Summary of the Joint Evaluation and Audit of Privacy Practices at the Treasury Board of Canada Secretariat


The Treasury Board of Canada Secretariat’s (TBS) privacy practices are delivered by the Access to Information and Privacy (ATIP) Office, which is composed of the Operations Unit and the Privacy Policy Unit. The Privacy Policy Unit focuses on the protection of personal information for activities undertaken by TBS program officials, and the Operations Unit ensures the right of access to personal information when an official request is submitted under the relevant acts.

Scope and methodology

The joint evaluation and audit scope covered the period from to . The evaluation assessed the performance of privacy practices. However, relevance was not assessed, as TBS has a legislative requirement to implement the Privacy Act. The audit assessed the adequacy and effectiveness of privacy practices and controls in supporting TBS priorities. The lines of evidence used to inform joint results:

  • were proportional to the program’s risk and materiality
  • included a review of:
    • program documentation
    • literature examining privacy and its application in government
    • administrative data, including testing and key informant interviews


Due to the low materiality of this joint evaluation and audit, an employee survey was not undertaken. The multiple lines of evidence mitigated this limitation.

Immediate outcomes

  • Employees, managers and sector heads understand their respective roles and responsibilities regarding privacy
  • Employees, managers and sector heads are aware of privacy risks and the impacts of privacy breaches.

Intermediate outcome

  • Employees, managers and sector heads address privacy risks in decision-making.

Long-term outcome

  • Privacy awareness is embedded in the organizational culture.

Results of the joint audit and evaluation

Improvement needed:

  • Privacy awareness and understanding across TBS are inconsistent and depend on the extent to which a sector has been engaged in privacy activities.
  • Privacy assessment tools and processes do not embed privacy in the department’s culture or in decision-making.
  • The program does not have adequate resources to effectively manage the privacy risks and requirements of the department. Program resource needs are increasing given the department’s new initiatives and lines of business, and the new or changing skills required to support the evolution of privacy risks.


  • Develop a formal outreach and engagement plan and expand promotional efforts to ensure that those sectors that are not typically involved in privacy activities are reached.
  • Re-examine the design and implementation of the privacy impact assessment procedures in consultation with the Office of the Chief Information Officer’s Information and Privacy Policy Division.
  • Supplement the business case with a formal human resources plan in order to support current and future needs.
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: