers ensure that employees understand and apply effective information management strategies in their day-to-day operations.

Supporting Health Canada management are the Branch Information Management Advisor (BIMA) and the Regional Information Management Advisor (RIMA). Advisors support department-wide information management initiatives by implementing policies, directives and standards. Advisors also develop and deliver information management services such as providing routine advice, training and awareness sessions. In addition, they are responsible for supporting integration of information management requirements into departmental business and information technology strategies. Lastly, they collaborate with all managers to address information lifecycle requirements.

All Branches are responsible for managing their information in accordance with the Government of Canada's policies (Policy on Information Management, Policy on Government Security), and legislative requirements (Access to Information and Privacy Acts and Library and Archives Canada Act). The Information Knowledge Management Division, Corporate Services Branch, as the functional lead in this area, supports the Branches by developing and maintaining departmental information management/information knowledge strategies, policies, information architecture, standards and guidelines. In addition, IKMD provides knowledge management, training and awareness, and the planning and delivery of records disposition authorities.

While the Department has in place a structure to manage its information, there are roles and responsibility gaps for the development and coordination of managing the records and for monitoring the integrity and completeness of the record holdings. In addition, there is a lack of clarity around responsibility for monitoring information holdings in the Department. In 2007, a responsibility matrix was developed that outlined decision domains of authority for each of the Information Management Committees. Since that time, the governance framework for information management has evolved, leaving the responsibility matrix outdated.

An analysis of the mandates of the committees responsible for IM was conducted, and it noted that the responsibilities listed in the Records Management Policy (2006) were not well integrated within the governing framework.

In the spring of 2009, a review of the governance structure was completed to clarify roles and responsibilities and to identify opportunities to improve efficiency and effectiveness of information management. Identifying and integrating the shared roles and responsibilities within the governance framework will provide more effective management of the Department's information holdings.

Recommendation 1

  1. It is recommended that the Chief Information Officer, Corporate Services Branch, update information management policies/guidelines and directives to reflect current roles and responsibilities for managing information in the Department.
  2. It is recommended that all Branches apply information management principles, standards, and practices as expected in Treasury Board and departmental frameworks, policies, directives, and guidelines in the performance of duties, and for documenting activities and decisions.
  3. It is recommended that the Chief Information Officer, Corporate Services Branch, conduct annual assessments on the effectiveness of Branch information management practices and report annually to the Senior Management Board - Policy.

Management Response

Since the release of the Treasury Board of Canada Secretariat Policy on Information Management (2007), the Library and Archives Canada Roles and Responsibilities (2008), the new Record Keeping Directive (July 2009), and since the completion of the audit, numerous actions have been undertaken by Corporate Services Branch (CSB).

In July 2009, the Branch updated the Departmental IM policies, guidelines and directives to reflect current roles and responsibilities for managing information and posted them to the Health Canada intranet. In addition, the Branch reviewed and updated the IM/IT governance structure, and improved ATI and litigation e-discovery performance indicators. Corporate Services Branch has also been creating Department-wide generic IM position descriptions to further strengthen the IM role within the Department.

An IM Strategy is being developed in order to assist the Branches in meeting the responsibilities for IM. The Strategy will be delivered through three pillars: awareness and communications; learning and training; engagement and commitment. Branches are committed to developing and implementing IM action plans.

Corporate Services Branch is evolving towards an integrated enterprise approach to managing information holdings, allowing it to conduct annual assessments of the effectiveness of Branch IM practices. Annually the Branch gathers, analyzes and reports on IM performance as a part of the Treasury Board of Canada Secretariat annual Management Accountability Framework (MAF) exercise. Lastly, the Branch plans to introduce an additional reporting mechanism to capture the effectiveness of Branch IM practices.

Enterprise Information Architecture Model

Audit Criterion

Administration of an information systems function should include the maintenance of a business information model and establish the appropriate systems to manage the information holdings.

Data Management Elements

  1. Location
  2. Filing
  3. Retrieval
  4. Security
  5. Disaster Recovery
  6. Retention Period
  7. Archiving
  8. Distribution
  9. Workflow
  10. Creation
  11. Authenticity
  12. Traceability

A document management system can range from a manual system such as a filing cabinet all the way to an enterprise data management system. Regardless of the type of system there are several common elements that are involved in managing documents.

However, as reported in the 2008 Project Charter for Electronic Management System, Health Canada has some key information management challenges surrounding these common elements, for example: excessive time spent looking for documents; occurrences of lost documents; incomplete or inaccurate document audit trail; and difficulties in managing the "paper mountain".

To address some of these challenges, IMSD has begun to develop an overarching information architecture model for managing the Department's information holdings. In addition, it has developed and implemented an Application Software Registry that contains a list of software applications owned by the Department. Other building blocks include the implementation of the Records Information Classification Standard, and an electronic data management tool.

The scope of what these tools individually manage falls short of the capacity needed to manage the entire spectrum of Health Canada information holdings. Interviews were held with Branch Access to Information (ATI) coordinators, all of whom commented on the excessive time required to find information in response to ATI requests. Branch ATI coordinators rely on the knowledge base of employees for locating and accessing required information. An integrated Information Architecture Model is important to readily identify the appropriate information holdings needed to support ATI requests.

In an effort to find an electronic data management solution, the Information Management Accountability Board selected one of Health Canada's program areas to pilot a new electronic data management system. The pilot project was approved by the Senior Management Board in December 2008. The Electronic Document Management System (EDMS) was rolled out to over 1,000 users across the Healthy Environments and Consumer Safety Branch (HECSB) and Regions and Programs Branch (i.e. Manitoba-Saskatchewan and Atlantic Regions).

EDMS has provided a number of benefits to users in HECSB, which include increased productivity and efficiency for program delivery, compliance on a number of key requirements such as ATIP business processes, ability to manage documents more effectively and efficiently throughout their lifecycle (conversion to the records classification structure), avoidance of document re-creation costs, avoidance of corporate memory loss due to employee turnover, promotion of information sharing, and protection and control of records.

At the end of the pilot, a client survey highlighted some areas of concern. In particular, staff indicated that the proposed system had some challenges in assisting them with their day-to-day business activities such as integrating EDMS with e-mail. Employees noted the need for the Department to seek a national solution to integrate with other reporting systems.

It was also noted that there was no plan to identify resources to fund an enterprise content management solution across the Department.

Recommendation 2

  1. It is recommended that the Chief Information Officer, Corporate Services Branch, in collaboration with all Branches, develop a three year plan to fund and implement an Enterprise Content Management Solution (ECMS) across the Department.
  2. It is recommended that all Branches use the Department's Enterprise Content Management Solution (ECMS) once it becomes available.

Management Response

Corporate Services Branch in collaboration with all Branches will create a senior management Steering Committee with a mandate to develop a 3-5 year business plan to fund and effectively implement an Enterprise Content Management Solution (ECMS) across the Department. The business case will also include a multi-year implementation strategy and a Change Management Framework.

In the absence of an ECMS, in the interim, Corporate Services Branch will continue with the limited implementation of Record Document Information Management System (RDIMS) to Corporate Services Branch Executive Committee members as part of its commitment to enhance management practices within existing budgets and to respond to the Clerk's priorities for information/knowledge management.

Records Management, Standards and Classification

Audit Criterion

Information management should incorporate effective management of records to meet program and service outcomes, operational needs and accountabilities.

Decision-making, program delivery and accountability are dependent on sound record management practices. Records capture day-to-day operations and decision-making processes and are a key corporate asset. To support federal government institutions in arranging their records by function, the Government of Canada has developed a methodology for constructing a function-based records classification system. A function-based records classification is a logical arrangement of all records documenting or evidencing activities based upon an analysis of the institution's business functions, sub-functions, and activities. The Office of the Information Commissioner, as well as the Office of the Auditor General of Canada, has expressed concerns with the lack of proper records management in departments.

A classification system is a key element of information management that provides the structure within which information is managed. It also facilitates the retrieval of information to support decision-making. Records classification systems are developed and used to support all stages of the records and information management lifecycle.

