Summary of the Joint Evaluation and Audit of Privacy Practices at the Treasury Board of Canada Secretariat
Scope and methodology
The joint evaluation and audit scope covered the period from to . The evaluation assessed the performance of privacy practices. However, relevance was not assessed, as TBS has a legislative requirement to implement the Privacy Act. The audit assessed the adequacy and effectiveness of privacy practices and controls in supporting TBS priorities. The lines of evidence used to inform joint results:
- were proportional to the program’s risk and materiality
- included a review of:
- program documentation
- literature examining privacy and its application in government
- administrative data, including testing and key informant interviews
Due to the low materiality of this joint evaluation and audit, an employee survey was not undertaken. The multiple lines of evidence mitigated this limitation.
- Employees, managers and sector heads understand their respective roles and responsibilities regarding privacy
- Employees, managers and sector heads are aware of privacy risks and the impacts of privacy breaches.
- Employees, managers and sector heads address privacy risks in decision-making.
- Privacy awareness is embedded in the organizational culture.
Results of the joint audit and evaluation
- Privacy awareness and understanding across TBS are inconsistent and depend on the extent to which a sector has been engaged in privacy activities.
- Privacy assessment tools and processes do not embed privacy in the department’s culture or in decision-making.
- The program does not have adequate resources to effectively manage the privacy risks and requirements of the department. Program resource needs are increasing given the department’s new initiatives and lines of business, and the new or changing skills required to support the evolution of privacy risks.
- Develop a formal outreach and engagement plan and expand promotional efforts to ensure that those sectors that are not typically involved in privacy activities are reached.
- Supplement the business case with a formal human resources plan in order to support current and future needs.
Report a problem or mistake on this page
- Date modified: