ARCHIVED - Management Response and Action Plan (MRAP) - Audit of Information Management

October 2010

Recommendations
Planned Management Actions
Deliverables
Expected Completion Date
Accountability
1a) It is recommended that the Chief Information Officer, Corporate Services Branch, update information management (IM) policies, guidelines and directives to reflect current roles and responsibilities for managing information in the Department.

IM Awareness, Learning, Engagement

Strengthen IM awareness, IM learning, and management and employee engagement to respond to the Treasury Board of Canada Secretariat (TBS) Policy on Information Management, the Library and Archives Canada (LAC) Roles and Responsibilities document, the new Record Keeping Directive (July 2009) and more recently the recommendations in this audit. Activities undertaken/planned include:
  • Inclusion of updated departmental IM policies, guidelines and directives into our current IM Awareness program.
  • Provision of training and coaching support sessions for Branch IM staff and other employees (6 times/year).


IM Awareness program made available, revised to include updated IM policies, guidelines and directives.



September 2011



Chief Information Officer (CIO), Corporate Services Branch (CSB), Information Management Services Directorate (IMSD) in collaboration with Branch ADMs and other Executives

Branch ADMs to conduct Branch Executive Committee IM Awareness sessions. Branch Executive Committee IM Awareness sessions delivered September 2011 Branch ADMs and other Executives
1b) It is recommended that all Branches apply information management principles, standards, and practices as expected in Treasury Board and departmental frameworks, policies, directives, and guidelines in the performance of duties, and for documenting activities and decisions.

Health Canada IM STRATEGY

Develop a Departmental IM Strategy to support the redefinition of IM as a key internal service through three pillars: awareness / communications, learning / training and engagement/commitment.


Departmental IM Strategy developed and approved.


September 2011


CIO,CSB, (Lead) in collaboration with Branch ADMs and other Executives
Branches will work with CSB to develop and implement Branch specific IM action plans utilizing common elements from the HC IM Strategy and adding specific IM branch requirements. Branch IM Action Plans developed and implemented. September 2012 Branch ADMs and other Executives
1c) It is recommended that the Chief Information Officer, Corporate Services Branch, conduct annual assessments on the effectiveness of Branch information management practices and report annually to the Senior Management Board- Policy (SMB-Policy). Over time, CSB is evolving towards an integrated enterprise approach to managing departmental information holdings, allowing it to conduct annual assessments of the effectiveness of IM practices in all Branches Annual assessment report of the effectiveness of Branch IM practices. October 2011 CIO,CSB (lead) in collaboration with Branch ADMs and Other Executives
2a) It is recommended that the Chief Information Officer, Corporate Services Branch, in collaboration with all Branches, develop a three year plan to fund and implement an Enterprise Content Management Solution (ECMS) across the Department.

Health Canada ECMS Business Case

Prepare a Business Cost Case which will include a three-five year funding and implementation strategy for the implementation of an Enterprise Content Management Solution (ECMS) and Change Management Framework.



Business Cost Case presented to Executive Management Committee for approval.



September 2011



CIO,CSB (lead) in collaboration with Branch ADMs and Other Executives
2b) It is recommended that all Branches use the Department's Enterprise Content Management Solution (ECMS) once it becomes available. Contingent on Executive Committee approval of the multi-year business case and approved funding:
  • Develop a phased ECMS implementation plan.
ECMS multi-year Implementation plan fully implemented. March 2013 CIO,CSB (lead) in collaboration with Branch ADMs and Other Executives
3a) It is recommended that the Chief Information Officer, Corporate Services Branch, monitor compliance to the current departmental classification standard for managing information. Monitor compliance to the departmental classification standard, by examining on an ongoing basis the use of the departmental classification structure within the various IM systems and file directories used across Health Canada. To be Included in the branch assessment reports (see 1c). (see 1c - above) (see 1c - above)
3b) It is recommended that all Branches, implement the Department's current classification standard for managing information as identified in the Directive on the Management and Storage of Information on Health Canada's Network Servers. Branches will ensure that branch employees are aware of and utilize the department's current classification standard (AXS V2) to classify/organize information in all media and document management solutions unless Business dictates otherwise. Branches utilize the Department's current classification standard to classify/organize information in all media. September 2011 Branches ADMs and other Executives
4a) It is recommended that the Chief Information Officer, Corporate Services Branch, coordinate the development and approval of the Records Disposition Authorities with all Branches. Coordinate the development and approval of the Records Disposition Authorities (RDA) for all Branches by:
  • Coordinating the development of an MOU and negotiate with Library Archives Canada (LAC) and HC's Branches.
  • Undertake the appraisal process, establish retention periods, and create application in order to improve Branch IM engagement, monitor progress and provide clarity of the process.
RDA for Branches developed and approved and implemented for all Branches. December 2014 CIO,CSB, in collaboration with Branch ADMs and Other Executives
4b) It is recommended that all Branches, implement the Records Disposition Authorities in accordance with Health Canada's Disposition Directive.
  • Branch Records Disposition Authorities (RDA) to be implemented in accordance with Health Canada's Disposition directive.

