Information Sharing Agreement Between the British Columbia Vital Statistics Agency and the Canada Revenue Agency

Final Report

Audit, Evaluation, and Risk Branch
August 2013


Executive Summary

Background

The Canada Revenue Agency (CRA) enters into written collaborative arrangements, such as Information Sharing Agreements (Agreements), with federal, provincial and territorial departments and agencies to improve the efficiency and effectiveness of program delivery. Where there is an exchange of confidential information between these entities, the CRA ensures that the agreements contain the language necessary to make both parties aware of, and respect, legal and policy requirements related to the use and security of this information.

In order to ensure that these provisions are respected by both parties, the Agreements include a clause requiring that internal audits be conducted on the use and security of the information provided. This Agreement stipulates that the CRA is required to conduct its first internal audit at a mutually agreed-upon time within two years of the effective date of the Agreement. Thereafter, internal audits will be conducted on a periodic basis as agreed to by the British Columbia Vital Statistics Agency (BCVSA) and the CRA, and based on the results of the previous audit.

This audit focused on protected information received by the CRA under the Agreement with the BCVSA.

The purpose of the Agreement is to document the terms and conditions under which the BCVSA discloses information to the CRA respecting the registration of births and deaths in BC, in order to assist the CRA in meeting its mandate for integrated service offerings. The ‘Integrated Birth Registration and Canada Child Tax Benefit (CCTB) Application Service’ allows the mother of a child to combine two processes. At the same time as the mother completes the child's birth registration with the BCVSA, she may apply for the CCTB for her child.

The Client Relations Directorate, within the Strategy and Integration Branch (SIB) directs and coordinates internal and external client relations by providing support to the branches and regions for all agreements signed with the CRA’s partners. The Assessment and Benefit Services Branch is responsible for functional direction of the vital statistics update process. The operational activities in relation to births information and related CCTB applications provided under this agreement are conducted in the Surrey Tax Centre (TC) within the Pacific Region. The operational activities in relation to deaths information provided under this agreement are conducted in the Ottawa Technology Centre within the Ontario Region. The Security and Internal Affairs Directorate of the Finance and Administration Branch is responsible for enforcing and ensuring compliance with security-related policies and in supporting the CRA in meeting its security-related legal obligations.

Objective

The objective of this audit was to provide assurance that the use and security of the information received by the CRA complies with the terms and conditions set out in the Agreement.

Examination work was performed between April and June 2013 and included visits to the Surrey TC and the Ottawa Technology Centre.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion

Overall, the CRA is in compliance with the terms and conditions governing the use, communication and security of information as provided in the Agreement. The results of the audit indicate that the responsible managers and staff in the Surrey TC and the Ottawa Technology Centre were aware of their responsibilities and applied the controls necessary to discharge those responsibilities and that the system and processes in use further supported the appropriate use and safeguarding of information.

Introduction

The Canada Revenue Agency (CRA) enters into written collaborative arrangements (WCAs), such as Information Sharing Agreements (Agreement) with federal, provincial and territorial departments and agencies to improve the efficiency and effectiveness of program delivery.

The Agreement with the British Columbia Vital Statistics Agency (BCVSA) has been in effect since July 28, 2009. The purpose of the Agreement is to document the terms and conditions under which the BCVSA discloses information to the CRA respecting the registration of births and deaths in BC, in order to assist the CRA in meeting its mandate for integrated service offerings. The BCVSA shares information with the CRA via an automated process that sends vital event information electronically using a secure electronic interface.

The “Integrated Birth Registration and Canada Child Tax Benefit (CCTB) Application Service” allows the mother of a child to combine the child's birth registration with the BCVSA and the application for the CCTB for her child.

The BCVSA also provides the CRA with information regarding deaths registered with the BCVSA. This information is used to annotate individual CRA records as "deceased" and incorporate additional required data elements.

The Client Relations Directorate, within the Strategy and Integration Branch (SIB), is responsible for managing all the WCAs and maintains a repository to assist CRA staff in the communication and exchange of information and service arrangements. The Assessment and Benefit Services Branch is responsible for functional direction of the vital statistics update process. The operational activities in relation to births information and related CCTB applications provided under this agreement are conducted in the Surrey Tax Centre (TC) within the Pacific Region. The operational activities in relation to deaths information provided under this agreement are conducted at the Ottawa Technology Centre within the Ontario Region. The Security and Internal Affairs Directorate (SIAD) of the Finance and Administration Branch (FAB) is responsible for enforcing and ensuring compliance with security-related policies and in supporting the CRA in meeting its security-related legal obligations.

Focus of the Audit

The objective of this audit was to provide assurance that the use and security of the information received by the CRA complies with the terms and conditions set out in the Agreement.

The methodology for this audit consisted of interviews, observation, and document review. It did not involve testing of general computer controls or the security of automated systems.

Examination work was performed between April and June 2013 and included visits at the Surrey TC and the Ottawa Technology Centre.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings

1.0 Compliance with Policies, Procedures, Laws, and Regulations

1.1 Use of BC Vital Statistics Agency Information

According to the Agreement, the information received from BCVSA is to be used by the CRA solely for the administration and enforcement of the Income Tax Act, the Canadian Pension Plan and the Employment Insurance Act. Employees should be aware of the intended use of this information and understand their responsibility to keep the data secured.

Based on interviews and a review of documentation for handling information received under this Agreement, the information was used to update the CRA IDENT database, which stores information on individual taxpayers. This database is secured by the CRA general computer controls. The information from that database is then used in administering and enforcing the legislation cited above.

Based on interviews and a demonstration of the process, the automated system that receives the information under the Agreement is designed to automatically update the IDENT database. The automated system generates exception documents for BCVSA transactions which cannot be automatically processed because of data that does not conform to system validation requirements. These exception documents can be accessed by authorized employees at the Surrey TC and the Ottawa Technology Centre. These employees correct the information provided or obtain missing information and then update the IDENT database.

The audit team noted that the authorized employees are aware of their responsibilities with respect to use of the information. This information is not shared beyond the personnel authorized to deal with this exceptions workload. This limited circulation reduces the opportunity for unauthorized use of the information by other personnel.

Interviews with employees and managers responsible for the Agreement revealed that they were aware of their obligations with respect to the Code of Ethics and Conduct. Our testing confirmed that these personnel had formally indicated that they had read and understood the Code.

There was no indication during the interviews or the demonstration that the information from BCVSA was used for any other purposes than those specified in the Agreement.

1.2 Access to BC Vital Statistics Agency Information

Access to the BCVSA information must be in accordance with the CRA security requirements and provided on a “need-to-know” basis. Interviews with managers and staff revealed that approximately five employees are granted access to the information at any point in time at the Surrey TC with about the same number of employees granted access at the Ottawa Technology Centre. Their access to the required automated processes under this Agreement is administered through the general access control regime that secures the CRA computing environment.

These roles are monitored through semi-annual reviews known as Employee System Access Review (ESAR), which are supported by a national tracking system which is not accessible to the Surrey TC or Ottawa Technology Centre personnel. The ESAR tool is designed to allow managers to control the roles and the consequent authorization to access the automated processes required for process exceptions. The audit team’s testing revealed that the ESAR report associated with the most recent review in December 2012 had been used by managers to confirm that only authorized employees in the unit had access to the information.

1.3 Disclosure of BC Vital Statistics Agency Information

Based on interviews with managers and staff, the BCVSA information is not shared within or outside of CRA before it is used to update the IDENT database. The audit team did not observe and were not made aware of any instances in which the information was disclosed to personnel other than those authorized within the processing unit.

2.0 Safeguarding of Information

Information received from the BCVSA must be handled, stored and disposed of in accordance with the requirements of the Agreement and CRA policies and guidelines.

According to interviewees, security training related to the handling, storage and disposal of documents is provided as part of the initiation activities when employees start working at CRA. The authorized employees responsible for this workload in the Surrey TC and the Ottawa Technology Centre attended the most recent annual security awareness refresher training sessions. A control list for employee attendance at the most recent annual awareness sessions in March 2013 was obtained and reviewed by the audit team to confirm attendance. In addition, the audit team observed lists of attendance at various other security awareness training sessions.

2.1 Handling of the Information

Based on interviews and the documentation describing the automated system, the information is received electronically and processed automatically. The CRA automated system controls are designed to thoroughly screen for viruses or related threats to any files entering the CRA computing environment.

The employees handling the information provided under the Agreement have the correct security classifications according to a review of the Manager Self-Service records of those classifications.

At the Surrey TC, the audit team observed that printed exception documents for births are marked as “Protected B” as required under the CRA Guidelines for Performing a Risk Assessment to Identify the Category and Level of the Information. At the Ottawa Technology Centre, the exceptions for deaths information are provided in electronic form in a secure repository accessible only by authorized personnel.

Based on interviews and observation, physical access to information at workstations is controlled in accordance with the CRA security guidelines through local TC and Technology Centre security guards. Use of the workstation computers is controlled through the general access controls that cover the entire CRA Information Technology environment.

At the Surrey TC, swipe cards and security keypads requiring access codes restrict entry into the room in which servers are housed. These swipe cards and access codes are provided only to authorized personnel. This was based on interviews with Information Technology and local Security personnel and on testing which included observation of those attempting to enter the secure server rooms.

At the Ottawa Technology Centre, based on interviews and observation, servers are stored within secure cabinets in an open area. Those cabinets are locked, and accessible only to authorized employees. The audit team tested each cabinet without the key and found that they could not be opened.

Managers and staff indicated that they were aware of the security incidents procedures and were able to appropriately describe the protocol if such an incident were to occur.

2.2 Storage and Disposal of the Information

Based on interviews and a demonstration of the process, hardcopy exception documents at the Surrey TC are stored with the associated taxpayer file after they are used and retained for four years, as required by the policy for all CCTB applications. They are put into storage at an offsite location, and administered by a CRA unit responsible for storage and disposal.

Based on interviews and a demonstration at the Ottawa Technology Centre, exception documents are received in electronic form and not printed. After they are used for exception processing, the reports are stored in a secure directory and deleted after two years, as required by the Taxation Operations Manual. The audit team tested and confirmed this retention by reviewing and obtaining the list of files contained in the secure directory.

Conclusion

Overall, the CRA is in compliance with the terms and conditions governing the use, communication and security of information as provided in the Agreement. The results of the audit indicate that the responsible managers and staff in the Surrey TC and the Ottawa Technology Centre were aware of their responsibilities and applied the controls necessary to discharge those responsibilities and that the system and processes in use further supported the appropriate use and safeguarding of information.
