Information Received Under the Memorandum of Understanding With the Workers' Compensation Board of British Columbia

Final Report

Corporate Audit and Evaluation Branch
October 2008


Executive Summary

Background: The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOU) and other written arrangements with federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery. Where it exchanges confidential information with these entities, the CRA negotiates MOUs so that both parties have a heightened awareness of the legal and policy requirements related to the use and the security of information. The inclusion of reciprocal internal audit clauses in MOUs was part of an initiative of the Corporate Strategies and Business Development Branch (CSBDB) to ensure these provisions are respected by both parties.

This audit dealt with information received by the CRA under the MOU with the Workers’ Compensation Board of British Columbia (WCB of BC), signed on, and effective as of, July 13, 2005. The purpose of the MOU is to share data to identify employers who are not compliant with WCB administration or CRA legislation. The CRA and the WCB of BC exchange payroll information on their respective clients, as well as employer and registration information.

Objective: The objective of the audit was to provide assurance that the CRA is in compliance with the terms and conditions governing the use, communication, security, retention and disposition of information provided by the WCB of BC as set out in the MOU.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: Based on the audit work performed, the CRA is generally in compliance with the terms and conditions governing the use, communication, security, retention and disposition of information provided by the WCB of BC as set out in the MOU. Internal Audit found that four elements of the approach should be enhanced to help ensure ongoing compliance with the MOU.

There was no evidence that the WCB information was used for purposes other than those for which it was intended, or disclosed to any third party outside of the terms of the MOU.

However, there was no record of the dates when system access was revoked or suspended, so it could not be verified whether user access to the Registration Identification Program in the Surrey Tax Centre was kept current and immediately revoked or suspended when access to perform the assigned functions was no longer required.

The audit found that the WCB information was kept on shared drives in some sections of the Taxpayer Services and Debt Management and Information Technology branches that were accessible to CRA employees within that area who did not participate in the WCB project. In addition, information to supplement established CRA procedures regarding the retention periods of the data and the proper data erasure methods was not provided to the Pacific Region Tax Services Offices (TSOs). Furthermore, the data erasure method specified by the MOU is not practical for deleting individual files or folders from the hard disk/server.

Action Plan: Management fully agreed with the findings and plans to address them as follows:

Management of User Access

Effective July 18, 2008, RIP system access control will be documented via a password-protected spreadsheet with limited access. The Team Leader and/or the alternate will activate, suspend or delete access privileges, and immediately record this activity in the spreadsheet, as well as conduct quarterly reviews of these privileges.

Information Stored on Shared Drives

The Partnership Opportunities Section (POS) has developed a Reference Guide for the program areas using the WCB data, which includes a section on the MOU. The Reference Guide will be made available for training of all staff for each project and will be shared with all users of the WCB data. POS will complete distribution of the appropriate section of the Reference Guide no later than December 31, 2008. POS will distribute copies of the Reference Guide to all entitled stakeholders of existing, new, and potential partners.

Retention Period

POS will outline the retention period information in a memo to all internal stakeholders by September 30, 2008. The information contained in this memo will be incorporated into the Reference Guide currently being enhanced by POS.

Data Erasure Methods

POS has discussed the current acceptable methods of erasure of electronically stored information with the Security, Risk Management & Internal Affairs Directorate in the Finance and Administration Branch, and with the Information Technology Branch (ITB). POS will include in their Reference Guide a checklist of important information regarding security of data. This section of the Reference Guide will be available to all entitled stakeholders by December 31, 2008.

For future MOUs, by September 30, 2008, the Provincial and Territorial Affairs Division will discuss the file erasure methods with Security, Risk Management and Internal Affairs Directorate and recommend an amendment to the security requirements chart.

Introduction

The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOU) and other written arrangements with federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery. Where it exchanges confidential information with these entities, the CRA negotiates MOUs so that both parties are aware of and respect legal and policy requirements related to the use and the security of information. The inclusion of reciprocal internal audit clauses in MOUs was part of an initiative of the Corporate Strategies and Business Development Branch (CSBDB) to ensure these provisions are respected by both parties.

This audit dealt with information received by the CRA under the MOU with the Workers’ Compensation Board of British Columbia (WCB of BC), signed on, and effective as of, July 13, 2005. The purpose of the MOU is to share data to identify employers who are not compliant with WCB administration or CRA legislation. The CRA and the WCB of BC exchange payroll information on their respective clients, as well as employer and registration information. There have been two exchanges of information between the CRA and the WCB of BC pursuant to this MOU: one received by the CRA in 2005 and the other in 2007.

Under the MOU, the CRA undertakes a registration gap analysis and compliance activities. The original compact discs (CDs) are received by the Partnership Opportunities Section (POS) in the Taxpayer Services and Debt Management Branch (TSDMB). The POS transfers the CDs to the Information Technology Branch (ITB) for processing. The ITB generates two exception reports, which are returned to the POS. One exception report is for the WCB of BC and is provided to the partner in accordance with the terms of the MOU. The data in the CRA exception report is subsequently delivered to the Surrey Tax Centre (Surrey TC), where staff conduct comparative analysis and contact potential registrants.

Results of the comparative analysis are posted in the Registration Identification Program (RIP), a computer application used to record results of the follow-up activities completed on accounts identified in the gap analysis. The ITB accesses the results in the RIP and prepares statistical reports for the POS. The POS conducts additional analysis and forwards some accounts to the Trust Examination sections in Tax Services Offices (TSOs) in the Pacific Region through the Trust Account Programs Division.

Focus of the Audit

The objective of the audit was to provide assurance that the CRA is in compliance with the MOU terms and conditions governing the use, communication, security, retention and disposition of information provided by the WCB of BC.

The scope of the audit included the Partnership Opportunities Section (POS) of TSDMB, Provincial and Territorial Affairs Division (PTAD) of CSBDB, Payroll Deductions, Accounting and Collections System (PAYDAC) section of ITB, Security, Risk Management and Internal Affairs Directorate of the Finance and Administration Branch, Surrey Taxation Centre, and TSOs of Vancouver, Burnaby Fraser, Vancouver Island, Southern Interior and Northern BC and Yukon. The audit was conducted between January and June of 2008.

Assurance related to CRA information technology (IT) controls and other general controls was partially based on audit work conducted in the recent related audits, including the IT Security Follow Up started in 2007, and the 2006 audit of Information Received under the MOU with the Workplace Health, Safety & Compensation Commission of the Province of Newfoundland and Labrador.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

1.0 Use and Disclosure of Information

According to the MOU, the WCB of BC information is to be used by the CRA solely for the administration and enforcement of the Income Tax Act and the Excise Tax Act; and information is only to be disclosed to others under the terms and conditions set out in the MOU. 

There was no evidence that this information was used for purposes other than the registration gap analysis and follow-up compliance activities. Staff interviewed at the Surrey TC, as well as at the Vancouver, Burnaby-Fraser, Vancouver Island, Southern Interior, and Northern BC and Yukon TSOs, reported that the information received from the WCB of BC was used solely for the purpose of identifying and registering BC employers not registered for CRA programs. This was also confirmed by the Data Mining and Risk Management and Workload Identification Section in TSDMB.

Interviewed staff also indicated that they were not aware of any security incidents relating to the inappropriate use and communication of information received from the WCB of BC. The Security, Risk Management and Internal Affairs Directorate in the Finance and Administration Branch confirmed that there have been no reported security incidents with respect to information received under the MOU. The POS stated that no data was released to any third party.

2.0 Security and Safeguarding of Information

The MOU with the WCB of BC (Appendix F) outlines the security requirements for handling, storage, and disposition of information. Based on these requirements, results of the prior related audits and our assessment of risks related to information received from the WCB of BC, examinations were conducted on the following security controls:

2.1 Management of User Access Privileges

The security of confidential client information is enhanced when access to information systems is granted to employees only when the information is needed to perform work-related activities. The CRA security standards and management control system of user access rights require that a record of all computer system access privileges is to be created and maintained for each person. These standards also state that user access privileges are to be kept current and immediately revoked or suspended when access to perform the assigned functions is no longer required.

The RIP unit at the Surrey TC keeps a record of computer system access privileges to the RIP application. However, it could not be verified if user access privileges in this unit are kept current and immediately revoked or suspended when access to perform the assigned functions is no longer required. Access to the RIP is controlled by the team leader through the User Management System (UMS) that does not provide an independent record of the dates when user access privileges are revoked or suspended. The Agency has several system access management initiatives being implemented, including an automated identity access management system that would replace the existing user management systems.

Recommendation:

The Surrey TC should ensure that it meets the CRA requirements related to the management of user access privileges. Until the national automated identity access management initiatives are implemented, the RIP unit at the Surrey TC should implement a control system that allows the dates of removal or suspension of user access privileges to be tracked.

Action Plan

Effective July 18, 2008, RIP system access control will be documented via a spreadsheet. The spreadsheet will be stored within a controlled folder on the Surrey TC shared drive. Access to this folder will be limited to the Manager of the Employer Services, the Team Leader of the WCB Project Team, and one alternate. Furthermore, the spreadsheet itself will be password protected.

It will be the responsibility of the Team Leader and/or the alternate to activate, suspend or delete access privileges when required, and to immediately record this activity in the spreadsheet. Furthermore, quarterly reviews of RIP access privileges will be conducted by the Team Leader and/or the alternate.

2.2 Protection of Stored Information

CRA security standards require that removable media such as CDs, diskettes, hard disks or tapes containing information be stored in locked cabinets when not being used. The information is not to be stored on the users' computer systems. Access to stored information is to be provided on a “need-to-know” basis.

The first two standards have been met in the POS and the Surrey TC. During site visits, observations confirmed that in the POS and in the Surrey TC the CDs containing information received from the WCB of BC were stored in a locked cabinet. In addition, it was verified in the Surrey TC that electronic files containing the MOU data were stored on a server and not on the hard drives of users’ computers.

However, based on interviews in the Payroll Deductions, Accounting and Collections System’s (PAYDAC) section in ITB and the Trust Accounts Division (TAD) in TSDMB, access to the WCB information saved on their shared drives was not restricted only to the employees working with this information. It could, therefore, be accessed by CRA employees not involved in the project.

Recommendation:

The POS should ensure that all program areas working with the WCB of BC data are aware of the MOU requirements related to the stored information and restrict access to the WCB of BC information stored on shared drives only to employees who are involved in this project.

Action Plan

POS has developed a Reference Guide for the program areas working with WCB data, which includes a section on the MOU. This section outlines the purpose of the joint compliance initiative and the roles and responsibilities of all stakeholders with access to the WCB data. The Reference Guide will be made available for training of all staff for each project and will be shared with all users of the WCB data. POS will complete distribution of this section of the Reference Guide no later than December 31, 2008. POS will distribute copies of the Reference Guide to all entitled stakeholders of existing, new and potential partners.

ITB has informed POS that as of July 2008, a new procedure has been implemented so that the file containing WCB data no longer resides on the shared drive. Under this new procedure, only the person preparing the CD containing WCB data will have access to the pertinent file.

2.3 Encryption of Transmitted Information

According to CRA security policies for the storage and electronic transmission of taxpayer information, information transmitted electronically and via removable media such as CDs, containing databases of confidential client information, should be encrypted using CRA approved methods. In addition, under the terms of the MOU, the CRA and the WCB agreed that client information transmitted electronically and/or via a removable media would be encrypted.

The audit showed that the WCB information transmitted via email and CDs was encrypted and password-protected. The interviews in the POS and Surrey TC indicated that passwords were provided separately from the data, over the phone, and never left as a voicemail.

2.4 Retention and Erasure of Information

In accordance with the CRA Finance and Administration Manual – Security Volume, classified and designated "Protected" information that is no longer required must be promptly discarded in a manner that will completely destroy the information. The MOU with the WCB of BC also states that information is to be destroyed when no longer required. However, the MOU does not prescribe specific retention periods for information.

The POS has recently received an opinion regarding retention of information from the Client Services Section, Information Policy and Governance Division, Statistics and Information Management Directorate. The opinion stated that the information should be destroyed when no longer needed but it did not specify the retention period. The POS has decided to set the retention period for WCB information at two years.

This information was also communicated to the Surrey TC. The Surrey TC team leader confirmed that the CD from Phase 1 of the project was destroyed by the local IT office in March 2008. However, Pacific Region TSOs, ITB PAYDAC and TSDMB TAD did not receive any guidance relating to the retention period for the data.

Furthermore, the MOU requires that “non-removable hard disks should be overwritten three times (e.g. RCMP-DSX, Norton’s WIPEDISK) or be magnetically erased using an approved degausser.” The interviews showed that in practice, using the “delete” button on the computer was perceived to be an adequate method of information erasure. This practice does not erase files permanently and does not comply with the MOU’s requirements. However, the method described in the MOU is not practical as it would erase all the data contained on the hard disk, not just the MOU data.

Recommendations

POS should communicate the established retention period for the WCB information to other internal stakeholders.

POS should consult with the Security, Risk Management and Internal Affairs Directorate, Finance and Administration Branch and with the Information Technology Branch to identify acceptable methods of erasure of electronically stored information and communicate them to other internal stakeholders.

The Provincial and Territorial Affairs Division, CSBDB, in consultation with the Security, Risk Management and Internal Affairs Directorate of the Finance and Administration Branch, should ensure that appropriate methods of information erasure are included in the current MOU and similar MOUs, as well as in the future MOUs.

Action Plan

POS will outline the retention period information in a memo to all internal stakeholders by September 30, 2008.

POS has discussed the current acceptable methods of erasure of electronically stored information with the Security, Risk Management & Internal Affairs Directorate in the Finance and Administration Branch, and with the Information Technology Branch (ITB). Based on these discussions, POS has developed a checklist of important information regarding security of data and included it in its Reference Guide. POS will make copies of the appropriate section of the Reference Guide available to all entitled stakeholders by December 31, 2008.

For future MOUs, by September 30, 2008, the Provincial and Territorial Affairs Division will discuss the file erasure methods with Security, Risk Management and Internal Affairs Directorate and recommend an amendment to the security requirements chart.

2.5 Security Awareness

The audit found that CRA employees working with the WCB of BC information were aware of the CRA standards related to security of this information. Security awareness initiatives are in place in the CRA and delivered nationally and locally. These initiatives promote awareness of policies and procedures related to the protection of CRA personnel, information, and physical assets. All selected interviewees at the Surrey TC and Pacific Region TSOs reported that they had received security awareness training when they first joined the Agency and periodically thereafter. Employees regularly receive national security reminders via e-mail.

Conclusion

Based on the audit work performed, the CRA was found to be in compliance with the terms and conditions governing the use, communication to others and security of information received from the WCB, except in four cases. The audit found that the WCB information was kept on the TSDMB Risk Management and ITB PAYDAC shared drives, and was accessible to some employees within these areas who did not participate in the WCB project. In addition, there was no guidance provided to the BC TSOs regarding the retention periods of the data and the proper data erasure methods. Furthermore, the data erasure method specified by the MOU is not practical for deleting individual files/folders as it would delete all information contained on the hard disk/server.

It could not be verified whether user access to the RIP in the Surrey TC was kept current and immediately revoked or suspended when access to perform the assigned functions was no longer required, as there was no record of the dates when access was revoked or suspended.

There was no evidence that information was used for purposes other than that for which it was intended, or disclosed to any third parties outside of the terms of the MOU.
