Audit Report
Report Date: March 2012
Project Number: 80590-69
- Executive Summary
- Key Findings
- Overall Conclusion
- Conformance and Professional Standards
- Introduction
- Background
- Audit Objectives
- Scope
- Approach
- Authority
- Findings, Recommendations and Management Response
- Control Environment for the Management of Confidentiality
- Risk Management
- Compliance with Legislation, Policies and Directives
- Appendices
- Appendix A: Audit Criteria
- Appendix B: Confidentiality Agreements & Forms
- Appendix C: Applicable Legislation, Policies and Directives
Executive Summary
Statistics Canada's Canadian Centre for Justice Statistics (CCJS) is the operational arm of the federal/provincial/territorial partnership known as the National Justice Statistics Initiative (NJSI) whose mandate is to provide information to the justice community and the public on the nature and extent of crime and the administration of criminal and civil justice in Canada. CCJS collects data pertaining to the national justice system from microdata provided by external justice partners and data providers, such as policing jurisdictions, federal/provincial/municipal courts and other justice partners. After receiving and manipulating the data, aggregate statistical information is provided in advance of official release to the organization that is the source of the file for validation and information purposes. Throughout this process, the director is responsible for keeping track of the location, users and use made of information provided in confidence. A number of tools, such as agreements, forms and IT systems, are in place to protect the confidentiality of sensitive statistical information throughout the survey process. At the corporate level, several divisions play a role in the management of confidentiality for sensitive statistical information.
The objectives of the audit are to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:
- Justice Statistics Surveys have an adequate and effective policy framework in place to ensure that the confidentiality of sensitive statistical information is protected; and
- Selected surveys comply with applicable Treasury Board Secretariat (TBS) and Statistics Canada (StatCan) legislation, policies and standards related to confidentiality of sensitive statistical information.
The audit was conducted by Internal Audit Services in accordance with the Government of Canada's Policy on Internal Audit.
Key Findings
The policy framework for the management of sensitive statistical information would benefit from better clarity and integration of roles and responsibilities with regards to the protection of sensitive statistical information. The objectives of the control framework surrounding work-in-progress are not well-understood within Communications Division or CCJS . As a result, the policy framework surrounding work-in-progress (WIP) Agreements and Forms should be strengthened to ensure the protection of sensitive statistical information. In the absence of formal agreements in place to establish authorized recipients of pre-release information, it is unlikely that the program will be able to identify, report and mitigate the impacts of breaches should they occur.
Ratings provided by CCJS for the risk assessment exercise are not supported by documentation identifying specific risks that may preclude the achievement of protecting the confidentiality of sensitive statistical information for justice surveys, or comprehensive assessment of controls in place to mitigate these risks.
IT systems used to safeguard records and data are in compliance with applicable laws and Treasury Board policies. Access permission controls surrounding sensitive statistical information are in place. The audit team identified that access privileges need to be updated on a continuous basis in order to maintain the effectiveness of these controls.
Overall Conclusion
Justice Statistics are supported by a comprehensive policy framework. CCJS data management practices are in compliance with applicable TBS and Statistics Canada legislation, policies and standards related to confidentiality of sensitive statistical information.
While the Agency made significant efforts in establishing a strong confidentiality governance model, greater clarity and integration of roles and responsibilities is necessary to ensure the protection of sensitive statistical information. Improving the controls surrounding Advance Release would strengthen the confidentiality of sensitive statistical information shared during the validation of aggregate statistical information with external justice partners.
Conformance and Professional Standards
The conduct of this engagement conforms to the International Standards for the Professional Practice of Internal Auditing and the Government of Canada Internal Auditing Standards. Sufficient testing was carried to support the findings and related recommendations.
Patrice Prud'homme
Chief Audit Executive
Internal Audit Services, Statistics Canada
Introduction
Background
The confidentiality of sensitive statistical information is a key value and a legal necessity at Statistics Canada. It is anchored in the Statistics Act, and embedded into various policies and procedures that support the Agency's operations. While risks to confidentiality and security are inherent, Statistics Canada endeavours to manage these risks in survey program areas.
Statistics Canada conducts surveys in four justice domains: Policing Services, Courts, Corrections, and Victimization. Combined, there are 13 active surveys covering the four domains. CCJS is the operational arm of the federal/provincial/territorial partnership known as the National Justice Statistics Initiative (NJSI) whose mandate is to provide information to the justice community and the public on the nature and extent of crime and the administration of criminal and civil justice in Canada. CCJS operates in a partnership whereby the federal/provincial/territorial (F/P/T) governments share authority and responsibility for the justice statistics program. As a result of this governance structure, the jurisdictions play a key role in both the collection and the verification of data.
CCJS is responsible for 12 of the 13 surveys, with Social and Aboriginal Statistics Division (SASD), being responsible for the collection and processing of the General Social Survey cycle on Victimization. There is a mix of mandatory and voluntary surveys undertaken by CCJS . The sources of survey information in the division come from administrative data as well as direct questionnaire surveys.
Uniform Crime Reporting (UCR) Survey
Aggregate information on reported crime has been collected by the UCR survey since 1962. The microdata version of the survey (UCR2) captures information such as the age and sex of victims and offenders, victim-accused relationships, weapons involved, level of injury to the victim and the location of the incident. With this detailed information, issues such as family violence, the use of firearm to commit crime, organized crime and street gangs, hate-motivated crime, cyber crime, police-reported crime and youth crime severity can be addressed.
Integrated Criminal Court Survey (ICCS)
The Courts Program is responsible for collecting, analysing and disseminating information related to the operation of Canada's criminal and civil courts. The Integrated Criminal Court Survey (ICCS) collects detailed information on every appearance in adult criminal and youth court and thus provides information on caseload, case processing and sentencing for all Criminal Code and other federal statute charges in Canada. All provinces and territories report provincial/territorial court data to the survey. Overall survey coverage is about 95% of the criminal court caseload. The data are collected by way of an "interface". The interface is a software program that automatically extracts the data from the automated courts information system according to the survey definitions.
CCJS collects data pertaining to the national justice system from administrative sources provided by external justice partners and data providers, such as policing jurisdictions, federal/provincial/municipal courts and other justice partners. More specifically:
- The Police Information and Statistics (POLIS) committee, a committee of the Canadian Association of Chiefs of Police ensures that emerging police issues, priorities and concerns are addressed by CCJS surveys and products. Members include senior officers from large municipal, provincial and federal police services from across the country, plus the federal departments Statistics Canada, Justice Canada and Public Safety;
- The Liaison Officers Committee of the National Justice Statistics Initiative (LOCNJSI) oversees the work of CCJS on behalf of the National Justice Statistical Initiative (NJSI). The members of the LOCNJSI include departmental officials appointed by the deputy ministers, plus the Statistics Canada director general responsible for CCJS and a representative of the Canadian Association of Chiefs of Police. A deputy minister chairs the LOCNJSI;
- There are approximately 150 police services in all ten provinces and three territories which supply data to the UCR survey and represented approximately 99% of the population of Canada. These include municipal, provincial, military, transit, tribal and the RCMP. The vast majority of jurisdictions have "in-boxes" to provide data to the CCJS via the EFT. Those who do not, send a CD each month or mail in their information.
Data received by the CCJS undergo editing and processing prior to being aggregated for statistical use. After manipulating the data, the resulting aggregate statistical information is provided in advance of official release to the organization that is the source of the data and to other justice partners for verification that the data reflect the reality in their jurisdiction.
Aggregate statistical information in the pre‑release stage (including work-in-progress provided to external organizations for data validation) is included in the definition of sensitive statistical information, as defined in Statistics Canada's Policy Manual - Security of Sensitive Statistical Information. The data is developed from administrative files produced by justice partners and jurisdictions, and is considered "protected" information. Throughout this process, the director of CCJS is responsible for keeping track of the location, users and use made of information provided in confidence.
A number of tools, such as agreements, forms and IT systems, are in place to protect the confidentiality of sensitive statistical information throughout the survey process. At the corporate level, several divisions play a role in the management of confidentiality for sensitive statistical information. These divisions include:
- Information Management Division (IMD)
- Communications Division
- Informatics Divisions:
- Collection Information Systems (CISD)
- Statistical Information Systems (SISD)
- Informatics Technology Systems (ITSD).
Audit Objectives
The objectives of the audit are to provide the Chief Statistician and the Departmental Audit Committee with assurance that:
- Justice Statistics Surveys have an adequate and effective policy framework in place to ensure that the confidentiality of sensitive statistical information is protected; and
- Selected surveys comply with applicable TBS and Statistics Canada legislation, policies and standards related to confidentiality of sensitive statistical information.
Audit criteria are included in Appendix A.
Scope
The scope of this audit focussed on how CCJS manages the flow of sensitive statistical information both internally and externally. Two surveys within CCJS were selected: the UCR and ICCS . Justice Statistics Survey programs rely on both survey and administrative data sources and, as such, confidential justice related statistical information is accessed by both Statistics Canada employees as well as outside justice related data providers. CCJS is responsible for ensuring the confidentiality of sensitive statistical information.
This audit included an examination of the systems and practices used by CCJS for both surveys in the protection of confidential data by Statistics Canada employees. It also examined IT protection of confidential statistical information both internally on the Statistics Canada network as well as the IT protection measures used by CCJS to ensure confidentiality of justice data as it is accessed and or transmitted to external data partners and to ensure compliance with applicable TBS and Statistics Canada legislation, policies and standards.
Approach
The audit consisted of an examination of applicable legislation, policies, procedures and information related to the confidentiality of sensitive statistical information, interviews with key senior management and personnel, and a review and testing for compliance with relevant policies and guidelines related to the confidentiality of sensitive statistical information. This audit focussed mainly on practices within the Agency. Site visits of external organizations were not conducted.
Authority
The audit was conducted under the authority of Statistics Canada Multi-Year Risk-Based Audit Plan 2011/12-2013/14, approved March, 2011 by the Departmental Audit Committee.
Findings, Recommendations and Management Response
Line of Enquiry No. 1: Justice Statistics Surveys have an adequate and effective policy framework in place to ensure that the confidentiality of sensitive statistical information is protected.
Control Environment for the Management of Confidentiality
The policy framework for the management of sensitive statistical information would benefit from better clarity and integration of roles and responsibilities with regards to the protection of sensitive statistical information. The objectives of the control framework surrounding work-in-progress are not well-understood within Communications Division or CCJS. As a result, the policy framework surrounding WIP should be strengthened to ensure the protection of sensitive statistical information. In the absence of formal agreements in place to establish authorized recipients of pre-release information, it is unlikely that the program will be able to identify, report and mitigate the impacts of breaches should they occur.
A sound control environment is necessary to ensure the confidentiality of sensitive statistical information within the CCJS. This would include a clear mandate, authorities, responsibilities, and accountabilities with respect to confidentiality. These should be communicated within the division, to other StatCan divisions who provide support to CCJS, as well as in formal agreements between CCJS and external partners. Mechanisms such as formal acknowledgements of accountabilities by employees and external parties, and monitoring of external and internal environments, where significant risks exist, should be in place to ensure that confidentiality policies are followed.
Within the context of justice statistics, the Security Practices Manual defines sensitive statistical information as "aggregate statistical information in the pre-release stage, including work-in-progress provided to external organizations for data validation".
Roles and Responsibilities
CCJS's mandate is well-known and communicated to both staff and external stakeholders. Statistics Canada employees are legally required to protect the confidentiality of sensitive statistical information. Statistics Canada's Confidentiality Awareness Program identifies the roles and responsibilities of managers and employees, and the "Security of Sensitive Statistical Information" section of the StatCan Policy Manual outlines the roles and responsibilities of the various service divisions.
Employees acknowledge their responsibilities and accountabilities for confidentiality by taking the Oath upon commencement of employment and periodically completing the on-line confidentiality course upon renewal of their security pass. CCJS employees must adhere to the Confidentiality Awareness Program, which provides clear guidelines with respect to accessing confidential data, and how sensitive information should be handled within the Agency. It is each Program's responsibility to implement practices and mechanisms to ensure confidentiality of sensitive statistical information and seek advice from relevant divisions, as deemed necessary. The Confidentiality Awareness Program notes that "Directors assume the role of custodian of data holdings under their jurisdictions, and, as such, they are responsible for controlling and protecting all confidential statistical information obtained or held by their respective areas in the pursuit of their program objectives".
The former Data Access and Control Services (DACS) Division, which is now part of Information Management Division (IMD), is mandated to provide policy interpretation related to confidentiality and guidance to programs, if solicited.
According to the Policy on Official Release in The Daily, Communications Division is responsible for approving submissions for the advance release of statistical information and The Daily, and reporting on results and benefits of the advance release to Policy Committee.
Policy Framework for Advance Release
Justice partners are not legally bound by the Statistics Act. The responsibility for confidentiality, when shared with external parties, can only be effectively managed through acknowledgement of terms and conditions of agreements or memoranda of understanding.
The policy on The Daily and Official Release notes that there are three types of agreements and forms which allow for the advance release of sensitive statistical information. These include:
- Common Governance Structure Recognition Submission and Forms
- Work-in-progress Agreements and Forms
- Advance Release Submissions and Forms.
Common Governance Structure Recognition Submission and Forms are applicable to organizations that are considered to be partners in a collaborative program and, as such, may have access to release materials in advance of official release. In the case of CCJS, the Liaison Officers Committee of the National Justice Statistics Initiative was designated to be a collaborative program. Under Common Governance, LOs have access to 24 hour advance release of final analytic products, and 24 hour advance release of The Daily. The policy states that individuals must sign an Acknowledgement of Confidentiality.
Work-in-progress Agreements and Forms are designed to provide pre-final datasets and information products in advance of official release in The Daily to designated individuals or external organizations for purposes of data validation. Analytical studies may also be provided in advance of the official release in The Daily to an individual or external organization for the purpose of institutional or peer review. Advance release falling under WIP agreements must meet the security requirements for transmission of sensitive statistical information to ensure that only the intended recipient accesses the information. Procedures for the WIP advance release include: A WIP submission form must be prepared for each advance release of work-in-progress; the names of the individuals to whom the advance release will be made must be attached to the form; and the division must communicate the conditions governing the advance release of work-in-progress to the receiving organization. When providing work-in-progress data to external organizations for data validation, divisions should provide only the information that requires validation.
Advance Release Submissions are applicable to external organizations that provide Statistics Canada with administrative data files from which statistical outputs are produced. Under the condition of advance release, CCJS provides tabulations of aggregated, non-confidential statistics from unreleased final datasets to the organization that provided the data. Such tabulations may be provided at any moment after the finalization of the dataset.
The Policy on Official Release in The Daily outlines the following responsibilities for organizations receiving protected release information from Statistics Canada:
- undertake to protect the confidentiality of the protected release information provided to them
- limit access to the protected information to those designated officials within their organization for work-related purposes (need-to-know basis)
- undertake not to further disseminate the protected information, even subsequent to final release of the data by Statistics Canada.
The Policy also states that the director of the division providing the data, "must ensure that protected information is securely transmitted when disseminated outside the agency, and that it will be covered by an agreement requiring recipients to: acknowledge receiving the information; restrict access to designated officials of external organizations who absolutely require it; otherwise hold the information in confidence until officially released by Statistics Canada".
Communications Division maintains a register of all types of advance release submissions and retains original copies of Acknowledgements of Confidentiality. Since Common Governance forms were introduced, the division has also included these to its inventory. Employees within Communications Division have stated that they rely on program managers to make the determination of when WIP and Advance release submissions for organizations who provide administrative data forms are required. Because survey programs control the flow of information transmitted to external partners, Communications Division is not in a position to ensure that all advance releases have been formally approved or have valid agreements on file.
Practices in Place for Advance Release
The audit found that for the ICCS and UCR survey programs within CCJS, advance release of sensitive statistical information has been deemed by CCJS management to fall under Common Governance and WIP conditions. CCJS does not currently have any Advance Release Submissions in place for the advance release of final tabulations.
At the time of the audit, there were 26 individuals from the LO committee approved under the Common Governance Structure Recognition, which was implemented April 29, 2011. Of the 26, only 18 are deemed to require 24 hour advance release of a finalized information product and/or The Daily and had access. Accordingly, signed acknowledgements of Confidentiality for each of these individuals were on file.
Both ICCS and the UCR have WIPs on file for POLIS and LO members. These forms date back to 1993 and 1997 and do not expire. There are no acknowledgements of confidentiality from external parties on file as required in the Policy on Official Release in The Daily. CCJS and Communications Division staff stated that there were no plans in place to update these forms or obtain acknowledgements of confidentiality from external recipients. Because the current WIPs have no acknowledgment of terms and conditions for external recipients, their relevancy and effectiveness to protect the confidentiality of sensitive statistical information is limited.
There are no WIP agreements or acknowledgements of confidentiality for the approximately 150 individual policing jurisdictions that carry out data validation of aggregated tabulations from the administrative data submitted to CCJS, which is not compliant to the requirements for the advance release of sensitive statistical information. CCJS management and staff noted that they did not feel WIP agreements were required since the data belonged to the external organizations. However, the information being transmitted back to individual policing jurisdictions for validation meets the definition of sensitive statistical information as defined in Security Practices Manual.
There is currently no mechanism in place for CCJS's external partners to formally acknowledge their understanding and acceptance of accountabilities for confidentiality of sensitive statistical information. Without this acknowledgment, CCJS cannot hold external partners accountable for confidentiality in the event of inappropriate usage or unauthorized access of information.
CCJS formally communicates respective roles, responsibilities and accountabilities for confidentiality to POLIS and Liaison Members through the transmission of a best practices document. In administrating the validation process, CCJS relies on this practice to ensure that external organisations apply specific measures to protect the confidentiality of the data. Although the best practices document may be an effective communication tool, it does not require nor yield formal acknowledgement of responsibilities and accountabilities from these parties.
CCJS does not send the best practices documents to individual policing jurisdictions. CCJS management is of the opinion that because the data is being transmitted to the original data provider for validation, there is lesser concern as to how the data is handled by the external organization. Because the nature of the information being sent for validation meets the definition of sensitive statistical information, the program is still responsible of ensuring its protection and informing respondents of associated security risks.
The policy framework for the management of sensitive statistical information would benefit from better clarity and integration of roles and responsibilities with regards to the protection of sensitive statistical information. The objectives of the control framework surrounding work-in-progress are not well understood within Communications Division or CCJS. As a result, the policy framework surrounding WIP could be strengthened to ensure the protection of sensitive statistical information.
Recommendations
The ACS of Social, Health and Labour Statistics, in collaboration with Information Management and Communications Divisions, should ensure that:
- Policy documents and related tools/agreements establish an effective control environment for the protection of confidentiality of sensitive statistical information during the validation of aggregate statistical information with external partners; and
- Accountabilities of external parties are formally acknowledged in agreements, and that terms and conditions related to review privileges are subject to periodic review.
Management Response
Management agrees with the recommendations.
- Policy Committee will mandate a policy champion to review the policy framework as it relates to the control environment for the protection of sensitive statistical information.
Deliverables and Timeline: Mandated Policy Champion, by May 2012. - The Policy Champion will review existing policy documents, procedures, and related tools/agreements for work-in-progress (WIP) review and 24 hour advance access for data tabulations and other output products. This will ensure that they clearly outline the requirements for the protection of sensitive statistical information, including:
- roles and responsibilities within Statistics Canada (SM divisions, Communications, IMD)
- roles and responsibilities of external partners
- terms and conditions, procedures to be followed and appropriate agreements to be signed
- established frequency for review of privileges.
- The Policy Champion will ensure the requirements and processes specific to the Acknowledgements of confidentiality to be signed by external partners who participate in verification of data tabulations are clearly outlined in revised policy documents, procedures, and related tools/agreements.
Deliverables and Timeline: Updated policies, procedures, tools and agreements, by March 2013. - The Director, CCJS will have Acknowledgements of confidentiality signed by all external justice partners who participate in WIP reviews on an ongoing basis under common governance (e.g. members of LOC, POLIS).
Deliverables and Timeline: Signed Acknowledgements of confidentiality provided to Communications for existing agreements, and future agreements as required. This will be completed by September 2012 for existing agreements, and on an ongoing basis for future agreements. - The Director, CCJS will have Acknowledgements of confidentiality signed by all external partners who participate in verification of data tabulations on an ongoing basis (e.g. police service contacts).
Deliverables and Timeline: Signed Acknowledgements of confidentiality provided to Communications, by March 2013. - The Director, CCJS will ensure that processes for signing Acknowledgments of confidentiality for common governance partners and for individual situations not related to common governance are compliant with the requirements.
Deliverables and Timeline: Documentation of CCJS processes for Acknowledgments of confidentiality, by March 2013. - The Director, CCJS will establish regularly scheduled reviews of privileges and resigning of Acknowledgement forms, as per policy directives.
Deliverables and Timeline: Documentation of processes, which includes scheduled reviews and resigning of forms, by March 2013.
Reporting Breaches and Violation of Security
The Policy on Security of Sensitive Statistical Information outlines procedures intended to protect the confidentiality of sensitive statistical information. Section 5 - Breaches and Violations of Security, provides the following two definitions:
- "A breach of security is deemed to have occurred when any sensitive statistical information has been the subject of unauthorized disclosure or unauthorized access. A breach may include unauthorized disclosure, theft or loss or circumstances which make it probable that a breach has taken place. Possible breaches of security, in particular breaches to the confidentiality provisions of the Statistics Act, must be reported immediately to the Director, Data Access and Control Services Division (now IMD), who will undertake to inform the Chief Statistician".
- "A violation of security is any action taken in contravention of any provision of the Government Security Policy, this policy or Statistics Canada's EDP Security Policy (i.e., a policy violation, not a legal one). Violations will be reported to the Director, Data Access and Control Services Division (now IMD), who will take appropriate actions".
Within CCJS, significant reliance is put on long term relationship with justice data providers and partners; low staff turnover within these organizations; trust; and individuals' understanding of the importance of confidentiality. CCJS relies on the "threat" of discontinued review privileges for LOs and POLIS members if a breach were to occur. CCJS feels that this substitutes the need for formal agreements with external partners or for more enhanced monitoring activities. This "threat" could deter stakeholders from being transparent with regards to possible breaches, rather than be forthcoming, due to the possibility of losing review privileges.
Consequently, there are no mechanisms in place to ensure that external partners comply with best practices defined by CCJS, nor to detect and address issues of non-compliance, such as unauthorized dissemination by external partners prior to official release.
Reporting incidents of non-compliance to StatCan policies to a centralized corporate function is necessary to enable the Agency to measure the frequency and impact of incidents which may elevate the risk of a breach, or to determine and implement mitigation actions, where deemed necessary.
Interviews revealed that, on a number of occasions, pre-release data had been transmitted to and from the Agency without following appropriate security procedures, and these incidents went unreported. The common practice within the division for dealing with such incidents is to have survey employees communicate directly with the parties involved. Management from CCJS, IMD and Communications Division have stated that to their knowledge there has never been a reported security incident or breach and review privileges for any justice partner have never been suspended or revoked.
In order to report the occurrence of a security incident or breach, the characteristics of a breach need to be clearly defined and understood by all staff and stakeholders. Where no formal agreements are in place, there is no actual determination of who is authorized to receive information. As a result, the state of occurrence of a breach (i.e. unauthorized access) cannot be established nor identified by the program or external organization. In the absence of formal agreements in place to establish authorized recipients of pre-release information, it is unlikely that the program will be able to identify, report and mitigate the impacts of breaches should they occur.
Recommendations
The ACS of Social, Health and Labour Statistics, in collaboration with Information Management, should ensure that:
- Mechanisms are in place to formally establish who is authorized within external organizations to receive pre-release information, for what purpose and on what conditions, and to clarify what constitutes a breach involving external organizations; and
- Increased awareness is brought for reporting incidents of non-compliance to StatCan policies at a corporate level, in order to monitor the frequency and impact of incidents which may elevate the risk of a breach, and to determine and implement mitigation strategies, where deemed necessary.
Management Response
Management agrees with the recommendations.
- Policy Committee will mandate a policy champion to review the policy framework as it relates to the control environment for the protection of sensitive statistical information.
Deliverables and Timeline: Mandated Policy Champion, by May 2012. - The Policy Champion will review existing policy documents, procedures, and related tools/agreements for work-in-progress (WIP) review and 24 hour advance access for data tabulations and other output products. This will ensure that they clearly outline the requirements for the protection of sensitive statistical information, including:
- roles and responsibilities within Statistics Canada (SM divisions, Communications, IMD)
- roles and responsibilities of external partners
- terms and conditions, procedures to be followed and appropriate agreements to be signed
- established frequency for review of privileges.
- The Policy Champion will ensure the requirements and processes specific to the Acknowledgements of confidentiality to be signed by external partners who participate in verification of data tabulations are clearly outlined in revised policy documents, procedures, and related tools/agreements.
Deliverables and Timeline: Updated policies, procedures, tools and agreements, by March 2013. - The Director, CCJS will review the existing agreements with justice partners, and have them modified and resigned as needed to meet the revised requirements.
Deliverables and Timeline: Revised agreements signed and provided to Communications, by March 2013. - Managers across Statistics Canada will be reminded by the IMD of the requirements for reporting incidents of non-compliance.
Deliverables and Timeline: Corporate level communications on an ongoing basis. - Discussions will be held on the importance of ensuring the confidentiality of sensitive statistical information and of reporting potential breaches in meetings with justice partners on a regular and ongoing basis.
Deliverables and Timeline: Will be included as agenda items on an ongoing basis, and other materials will be prepared in support of discussions.
Risk Management
Ratings provided by CCJS for the risk assessment exercise are not supported by documentation identifying specific risks that may preclude the achievement of protecting the confidentiality of sensitive statistical information for justice surveys, or comprehensive assessment of controls in place to mitigate these risks.
The existence of formal practices and procedures for managing risks related to unauthorized use of, disclosure, loss or theft of data would ensure that management identifies and responds to risks for protecting and safeguarding Statistics Canada confidential information.
This would include the identification of risks; the assessment of controls in place to mitigate risks; the implementation of risk mitigation strategies and action plans to manage outstanding confidentiality risks; and periodic re-assessment of risks for relevancy and assessment of the effectiveness of mitigation strategies.
Divisional Risk Management
CCJS provides input into the corporate risk profile on an annual basis by completing a "Risk Register" form. During this exercise, CCJS provides a self-assessment of the risk levels associated to factors such as access, relevance, quality, and efficiency within the division. In 2011, confidentiality risk was deemed to be very well mitigated by CCJS. However, the risk assessment exercise, in its current format, does not require that assessments be supported by detailed explanations/rational (e.g. identification of risks; controls in place to mitigate risks, etc) for given ratings. Prior to 2010, program risk profiles were prepared as part of 2007-2009 Biennial Program Reports (BPR) and 2001/02 to 2005/06 Quadrennial Program Review (QPR). The division has not yet completed its first Program Performance Report (PPR) for 2010/11. CCJS management stated that they have frequent discussions on risk management; however these discussions have not been documented. A more formal approach to risk management would facilitate periodic re-assessment of risks for relevancy and the assessment of the effectiveness of mitigation strategies.
