Management Response and Action Plan - Audit of the Management of Privacy Practices at Health Canada and the Public Health Agency of Canada
Organization: Health Canada or Public Health Agency of Canada
Published: November 2019
Recommendations | Management Response and Planned Actions | Deliverable | Completion Date | Responsibility |
---|---|---|---|---|
Recommendation 1 The Assistant Deputy Minister, Corporate Services Branch, should strengthen branch risk management practices by conducting an Agency and Departmental risk assessment with input from all the branches. |
Management agrees with the recommendation. |
|||
Management will continue to build on the targeted discussions that currently occur, as well as the privacy risk reporting that is done via the quarterly dashboards to HC and PHAC executive committees. Planned actions recognize that program executives and senior officials who handle personal information are responsible for its compliant handling Footnote 1. |
1.1 Develop and propose an approach to assess the risk at the branch level. |
Q4 - 2019-20 |
Planning, Integration and Management Services Directorate (PIMSD) |
|
1.2 Carry out branch-level risk assessment. |
Q1/Q2 - 2020-21 |
PIMSD and Branch Heads |
||
1.3 Analyze findings and present recommendations to senior management. |
Q3 - 2020-21 |
PIMSD |
||
Recommendation 2 The Assistant Deputy Minister, Corporate Services Branch, should monitor and follow up on Privacy Impact Assessment and Privacy Protocol recommendations made by the Privacy Management Division. |
Management agrees with the recommendation. |
|||
Planned actions recognize that program executives and senior officials who handle personal information are responsible for its compliant handling Footnote 2 |
2.1 Implement an approach to monitor and report to senior management on the status of Privacy Impact Assessment and Privacy Protocol recommendations. |
Q1 - 2020-21 |
PIMSD |
|
Recommendation 3 The Assistant Deputy Minister, Corporate Services Branch, should finalize and implement the Privacy Management Division's strategic engagement plan, in order to fully implement its training and awareness strategy across the two organizations in a risk-based and strategic fashion. |
Management agrees with the recommendation. |
|||
The strategic engagement plan has been used since December 2019 to identify areas of highest risk and has subsequently allowed for PMD to prioritize its engagement work at the Departmental and Agency level. Branches within HC and the Agency manage various amounts and types of personal information depending on their mandates, therefore the actions outlined will be prioritized in consideration of branch-specific risk assessment. |
3.1 Refine and implement the Strategic Engagement Plan based on the outcome of the Departmental and Agency risk assessment. |
Q3 - 2020-21 |
PIMSD |
|
Recommendation 4 The Assistant Deputy Minister, Corporate Services Branch, should ensure that all Privacy Management Division staff have completed basic Sex- and Gender-Based Analysis + training and assess where SGBA+ may be relevant to its business practices and tools. |
Management agrees with the recommendation. |
|||
All PMD staff who have not yet completed the SGBA+ training will complete the Introduction to GBA+ course (B001). |
Q3 - 2019-20 |
PIMSD |
||
Complete an analysis of how SGBA+ considerations can be incorporated into PMD's existing privacy risk practices and tools. |
Q4 - 2019-20 |
PIMSD |
||
|
Page details
- Date modified: