Internal audit of data governance
Internal Audit & Accountability Branch
17 October 2019
- The Audit of Data Governance was included in the Department’s 2019-2021 Risk-Based Audit Plan, which was recommended by the Departmental Audit Committee at the April 2019 meeting and subsequently approved by the Deputy Minister.
Importance of data
- Immigration, Refugees and Citizenship Canada’s (IRCC’s) achievement of departmental results is becoming increasingly dependent on being able to easily access, use, and share increasing volumes of data, much of which is personal data. The growing collection and use of data by different business lines within IRCC creates a risk that these functional areas do not take an integrated and systemic approach to the identification, capture, preservation, protection, and sharing of information within IRCC and across partner departments. Without an integrated approach, service to clients could be less effective, operational efficiency and policy effectiveness may be hampered, compliance with relevant legislation and regulations may be at risk, and personal information could be less secure.
- As the volume and diversity of data produced by IRCC grows, and as technology changes rapidly, it is imperative that the Department stay current and devise new ways to manage data. The Directive on Open Government and the Treasury Board Policy on Results require departments and agencies to support transparency, accountability, and citizen engagement by using strong information management practices such that Canadians can easily find and use government information and data of business value. Departments are also expected to ensure that there are initiatives and practices in place to make data and information increasingly open and shareable, while at the same time maintaining privacy, confidentiality, security, and service excellence.
Data governance at IRCC
- Data governance is how an organization guides the management of its data assets. At IRCC, “data governance is the horizontal management of policies and procedures regarding the availability, integrity, security, and usability of data assets and the performance of data-related functions” (Footnote 1).
- The Department’s growing reliance on data requires it to enhance its data governance. Since 2013, IRCC has carried out a number of related activities. For example, the Department commissioned studies conducted by a third party consultant that led to recommendations for IRCC to clarify leadership and provide clear direction on departmental priorities, including on data governance.
- In 2019, IRCC launched a transformation initiative so that the Department can modernize and deliver services in better, faster, and more productive ways, while maintaining safety and security. This initiative divided IRCC’s former information technology function into three specialized branches and created two new branches, all of which exist within an overarching Transformation and Digital Solutions Sector. Of the five branches, the Digital Strategy Branch is responsible for defining the broad digital strategy that will support transformation of IRCC. Its responsibilities include providing the Department with specific information management expertise and broader directional guidance for areas such as information architecture, analytics, and innovation. These changes reinforce the requirement that IRCC update and enhance its data governance so that it reflects the current priorities and operating environment.
II. Audit objective, scope and methodology
Audit objective and scope
- The audit objective was to assess whether IRCC has an adequate governance structure and processes in place to support the management of departmental data.
- The audit assessed the adequacy of the governance structure and processes by examining whether:
  - A data governance structure including key roles, responsibilities, and accountabilities has been established and communicated.
  - Internal governance processes are in place to manage data throughout its lifecycle.
  - Oversight and monitoring activities occur so that data governance-related objectives are attained.
- The audit scope covered the time period from 1 January 2017 to 31 May 2019.
- The following audit procedures were performed:
  - Reviews of applicable legislation and policy documents;
  - Reviews of key supporting documents and relevant background documentation;
  - Examination of processes, procedures, and systems;
  - Interviews with key personnel; and
  - Observation of pertinent oversight group meetings.
- The audit scope did not examine operational activities to manage data or any resulting issues and impacts.
- The audit observations, conclusions, and recommendations are based on the work performed.
Statement of conformance
- This audit was planned and conducted in conformance with the Institute of Internal Auditors International Professional Practices Framework, as supported by the results of a quality assurance and improvement program.
III. Audit finding and recommendations
Data governance structure
- Data governance operates at the executive and senior management decision-making levels, with support from middle management and working level, which provide upward advice and recommendations.
- There are five departmental bodies at senior management and operational levels that make up the foundation of data governance at IRCC:
  - The Data Executive Steering Committee (DESC), established in 2013, is a Director General-level committee made up of 20 delegates. It provides senior leadership review and strategic guidance to support excellence in data governance, in part by defining and agreeing upon a department-wide vision and strategy for data governance;
  - Core DESC, established in 2013, was initially made up of three members of DESC: the Research and Evaluation Branch, the Operations Planning Performance Branch, and the Solutions and Information Management Branch. The Solutions and Information Management Branch has since been replaced by the Digital Strategy Branch and the IT Operations Branch. Core DESC is a coordinating committee for the full DESC that serves to set the overall direction for the data governance program and to guide the agenda for decisions by full DESC;
  - The Data Governance Council, established in 2014, is a director-level committee responsible for executing the governance strategy;
  - The Data Governance Team, established in 2013, is the working-level arm responsible for facilitating the adoption of best practices and developing tools and procedures for implementing IRCC’s data governance strategy; and
  - The Data Stewards Network, established in 2017, is a working group chaired by the Data Governance Team and made up of subject matter and technical experts. The Data Stewards Network has the main objective of enhancing IRCC data quality to support business processes and improve decision-making.
- As a Director General-level committee, DESC does not have formal decision-making authority in the corporate governance structure at IRCC, where authority resides with Assistant Deputy Minister-level committees. However, according to the 2015 Data Governance Program Charter, DESC is accountable for defining and approving a Department-wide approach to determine how data is managed throughout the Department, and how best to resolve existing and future data issues. The charter describes the work of all other established groups within the data governance structure as flowing from decisions made by DESC.
- The Data Governance Program Charter states that DESC will report to the Executive Committee, a formal decision-making IRCC committee at the ADM level, chaired by the Deputy Minister. However, a review of the Executive Committee meeting minutes from January 2014 to December 2016 shows that during those years there were no discussions relating to DESC’s activities or to the topic of data governance.
- The February 2019 Terms of Reference for the Performance Measurement and Evaluation Committee state that DESC reports to that body. However, a review of the Performance Measurement and Evaluation Committee’s minutes from March 2013 to May 2019 shows that DESC did not formally report to that committee during this time frame.
- According to its Terms of Reference, DESC must account for the strategic direction and the securing of resources for data governance and supports senior management to make evidence-based decisions. Without reporting up to a corporate decision-making authority, DESC cannot account for or obtain resources to implement the strategic direction of data governance at IRCC and therefore may not have the formal authority it needs to support and direct data governance within IRCC. Appropriate authority at key levels enables a “tone at the top” that can support horizontal initiatives and foster the development of a data culture that values data as an important asset at all levels across the department.
- The Terms of Reference for DESC indicate that this committee should meet on a monthly basis. From January 2017 to May 2019, three meetings took place, and no meeting took place in 2018 or 2019. Attendance at these meetings was low: DESC is made up of 20 Directors General and Directors from various branches, and at each of the three meetings, between 10 and 11 members of the committee were absent or replaced by delegates. Delegates in attendance were often substitutes of a lower level than official DESC members.
- According to the draft Terms of Reference for Core DESC (drafted in May 2019, although the committee was established in 2013), Core DESC is a coordinating committee for full DESC and its primary roles are to set the overall direction for the data governance program and to guide the agenda for decisions by the larger DESC Committee. Core DESC does not appear in IRCC’s 2015 Data Governance Charter or in the Terms of Reference for DESC. On paper, Core DESC exists to support and guide DESC’s work; in practice, however, it appears that Core DESC has been exercising the executive decision-making function and carrying forward data governance work, for example by working with the third-party data governance assessment and by beginning data governance projects such as the master data management project. There is therefore a discrepancy between formally designated roles, responsibilities, and accountabilities and informal practice in the Department. From January 2017 to May 2019, nine Core DESC meetings took place. There has not been a Core DESC meeting since 2 November 2018.
- The Data Governance Council and the Data Stewards Network met on a basis more consistent with their Terms of Reference, although there was a six-month gap between the most recent Data Governance Council meeting and the one prior. The Data Stewards Network meets regularly and provides a platform for collaboration that promotes knowledge, information sharing, and the importance of data quality at working levels throughout the Department. These operational-level committees cannot report up on their activities or ensure that they are carrying out the high-level strategic vision for data governance at IRCC if DESC is not meeting or validating its work with the Performance Measurement and Evaluation Committee.
- In July of 2019, the Acting Deputy Minister at IRCC announced that the Department would be introducing a new Chief Data Officer position within the Strategic and Program Policy Sector. More details on this new position were not available at the time of the audit; however, the new Chief Data Officer position will be implicated in data governance activities going forward.
- Lack of reporting, unclear authorities, and inadequate committee attendance without representation at appropriate levels prevent the regular, high-level discussions and decisions amongst those with sufficient authority to promote common goals across the Department.
Recommendation 1. The ADM, Strategic and Program Policy, should create and maintain a data governance structure with authority levels to approve and promote data strategies, standards, and practices across IRCC.
Management response. The ADM, Strategic and Program Policy (SPP) agrees with the audit report and accepts the recommendation. The actions detailed in the management response will seek to address the opportunities, issues, and risks identified in the audit.
Oversight and monitoring
- Two important aspects of data governance are the oversight of data management projects and initiatives and the tracking and monitoring of departmental regulatory compliance with data strategies and policies.