The records management aspect of the audit focussed on the IM practices of four Health Canada business units. The business units selected were the Chemical Emergency Response Unit in the Healthy Environments and Consumer Safety Branch; and the Community Wellness and Health Surveillance Directorate, the Employee Assistance Services unit, and the Percy E. Moore Hospital in the Regions and Programs Branch.

The Corporate Services Branch has developed a Records Keeping Procedures Manual and a function-based IM classification standard and has been providing training towards achieving the expected Government of Canada classification standard for classifying information holdings. In 2007/08 a revised classification standard was implemented.

Audit interviews with various Branch and Regional Information Advisors (BIMA/RIMA) confirmed the limited use of a records information classification standard to manage electronic records within the respective branches.

Recommendation 3

  1. It is recommended that the Chief Information Officer, Corporate Services Branch, monitor compliance with the Department's current classification standard for managing information.
  2. It is recommended that all Branches implement the Department's current classification standard for managing information as identified in the Directive on the Management and Storage of Information on Health Canada's Network Servers.

Management Response

As previously noted, in 2007/08 a second generation functional classification structure (aXsv2) was implemented by Corporate Services Branch to manage information holdings to ensure that records are managed in accordance with the approved Departmental classification structure. As such, the Departmental Classification structure is updated on an ongoing basis to reflect changes to the functions and/or activities carried out by the Department.

Corporate Services Branch continues to promote the current Departmental Classification structure, providing training sessions (6-8 times per year) as well as ad hoc coaching support/sessions on a regular basis. In addition, all branches are to ensure Branch IM Specialists are sufficiently trained to provide support to end clients regarding the use of the department's current classification standard; and, the department's current classification standard is used by its employees to classify/organize information in all media and document management solutions unless Business dictates otherwise. To monitor Branches' uptake of the departmental classification standard, Corporate Services Branch will track compliance by examining on an ongoing basis its use within the various IM systems used across Health Canada.

Records Disposition Authority

Audit Criterion

The Department has effective procedures for managing the media library, back-up and recovery and retention of data, and proper disposal of media.

A Records Disposition Authority (RDA) is the authority issued by the National Archivist of Canada to identify records that have historical value and are to be archived at Library and Archives Canada (LAC). These authorities provide the basis for the development of Records Retention and Disposition Schedules which identify the length of time records are to be managed by the Department and indicate whether they are to be transferred to LAC or destroyed when no longer required for operational, legal or departmental business purposes.

The examination phase of the audit was limited to a review of the records disposition practices of the Chemical Emergency Response Unit of the Healthy Environments Consumer Safety Branch, the Community Wellness and Health Surveillance Directorate, the Employee Assistance Services Unit, and the Percy E. Moore Hospital of the Regions and Programs Branch.

In all instances sampled, the RDAs either did not exist, were incomplete or were more suited as a guideline. As well, the Information Knowledge Management Division confirmed that a high percentage of the Departmental business processes are not covered under an RDA. To prevent the Department from losing information, RDAs should be developed by the Department and approved by Library and Archives Canada.

Recommendation 4

  1. It is recommended that the Chief Information Officer, Corporate Services Branch, coordinate the development and approval of the Records Disposition Authorities with all Branches.
  2. It is recommended that all Branches implement the Records Disposition Authorities in accordance with Health Canada's Disposition Directive.

Management Response

Corporate Services Branch in collaboration with Library and Archives Canada (LAC) has recently developed project plans and work breakdown structures, which also have been communicated to the Branches involved. Currently the CIO is coordinating the development of an MOU, negotiating with both LAC and HC's Branches. Once the MOU is signed, Corporate Services Branch will co-ordinate the development and approval of Records Disposition Authorities (RDA) for all Branches; and, establish retention periods and application guidelines. To ensure Branch RDAs are implemented in accordance with the HC Disposition directive, Corporate Services Branch will monitor their application through the use of the disposition authorization process outlined in the HC Record Keeping procedures manual.

Protection of Personal Information

Audit Criterion

Effective administration of the Privacy Act, in conjunction with the Policy on Government Security, the Policy on Privacy Protection and the Directive on Privacy Practices, should be in place to protect personal information.

Personal information is information about an identifiable individual which is recorded in any form. Personal information can only be about individuals, not about corporations or associations.

Types of Personal Information

    • Race, national/ethnic origin, colour, religion, age, marital status, fingerprints, blood type
    • Education, medical, employment or criminal history
    • Identifying number, symbol or other particular information assigned to an individual (i.e. Social Insurance Numbers or address)
    • Private or confidential correspondence, personal opinions or views and replies to that correspondence
    • The name of an individual when it reveals personal information about the individual

For organizations in Canada holding personal information, the Privacy Act (1983) is the cornerstone from which policy and standards on privacy are developed. Within the context of controls for personal information, the underlying theme is to ensure the safeguarding of personal information.

The Policy on Government Security prescribes the application of safeguards to protect employees, preserve the confidentiality, integrity, availability and value of sensitive information. Branch management is responsible for ensuring that only authorized employees are accessing personal information. The Department must limit access to protected information to those individuals who have "a need to know".

With respect to the protection of personal information, the examination was limited to three business units that have applications containing personal information - the Community Wellness and Health Surveillance, the Employee Assistance Services Unit, and the Percy E. Moore Hospital, within the Regions and Programs Branch.

Results of this examination identified some control deficiencies surrounding the protection of personal information - namely access and monitoring of personal information holdings. Since Health Canada collects information on both its employees and others as it relates to programs and services delivered to the public, it is important that the Department protect the collected personal information as intended in the Privacy Act and the Policy on Government Security. Lastly, Branches need to monitor personal information in accordance with the Treasury Board's Policy on Privacy Protection and/or Directive on Privacy Practices.

Recommendation 5

  1. It is recommended that the Assistant Deputy Minister, Corporate Services Branch, continue to support all Branches by developing a Health Canada Privacy Management Framework (PMF) that outlines responsibilities, accountabilities and processes for handling and monitoring personal information in their respective Branches.
  2. It is recommended that all Branches employ appropriate measures as defined in the Directive on Privacy Practices by ensuring that:
    • Work positions are identified within a program or activity that has a valid reason to access and handle personal information. Access should be limited to individuals occupying those positions;
    • Access and use of personal information is limited by administrative, technical and physical means to protect the information; and
    • Access, use and disclosure of personal information is monitored and documented. This should include measures for addressing the timely identification of inappropriate or unauthorized access or handling of personal information related to a particular program or activity.

Management Response

In support of all Branches, Corporate Services Branch is developing a departmental Privacy Strategy, outlining specific deliverables based on analysis of risk, greater awareness, and strengthening accountability which will increase the Department's capacity to promote and protect personal information. Branches with the highest amount of personal information holdings (FNIHB, RAPB, HECSB, PACCB, and CSB) will receive training to build greater awareness and strengthen accountability which will also be supported by an increased monitoring and risk analysis strategy.

As a first step, Corporate Services Branch will provide possible solutions for select accountability issues; primarily a Privacy Impact Assessment (PIA) and Privacy Breach process, including monitoring, reporting and potential sanctions for non-compliance.

New Privacy policies and directives will be communicated, on a timely basis, to the members of the IM and Privacy Forums within the Department. Approved solutions will be implemented via communications and training: privacy training and IM awareness will be refined to include new messaging that focuses on strengthening accountability and safeguarding personal information.

To ensure appropriate measures as defined in the TBS Directive on Privacy Practices are employed, a number of actions will be implemented including that: Branches will review work positions that require access to personal information for valid authority in order to limit access and use of personal information; the ADM Corporate Services Branch will provide guidance to programs when responding to inappropriate or unauthorized access of personal information as it relates to documenting and monitoring access, use and disclosure of personal information in select programs; Privacy Breach guidelines are developed.

Parliamentary Reporting

Audit Criterion

Effective administration of the Privacy Act should support public accountability instruments and reports to Parliament.

Health Canada has an Access to Information and Privacy Division that reports to the Assistant Deputy Minister, Corporate Services Branch. The Division is responsible for facilitating departmental compliance with the Privacy Act, which includes mandatory reporting of collections of personal information to Parliament, which is done through Info Source.

Info Source falls under the purview of the Treasury Board of Canada Secretariat, which produces a series of publications containing information about the functions, programs, activities and related information holdings collected by the Government of Canada. The primary purpose of Info Source is to assist individuals in exercising their rights under the Privacy Act. Info Source also supports the federal government's commitment to facilitating access to information.

To respond to the mandatory reporting requirements for Parliament, the Department must disclose all collections of personal information for which the Department is responsible. This requires that Branches identify and register collections of personal information with the ATIP Division. The ATIP Division prepares an annual listing of all the Department's personal information collections, which is submitted to the Treasury Board of Canada Secretariat.

The combined results of the audit tests completed and interviews conducted, as well as the results from the 2008/09 Treasury Board of Canada Secretariat - Management Accountability Framework Assessment, point to the need for Health Canada to improve its reporting of collections of personal information.

Recommendation 6

  1. It is recommended that all Branches identify and report the collections of personal information to the Corporate Services Branch, as required under the Treasury Board's Directive on Privacy Practices. In addition, Branches should identify a senior official from their respective Branches to coordinate this activity with the Corporate Services Branch. Lastly, the Assistant Deputy Minister, Corporate Services Branch, should ensure that all personal information is registered in accordance with the Privacy Act.

Management Response

In support of the Branches' identification and reporting of the collection of personal information, the Access to Information Privacy Officer within Corporate Services Branch has committed to developing an accessible centralized electronic document where Branches can both view and update their personal information collections. In addition, as directed by Senior Management Board - Operations on June 9, 2010, DG-level Branch Privacy Champions will be identified as the single points of contact to liaise with Corporate Services Branch on all privacy issues. Branches will ensure that they report their respective collections of personal information to Corporate Services Branch. Corporate Services Branch will continue to work with Branches to ensure that all collections of personal information they provide are registered with Treasury Board Secretariat for Info Source purposes, thus meeting Privacy Act requirements.

Conclusion

Health Canada's Chief Information Officer, in conjunction with the Information Management Knowledge Division, has been actively strengthening the IM activities. Recently the IM governance structure was streamlined to improve overall effectiveness, and an IM awareness strategy was launched across the Department to increase employees' understanding of their responsibilities for Access to Information, Privacy, Records Management and IM Security. The Division has also been developing and implementing IM performance measurement indicators. Lastly, the Information Management Knowledge Division piloted an Electronic Data Management System (EDMS) in partnership with the Healthy Environment and Consumer Safety Branch. This system is seen as a prototype for extension to the remainder of the Department.

While Health Canada has shown recent progress in addressing some of its information management issues, further opportunities for improvement exist and progress will be dependent on senior management, as well as its employees, endorsing and applying sound information management principles and practices.

Specifically, the Department would benefit from updating policies and procedures to reflect recent changes in roles and responsibilities for information management thereby finalizing the governance structure. The implementation of an Enterprise Information Architecture system to integrate the Department's information holdings would also help address many of the concerns for managing information. In the area of storage and retrieval the Department would benefit from the application of a records classification structure which integrates all information sources. Health Canada needs to continue to ensure that information is managed using a lifecycle approach in accordance with Government of Canada policies and procedures. Lastly, personal information needs to be better managed in accordance with the Privacy Act, Policy on Government Security, Policy on Privacy Protection and the Directive on Privacy Protection.

Appendix A - Lines of Enquiry and Audit Criteria

Line of Enquiry: The Department should manage its information effectively.

Audit Criteria:
  1. Roles and Responsibilities for managing information should be clearly defined and documented.
  2. Administration of an information systems function should include the maintenance of a business information model and establish the appropriate systems to manage its information holdings.
  3. Information Management should incorporate effective management of information and records to meet program and service outcomes, operational needs and accountabilities.
  4. The Department has effective procedures for managing the media library, back-up and recovery and retention of data and proper disposal of media.
  5. Effective administration of the Privacy Act, in conjunction with Policy on Government Security, the Policy on Privacy Protection and the Directive on Privacy Practices, should be in place to protect personal information.
  6. Effective administration of the Privacy Act should support public accountability instruments and reports to Parliament.