Threat and Risk Assessment
At the corporate level, an e-FTS Threat and Risk Assessment (TRA) was completed in 2009, which is a TBS requirement, and a StatCan policy requirement. The goal of the TRA was to assess the need for safeguards for the e-FTS beyond the inherent baseline security requirements that was defined for the service by ITSD. There were seven recommendations resulting from the TRA that were designed to mitigate risks related to unauthorized access, disclosure, integrity and availability of the information and damage to the reputation of the agency. At the time of the audit, ITSD was working on an action plan to address the recommendations of the report.
Recommendation
The ACS of Social, Health and Labour Statistics should ensure that:
- The ratings provided by CCJS for the risk assessment exercise are supported by documentation identifying specific risks that may preclude the achievement of protecting the confidentiality of sensitive statistical information for justice surveys, as well as a comprehensive assessment of controls in place to mitigate these risks.
Management Response
Management agrees with the recommendations.
- At a corporate level, the Director, CPED will determine the requirements for documentation to support the program area risk register exercise (which feeds into Statistics Canada's Corporate Risk Profile), and ensure that these requirements are clearly outlined in the risk register instructions, tools and other materials.
Deliverables and Timeline: Documentation for the risk register exercise, as required, by March 2013. - The Director, CCJS will ensure that CCJS is compliant with the corporate level direction for development of documentation to support divisional identification of risks.
Deliverables and Timeline: Documentation of the risk register exercise, by March 2013.
Line of Enquiry No. 2: Selected surveys comply with applicable TBS and Statistics Canada legislation, policies and standards related to confidentiality of sensitive statistical information.
Compliance with Legislation, Policies and Directives
IT systems used to safeguard records and data are in compliance with applicable laws and Treasury Board policies. Access permission controls surrounding sensitive statistical information are in place; however, access privileges need to be updated on a continuous basis in order to maintain effectiveness of these controls.
System access controls, authentication and access procedures should be in place, and be in compliance with Statistics Canada's and other relevant policies, as they relate to the confidentiality of sensitive statistical information. Compliance to these policies helps ensure access to systems, data and programmes is restricted to authorized users and authorized external data partners. Logical access controls should be implemented to ensure access to systems, data and programs, is restricted to authorized individuals.
Physical Storage Within CCJS
Statistics Canada is responsible for safeguarding sensitive statistical information received from external partners. Walkthroughs of employees' desk areas, overhead file cabinets and centralized filing area within CCJS were conducted to verify that only authorized employees working on the UCR and ICCS surveys had physical access to confidential/sensitive information (hardcopy files). It was found that confidential and sensitive statistical information within employees' respective workspaces were stored in locked cabinets and shredded when no longer required.
Information packages containing sensitive statistical information (i.e. "protected" information) for the UCR and ICCS surveys transmitted outside the Agency were also examined. The audit found that not all communication with external partners was clearly identified as needing to be treated in accordance with the requirements for handling "protected" information. Final data sent for validation did not bare the mention of a requirement that recipients keep data secure or confidential as required by the StatCan Security Practices Manual.
Identification and Authentication Safeguards, IT Storage and Transmission
Confidential electronic information and files are stored on designated servers for the division. The audit found that information system controls in place to safeguard records and data are in compliance with applicable laws and TB policies. Walkthroughs with nine divisional staff working with ICCS and UCR data (out of a possible 30 from four sections within CCJS) were carried out to verify compliance to the TBS and StatCan IT security policies. Results of the testing revealed:
- Employees with access to secure information do not have simultaneous access to networks A&B;
- Internally - individuals send Hyperlinks through email, rather than actual data files;
- Login time outs are set at ten minutes on all workstations tested;
- Passwords expire and must be changed every 90 days, as per the StatCan Security Practices Manual - Chapter 5.0;
- C drives of the nine workstations tested did not contain microdata or pre-release information;
- Servers are located in a central secured area (not within the division); and
- Draft documents with pre-release information are stored on network drives.
For external partners, the StatCan Policy Manual states that access must be restricted to designated officials who absolutely require it. Access authentication procedures and mechanisms are in place to ensure safe transmittal of statistical data between CCJS and its external partners. Two systems are used for the transmission of sensitive statistical information.
The electronic File Transfer System (e-FTS) in and out-boxes were fully implemented for the ICCS, and were tested. Access permissions were in accordance to the list of authorized users and double encryption for the out-box was implemented. The e-FTS in-box access permissions were tested for the UCR and only those authorized had access. For POLIS and LOs, an older system called the Extranet is still in use by the UCR to transmit information out for WIP review.
The Extranet system involves a single password approach, which is shared by numerous individuals within the recipient organizations. According to CCJS staff, the system requires significant effort in order to change passwords to reflect the turn-over of external organizations' staff. Thus, CCJS does not maintain a list of individuals authorized to access the system. While this practice does not restrict access to designated officials of external organizations, CCJS staff is mindful of encrypting sensitive statistical information in the pre-release stage when placing it on the site and passwords for encrypted files are sent to authorized recipients only.
Electronic Access of the Data Files
The StatCan Security Practice Manual requires that sensitive statistical information be controlled and protected in such a manner as to limit access to persons who have a need-to-know as part of their duties. Due to the sensitive nature of data provided by justice partners, CCJS endeavours to ensure access to data is strictly limited to employees and stakeholders who require access. Because not all staff should have access to every electronic folder in the division, CCJS processes include internal monitoring of access.
Testing of access permissions confirmed that some CCJS employees had access to electronic folders and files that were no longer required for their current duties. CCJS has not been submitting requests to the informatics divisions to update access permissions granted or revoked on an ongoing basis. The process of updating access and permission profiles within CCJS was underway at the end of the audit fieldwork. Examination of the list of users having active access to various policing and courts survey projects at the time of the audit revealed that only CCJS employees had access to electronic files within the division.
In the case of the Extranet, CCJS has conducted a recent password reset, at the request of certain justice partners. The initial passwords assigned for the Extranet had been in force for eleven years and there was concern over the effectiveness of this control. Regular updating of authentication and access rights would provide additional assurance that the "need-to-know" policy requirement is met.
Effective controls for physical storage of data files within CCJS are in place. Management practices are compliant with the StatCan Policy Manual on identification and authentication safeguards are in place and working as intended. Opportunities exist to strengthen electronic access controls to employees on a "need-to-know" basis.
Recommendation
The ACS of Social, Health and Labour Statistics should ensure that the following is implemented:
- Access privileges to justice statistics data files in the shared directory and Extranet site are kept up to date and granted to authorized CCJS employees and individuals from external organizations on a "need-to-know" basis.
Management Response:
Management agrees with the recommendations.
- The Director, CCJS will ensure that access privileges to files in the CCJS shared directory for Statistics Canada employees (e.g., CCJS, Methodology, IT staff) are reviewed on a regular basis, and are determined on a "need-to-know" basis, as per the corporate best practices.
Deliverables and Timeline: Plan for review of access privileges for CCJS shared director, on an ongoing basis. - The Director, CCJS will work towards completing the removal of all sensitive statistical information from the Extranet. In the interim, ensure that access privileges to the sensitive statistical information on the Extranet are reviewed on a regular basis, and are determined on a "need-to-know" basis.
Deliverables and Timeline: Interim measures to address existing sensitive statistical information on the Extranet and a plan for the elimination of all sensitive statistical information from the Extranet, by May 2012.
Appendices
Lines of Enquiry/ Core Controls |
Criteria |
---|---|
Justice Statistics Surveys have an adequate and effective policy framework in place to ensure that the confidentiality of sensitive statistical information is protected. | |
Governance |
|
Risk Management |
|
Public Service Values |
|
Accountability |
|
Selected surveys comply with applicable TBS and Statistics Canada legislation, policies and standards related to confidentiality of sensitive statistical information. | |
Stewardship |
|
Appendix B: Confidentiality Agreements & Forms
Various types of agreements and forms are in place to assist in the survey process, including the following for the UCR survey and ICCS:
- Waiver forms
- Disclosure Order Process
- Common Governance Form
- Work-in-progress (WIP) Agreements and Forms
- End-Use Licensing Agreement
- Data Quality and Sign-off and Data Transmittal Agreement.
Appendix C: Applicable Legislation, Policies and Directives
The following sections of the Manual speak to the notion of confidentiality of sensitive statistical information at StatCan:
- Section 1.1 - Policy on Informing Survey Respondents
- Section 2.3 - Policy on Informing Users of Data Quality and Methodology
- Section 2.5 - Policy on the Review of Information Products (Institutional and Peer Review)
- Section 3.2 - Policy on Official Release in The Daily (Common Governance, WIP and advance access to The Daily agreements)
- Section 4.3 - Discretionary Release Policy
- Section 4.5 - IT Security Policy
- Section 4.7 - Security of Sensitive Statistical Information
- Section 4.8 - Client Information Directive
Selected components of the following policies, guidelines and sections of the Act were assessed for compliance:
- Statistics Canada Act
- StatCan Security Practices Manual
- StatCan Policy Manual
- CCJS Best Practices document titled 'Protecting Pre-release Information
- e-FTS Threat and Risk Assessment (TRA)
- e-FTS External User Guide- v2.3
- e-FTS Internal User Guide- v3.0
- TBS Government Security Policy (GSP)
- TBS Operational Security Standard: Management of Information Technology Security (MITS)