- Data management practices are governed by the Treasury Board Secretariat’s Policy on Information Management and Policy Framework for Information and Technology (Footnote 2) and, at the Departmental level, by IRCC’s Policy on Information Management/Information Technology Governance. IRCC has undergone several reorganizations that are not reflected in its policy as written. For example, some of the governing bodies identified as having information management/information technology responsibilities, including the responsibility for departmental compliance with the policy, are no longer functioning, and Core DESC and DESC, the highest level data governance committees at IRCC, are not identified. The Terms of Reference for DESC indicate that one of the responsibilities of the Chair and Co-Chair is to monitor the development and implementation of data governance activities in the Department.
- Although outdated, IRCC’s Policy on Information Management/Information Technology Governance remains in effect. It states that approved information management/information technology projects must follow project management best practices and information management activities must show they support the integrity, accuracy, and effective management of information throughout its life cycle. Information management initiatives, including business glossaries, a master data model, a data strategy, and a data quality assessment process have been planned and are being implemented. One of these initiatives, the creation of a data strategy, would respond to a recommendation from the Clerk of the Privy Council that by September 2019 all departments, agencies, or portfolios have a data strategy in place appropriate to their line of business.
- A formal project management approach to propose, approve, and report on information management projects such as the data quality assessment to executive committees was not used. A formal approach would include a plan with information on the project’s objective, scope, resources, deliverables, and milestones. Some initiatives such as the creation of a data strategy are not projects, but would also benefit from a formal process setting out clear roles, responsibilities, accountabilities, and reporting requirements. Executive-level and key stakeholder consent and reporting not only help projects and initiatives obtain stakeholder buy-in, but also facilitate transparency and communication while identifying accountabilities and preventing duplication of effort.
- The Treasury Board Policy on Information Management provides guidance on the management of data. It states that departments must manage information, which includes data, as a valuable asset to support the outcomes of programs and services, as well as operational needs and accountabilities. The management of data must occur all the way through its life cycle. From the collection of data to its usage and disposal, the Department must not only safeguard the information, but also manage it in compliance with applicable rules and regulations. Due to the sensitive and personal nature of much of the data that IRCC retains, it is imperative that the Department comply with all legislation and regulations.
- IRCC has established and communicated operational level guidelines and instructions to administer the collection, usage, sharing, storage, and disposition of departmental information and data, in compliance with government legislation, policies, and directives. These include, for example, retention and disposition schedules, the IRCC Privacy Framework, and information sharing resources. However, there is no proactive monitoring of whether Departmental practices mitigate known risks, are up to date, or comply with the guidance. As a result, there is a risk that senior management does not have timely access to the information it needs to determine whether the Department is fulfilling all applicable requirements related to information, including data, life cycle management.
- For example, examination of the Departmental Risk Profile 2018-19 demonstrated that risks related to the management of information and data were identified, as were mitigation strategies related to those risks. However, there is no central accountability that oversees the completion of the mitigating strategies set out in the risk profile. As well, a new disposition authority from Library and Archives Canada requires each of these retention and disposition schedules to be reviewed and maintained on an ongoing basis with annual reviews. Retention and disposition schedules at IRCC have not been updated since 2011 and do not cover all data produced and used by IRCC systems.
- Without accountabilities to oversee departmental guidance, roles and responsibilities for the disposition of data are not clear. Guidance on the disposition of data at IRCC states that the “functional owner” of the information must decide when it is appropriate to dispose of data. The “functional owner” is a program or functional area, and is also referred to as the office of primary interest for the collection of particular data. The office of primary interest is required to provide authorization when other users need to share this data or when disposing of the data at the end of its retention period. Multiple offices of primary interest exist in relation to particular data sets, for example when data is entered into the Global Case Management System by users in multiple branches. As a result, multiple entities can have an interest in or need to use the same data and can therefore have a stake in related retention and disposition decisions, even though there may be only one office of primary interest. Despite these complexities, there were no documented guidelines on the disposition decision-making process and no monitoring done to ensure that decisions on retention and disposition were being made consistently and in accordance with regulations.
Recommendation 2. The ADM, Transformation and Digital Solutions, and the ADM, Strategic and Program Policy, should clarify roles and responsibilities for data management by information functional owners, create an approach to manage data-related projects and initiatives, and define accountabilities for the oversight of Departmental compliance with the legislation, policies, and standards that govern the data life cycle.
Management response. The ADM, Transformation and Digital Solutions, and the ADM, Strategic and Program Policy (SPP) agree with the audit report and accept the recommendation. The actions detailed in the management response will seek to address the opportunities, issues, and risks identified in the audit.
Overall, the audit found that IRCC has a governance structure and some horizontal processes in place to support the management of departmental data. However, improvements are needed to create a governance structure with the right level of authority to make decisions about the creation and implementation of processes that support the management of data across the Department. Clarifying roles and responsibilities for information functional owners and defining accountabilities for the oversight of data management activities and for Departmental compliance with legislative and regulatory requirements will also support data governance.
Management has accepted the audit findings and developed an action plan to address the recommendations.