Branch approved Records Disposition Authorities (RDA) implemented including information regularly gathered to report to CSB (for progress tracking and MAF).

December 2014

Branches ADMs and other Executives
5a) It is recommended that the Assistant Deputy Minister, Corporate Services Branch, continue to support all Branches by developing a Health Canada Privacy Management Framework (PMF) that outlines responsibilities, accountabilities and processes for handling and monitoring personal information in their respective Branches.

Privacy Awareness

ATIP to develop a Privacy Strategy that will focus on increasing Health Canada's capacity to promote and protect personal information based on four themes:
  1. Analysis of Risk
  2. Greater Awareness
  3. Strengthening Accountability
  4. Increased Monitoring


Senior manager assigned as a dedicated resource for development of a privacy management strategy.

The Privacy Strategy developed for Executive Management approval, incorporating:

Corporate risk identified and mitigation strategies in place

Accountabilities in place and understood


October 2010






February 2011


ADM, CSB, ATIP







ADM, CSB, ATIP
The aforementioned themes will be used to strengthen Health Canada's cultural change management and overall capacity to manage and monitor personal information, with a focus on the branches with the highest amount of personal information holdings (FNIHB, RAPB, HECSB, PACCB & CSB). 100% of all employees involved in managing personal information to have access to privacy training.

Privacy awareness communications for all HC staff, encouraging better understanding of their responsibilities regarding safeguarding of personal information.

Privacy tools in place - such as a Privacy Impact Assessment (PIA), Privacy Breach processes and monitoring.
June/July 2011






November 2010










February 2011
ADM, CSB, ATIP







ADM, CSB, ATIP











ADM, CSB, ATIP
The ATIP will implement a broad awareness campaign while targeting training for specific areas where information is highly sensitive. Privacy Blitz Information Week, Privacy Day and privacy training. November 2010 ADM, CSB, ATIP
New Privacy policies and directives are communicated, on a timely basis, to the members of the IM and Privacy Forums within the Department. Messages and privacy training that focus on strengthening accountability and safeguarding personal information.

Web-based Privacy training tools.
November 2010







March 2011
ADM, CSB, ATIP








ADM, CSB, ATIP
5b) It is recommended that all Branches, employ appropriate measures as defined in the Directive on Privacy Practices by ensuring that:
  • work positions are identified within a program or activity that have a valid reason to access and handle personal information. Access should be limited to individuals occupying those positions;
  • access and use of personal information is limited by administrative, technical and physical means to protect the information; and
  • access, use and disclosure of personal information is monitored and documented. This should include measures for addressing the timely identification of inappropriate or unauthorized access or handling of personal information related to a particular program or activity
Branches will review work positions that require access to personal information for valid authority in order to limit access and use of personal information. Access to personal information limited to identified positions September 2011 Branch ADMs and other Executives
Development of Disclosure Parameter documents with select Programs, allowing for more efficient and regular monitoring/reporting of disclosures. Parameter documents established with 3 programs September 2011 ADM, CSB, ATIP
Development of Privacy Breach guidelines. Approved Privacy Breach Guidelines February 2011 ADM,CSB,ATIP and Branch ADMs and other Executives
Build a data base and catalogue personal information that is being stored in Health Canada.



Monitoring and reporting on compliance on a quarterly basis.
Integrated development of IM tools to track and eventually monitor compliance when it comes to both the number of individuals receiving training, the information being held and, present KPIs.

Benchmark report on compliance.
April 2011












April 2011
ADM,CSB,ATIP












ADM, CSB, ATIP
6a) It is recommended that all Branches identify and report the collections of personal information to the Corporate Services Branch, as required under the Treasury Board's Directive on Privacy Practices.

In addition, Branches shall identify a senior official from their respective Branches to coordinate this activity with the Corporate Services Branch.

Lastly, the Assistant Deputy Minister, Corporate Services Branch, should ensure that all personal information is registered in accordance with the Privacy Act.
As part of the Privacy Strategy:
  • Integrate input processes for annual reporting requirements (Annual Report to Parliament, Info Source) and develop an accessible centralized electronic document where Branches can both view and update their personal information collections
  • As directed by SMB-Ops on June 9, identification of Branch Privacy lead at the ADM/DG level, as a single point of contact to liaise with CSB on all Privacy issues.
Online personal information inventory (used to integrate annual reporting requirements and Info Source obligations into single process)

Branch Privacy Champions (DG level) identified in all Branches to lead development of a privacy culture in their branches.
October 2010 (first iteration)







January 2011
ADM,CSB,ATIP









Branch ADMs and other Executives
CSB will work with Branches to ensure that all personal information provided is registered with TBS by confirming with Branches both their inputted information and its status with respect to the Info Source process. Personal information provided is registered with TBS for Info Source purposes within TBS deadlines. July 2011 ADM,CSB,ATIP

Page details

Date modified: