Internal audit of access to information and privacy (ATIP) management

Internal Audit & Accountability Branch
21 February 2019

I. Background

Introduction

1. The audit of Access to Information and Privacy (ATIP) Management was included in the Department’s 2018-2020 risk-based audit plan, which was reviewed by the Departmental Audit Committee and approved by the Deputy Minister.
2. The Government of Canada recognizes the right of access by the public to information in records under the control of government institutions as an essential element of our system of democracy. The process of obtaining information under the control of a government institution is called an Access to Information and Privacy (ATIP) request which is made in accordance with the provisions of the Access to Information Act (ATIA) or the Privacy Act (PA).
3. Under the ATIA and the PA, the Minister of Immigration, Refugees and Citizenship Canada (IRCC) is responsible to manage ATIP requests. The Minister has delegated this authority to members of various IRCC management to carry out powers, duties, and functions under the Acts related to ATIP requests.

Operating Environment

4. At IRCC, the ATIP Division within the Corporate Management Sector is responsible for handling ATIP requests in collaboration with the departmental branches where records and information are managed and stored. The ATIP Division also consults with other federal departments and agencies in the processing of ATIP requests as well as collaborates with the Office of the Information Commissioner (OIC) and Office of the Privacy Commissioner (OPC) when addressing complaints and investigations.
5. The ATIP Division is structured into three units:
   • The Operations unit is responsible for carrying out administrative functions as well as processing and reviewing of the majority of ATIP requests for client case files.
   • The Complex and Sensitive Issues (CSI) unit is responsible for processing more complex, corporate files and managing complaints and investigations with the OIC and OPC.
   • The Privacy, Policy and Governance (PPG) unit is responsible for developing policies, providing guidance, delivering training to internal stakeholders, managing privacy breaches and complaints from the OPC concerning departmental privacy practices.
6. IRCC receives more than half of the total ATIA requests, and 18 percent of PA requests of all federal department and agencies, resulting in a considerable contribution to the Government of Canada’s overall compliance rate for ATIP requests. In 2016-2017 IRCC received 50,728 requests under the ATIA and 12,605 under the PA. In 2017-18, IRCC received 64,234 requests under the ATIA and 13,368 under the PA. This represents an increase of 27 percent and 6 percent, respectively.
7. As the volume of requests continues to increase, the volume of pages of information continues to rise as well. In 2017-2018, IRCC reviewed 4,586,653 pages. Volumes and file complexity are expected to increase as immigration volumes continue to grow.
8. Both Acts allow for a response time of 30 calendar days from the date of receipt of an official request. Extensions to the response time may be given for certain reasons that are identified in the Acts. For example, if the request is for a large number of records, or a request requires a search through a large number of records and processing this in the 30 day time limit would interfere with the operations of the Department. In 2017-2018, IRCC’s compliance rate (responding within legislated timelines) was 72 percent for requests made under the ATIA and 59 percent for requests made under the PA.
9. Over the past five years, the volume of ATIP requests has significantly increased as a result of procedural changes to various lines of business and events such as the Operation Syrian Refugees. Requests are expected to continue to increase and reach over 100,000 by 2020. Figure 1, below, shows the volume of requests received over the past five fiscal years and the projected increase in requests expected in the next three fiscal years.

Figure 1: IRCC Volume of ATIP Requests Received and Projected

• Text version: Figure 1: IRCC Volume of ATIP Requests Received and Projected

  Fiscal Year	Number of ATIP requests received (ATIA and PA)
  2013-14	39,242
  2014-15	47,844
  2015-16	56,952
  2016-17	63,333
  2018-19	94,439
  2019-20	109,284
  2020-21	124,130

Source: IRCC ATIP Annual Reports to Parliament 2013-2014, 2014-2015, 2015-2016, 2016-2017 and 2017-2018. Figures for fiscal years 2018-2019, 2019-2020, and 2020-2021 have been projected.

II. Audit objective, scope and methodology

Audit objective and scope

10. The audit objective was to assess the effectiveness of the current governance and control framework to manage ATIP requests in the Department to ensure compliance with legislative, Treasury Board and departmental requirements.
11. The audit scope covered the governance framework (for example, roles and responsibilities, leadership and accountabilities), reporting and monitoring capabilities, resource management, compliance, and operating effectiveness of the ATIP management process within the Department. The audit scope did not include Privacy Act requirements related to Privacy Impact Assessments, privacy breaches, or complaints from the Office of the Privacy Commissioner that relate to departmental privacy practices.
12. The audit covered the time period from April 1, 2016 to June 30, 2018.

Methodology

13. The following audit procedures were performed:
    • Review of applicable legislation and policy documents;
    • Review of key supporting documents and relevant background information;
    • Conducted interviews with key personnel and stakeholders in the Department and other federal Departments/Agencies;
    • Conducted walkthroughs of key processes, procedures and systems related to ATIP management;
    • Conducted a workshop with key ATIP Division management; and,
    • Conducted tests and analytical procedures on a sample of ATIP files and complaints received.

Statement of conformance

14. This audit was planned and conducted in conformance with the Institute of Internal Auditors’ International Professional Practices Framework, as supported by the results of IAAB's quality assurance and improvement program.

III. Audit findings and recommendations

Governance structure, roles and responsibilities

15. The Department has put in place a governance structure, roles and responsibilities, and accountabilities for the management of ATIP requests. There is a signed delegation of authority from the Minister of IRCC, which authorizes officers of IRCC to carry out duties and functions under the Acts according to the established delegation schedule.
16. The ATIP Division has approximately 100 employees responsible for administering the Access to Information Act and the Privacy Act for IRCC. There are also liaison officers positioned in other branches in IRCC who assist the ATIP Division by performing searches for information, collecting records, and making recommendations and proposed redactions on sensitive information. There are two full-time and thirty-two part-time liaison officers. The latter are the primary support to the ATIP function outside of the Division. However, these individuals have other responsibilities as part of their regular duties.
17. The ATIP Division has developed guidance for client requests and complex requests, which includes guides on the end-to-end processes. Guidance is also available to IRCC employees on the departmental intranet. The guidance for IRCC employees is reviewed on an ongoing basis, but has not substantially been revised on the intranet since 2014 and as a result, some of the guidance may no longer be current or accurate, and may contribute to a lack of understanding of the processes and procedures for completing requests outside of the ATIP Division.

Monitoring and oversight activities

18. The ATIP Division prepares a weekly report for senior management which includes the number of requests received and processed, as well the current compliance rate under both Acts. The Division also prepares reports on an as-needed basis, when requested from senior management. The process to generate this information is time-consuming due to the limited functionality of the current system that requires the reports to be manually generated.
19. Not all information requested and presented to senior management is adequate in terms of usefulness, coverage and completeness of information. For example, information presented weekly to senior management excludes taskings related to case files and files less than 50 days late, which are still considered late under the legislation. Including this information would increase the reported number of late taskings and provide more relevant information for senior management.
20. Senior management does monitor key performance indicators such as the number of requests processed, number of complaints received, and legislative compliance rates. Reports and presentations provided to management in 2017 and 2018 have highlighted operational challenges and the need for additional funding and modernization of ATIP technologies.
21. Overall, the Department lacks broader, strategic process improvement discussions and initiatives to guide the management of the ATIP process and address the operational challenges. There is a departmental ATIP Transformation Project currently underway; however, this initiative is still in its early stages.

Control framework

22. Controls and procedures are in place so that requests are processed in accordance with the requirements regarding timing, completeness and justification of non-disclosures. Requests are entered into the ATIP data management system and allowable days for processing the request are automatically identified and monitored. Controls are also in place to track, monitor, and report on non-compliance. However, as a result of competing priorities, operational pressures, and volumes faced by the Operations Sector for visa processing and the ATIP Division, there have been delays in processing and impacts on the ATIP Division’s ability to meet the legislative requirements.
23. Overall, the Department complies with legislative requirements to complete requests in 30 days and within the timeframe when an extension has been approved. Between June 2017 and June 2018, 72 percent of requests made under the Access to Information Act were completed on time. In 2017-2018, there was also a backlog of 5,096 ATIA files and 1,516 PA files. The significant number of files in the backlog require the ATIP Division to process the backlog files while working to achieve processing standards for the current file intake.

Figure 2: Backlog of Files in 2018

• Text version: Figure 2: Backlog of Files in 2018

  Month	Jan-18	Feb-18	Mar-18	Apr-18	May-18	Jun-18	Jul-18
  Backlog Files	8,857	7,875	6,612	7,312	7,872	7,198	6,932
  Backlog Files Closed	2,367	2,114	3,511	1,855	1,225	1,646	1,977

Source: ATIP Divisional data and Snapshot Report week 17 (July 21, 2018 to July 27, 2018).

24. To ensure that responses to ATIP requests are complete, the Division sends out taskings to all possible associated branches that may have information related to a particular request. These branches are expected to review the information and provide recommendations for exemptions along with appropriate justification. Additionally, during the processing of requests, the Division may consult with other government institutions, agencies or third parties for exemption recommendations.
25. At times there can be disagreement over exemption interpretation of the Acts when branches provide information to support the response to the request. In these cases, the ATIP Division requests the justification for the applicability of the exemption and strives to come to an agreement with the branch prior to finalizing the file. However, inconsistencies were observed by stakeholders in the interpretation of the Acts and processing of information among ATIP Division analysts. Controls such as training exist to prevent this from occurring, but strengthening quality measures and tools could further support consistency in the application of the Acts.
26. Furthermore, controls are also in place to ensure that information is appropriately safeguarded and that delegations of authorities are respected. As well, all records of requests are maintained (for a period of up to two years after a request is closed) in the event of repeat or similar requests, or complaints and investigations.
27. There is also segregation of duties present for each file reviewed. Different individuals were responsible for the review, sign off, and release of the response to the request depending on the sensitivity of the records requested. While the final review of information collected to respond to sensitive requests is scheduled to take up to three days as per the ATIP management process, some of these requests exhibited long delays, taking up to 47 days to receive final approval before the release of information.

Complaints and investigations

28. Under both Acts, individuals submitting ATIP requests to a federal institution who are unsatisfied with how the request was processed, may file a complaint with the OIC or OPC as per the respective Act. Federal institutions are required to comply with the OIC and OPC investigators in addressing the complaints and must consider any resulting recommendations for improvement.
29. Complaints may be submitted for multiple reasons, such as:
    • an untimely response to the request (delay and time extension complaints);
    • an improper denial of information (missing records or improper application of exemptions or exclusions under the Act);
    • an incorrect official language of choice; or,
    • format of information released.
30. During 2017-2018, the Department was notified of 204 ATIP complaints received by the OIC, which represents 0.35 percent of all requests completed during the period. Of these, six were Section 35 complaints, where a formal investigation was initiated by the OIC; and one was a Section 37 complaint, where investigation findings and recommendations are issued to the department head. During this time, the ATIP Division processed and closed 180 complaint investigations. Of these, 52 complaints were abandoned, discontinued or deemed unfounded. The remaining 128 complaints were resolved to the satisfaction of the requester.
31. The Department was also notified of 23 privacy complaints received by the OPC in 2017-2018. This represents 0.17 percent of all requests completed during this period. During this period, ATIP processed and closed 21 complaint investigations of which four were deemed not well founded and 17 were resolved to the satisfaction of the requester.

Figure 3: Complaints Received in 2015-2016 to 2017-2018

• Text version: Figure 3: Complaints Received in 2015-2016 to 2017-2018

  	2015-2016	2016-2017	2017-2018
  Complaints Received Under Access to Information Act	185	115	204
  Complaints Received Under Privacy Act	14	25	23
  Total Complaints Received	199	140	227

Source: IRCC ATIP Annual Reports to Parliament 2015-2016, 2016-2017 and 2017-2018.

Figure 4: Complaints Closed in Last Three Fiscal Years

• Text version: Figure 4: Complaints Closed in Last Three Fiscal Years

  	2015-2016	2016-2017	2017-2018
  Complaints Received Under Access to Information Act	110	191	180
  Complaints Received Under Privacy Act	17	13	21
  Total Complaints Received	127	204	201

Source: IRCC ATIP Annual Reports to Parliament 2015-2016, 2016-2017 and 2017-2018.

32. The Department has recently focused on improving its collaboration and communication with the OIC and OPC through more frequent meetings and regular reporting. This improved relationship has become increasingly important as the number of ATIP requests continues to rise and the Department works to ensure that it processes requests in a timely manner.
33. Complaints and investigations are tracked and managed through the ATIP case management system. There is no formal process for triaging complaints and investigations. ATIP Division staff rely on the OIC or OPC investigator to flag and identify sensitive or priority complaints on an ad hoc basis. While the Department has not received a significant number of complaints, it could benefit from a formal process to proactively manage complaints according to priority levels.
34. Recommendation 1: The Assistant Deputy Minister of Corporate Management and Chief Financial Officer should determine its strategic long-term plan to improve the process to manage ATIP requests within the ATIP Division and across the Department. The plan should ensure there is sufficient capacity, both in terms of budget and resources, to process files within legislated timeframes while maintaining quality standards.
35. Recommendation 2: The Assistant Deputy Minister of Corporate Management and Chief Financial Officer should implement a formal process to triage and manage complaints according to priority levels so that complaints are resolved in a timely manner using a risk-based approach.

IV. Conclusion

36. Overall, the Department has a governance and control framework in place to support the management of ATIP requests; however, opportunities for improvement were identified to strengthen the current framework to better support the management of ATIP requests so that compliance with legislative, Treasury Board and departmental requirements is ensured.
37. The Department should continue to implement controls and procedures to appropriately safeguard information and respect delegations of authorities. Continued collaboration with the OIC and OPC was also a noted improved practice, and is imperative to the successful management of ATIP formal complaints. Areas where the management of ATIP requests could be strengthened include:
    • determine a strategic long-term plan to improve the process to manage ATIP requests within the ATIP Division and across the Department so that there is sufficient capacity, both in terms of budget and resources, to process files within legislated timeframes while maintaining quality standards; and,
    • implement a formal process to triage and manage complaints according to priority levels so that complaints are resolved using a risk-based approach in a timely manner.

Appendix A – Management response