Audit of Research Data Centre (RDC)
McMaster University

Control environment

The mandate of RDCs is to promote and facilitate social science research using Statistics Canada's confidential microdata, while protecting the confidentiality of data through effective operational and analytical policies and procedures that create a culture of confidentiality.

For the RDC program as a whole, the audit found that functional authority is formally delegated to the manager/director of the RDC Program. At the regional level, functional authority resides with the RDC regional manager and the day-to-day monitoring of the environment and physical security within the RDC is the responsibility of RDC analysts. RDC analysts administer the operation of the Research Data Centre and ensure that the activities are consistent with Statistics Canada's mandate.

A key management control relied upon to ensure the confidentiality of information within RDCs is the 'deemed' employee status which any researcher must obtain prior to accessing the RDC. In addition to having an approved project, each researcher must undergo a security screening and be sworn in under the Statistics Act. Once completed, the oath sworn is binding for life and researchers are subject to the same penalties under the Statistics Act as Statistics Canada employees. Additionally researchers must attend an orientation session which outlines RDC rules and researcher responsibilities with respect to confidentiality of information.

The McMaster RDC had one full-time RDC analyst, two part-time RDC analysts and one statistical assistant. The regional manager responsible for the McMaster RDC is located at the Western University RDC. All RDC analysts report to the regional manager, and the statistical assistant at the McMaster facility reports to the full-time RDC analyst.

RDCs are managed by RDC analysts, who are Statistics Canada employees and not university staff. This organizational model is used to ensure that operations in the facilities are consistent with Statistics Canada's mandate and policies in order to ensure the security of the centre and confidentiality of the information housed in the RDC facility. RDC documentation notes that,

"the RDC analyst is the primary individual who represents the interests of Statistics Canada in the centre. As such, the analyst has specific responsibilities that are aimed at ensuring the smooth operation of the RDC as well as guaranteeing that the criteria for confidentiality and security are respected by all who access the centre."

Additionally, the annual Management Report on the Canadian RDC Program notes that it is

"important for the RDC analysts to have a peer-to-peer relationship with the researchers working in their centers"

and that RDC staff

"at least maintain, if not advance, their research skills."

At the McMaster University RDC, RDC analysts are also researchers, have an expertise in data analysis and statistical techniques, and have close connection to the research community using the RDC. All RDC analysts at the McMaster facility have post-graduate degrees and three of the four STC employees also conduct research at the facility. This level of knowledge ensures research expertise, and facilitates the research conducted at the centre.

Consequently, RDC analysts are expected to play a dual, but somewhat conflicting, role within the RDC. As Statistics Canada employees, their primary role is to ensure that the criteria for confidentiality and security are respected. Through interviews with RDC staff and observations during the site visit, the audit team noted that RDC analysts' principal focus is to consult with researchers on research techniques and findings, rather than monitoring the ongoing activities in the centre. RDC staff stated that researchers are professionals and because they want a collegial relationship and want to promote the centre, it is not the role of RDC staff to monitor researcher activities within the McMaster facility. This view is in contradiction to Statistics Canada's management expectations for RDCs and likely contributed to several of the following observations.

Vulnerabilities

The audit team noted other potential control weakness during the site visit to the McMaster University RDC. Alone, these items do not present a significant risk to the confidentiality of the information held in RDCs. However, when assessed within the current operating environment at the facility, the risk to the confidentiality of the information is increased.

All printing done by researchers must be examined by RDC staff to ensure no confidential information leaves the facility. Researcher printouts are directed to the network printer which is located in the researcher workstation area. Green coloured paper is used for printing and researchers are able to print directly from their workstation, and have access to printing supplies. Documented procedures for researchers stipulate printing should be done on the network printer under the control of the RDC analyst. Researchers are required to hand in all material printed on green paper, however within the McMaster RDC printing by researchers is not actively monitored by RDC staff.

Additionally, RDC requirements note that hand written notes taken by researchers while in the RDC are subject to the same confidentiality regulations and requirements as analytical output and should not be removed without being checked by RDC staff. The audit observed researchers taking notes and leaving the facility without having these checked.

RDC documentation notes that security measures implemented in the RDCs must be visible and must be seen to protect the information in the centres. For example, RDCs cannot be left unattended. Documentation notes,

"in order for an RDC to be open, a Statistics Canada employee, and not a 'deemed' employee, must be on site."

At the McMaster facility, RDC staff stated that they leave researchers in the centre unattended for short periods of time.

During the 2012 RDC audit of the University of Alberta RDC, documentation related to the use of electronic devices in the RDCs was inconsistent. The audit recommended that policies and directives related to cell phone use and the use of other electronic devices in the RDC be consistent, and clearly outline the approved practice. This has been implemented, and all documentation is consistent and states that researchers may bring electronic devices into the centre, but they must not be operated in the vicinity of researcher workstations. At the McMaster RDC, WIFI is accessible within the facility and can be used with electronic devices; although it is not available on researcher workstations. Given that the McMaster University RDC is a busy facility and researchers' activities are not actively monitored, having WIFI accessibility may elevate the risk to the confidentiality of the information in the centre.

The audit revealed that the control environment within the McMaster RDC has been modified to focus primarily on teaching and facilitation of research within the facility. RDC staff focus on the peer-to-peer relationship with researchers and do not fully understand their primary role as protecting the interests of Statistics Canada nor do they apply the necessary rigour to monitoring activities. Vulnerabilities noted by the audit team, in addition to a lack of monitoring in the centre, elevate the risk to the confidentiality of information. In the absence of active monitoring by RDC staff, it is unlikely that potential confidentiality incidents would be detected or subsequently reported upon.

Physical security

The physical construction and physical security measures required in RDCs are intended to help ensure the security of the information held in the facility. These measures should comply with applicable TBS policies, such as the Government Policy on Security (GPS) and Statistics Canada's Security Practices Manual. In the context of RDCs, physical security should include controls such as perimeter and intrusion detection, physical access, and specific physical site controls.

Perimeter security and intrusion detection controls

The RDC is located on the second floor of the Mills Library at McMaster University. The McMaster University RDC was constructed in compliance with pertinent Statistics Canada's requirements for perimeter security for 'shared floor occupancy' i.e. the surrounding walls of the RDC itself, is either brick or load-bearing walls, or frosted and muted windows (e.g., virtually sound-proof windows, whereby only murmurs can be heard and nothing spoken inside the facility, can be audibly heard outside of the RDC itself).

The procedures document for opening RDCs and branches outline the characteristics considered most important for security. It notes,

"the physical protection of the monitors needs to be maintained, that is, there should not be a direct view from one workstation to another."

At the McMaster RDC, the physical setup of workstations consists of workstations set up on long tables, and there is a direct view between workstations.

Campus security provides 24/7 monitoring of the RDC facilities. They have an access card and the security code to the alarm system. The McMaster RDC has motion sensors and glass break sensors on the windows. The sensor system is activated when the RDC is closed. Additionally, the RDC has a panic button that notifies campus security of incidents during working hours. Outside of working hours, if the alarm or motion sensor system is triggered, campus security would be notified as first response. The academic director and RDC analyst would also be notified.

Access security controls

Physical access in and out of the McMaster University RDC is through a single steel door entrance. The door handle has a keyed lock. The RDC also has a door alarm system and motion detectors, which are functional and safeguard the facility after working hours. Entry to the McMaster RDC is restricted to authorized persons only. RDC staff and campus security have keys to the facility. For all other users of the facility who require access, a generic access card is programmed for their use, which must be provided back to the full-time RDC Analyst, upon contract completion.

According to RDC and STC guidelines, RDCs must have a high-security deadbolt with a one-inch throw in place on steel entrance doors. This has been an ongoing requirement for RDCs. The audit found that the McMaster RDC did not have a high-security deadbolt on the entrance door and that this was noted as a deficiency in the 2011 physical inspection, conducted by departmental security.

RDCs must monitor all access into the facility to ensure the physical security of the centre. At the McMaster RDC, an electronic swipe card access system consisting of an identification card, which contains electronic information identifying the owner, is in place as an access control. The system records all RDC entries and exits, and RDC staff can request these access logs if required. Unauthorised visitors are not allowed past the single entry door of the RDC facility. The audit team examined the access logs for the four days auditors were on site at the McMaster facility. Although these logs had registered entries and exits of RDC and university staff, as well as researchers, the audit noted there was no record for the entries or exits of one researcher observed in the centre several times during the period examined, nor was there a record of the entries or exits of audit team members using the visitor card assigned to them.

A second control required at all RDCs is a visitor sign-in sheet. The RDC visitor protocol notes that visits by 'non-deemed' employees must be pre-planned, and a log including date, time, name of visitor, name of the employee who accompanied the visitor and reason for visit, must be kept for all such visits. The log must be kept and available for audit purposes for at least one year after an entry. Although a visitor sign-in sheet was found inside the entry door to the McMaster University RDC, interviews with RDC staff and examination of the logs found that it is not being used.

Other physical security controls

To help ensure RDC security, IT-related wiring must be channeled through walls and ceilings in secure conduits. The audit team noted that this was in place at the McMaster University RDC. There is a secure server room, which is kept locked and the facility has locked storage cabinets for storing researchers' files to protect confidential, classified, and protected information. Network B access is only available in the RDC analysts' offices. There is a separate conference room with one workstation within the facility for researchers and RDC staff to use. The printer/fax/scanning device is for RDC staff use only and is located in an RDC analyst's office. The network printer used by researchers is housed in the workstation area and researchers are able to print as needed.

Departmental physical security inspections

Departmental Security at Statistics Canada head office provides guidance and directives on physical security requirements. Physical inspections are completed upon initial opening and STC management has recently determined that RDC inspections will take place every four years. Departmental security staff performs the physical inspections, and provide recommendations to the RDC regional managers and head office staff. The last McMaster University RDC physical security inspection was conducted in December, 2011. As a result of this inspection, several recommendations were noted, including the following: installation of a high security deadbolt on the steel entrance door; frosting of the windows in the conference room, which face the researcher workstations; access card reviews to be completed quarterly; and better signage of the centre.

Although the audit found evidence of discussion among RDC analysts, regional managers, and management within Microdata Access Division related to inspection recommendations, there was no evidence of a formal response to departmental security. Better signage had been put into place; however, recommendations related to more frequent card access reviews, the high security deadbolt, and frosting of the windows have not been implemented. RDC staff were unclear as to whether the implementation of security inspection recommendations were mandatory.

Recommendations:

It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:

• The RDC staff at the McMaster centre understand and undertake the role of actively monitoring the operating environment and activities of researchers in the facility to ensure that they adhere to RDC, STC and TBS security requirements and guidelines.
• Procedures documents related to opening and operating RDCs and branches are clarified to determine what is considered mandatory requirement for the physical setup of researcher workstations to ensure an effective physical control environment.
• Departmental Security recommendations regarding the Departmental Security led Physical Inspection conducted in December 2011, are formally responded to and mandatory requirements are implemented in a timely fashion.
• Automated entry logs are validated to ensure they are effective at recording all access to the RDC; and visitor logs are in place and used as required.

Management response:
Management agrees with the recommendations.

• The director of MAD will better define for analysts what 'actively monitoring' means and provide concrete examples.
  
  Deliverables and Timeline: Communiqué to all staff on expectations for 'active monitoring'. Follow-up discussions will take place in regional meetings. This will be completed by December 2013.
• The director of MAD will ensure appropriate staffing levels are in place according to the workload, to ensure time for active monitoring.
  
  Deliverables and Timeline: Revisit staffing level issue with the Academic Director at McMaster University, as per this year's annual review of staffing levels. This will be completed by January 2014.
• The director of MAD will review requirements for the physical setup of workstations with physical security with recommendation to use privacy screens rather than physical barriers between workstations where it makes sense to do so.
  
  Deliverables and Timeline: A sign-off document template is in place. This will be completed by November 2013.
• The director of MAD will negotiate with Physical Security and IT Security to develop a sign-off document for all RDC inspections and to get the inspection reports in a more timely fashion. This form will require Physical Security and IT Security to sign-off on each recommended action and then final sign-off once all requirements have been met.
  
  Deliverables and timeline: Sign-off document template. This has been completed.
• The director of MAD will ensure that there is a review of all automated-entry logs in all RDCs. Through regional meetings RDC management will ensure all RDC staff review the requirements for using visitor logs.
  
  Deliverables and Timeline: Identify problems with any other automated entry logs and an action plan with universities to rectify these. This will be completed by March 2014.

Contract processing procedures

RDCs are operated under the provisions of the Statistics Act, in accordance with confidentiality rules. This mode of access is appropriate when a research question can only be answered using inferential statistical analysis on the confidential microdata. The researcher must also be willing and able to become a 'deemed' employee of Statistics Canada and conduct the data analysis in the RDC secured computer lab.^{Footnote 1}

As per the Policy on the Use of Deemed employees revised in August 2007, researchers wishing to access the RDC are required to become 'deemed' employees and undergo a reliability security screening pursuant to sub-sections 5(2) and 5(3) of the Statistics Act, and take an oath or affirmation of office and secrecy, pursuant to sub-section 6(1) of the Statistics Act. They must also sign an acknowledgment that they have read and understood theStatistics Canada Values and Ethics Code for the Public Service. These actions are to be completed prior to the MRC being signed by Statistics Canada. Once a researcher has successfully completed these requirements and attended an orientation session, they are officially a 'deemed' employee of Statistics Canada. RDC researchers and other 'deemed' employees must reaffirm their oath of secrecy under two conditions: 1) when a researcher wishes to regain data access when there has not been an active contract for one year or more or; 2) when the current security clearance expires.

The audit tested to ensure that all required documentation was in place and valid for 40 researchers associated with 24 sampled contracts. Testing revealed that valid security clearances and oaths of office and secrecy had been signed by all researchers. Testing to ensure that researcher acknowledgements of the Values and Ethics Code for the Public Service found that of the 40 researchers associated with the sampled contracts, 33 had signed this acknowledgement and copies were on file. For another 7 researchers, there was no signed copy of the acknowledgement on file, despite the fact that all 7 of these researchers had contracts dated after August 2007—when the requirement was established. These researchers had however, initialed the Conflict of Interest section of the MRC, indicating that they will conduct themselves in accordance with the principles and spirit of the Values and Ethics Code for Deemed Employees.

The Microdata Research Contract is also signed by Statistics Canada, either by the manager of the RDC program (or her delegated authority), or the director of the survey division. Upon receipt of this signature, a researcher can be given access to confidential microdata approved for their project, and commence data analysis in the RDC. The audit determined that contracts were signed by the appropriate authority at Statistics Canada.

The audit tested compliance of the contract processing procedures by reviewing a sample of twenty-one active and completed contracts associated with the McMaster RDC. The audit noted that for one of the active contracts selected, there had been a misclassification and the contract was held at the Guelph RDC. A second contract was associated with a STC subject matter employee working in the McMaster RDC. All approvals and vetting took place at head office and were not found on file within the RDC. For the remaining 19 contracts - proposals, project descriptions, or course syllabus were found to be in place. Proposal evaluations were found on file at the McMaster RDC except in the case of three contracts. For these contracts, evaluations associated with the Survey of Labour and Income Dynamics (SLID) were not found in the electronic files at the RDC. This information was found on file at head office and one of the evaluations rejected the request for access to the data. This was not reflected in the final MRC and the audit team found during testing of userIDs, that the five researchers associated with this MRC had been given access to this dataset, despite the request being rejected. Internal Audit notified RDC management at head office of the issue and was subsequently advised that the access privileges to the microdata set in question had been revoked and that RDC staff had verified that researchers had not accessed this data.

Contract processing procedures are in place within the RDC program but should be enhanced to ensure that researchers with active contracts complete all the required acknowledgments and affirmations. Additionally, results of proposal evaluations associated with MRCs should be on file and validated against MRCs to ensure researchers obtain access to approved datasets only.

Confidentiality vetting

RDCs are repositories of Statistics Canada microdata files that are accessible to researchers with approved projects. Effective and appropriate processes and procedures for confidentiality vetting should be in place and adhered to in order to significantly reduce the risk of unwanted disclosure. Confidentiality vetting should be carefully administered by the RDC analyst, as per the established protocols, to ensure that confidentiality of data is not compromised.

Confidentiality vetting is the process of screening research outputs, syntax or any confidential data-related material to assess the risk of a prohibited disclosure. This is done by analysing whether obvious identification of individual cases or information about individual cases can be inferred or deduced from the statistical output.

Roles and responsibilities

The RDC Analyst's primary responsibility with respect to confidentiality vetting is to ensure confidentiality is not breached when allowing research outputs to leave the RDC. The analyst should review all materials that the researcher would like to remove from the RDC and the final responsibility and decision to release the output rests with the analyst. At the McMaster RDC, the majority of confidentiality vetting is completed by one of the part-time RDC analysts. This analyst works two days at the McMaster facility (working the three other days at a different RDC in Ontario). This same analyst has been working with the RDC program for several years and, along with having active MRCs, understands Statistics Canada data and the confidentiality requirements.

Confidentiality vetting is conducted using the survey-specific guidelines for all surveys housed in the RDCs. Questions or concerns related to the vetting process or to unfamiliar statistical techniques are addressed by the RDC regional manager or with the RDC Vetting Committee.

During the orientation session, researchers receive training related to the confidentiality vetting process and the required documentation for vetting requests. This documentation includes descriptions of variables, weighted and non-weighted counts, syntax and completion of the disclosure request form for every output request.

Processes and procedures

A detailed draft document entitled, Disclosure Control Rules for Outputs from Survey Data at RDCs provides instructions on how to conduct and perform confidentiality vetting. Guidelines on disclosure risk analysis for various data types and descriptive or tabular output and variance-covariance and correlation matrices, graphs, and models are included.

Confidentiality vetting guidelines and processes are found in the Researcher Guide. An important part of the process is for researchers to complete the 'Vetting Request Form' (formerly known as 'Disclosure Request Form'), which provides the required information for the analyst to conduct and document the vetting request. Information required from the researcher includes:

• the name of the output file, survey and cycles used
• characteristics of the population being analyzed
• the statistical procedure and weights used
• a description of the variables
• weighted and unweighted outputs.

Once the vetting is complete, output deemed non-confidential is released to the researcher.

The audit tested 19 active and completed contracts to ensure confidentiality vetting took place and was appropriate. Among the 19 active and completed contracts, no data had been submitted for vetting in 7 contracts. Among the remaining 12 active and completed contracts that required vetting, the audit found evidence that confidentiality vetting took place. However, completed confidentiality vetting forms were not found in files. The RDC analyst noted that, although researchers submit these forms with vetting requests, once the analyst has completed the vetting, forms are deleted or shredded and not kept in the records. Because each subsequent vetting request is dependent upon previously vetted information, the absence of completed vetting forms renders it inefficient and difficult for the analyst to easily determine what has been previously vetted. Moreover, should another RDC analyst take over the confidentiality vetting task, it would be time-consuming to trace back what has been vetted. Despite not having completed vetted forms in place, the audit team was able to determine, using submitted output and other documentation (such as syntax and variable lists), that, of the twelve contracts that required vetting of output, confidentiality vetting took place and was appropriate. 'To be vetted' folders contained syntax files, as well as weighted and unweighted outputs and previously vetted data (where appropriate) was evidenced. Vetted data folders contained evidence that confidentiality vetting was completed for all 12 contracts, including checks of minimum cell counts, removal of unweighted output and suppression of weighted output in cases where confidentiality was at risk.

The audit determined that confidentiality vetting takes place. Completed confidentiality vetting request forms are deleted upon completion of the request, making any subsequent vetting associated with the project inefficient and more difficult to trace back what had been completed.

Recommendations

It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:

• When MRCs are created, updated, revised or extended, RDC staff confirms that researchers meet the all security, confidentiality, conflict of interest, and values and ethics code requirements in place at the time of the new or updated contract.
• Results of proposal evaluations are on file and validated against final MRCs to ensure that access to confidential microdata is restricted to researchers whose requests for data access have been approved.
• Completed confidentiality vetting request forms submitted with output for vetting are kept on file for future reference.

Management response:
Management agrees with the recommendations.

• The Director of MAD has been working with IMD to revise our Microdata Research Contract (MRC) so that we reduce multiple forms with multiple researcher signatures. The new MRC is almost ready and will be standard for CDER, the FRDC and the RDCs. This will clarify what signatures are required.
  
  Deliverables and Timeline: New Microdata Research Contract. This will be completed by January 2014.
• The Director of MAD will implement a new procedure to ensure that data sets not approved for access within a larger approved project are better identified for analysts.
  
  Deliverables and Timeline: New procedure documented and implemented. This will be completed November 2013.
• The Director of MAD notes that completed forms are already retained with each project, but where they are retained is inconsistent. We will establish a consistent location for all analysts to store vetting request forms.
  
  Deliverables and Timeline: New procedure documented and implemented. This will be completed in March 2014.