Privacy Implementation Notice 2024-03: Personal information management in internal audit

1. Effective date

This implementation notice takes effect on January 23, 2025. It replaces the notice published on June 26, 2024.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Application

This privacy implementation notice applies to departments as defined in section 2 of the Financial Administration Act (FAA), unless otherwise excluded by other acts, regulations or orders in council. These departments are subject to the Policy on Internal Audit and its supporting instruments, to which this privacy implementation notice relates. Section 6.4 of that policy sets out its application to agents of Parliament.

4. Purpose

This implementation notice serves to assist departments in the collection, use, retention and disclosure of personal information for internal audit functions. Access to information requests are also addressed. However, disclosure to and use of personal information by the Office of the Auditor General of Canada is not covered, as that office is not considered part of internal auditing. Different provisions of the Privacy Act apply to its activities.

5. Context

Internal audit in the Government of Canada is a professional, independent and objective assurance and advisory activity designed to add value and improve an organization’s operations. Internal audit is independent of departmental management and program areas. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to assessing and improving the effectiveness of risk management, control and governance processes.

Internal audit is supported by the Comptroller General of Canada, located within the Treasury Board of Canada Secretariat (TBS). The Comptroller General also has the delegated authority to issue, amend and rescind appendices to the Policy on Internal Audit, including mandatory instruments such as procedures for internal audit.

The Policy on Internal Audit sets out the responsibilities related to internal audit for deputy heads of large and small departments, as defined in section 2 of the FAA. The Directive on Internal Audit outlines requirements for supporting the implementation of the Policy on Internal Audit.

6. Guidance

Personal information may be collected and used in the course of internal audit functions. Typically, internal auditors rely on the information already collected in the course of the administration of the program or activity to confirm that the program or activity has been delivered in accordance with the established rule set.

Internal auditors may also interview public servants or the third parties delivering the program. In this case, the personal information is the opinions of interview subjects on the delivery of the program or activity. However, this information typically falls within the exceptions to the definition of personal information in section 3 of the Privacy Act, set out in paragraphs 3(j), 3(k) and 3(l), which means that sections 7, 8 and 26 of the Privacy Act and section 19 of the Access to Information Act (ATIA) are not applicable. In other words, the rules governing the use and disclosure of personal information in the Privacy Act do not apply.

When personal information does not fall within paragraphs 3(j), 3(k) and 3(l), the provisions governing collection, retention, use and disclosure in the Privacy Act must all be adhered to. Appropriate safeguards must be applied to the personal information according to the Policy on Privacy Protection and Directive on Privacy Practices.

6.1 Collection

Legislative authority for internal audits in departments, as defined in section 2 of the FAA, is based on sections 7 and 16.1 of the FAA. Any personal information collected during an internal audit must directly relate to the internal audit in order to comply with section 4 of the Privacy Act.

6.2 Use and disclosure

Most of the information used in audit functions is either not personal information to begin with, or else, as noted above, would fall within the exceptions of paragraphs 3(j), 3(k) and 3(l) to the definition, which applies to sections 7 (Use) and 8 (Disclosure) of the Privacy Act.

Where personal information is included, paragraph 8(2)(h) of the Privacy Act allows personal information to be disclosed without consent to internal audit officers, including for internal audit advisory engagements, or to the Office of the Comptroller General for audit purposes. This also satisfies the use requirement of section 7 of the Privacy Act, which allows an individual’s personal information to be used consistent with the purpose for which it may be disclosed under subsection 8(2).

Departments must provide unrestricted access to departmental records, databases, workplaces, employees and contractors to the Chief Audit Executive, and by extension internal audit, according to section 4.2.3.4 of the Policy on Internal Audit. This is further supported by the Global Internal Audit Standards, which have been introduced as part of the Institute of Internal Auditors’ International Professional Practices Framework (IPPF) and are effective as of January 9, 2025. According to section 4.1.2 of the Policy on Internal Audit, internal audits must be carried out in accordance with IPPF where the IPPF is not in conflict with internal audit policies or directives.

It may be necessary to disclose personal information that is collected as part of an operating program or activity to internal audit officers on an ongoing basis. This will allow internal audits to use that information for ongoing monitoring. This applies only to personal information that is being actively retained according to a program’s retention standards. Once a record containing personal information has passed its retention period, even if a program or activity is undergoing ongoing monitoring, the record must be disposed of according to an institution’s record disposal standards.

Any personal information collected by or disclosed to internal audit must only be used for internal audit–related functions, unless the information was disclosed for another purpose under subsection 8(2), in which case it can be used consistent with the disclosure under subsection 8(2).

If personal information is shared outside of a department, for example in a multi-institution audit, this must be documented in an information sharing arrangement prior to the disclosure of personal information, according to section 4.2.33 of the Directive on Privacy Practices. The agreement must include all the elements listed in section 4.2.34 of that directive. For more guidance on drafting information sharing arrangements, see Guidance on Preparing Information Sharing Agreements Involving Personal Information.

There is no need to include arrangements for internal audits in a department’s public summary of arrangements on the department’s Info Source. Departments may consider information sharing in the context of internal audits to be a single, one-time disclosure of personal information within the meaning of section 4.2.36 of the directive. However, this does not apply to disclosures of personal information for the purposes of internal audit ongoing monitoring. An information sharing agreement must be in place when regular disclosures of personal information between departments take place as part of multi-departmental audits.

Where appropriate, it is advisable to apply privacy preserving techniques to the personal information of program participants, given that internal auditors cannot make administrative decisions with this data and are unlikely to have a need-to-know of participant identities. Examples of privacy preserving techniques include data minimization (where only the absolute minimum personal information is collected) and de-identification (where personal information is modified to remove or alter identifiers).

However, a department’s employees’ information could be used for administrative decisions, such as when the findings of an internal audit lead to an investigation. Such an investigation would be based on section 4.1.8 of the Policy on Internal Audit that requires an investigation into serious issues uncovered in an internal audit related to policy compliance. Therefore, there may be a benefit in leaving employee information identifiable where it is possible this information may eventually be used for an investigative function.

For more information on privacy preserving techniques, see the:

Personal information banks are a transparency tool to reflect what personal information is collected and how it will be used. As records containing personal information may be disclosed to internal audit, departments may consider listing internal audit under the heading of consistent use in Personal Information Banks in the interest of transparency.

Departments may also employ the “Internal Audit” Standard PIB (PSU 941) for the collection of personal information of those administering programs or activities. These could include the department’s employees, former employees, contractors, and representatives of companies. This Standard PIB also provides that internal audit collects personal information contained within the records disclosed by departmental programs being audited.

Much of the information in this PIB relates to information that is not considered personal information, particularly information relating to public servants such as name, position and contact information, which are excluded from the definition of personal information under section 3 of the Privacy Act. However, the PIB also provides for the collection of some information that would be considered the personal information of public servants, such as financial information, signatures or employee identification numbers. If a department wishes to employ this Standard PIB, they must register against it with TBS.

6.3 Programs delivered by third parties

Programs or activities delivered by third parties for a department are also subject to internal auditing. As personal information from contractors and representatives of companies can be collected for internal auditing, it is recommended that departments establish specific provisions in contracts for the function. For further guidance on contracting, see Taking Privacy into Account Before Making Contracting Decisions.

6.4 Retention

Library and Archives Canada’s (LAC) Multi-Institutional Disposition Authority (MIDA) 99/004, which permits the destruction or other disposal of information resources generated by the common administrative function of comptrollership (under which internal audit is classified), contains specific exclusions for information resources generated in the context of internal audit. As such, in relation to audits conducted by a department (or on its behalf by private sector consultants hired by the department), departments must obtain separate consent from the Librarian and Archivist of Canada to dispose of final internal audit reports and documentation of management response, corrective action and follow up.

Preliminary versions of a report used to create a final document or used to solicit comments or input from others before the report is finalized are considered internal audit working papers and must be retained and filed. However, versions of reports that are not communicated beyond the author(s) or copies used for information or reference purposes may be regarded as transitory records to be disposed of in accordance with information management policies and the appropriate authorizations issued under the Library and Archives of Canada Act.

When personal information is not used for an administrative decision, as in internal audits, it should be disposed of as soon as it is no longer required. Internal audit should therefore dispose of any of their copies of the personal information provided they are not included in the preliminary or final versions of the report. If the findings lead to an investigation, then the relevant information would be disclosed to the entity leading the investigation, and the personal information held by internal audit would be disposed of as soon as it was no longer required for further audit purposes. Even if the personal information has been de-identified, there remains a risk of re-identification. Therefore, institutions must dispose of these records in the same manner as if they had not been de-identified. The same retention standards apply to de-identified information as to personal information.

If the personal information is used for an investigative function, these records must be retained for a minimum of two years, according to the Privacy Regulations. The retention period may be longer depending on departmental record retention standards.

6.5 Reporting

Even if personal information substantiates the findings of the report, it must not be included in the internal audit report, unless the individual has given their consent to publish their information, or the information is already publicly available. This is because audit reports must be published publicly, as required by section 4.1.6 of the Policy on Internal Audit, subject to exceptions related to security considerations and the sensitivity of the information. See Technical Bulletin 2023-1: Policy on Internal Audit (accessible only on the Government of Canada network) for more information.

If the internal audit report discloses publicly available information, it is important to ensure the accuracy of that information and that it is still publicly available at the time of the report’s publication. Institutions can refer to the Privacy Implementation Notice on personal information that is publicly available online for further guidance on managing publicly available personal information.

Departments must also consider the risk of re-identification if de-identified information will be published in a public internal audit report. De-identified personal information stemming from data sets with data from a small number of individuals within unique and specific categories of personal information carries an increased risk of re-identification. The privacy implementation notices on de-identification and on small numbers provide further guidance on de-identified personal information and the risk of re-identification (see above). Departmental privacy officials may be expected to assist internal audit colleagues in de-identifying or severing personal information from internal audit reports prior to publishing.

6.6 Requests for access under the acts

Subsection 22.1(1) of the ATIA specifies that the head of a government institution may refuse to disclose any draft reports or internal audit working papers related to internal audit as part of an access to information request if the records were less than 15 years old at the time the request was made. If reports or internal audit working papers are not exempted under subsection 22.1(1), it is possible that the opinions of public servants and third parties delivering the program or activity would be released. This information may fall within the exceptions in paragraphs 3(j) or 3(k) to the definition of “personal information” in the Privacy Act, in which case section 19 of the ATIA would not apply. For more information on the application of these sections, see the Access to Information Manual.

However, the exceptions to the definition of personal information in the Privacy Act do not apply to section 12 (Right of Access) of that Act, so the information is still considered the personal information of the individual for the purpose of their right of access. Personal information contained in draft reports and internal audit working papers may therefore be disclosed under the Privacy Act to the individual the information is about.

Personal information requests under the Privacy Act are only for personal information in records and the Privacy Act does not require that other information in records related to the request be processed. If an initial search for records following a personal information request includes draft reports or internal audit working papers, the following outcomes are advised:

  • The requester’s personal information is disclosed, unless an exemption or an exclusion under the Privacy Act applies
  • If the non-personal information would be released if the same request was made under the ATIA, in lieu of having a requester make a similar request under the ATIA, the information should be released to the requester
  • However, access may be denied under subsection 12(1) of the Privacy Act for non-personal information that would normally be withheld under one or more exemptions under the ATIA, for example subsection 22.1(1) for internal audits

7. References

Legislation

Related policy instruments

Related guidance instruments

8. Inquiries

Members of the public may contact TBS Public Enquiries for information about this implementation notice.

Employees of departments may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the TBS’s Privacy and Responsible Data Division for information about this implementation notice.

2025-01-27