Internal Audit of the Management of Personal Information 2015


Executive summary

The objective of this audit is to assess the adequacy of the Public Service Commission’s (PSC) management control framework for compliance with the Privacy Act, including controls for the safeguarding, collection, accuracy, use, disclosure, retention and disposal of personal information.

Why is this important?

Canadians provide their personal information to federal government institutions in order to access services, receive benefits and participate in government-run programs. Government institutions have a duty to safeguard this information against unauthorized use and disclosure. The PSC has significant personal information holdings in many areas of the organization. In addition, information management in general has been identified as an area of importance for the PSC.

Key findings

The PSC has developed an effective management control framework for the management of personal information at the organization. Roles and responsibilities are defined but could be better communicated. Most major systems and programs have undergone a risk assessment to determine the controls needed to manage personal information in the organization. There are some smaller programs that have not been assessed and would benefit from a review.

The PSC has put in place effective controls for the collection of personal information. Notification is provided and consent is obtained for the collection of personal information, information is collected under the proper authorities and personal information holdings are communicated to the public.

Safeguards are in place to protect personal information. System-level access controls are in place and most mobile electronic storage devices are encrypted to guard against inadvertent loss of information. Some work needs to be done in specific areas to further enhance security controls. In addition, there are opportunities to further reduce the risk of inadvertent loss of personal information. Access to personal information should be limited and on a need-to-know basis.

The PSC has not defined its retention and disposal guidelines for most electronic information holdings. In many cases, personal information is kept indefinitely. While there are legitimate reasons for this in some cases, there are opportunities to further reduce risks through more effective retention and disposal practices.

Monitoring practices are in place to ensure that data is accurate and disclosures and privacy breaches are reported. The monitoring of the implementation of Privacy Impact Assessments at an organization-wide level is limited. Strengthened monitoring and reporting to senior management would help to hold managers accountable for the implementation of privacy controls.

Conclusion

Although the audit identified opportunities to further reduce and mitigate personal information management risks and increase the effectiveness of controls, overall, the PSC has a well-designed and implemented control framework for the management of personal information.

Statement of assurance

This audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of a quality assurance and improvement program.

Greg Nesbitt, CPA, CMA, CIA
Chief Audit Executive
Public Service Commission

Background

The Public Service Commission (PSC) collects and manages the personal information of individuals as part of its mandate to promote and safeguard merit-based appointments, protect the non-partisan nature of the public service and deliver staffing and assessment services. The PSC’s personal data holdings are significant and are collected for several purposes directly linked to the PSC’s mandate.

The Audit and Data Services Branch uses and collects personal information to produce reports and analyses on the public service staffing system and in the conduct of staffing audits.

The Staffing and Assessment Services Branch collects personal information from individuals who apply for public service jobs and who participate in ability, leadership, psychological and second language evaluation testing as well as competency assessment and counselling services.

The Investigations Branch collects personal information from individuals who submit requests for investigations and persons who may be affected by the information gathered during an investigation.

The Policy Branch collects personal information in the administration of the priority management system and in the administration of political candidacy requests.

The Corporate Management Branch collects personal information from PSC employees as part of their human resources files.

The types of personal information vary by program and include, but are not limited to, social insurance numbers, personal record identifiers, employment equity data, medical information, personal addresses, previous employment data, requests for investigation, priority entitlements and test results.

The protection and handling of personal information at the PSC and in the Government of Canada is governed by the Privacy Act, the Access to Information Act, the Treasury Board (TB) Policy on Privacy Protection and the Directive on Privacy Practices. Privacy requirements for federal institutions include sound management practices (including policies and protocols), clear responsibilities (including accountabilities), privacy awareness (including training, awareness and communication) as well as monitoring compliance and reporting to the public.

In addition to legislative requirements and TB policies and directives, the protection and handling of personal information at the PSC is directed by the PSC’s Privacy Management Framework (PMF), introduced in 2011. The PMF is comprised of policies, procedures and guidance regarding the authority of the PSC to collect and use personal information to fulfill its mandate, as prescribed by the Public Service Employment Act and related legislation.

Audit objective

To assess the adequacy of the PSC’s management control framework for compliance with the Privacy Act, including controls for the safeguarding, collection, accuracy, use, disclosure, retention and disposal of personal information.

Audit scope

The audit assessed electronic and paper-based personal information handling practices for activities conducted during FY 2012-2013 and FY 2013-2014. These include:

  • Requests related to personal information holdings under the Privacy Act or the Access to Information Act;
  • Personal information handling and storage practices;
  • Internal and external data sharing practices;
  • Personal information retention and disposal practices; and
  • The adequacy of training and other practices that reinforce a culture that values effective personal information management.

The audit did not include a review of Access to Information practices that are unrelated to personal information and certain aspects of information management already covered under the Audit of Information Management.

In addition to the activities of the Access to Information and Privacy (ATIP) Office, this audit focused mainly on the processes and activities of the following branches because they are stewards of extensive holdings of personal information from sources external to the PSC:

  • Audit and Data Services Branch because of its responsibility for the PSC’s analytical environment and for staffing audits;
  • Staffing and Assessment Services Branch because of its responsibility for on-line staffing systems and personnel testing. Records often include medical and psychological information in both electronic and paper format; and
  • Policy Branch because of the sensitivity of the information that they handle, including exclusions granted under the Public Service Official Languages Exclusion Approval Order, exemptions from Executive testing, priority information management files, political activity files relating both to candidacy and to non-candidacy-related political activities and information relating to the staffing mobility of former ministerial staff and persons formerly employed in certain excluded positions at the Office of the Governor General's Secretary.

Outside of the ATIP Office, the Corporate Management Branch was only included in this audit with respect to the system management and advisory roles played by the Information Technology Services Directorate.

This audit also reviewed personal information management practices within the Investigations Branch in order to determine whether an effective control framework is in place. Our preliminary assessment did not identify any high risk areas that required a more in-depth review of the branch.

About the audit

The audit was conducted in accordance with Treasury Board’s Policy, Directive and Standards for the Professional Practice of Internal Auditing in the Government of Canada.

In order to assess the adequacy of controls in place to manage personal information holdings, the Audit Team gathered evidence using the following methods:

  • Interviews with management and staff;
  • Reviews and analysis of documents, including system-generated reports;
  • Walk-through of key processes;
  • Examination of data holdings; and
  • Other physical and electronic reviews and tests.

Evidence was reviewed and assessed as of September 2014 for sufficiency, reliability, relevancy and usefulness. The Audit Team measured the systems and practices of the PSC against the predefined and agreed-upon audit criteria listed in Appendix A.

Detailed findings and recommendations

There is an effective control framework in place to govern major programs that utilize personal information management at the Public Service Commission.

Finding 1: Management control framework over the protection of personal information

We examined the overall management control framework over personal information management within the Public Service Commission (PSC) to determine whether employees are aware of and were effectively carrying out their roles and responsibilities. We also assessed the adequacy of risk management practices over personal information. Lastly, we examined whether there were effective policies and processes in place to govern personal information management at the PSC.

The PSC collects, manages and stores personal information in all branches and levels of the organization and therefore personal information management is both an individual and organizational responsibility. Policies and processes need to be well-defined and communicated to provide employees with the tools for effective personal information management. Risks to personal information management need to be understood so that management can make informed decisions over the levels of control needed within their areas.

Personal information management expectations are defined in the Privacy Management Framework

At the PSC, personal information policies, processes and practices are defined in a Privacy Management Framework (PMF). The PMF, implemented in 2011, is aligned with Treasury Board policies and is posted on the internal PSC Web site.

The degree to which managers are aware of the information available in the PMF varies from branch to branch. This is mainly because training provided by the Access to Information and Privacy (ATIP) Office covers certain parts of the Privacy Act but contains limited information on the PMF and is not mandatory. Awareness has been improved by the development of branch-specific procedures. Well-communicated common practices help management develop a culture of responsibility and accountability for personal information at all levels of the organization.

Roles and responsibilities for personal information management are defined in the Privacy Management Framework

According to the PMF, personal information at the PSC is managed primarily at the branch level. Each branch is responsible for managing the risks to personal information by defining expectations for their staff and putting in place the appropriate levels of control to mitigate the risks.

The ATIP Office plays a central consultative role that includes providing guidance and advice and developing policies. The ATIP Office is also responsible for monitoring the PSC’s compliance with the Privacy Act.

Governance over personal information is the responsibility of senior management. Review of the results of Privacy Impact Assessments (PIA) and associated action plans is the responsibility of senior management committees, including the Executive Management Committee and the Information Management and Information Technology Committee (IM/ITC).

The Information Technology Services Directorate (ITSD) plays an important role in managing personal information. They are responsible for advising clients on the implementation of security measures, managing the networks and systems where information is stored and carrying out responsibilities on IM through the Information Management Office (IMO).

All major programs have undertaken a Privacy Impact Assessment

As stated in the PMF, the PIA is a process for identifying, assessing and mitigating privacy risks. A PIA identifies potential privacy issues, forecasts impacts and identifies strategies and actions to eliminate or reduce privacy risks. As required by TB policy, PIAs have been mandatory for all new or modified programs that have utilized personal information since 2002. The introduction of the PMF in 2011 has made this process more visible.

The PSC has substantially completed PIAs for its major systems and programs. This includes the analytical environment in the Audit and Data Services Branch, the Public Service Resourcing System (PSRS) in the Staffing and Assessment Services Branch and the Priority Information Management System (PIMS) in the Policy Branch. PIA action plans for these systems are in various stages of implementation.

Privacy Impact Assessments have not been undertaken for legacy systems and smaller programs

There are a number of legacy systems and processes that collect personal information that have not undergone a PIA, as outlined in Appendix B. Although the Directive on Privacy Impact Assessment puts the emphasis on new and substantially changed programs, without the completion of these assessments, including the development of action plans, management cannot have assurance that privacy risks in these areas have been identified and effectively mitigated.

Recommendations:

  1. The PSC ATIP Office should develop and deliver mandatory training on the PMF.
  2. All PSC branches should determine whether a PIA is needed for legacy systems and processes that utilize personal information.

Finding 2: Internal controls over the management of personal information

Most internal controls over personal information management are in place; there are opportunities to further reduce privacy risks.

We assessed whether the collection of personal information was authorized and consented to, as well as used and disclosed in accordance with authorities. We examined whether safeguards were in place to protect personal information and if there were processes to ensure the accuracy of, and access to, personal information. We also examined whether personal information is disposed of when it is no longer of value so as to reduce privacy risks and if the PSC discloses the rationale for why it collects this information.

Individuals have a right to know how and when their personal information will be collected and used so that they can make informed decisions prior to providing it to organizations. Once this information is collected, there is a duty to ensure that this information is accurate, protected against unauthorized access and used only as intended. Records that are collected and not needed for business purposes create additional risks to the organization.

Disclosure and openness

Notification and consent for collection of personal information is obtained

Prior to the collection of personal information, the organization must disclose the reasons for collection and use of the information and receive consent. This is typically done through various notification forms that are made available to individuals when their personal data is collected.

In all systems reviewed, the necessary notification is provided and consent is obtained prior to the collection of personal information. The initiative for creating and maintaining notice and consent forms is managed at the branch level. The ATIP Office, in its consultative capacity, has created a template to aid in the development of these forms, and reviews notices and consent forms, upon request.

Personal information banks are updated and well-documented

The PSC’s Info Source chapter, which contains the descriptions of the PSC’s personal information holdings, is posted on the external Web site. It is the primary means of disclosing to the public the nature of the collection of personal information and of ensuring that the PSC respects the Privacy Act’s principle of openness. This information is updated and provided to TBS annually.

Collection, use and disclosure of personal information

Personal information is collected under authority granted by the Privacy Act

The Privacy Act, the Public Service Employment Act and the Inquiries Act (Investigations Branch) give the PSC the authority to collect data for the fulfillment of its mandate. All personal information collected and used by the PSC is referenced under this authority.

There are opportunities to limit the personal information received and used by the Public Service Commission

Each month, the ITSD receives the Central Index (CI) File from Public Works and Government Services Canada. This file contains personal information of all current and former federal government employees, including Social Insurance Numbers and Personal Record Identifiers, and is used by the PSC for research and analysis. Not all of the personal information in the CI File is needed by the PSC. Limiting the amount of information received and used by the PSC reduces the risk of potential privacy breaches.

Access to personal information in the Priority Information Management System is given at the group level

Human resource (HR) advisors in the federal public service are provided access to the Priority Information Management System (PIMS) and can access the personal information of all individuals who have a priority entitlement, because the system is designed to give access at the group level. Most HR advisors only need to access information on individuals in their area of responsibility. Personal information should be shared on a need-to-know basis to reduce the risk of privacy breaches.

Internal Information Sharing Agreements are in progress

Personal information can be shared internally between branches or externally between other federal, provincial, municipal or international governments when an Information Sharing Agreement is in place, where there is consistent use and where disclosure to persons to whom the information belongs has taken place. These agreements outline the terms and conditions under which personal information is shared between the parties.

Internal Information Sharing Agreements between branches are not in place for all processes but have been identified as an action in some PIAs that were reviewed. These agreements ensure that the level of risk and control that one branch is managing over their ownership of personal information is respected and well understood by other branches and users of the information.

Externally, personal information shared with other federal government departments is governed by either a Memorandum of Understanding or a usage agreement with individual employees of other government organizations for all systems we reviewed.

Safeguarding of personal information

System-level access controls to personal information are in place

Personal information can be safeguarded against unauthorized access by preventative controls such as limiting physical or electronic access and/or detective controls such as reviewing who accessed or modified systems and records. Access to systems is generally well-controlled at the PSC. Access lists are being maintained and unique passwords are regularly updated. An audit trail or log of transactions once a user has access is available on most systems. Physical access to facilities was outside the scope of this audit.

The Public Service Commission network is not certified to handle certain personal information

Certain personal information is considered Protected B, based on the federal government’s classification system. The PSC’s network has not been certified Protected B. This was noted in the recent Information Management Audit. The PSC is working to resolve this issue.

Required security levels for employees who work with personal information have not been assessed

Most personal information at the PSC is classified as Protected A or Protected B. Employees who work with this personal information must be cleared with a minimum Enhanced Reliability security clearance.

Some employees at the PSC are required to work with multiple records of personal information, sensitive personal records and/or personal information on individuals outside of the PSC. Any of these situations could impact the security classification level of the information and, therefore, the security requirements of employees who access this information.

Most controls over mobile electronic devices are in place

One of the biggest privacy breach risks is the loss of electronic devices that contain personal information. This includes mobile telephones, USB storage keys and laptops. To prevent this risk, personal information should be stored on the network instead of locally on electronic devices. However, from time to time there is a need to keep this information on a device in order to work from other locations that do not have network access or to share information with other government organizations. In these cases, all electronic storage devices need to be encrypted. All of the PSC’s mobile phones and laptops are encrypted.

The PSC has some encrypted USB keys but has not deployed them in all branches. Additionally, the PSC does not lock down the use of non-approved USB storage keys, so individuals can store personal information on these keys even though it is prohibited by policy. This risk is somewhat mitigated because there is a good general awareness of the need to store information using secure keys, but this awareness could be strengthened through additional training.

In the Policy Branch (PB), political activity forms can arrive via an unsecure fax machine rather than via a password-protected copier machine that preserves confidentiality. While access is limited to employees only, any dedicated electronic devices that can potentially receive personal information should have safeguards in place to prevent unauthorized disclosure.

Accuracy and access

Individuals can access their files to verify the accuracy of personal information

The majority of personal information collected by the PSC is provided by individuals through job applications and political candidacy requests. Therefore, the responsibility for the accuracy of the information rests on the individual. The PSC’s role is to provide controlled access to systems and conduct behind-the-scenes verification. Access is controlled and information is periodically verified for all systems tested.

Disposition and retention

Most electronic information is kept indefinitely

Retention and disposition schedules for all personal information, whether electronic or paper, are the responsibility of Library and Archives Canada (LAC). Personal information that is stored beyond the time it serves a business purpose creates an unnecessary access and/or disclosure risk, as well as requiring additional storage space and creating extra work during ATIP requests.

Most paper documents at the PSC are retained and disposed in accordance with LAC schedules; however, most personal information in electronic format is stored indefinitely.

There are several outstanding issues that need to be resolved, including whether electronic records:

  • Have historic value, in which case indefinite storage is the correct solution;
  • Are so unique that no corresponding LAC schedule exists, in which case one needs to be developed; and
  • Have been transferred to RDIMS and the retention period has not been identified.

Anonymizing the documents (removing personal identifiers) rather than disposition is another option that can be used to reduce the risks associated with long-term storage of electronic data. This option may be considered for holdings that are of value for research purposes only.

Recommendations:

  1. The Audit and Data Services Branch, in conjunction with the Information Technology Services Directorate (ITSD), should limit the receipt of personal information in the CI File to those records and fields required to carry out their work.
  2. The PB, in conjunction with the ITSD, should limit access to personal information in the PIMS system to a need-to-know basis.
  3. The ITSD should assess security levels for the CI File, deploy secure USB keys and provide secure faxes to areas that receive and utilize personal information.
  4. All PSC branches should review their retention processes and develop schedules for disposition or anonymization of personal information.

Finding 3: Monitoring of personal information management practices

Improvement to monitoring practices will provide senior management with a better understanding of risks and controls.

We assessed the processes that were in place to monitor personal information management practices at the PSC. We also examined whether the policies and processes of the PSC were updated on a regular basis, in accordance with federal government requirements. Lastly, we examined privacy breach practices at the PSC and what mechanisms were in place to identify, report and guard against future occurrences.

Monitoring of practices ensures managers are held accountable for their management of personal information and gives senior management assurance that risks are mitigated. Changes to federal government policies and practices need to be monitored to help the PSC address emerging risks and issues. Effective management of privacy breaches addresses potential gaps and provides for continuous improvement of PSC personal information management practices.

Overall monitoring and reporting processes need to be strengthened

There are some processes in place to monitor and report to senior management on the status of personal information management practices at the PSC. Senior managers sign off on Personal Information Banks and ensure that PIAs are conducted to cover new personal information holdings and existing holdings that have substantially changed. Information on privacy management practices is provided to senior management in the ATIP Annual Report.

There are several areas that need to be strengthened. Follow-up on PIAs and associated action plans is reported on by the ATIP Office every two years. Several action plans are at various stages of completion.

Completed PIAs and action plans are sent to the Office of the Privacy Commissioner and the TBS for feedback and consultation and are monitored by the ATIP Office. When they are not finalized and approved, this monitoring and feedback cannot occur.

In addition, there is no comprehensive report/inventory of all personal information holdings and their degree of compliance with the requirements of the PMF and the TB Privacy Directive, which would give management a tool to monitor the state of personal information management in the PSC.

The ATIP Office has limited visibility in the PSC’s Integrated Business Plan. Given the nature of the PSC’s business, increased focus and attention to privacy information management would help management identify these monitoring and reporting gaps. Without an effective monitoring process, senior management cannot ensure that branches have taken the necessary steps to manage privacy risks.

Data accuracy is being monitored

Branches are monitoring personal information collected for accuracy through the review of data entered into on-line templates. In addition, when a collection process requires several steps, it is common practice to use checklists and routing slips to ensure that the process is completed as required.

There is monitoring and reporting of privacy breaches

Privacy breaches at the PSC are rare. Most breaches come to the attention of the ATIP Office through complaints by the person concerned about the release of details of personal information. The majority of complaints are unfounded. Founded complaints are followed up by the ATIP Office to reduce the risk of future occurrences. PSC branches have the responsibility to report breaches to the ATIP Office. They can also be reported to the ATIP Office via a complaint to the Privacy Commissioner. All breaches are reported to the Office of the Privacy Commissioner.

Recommendation:

  1. The PSC ATIP Office should strengthen monitoring and reporting practices and ensure that activities from privacy action plans are included in the PSC’s planning processes.

Appendix A - Audit criteria

| Line of enquiry | Criteria | Core Management Controls Reference |
|---|---|---|
| Governance and Risk Management | | |
| 1. There is an effective management control framework to govern the management of personal information | 1.1 Roles, responsibilities and accountabilities for the collection, disclosure, use and retention of personal information are clear and communicated | AC-1, AC-2, G-1, G-3, PP-2, PP-4, PPL-4 |
| | 1.2 There are effective plans, processes and policies for the collection, disclosure, use and retention of personal information | G-4, PP-4 |
| | 1.3 The PSC has an effective process for managing risks related to the collection, disclosure, use and retention of personal information | G-6, PP-3, PPL-8, RM-3, RP-2, ST-18 |
| Internal controls for managing personal information | | |
| 2. There are effective controls over the management of personal information | 2.1 Appropriate safeguards are in place to protect personal information in accordance with the Policy on Government Security and the Directive on Privacy Practices | ST-11, ST-12 |
| | 2.2 Effective information management processes ensure accuracy of and access to personal information | PPL-4, ST-12 |
| | 2.3 The collection of personal information is limited, used and disclosed only in accordance with policies and regulations (limiting collection and disclosure) | PP-4, ST-12, ST-22 |
| | 2.4 Personal information is disposed of or retained in accordance with policies, guidelines and schedules (limiting retention) | PP-4, ST-12 |
| | 2.5 The reasons for the collection of personal information are disclosed (openness) | ST-12, ST-16 |
| Monitoring of personal information practices | | |
| 3. There is effective monitoring over personal information practices | 3.1 There is a process in place to monitor the collection, retention, disclosure and use of personal information | PP-3, RP-3 |
| | 3.2 Compliance with policies and directives is monitored on a regular basis and reported to the governance function | CFS-1, G-6, LICM-1, PP-3, PPL-8 |
| | 3.3 There is a reliable and comprehensive system for capturing privacy breaches, such that they are identified, reported and remedied | ST-14, ST-16, ST-23 |

Appendix B - Types of data holdings

Electronic processes
| Branch | Holding: PIB # | Holding: Bank Name | System: Name | System: Acronym | PIA Status |
|---|---|---|---|---|---|
| ADSB | PSC PPU 080 | PSC Audits under the PSEA | Staffing Audit Tool | SAT | None |
| ADSB | PSC PCE 761 | Analytical Environment | Extracts from other systems including PIMS, PSRS, and JAIS | AE | Substantially Complete |
| SASB | PSC PCU 202 | Assessment Accommodation for Individuals with Special Needs | Duty to Accommodate | DTA | Unknown |
| SASB | PSC PCU 025 | Assessment by the Personnel Psychology Centre | Assessment Centre Integrated Information System | ACIIS | None |
| SASB | PSC PCU 025 | Assessment by the Personnel Psychology Centre | Test Scoring & Results Reporting | TSRR | None |
| SASB | PSC PPU 015 | Applicant Profiles, Applications and Referrals | Public Service Resourcing System | PSRS | Action Plan last updated June 2013 |
| PB | PSC PCE 801 | Statutory and Regulatory Priority Entitlements | Priority Information Management System | PIMS | Latest Action Plan updated July 2014 |

Other processes
Branch | PIB # | Bank Name | Name
PB | PSC PCE 763 | Administration of Political Candidacy Requests | None
SASB | PSC PCE 744 | Executive Counselling | None
PB | PSC PCU 747 | Mobility Provisions for Former Minister’s Staff and Persons Formerly Employed at the Office of the Governor General’s Secretary | None

Appendix C – Management action plan

1. Recommendation: The ATIP Office should develop and deliver mandatory training on the Privacy Management Framework (PMF).
Management Response and Planned Action: The ATIP Office will develop and deliver a mandatory training program on ATIP for PSC managers. This mandatory program will cover the PMF. Optional and on-request training will continue to be offered to all PSC employees.
Management Accountability: ATIP
Completion Date: ATIP: Content of program: December 2014. All managers have completed training: by June 2015.

2. Recommendation: All PSC branches should determine whether a Privacy Impact Assessment (PIA) is needed for legacy systems and processes that utilize personal information.
Management Response and Planned Action: The ATIP Office will present an annual PIA status report to the Executive Management Committee (EMC) for review and discussion. EMC will identify programs and activities that require a PIA or a review of their PIA, based on the annual status report. The ATIP Office will support and monitor branches’ implementation of EMC decisions. To assist EMC oversight and decisions, all branches will undertake a review to determine the need for a PIA.
Management Accountability: All PSC branches
Completion Date: ATIP: Presentation of first Annual PIA Status Report: February 2015. All branches: June 2015.

3. Recommendation: The Audit and Data Services Branch (ADSB), in conjunction with the Information Technology Services Directorate (ITSD), should limit the receipt of personal information in the Central Index (CI) File to those records and fields required to carry out their work.
Management Response and Planned Action: The ADSB will work in conjunction with the ITSD to review the process for the receipt of the CI File and to determine the feasibility of reducing the records and fields received to only those that are needed.
Management Accountability: ADSB and ITSD
Completion Date: ADSB review of processes: March 2016

4. Recommendation: The Policy Branch (PB), in conjunction with the ITSD, should limit access to personal information in the Priority Information Management System to a need-to-know basis.
Management Response and Planned Action: The PB will work in conjunction with the ITSD to review processes to ensure that access to personal information is limited to employees who need it to perform the duties and functions of their positions.
Management Accountability: PB and ITSD
Completion Date: Policy review of processes: June 2015

5. Recommendation: The ITSD should assess security levels for the (CI) File, deploy secure USB keys and provide secure faxes to areas that receive and utilize personal information.
Management Response and Planned Action: The ITSD has assessed security requirements for their employees working with the CI File. Specifically, employees are now required to be cleared at the Secret level. Secure USB keys will be deployed in Quarter 4 2015 and non-approved USB keys will be locked out of the network. ITSD will work with policy branch to install a secure fax for political candidacy requests.
Management Accountability: ITSD
Completion Date: March 2015

6. Recommendation: All PSC branches should review their retention processes and develop schedules for disposition or anonymization of personal information.
Management Response and Planned Action: PSC branches will work with Information Management to develop processes and schedules for retention and disposition of personal information. The ATIP Office will add the missing information on retention and disposal standards to the PSC Info Source chapter.
Management Accountability: All PSC branches
Completion Date: ATIP: Processes and schedules: June 2015. Review of PSC Info Source Chapter: October 2015.

7. Recommendation: The PSC ATIP Office should strengthen monitoring and reporting practices and ensure that activities from privacy action plans are included in the PSC’s planning processes.
Management Response and Planned Action: The ATIP Office will present a PIA status report to EMC annually. This report will include an update on related privacy action plans and required adjustments. The ATIP Office will provide a list of privacy proposed actions for inclusion in the PSC’s Integrated Business Plan.
Management Accountability: ATIP
Completion Date: ATIP: Annual PIA Status Report: February 2015 and ongoing. Privacy proposed actions included in 2015-2016 Integrated Business Plan: March 2015.

Footnotes
