Audit Report
November 13, 2012
Project Number: 80590-72
- Executive Summary
- Introduction
- Background
- Audit Objectives
- Scope
- Approach and Methodology
- Authority
- Findings, Recommendations and Management Responses
- Information Technology Security
- Physical Security
- Administration of Microdata Research Contracts and Confidentiality Vetting
- Appendices
- Appendix A: Audit Criteria
- Appendix B: Acronyms
Executive summary
The University of Alberta Research Data Centre (RDC) is one of twenty-four RDCs located in university campuses across Canada. These RDCs were established through the efforts of Statistics Canada, Social Sciences and Humanities Research Council, Canadian Institutes of Health Research and university consortia, to strengthen Canada's social research capacity, and support the policy research community. The University of Alberta RDC facility was part of the group of 9 RDCs to open its doors in 2001 and is located on the third floor in the Rutherford Library at the University of Alberta. In 2011, the University of Alberta RDC experienced a growth of almost 44% in the number of contracts at the facility. In an average month in 2011, approximately 59 researchers had access to data at the University of Alberta RDC.
RDCs are staffed by Statistics Canada employees, and are operated under the provisions of the Statistics Act. As such, RDCs must have security measures in place to safeguard the confidentiality of data to the same degree as in Statistics Canada's offices.
The objective of this audit was to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the RDC at the University of Alberta:
- Complies with applicable Treasury Board Secretariat (TBS) and Statistics Canada policies and standards regarding Information Technology (IT) and Physical Security, to ensure that confidentiality of data is protected in the delivery of services.
- Has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
The audit was conducted by Internal Audit Services in accordance with the Government of Canada's Policy on Internal Audit.
Key findings
The University of Alberta Research Data Centre has effective IT and physical security measures to ensure access, identification and protection of the confidentiality of sensitive statistical information. Access to the University of Alberta RDC is restricted to authorized personnel, including: deemed employees, researchers with valid Microdata Research Contracts (MRCs), and University of Alberta IT support staff.
The audit revealed that there are opportunities to strengthen the IT control environment by ensuring that the login timeout feature on researcher workstations is functional in order to maintain the effectiveness of this control.
The audit noted that procedural documents related to the use of personal electronic devices within the RDCs were not consistent. Multiple directives highlighted a range of procedures, from access to complete prohibition. RDC staff are left to decide which control is applicable.
Roles, responsibilities, and accountabilities are defined and communicated in the following areas: administration of Microdata Research Contracts, confidentiality vetting, as well as physical security and IT security within the RDC facility.
Authority is formally delegated at the program and operations level. Processes and procedures for confidentiality vetting are in place and requests for vetting are carefully administered and effectively screened by the RDC analyst to ensure that confidentiality of data is not compromised. Applicable physical security measures and IT access, identification and authentication safeguard measures are in place and adhered to for safeguarding and protecting Statistics Canada confidential data.
Overall conclusion
Physical security measures and IT access, identification and authentication safeguard measures are compliant with applicable TBS and Statistics Canada policies and standards. The administration of Microdata Research Contracts is appropriately managed and the research proposal process is effective. The processes and procedures for confidentiality vetting of output in place are adequate and effective to ensure the confidentiality of sensitive statistical information.
The audit results highlighted opportunities for improving the practices and mechanisms that are in place to ensure that confidentiality of data is protected in the delivery of services. Areas to be strengthened are: 1) ensuring that the login timeout feature on inactive workstations is functional; and, 2) ensuring consistency in the procedures and practices related to personal electronic devices usage in RDCs.
Conformance with professional standards
The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
Decision-makers need an up-to-date and in-depth understanding of Canadian society to help them respond not only to today's needs, but to anticipate tomorrow's as well. This need is underlined by a growing demand for analytical output from the rich sources of data collected by Statistics Canada.
In 1998, the Canadian Initiative on Social Statistics studied the challenges facing the research community in Canada. One of the recommendations of the national task force report on the Advancement of Research using Social Statistics, was the creation of research facilities to give academic researchers improved access to Statistics Canada's microdata files.
The Research Data Centres (RDCs) are part of an initiative by Statistics Canada, the Social Sciences and Humanities Research Council (SSHRC), Canadian Institutes of Health Research (CIHR) and university consortia, aimed at strengthening Canada's social research capacity and supporting the policy research community. SSHRC is the federal agency that promotes and supports university-based research and training in the social sciences and humanities. CIHR is the major federal agency responsible for funding health research in Canada.
Twenty-four RDCs are located in secure settings on Canadian university campuses. These RDCs provide researchers with access to microdata from population and household surveys without requiring researchers to travel to Ottawa to access Statistics Canada microdata. A Federal Research Data Centre (FRDC) located in Ottawa provides microdata access to researchers from federal policy departments.
The RDCs provide opportunities to generate a wide perspective on Canada's social landscape; provide social science research facilities across the country in both larger and smaller population centres; train a new generation of Canadian quantitative social scientists; and expand the collaboration between Statistics Canada, and the stakeholders - SSHRC, the Canadian Research Data Centre Network (CRDCN), CIHR and academic researchers.
The RDCs are staffed by Statistics Canada employees and are operated under the provisions of the Statistics Act, including the requirement to operate in accordance with Statistics Canada's confidentiality rules and accessibility restrictions (i.e. facilities are accessible only to researchers with approved projects who have been sworn in under the Statistics Act as deemed employees).
There is a growing demand from academic and government researchers outside Statistics Canada for access to microdata. Microdata Access Division (MAD) provides restricted access to confidential microdata through RDCs at universities across the country and the federal RDC in Ottawa. MAD is responsible for ensuring the confidentiality of information provided by Canadians.
The Statistics Canada Risk-Based Audit Plan requires Internal Audit Services to complete an audit of one RDC per year. In 2010, an audit was undertaken to look at the overarching governance of all RDCs, which included site visits to 5 RDC locations. In 2011, the Prairie Research Data Centre (University of Calgary and University of Lethbridge) was audited. The University of Alberta RDC is the second audit that has focused on a specific RDC. This audit will add value by ensuring that confidentiality measures are followed and effective.
Audit objectives
The objectives of this audit are to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the RDC at the University of Alberta:
- Complies with applicable Treasury Board Secretariat (TBS) and Statistics Canada (StatCan) policies and standards regarding Information Technology (IT) and Physical Security, to ensure that confidentiality of data is protected in the delivery of services.
- Has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
Scope
The scope of this audit included a detailed examination of the systems and practices of the University of Alberta RDC for the protection of data, use of technology, and physical security.
The audit focused on disclosure risk analysis and vetting of data output by the on-site Statistics Canada employees; deemed employee status and security clearance requirements for access to microdata; research proposal process for RDC; microdata research contract administration; physical security of the RDC site in compliance with applicable TBS and Statistics Canada policies and standards and IT protection in compliance with applicable TBS and Statistics Canada policies and standards.
Approach and methodology
The field work was performed in two stages beginning with interviews and review and assessment of the processes and procedures to ensure physical security, use of technology and the protection of data. The second stage consisted of a site visit to the University of Alberta RDC to test controls for safeguarding microdata files including logical access and computer security controls, and to perform compliance testing of the centres to assess the physical security measures in place. The administration of MRCs and confidentiality vetting were also tested to ensure appropriate controls were in place.
This audit was conducted in accordance with the Standards for the Professional Practice of Internal Auditing as per The Institute of Internal Auditors (IIA), and the TBS Policy on Internal Audit.
Authority
The audit was conducted under the authority of Statistics Canada Integrated Risk-Based Audit and Evaluation Plan 2012/13-2014/15 recommended by the Departmental Audit Committee, April 2012 and subsequently approved by the Chief Statistician.
Findings, recommendations and management responses
Line of Enquiry No. 1: The University of Alberta RDC complies with applicable TBS and Statistics Canada policies and standards regarding Information Technology Security and Physical Security to ensure that confidentiality of data is protected in the delivery of services.
Information technology security
Roles and responsibilities at both the program and regional level are defined and communicated.
Tests for access, identification and authentication safeguard measures were in place and effective.
Assessment of the system and communications protection safeguards revealed that opportunities exist to strengthen the computing environment by ensuring that the automatic login timeout feature is functional on researcher workstations in all RDCs.
Information technology security in RDCs should be compliant with applicable TBS policies, such as the Operational Security Standards: Management of IT Security and Statistics Canada's Security Practices Manual. Roles, responsibilities, and accountabilities should be clearly defined and communicated. In the context of the RDCs, IT security should include:
- System and communications protection: security controls that support the protection of the information system itself as well as communications with and within the information system;
- Access control: security controls that support the ability to permit or deny user access to resources within an information system; and
- Identification and authentication: security controls that support the unique identification of users and the authentication of these users when attempting to access the information system.
Roles and responsibilities
The audit found that at the program level, functional authority is formally delegated to the Manager/Director of the RDC Program, and at the regional level the RDC analyst. The University of Alberta RDC analyst reports to the RDC regional manager who is located in Winnipeg. The statistical assistant at the University of Alberta facility reports to the full-time RDC analyst.
Departmental Security and Information Technology Services at Statistics Canada head office provide guidance and directives on IT and physical security requirements. They perform the physical and IT security inspections of the RDC sites and provide recommendations to the Director/Manager of the RDC program. The first IT and physical security inspection of the University of Alberta RDC took place just prior to the facility opening in 2001. A second inspection was conducted in February, 2011. Periodic inspections have been scheduled for each RDC every 4 years.
System and communications protection safeguards
The computing environment at the University of Alberta RDC has recently been updated and the new server uses a Mac operating system. It is located in a secured closet within the RDC. The server is a stand-alone setup with open directories, using industry-standard Access Control Lists (ACLs) to grant permissions. Apart from the wide-area network (WAN), the server has no external connection. As a result, remote access to the server from outside the RDC is not possible. Data on the server is also written to a Redundant Array of Independent Disks (RAID), a data storage method whereby data is broken down into blocks and stored on multiple hard drives. RAID provides an enhanced level of security; should one or more of the server's hard drives be stolen, it would be impossible to replicate the data.
There are eight stand-alone workstations available for use by the researchers. These are not connected to the internet (internet access is available only to RDC employees in the RDC analyst office), and do not have an operating system or programs installed locally. The workstations are part of a thick-client system that has been virtualized: upon start-up, the Basic Input/Output System (BIOS) sends a query directly to the server to retrieve a boot image from it.
The audit examined workstation configurations, and found the USB ports have been disabled and Ethernet ports are configured to workstation serial numbers. As a result, should another device be plugged into an Ethernet port, the port automatically deactivates and must be manually reset. Researcher workstations are not configured to print and the audit determined that researchers would not be able to change the printer configuration as it is locked.
Login timeouts were found to be set to 10 minutes. However, the audit found that the lockout function was not operational: after 10 minutes a screensaver came on but did not lock out the user. As a result, reactivation did not require a password, increasing the risk of unauthorized access to Statistics Canada confidential microdata on unattended workstations.
Access, identification and authentication safeguards
Procedures specify that user accounts should be created only when a contract is approved and becomes active; access should be removed if the account is not active and password configuration should meet Statistics Canada standards. Creation of user accounts and the granting of access to microdata files were substantiated by approved active contracts in all sampled contracts.
Administrative privileges rest with the RDC analyst and the IT support staff assigned to the RDC. Upon requisition by the RDC analyst, IT support creates userIDs, accounts and permissions to data sets. Tests are completed by the RDC analyst and IT support to ensure that researchers can access only the data sets specified in their MRC. Researchers are not able to view data that is not associated with their MRC, and cannot move files between projects. Password configuration within the University of Alberta RDC complies with Statistics Canada standards.
The audit tested access control in three ways, by examining
- UserIDs
- Active Control Listing by survey
- Active Control Listing by project numbers.
There were seventy-four active userIDs at the University of Alberta RDC, seven were for administrative purposes and the remaining sixty-seven were validated to ensure userIDs were only associated with active contracts. The audit team found that when researchers were associated with more than one research project, a separate userID had been created corresponding to each project.
A sub-sample of twenty-nine researcher names was chosen from the seventy-one researcher names found in the twenty-six contracts sampled, to ensure that only researchers with active contracts had a valid userID and could access only the data noted in the MRC. The audit found nine active userIDs associated with the twenty-six contracts (eight were associated with the data sets listed in active MRCs, and one account had been set up but was not yet associated with any data set pending the final signed contract). Another seven researchers from the sub-sample had active contracts where the principal researcher was from the University of Alberta, but because they worked out of other RDCs they did not have a userID at the University of Alberta facility. The remaining thirteen names were associated with completed contracts and did not have active userIDs.
Active Control Listings by survey name were examined to ensure that only researchers with MRCs associated with the surveys were validated. Two surveys were chosen to validate. The Active Control Listings for these surveys indicated that access was restricted to userIDs associated with authorized researchers only.
A final validation of the Active Control Listing by project number was conducted to determine if project numbers had been set up to access only data associated with the project. The audit examined two separate project numbers and the userIDs associated with the projects. The audit confirmed that users would not be able to access data not associated with their project.
The audit determined that applicable IT security measures are in place and adhered to for safeguarding and protecting Statistics Canada confidential data. IT access, identification and authentication safeguard measures are in place at the RDCs and are working as intended.
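The three-way reconciliation described above (userIDs against active contracts, the Active Control Listing by survey, and the Active Control Listing by project) is the kind of access review that can be scripted so it runs every semester rather than only at audit time. The following is an added example and not code from the audit or from Statistics Canada; the contract register, userID inventory, listings, project numbers and survey codes are all constructed for illustration, and the one-userID-per-researcher-per-project convention mirrors what the audit observed.

```python
"""Access-review reconciliation for an RDC-style environment (added example).

Cross-checks three artefacts against the register of Microdata Research
Contracts (MRCs): the userID inventory, the Active Control Listing by
survey, and the Active Control Listing by project. Every record below is
constructed; project numbers and survey codes are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    project: str
    status: str                 # "active" or "completed"
    researchers: frozenset      # researchers named on the MRC
    datasets: frozenset         # surveys the MRC approves access to


# Constructed contract register.
CONTRACTS = [
    Contract("P-1001", "active", frozenset({"alice", "bob"}), frozenset({"SURVEY-A"})),
    Contract("P-1002", "active", frozenset({"alice"}), frozenset({"SURVEY-B"})),
    Contract("P-0999", "completed", frozenset({"carol"}), frozenset({"SURVEY-A"})),
]

# Constructed userID inventory: userID -> (researcher, project, is_admin).
# One userID per researcher per project; admin accounts carry no project.
USERIDS = {
    "alice_p1001": ("alice", "bob" and "alice", False),
    "bob_p1001": ("bob", "P-1001", False),
    "alice_p1002": ("alice", "P-1002", False),
    "carol_p0999": ("carol", "P-0999", False),  # stale: contract completed
    "rdc_admin": (None, None, True),
}
USERIDS["alice_p1001"] = ("alice", "P-1001", False)

# Constructed Active Control Listing by survey: userIDs permitted to read each survey.
ACL_BY_SURVEY = {
    "SURVEY-A": {"alice_p1001", "bob_p1001", "carol_p0999"},
    "SURVEY-B": {"alice_p1002", "bob_p1001"},  # bob's MRC does not cover SURVEY-B
}

# Constructed Active Control Listing by project: surveys each project share exposes.
ACL_BY_PROJECT = {
    "P-1001": {"SURVEY-A"},
    "P-1002": {"SURVEY-B", "SURVEY-A"},  # SURVEY-A is outside P-1002's approved scope
}


def active_contracts(contracts):
    """Index active contracts by project number."""
    return {c.project: c for c in contracts if c.status == "active"}


def stale_userids(userids, contracts):
    """Non-admin userIDs whose project has no active contract, or whose
    researcher is not named on that contract (test 1: userIDs)."""
    active = active_contracts(contracts)
    stale = []
    for uid, (researcher, project, is_admin) in sorted(userids.items()):
        if is_admin:
            continue
        contract = active.get(project)
        if contract is None or researcher not in contract.researchers:
            stale.append(uid)
    return stale


def survey_access_violations(acl_by_survey, userids, contracts):
    """(survey, userID) grants where the userID's project has no active MRC
    approving that survey (test 2: Active Control Listing by survey)."""
    active = active_contracts(contracts)
    violations = []
    for survey, uids in sorted(acl_by_survey.items()):
        for uid in sorted(uids):
            _, project, is_admin = userids.get(uid, (None, None, False))
            if is_admin:
                continue
            contract = active.get(project)
            if contract is None or survey not in contract.datasets:
                violations.append((survey, uid))
    return violations


def project_scope_violations(acl_by_project, contracts):
    """(project, survey) grants not approved in the project's active MRC
    (test 3: Active Control Listing by project)."""
    active = active_contracts(contracts)
    violations = []
    for project, surveys in sorted(acl_by_project.items()):
        approved = active[project].datasets if project in active else frozenset()
        violations.extend((project, s) for s in sorted(surveys - approved))
    return violations


def run_review(userids=USERIDS, acl_by_survey=ACL_BY_SURVEY,
               acl_by_project=ACL_BY_PROJECT, contracts=CONTRACTS):
    """Run all three checks and return the findings in one report."""
    return {
        "stale_userids": stale_userids(userids, contracts),
        "survey_access_violations": survey_access_violations(acl_by_survey, userids, contracts),
        "project_scope_violations": project_scope_violations(acl_by_project, contracts),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings or 'none'}")
```

On the constructed data the review flags `carol_p0999` as a userID left behind by a completed contract, a SURVEY-B grant to `bob_p1001` that no active MRC supports, and a SURVEY-A grant to project P-1002 outside its approved scope. Each finding points at the listing it came from, so the RDC analyst can trace it back to the MRC record and the IT support request that created the grant.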
Recommendations:
It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:
- The login timeout of researcher workstations in all RDCs is functional to ensure the security of sensitive statistical information.
Management response:
Management agrees with the recommendations.
- The Director, MAD will ensure that workstations are reconfigured so the login timeout is functional.
Deliverables and Timeline: Validation that workstations have functional login timeouts. This has been completed.
- The Director, MAD will ensure that the IT checklist included in the IT Security Verification document, which provides relevant information on what and how to verify security settings on the domain, servers and workstations, is updated to include verifying that workstation login timeouts are functional.
Deliverables and Timeline: The IT checklist is updated to include verification of the functionality of workstation login timeouts. This has been completed. Administration of the checklist will take place once per academic semester.
- The Director, MAD will ensure that RDCs that have been migrated to the single master domain will have an automatic login timeout of 10 minutes applied through a Group Policy Object at the domain level.
Deliverables and Timeline: Centralized management of login timeout will be completed by March 2014.
Physical security
Roles and responsibilities at both the program and regional level are defined and communicated.
Physical security measures comply with applicable TBS and Statistics Canada policies and standards to ensure the safeguarding and protection of confidential data.
Assessment of the practices and procedures related to the use of personal electronic devices in the RDC by researchers revealed that opportunities exist to strengthen the physical environment by ensuring documented procedures for the use of cell phones in RDCs are clear and consistent.
Physical security in RDCs should be compliant with applicable TBS policies, such as the Government Policy on Security (GPS) and Statistics Canada's Security Practices Manual. Roles, responsibilities, and accountabilities should be clearly defined and communicated. In the context of RDCs, physical security should include controls such as: physical access, intrusion detection and monitoring activities.
Roles and responsibilities
The audit found that at the program level functional authority is formally delegated to the Manager/Director of the RDC Program, and at the regional level the RDC analyst. The University of Alberta RDC analyst reports to the RDC regional manager who is located in Winnipeg. The statistical assistant at the University of Alberta facility reports to the full-time RDC analyst. Departmental Security at Statistics Canada head office provides guidance and directives on physical security requirements. They perform the physical inspections of the RDC sites and provide recommendations to the Director/Manager of the RDC program. The first physical security inspection of the University of Alberta RDC took place just prior to the facility opening in 2001. A second inspection was conducted in February, 2011. Periodic inspections have been scheduled for each RDC every 4 years.
Perimeter security controls
The University of Alberta RDC is located on the third floor of the Rutherford Library at the University of Alberta. The audit noted that the facility is in compliance with TBS and Statistics Canada's requirements for perimeter security for 'shared floor occupancy' i.e. wall separation and construction; and solid-core wood doors with heavy-duty hardware and accessories.
Entry security controls
Physical access in and out of the University of Alberta RDC is through a single entry point to allow for effective screening and monitoring by the RDC staff. Each single entry door is equipped with an electronic intrusion alarm and deadbolt lock for which only the RDC staff and campus security have the key. This is in compliance with TBS and Statistics Canada requirements.
Access security controls
To comply with TBS and Statistics Canada requirements, the RDC has in place an electronic swipe card access system consisting of an ID card which contains electronic information identifying the cardholder to control access to the facility. The system registers all entries, exits and failed attempts for the RDC and records the card number which is linked to the user. RDC staff can view and print out a record of all access, which notes the card number, the time, and the outcome if required. Unauthorised visitors are not allowed past the single entry door of the RDC facilities. The audit tested the system and examined the access registry for 4 separate days between May and July 2012, and found evidence that all entrants and exits and failed attempts were logged to specific access cards.
Telecommunications wiring and restricted-access area controls
The audit noted that IT-related wiring is channelled through the walls and ceiling of the RDC in secure conduits. There is a secure server room, which is kept locked. The facility has locked storage cabinets for storing archived CDs and researchers' files to protect confidential, classified, and protected information. Network B access is available only in the RDC analyst office. There is a separate conference room within the facility for researchers and RDC staff to use. The printer and fax/photocopier are housed within the facility, in a separate room with a closed door. The fax and scanning functions are further restricted, as they require a password that only the RDC analyst and statistical assistant have.
Intrusion detection and monitoring activity controls
Campus security provides 24/7 monitoring of the RDC facilities. They have an access card and the security code to the alarm system. A motion sensor system is also in place to enhance security; it is activated between the hours of 6:00 pm and 7:00 am. Should the alarm or motion sensor system be triggered, campus security would be notified as first response. The RDC analyst and the Academic Director would subsequently be notified.
RDCs cannot be left unattended; if the RDC analyst or the statistical assistant is required to leave the RDC for a period of time during regular hours, researchers are required to leave the RDC, the door is then locked and a sign is placed on the door.
Based on the physical inspection of the University of Alberta RDC, the audit determined that applicable physical security measures are in place and adhered to for safeguarding and protecting Statistics Canada confidential data and access to the RDC facility is restricted to authorized personnel, i.e. deemed employees, such as researchers and university IT support staff.
Cleaning and maintenance service activities controls
In compliance with TBS and Statistics Canada requirements, the audit confirmed with RDC staff that maintenance and cleaning personnel do not have access cards to the RDC. Cleaning personnel can only access the RDC facility during regular working hours and are escorted by RDC staff.
Use of electronic devices in the RDCs
The audit noted that RDC-authored documentation related to the use of personal computing devices (such as cell phones, PDAs and laptops) within the RDC is inconsistent. The document entitled Security in the RDC notes that "researchers will not be allowed to bring any personal computing devices into the centre." The internal document entitled Description of security measures to protect data notes that "researchers are prohibited from having any electronic devices in the vicinity of their workstation." Finally, the Researcher Guide, which is distributed to all researchers with a signed MRC, states that "researchers may carry electronic devices with them in the RDC, however, researchers are not to operate any text editing or messaging or image/text capture devices at the workstation or inside the RDC secure area. A cell phone should not be operated in the RDC... In case of emergencies, researchers may leave their cell phones on while in the centre. To answer a call, the researcher must do so away from the workstation and conduct the conversation outside of the RDC secure area."
The procedural guidelines for the use of electronic devices in the RDCs by researchers would benefit from consistency and clarity regarding the handling of cell phones and other electronic devices within the RDC facility. Confusion about the correct handling of personal electronic devices may increase the risk to the confidentiality of information held in the RDC.
Recommendations:
It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:
- Policies and directives related to the usage of cell phones and other electronic devices in the RDC are consistent, and clearly outline the approved practice.
Management response:
Management agrees with the recommendations.
- The Director, MAD will ensure that older RDC documentation has been updated to ensure that these documents are consistent with the Researcher Guide with respect to cell phone usage in the RDCs.
Deliverables and Timeline: Older documentation is updated to reflect the cell phone practices set out in the Researcher Guide. This has been completed.
- The Director, MAD will ensure that Regional Managers remind RDC Analysts of the correct procedures for proper cell phone and electronic device usage during their regional calls.
Deliverables and Timeline: Regional Managers will communicate correct cell phone and electronic device procedures to all RDC analysts. Communication will take place with all RDC Analysts by November 30, 2012.
Line of Enquiry No. 2: The University of Alberta RDC has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
Administration of Microdata Research Contracts and confidentiality vetting
The authority for the administration of the MRCs and the confidentiality risk analysis is formally delegated at the program and operational level. Roles and responsibilities have been formally defined and communicated.
Survey-specific processes, procedures and activities related to the confidentiality vetting of researcher output are effective and ensure that the confidentiality of the data is maintained.
Administration of Microdata Research Contracts (MRCs)
Administration of MRCs is a combination of assigned responsibilities and procedures to control and protect information held in RDCs. Practices include restricting access to the facility to only those researchers with valid security clearances and current contracts, and the establishment and maintenance of an inventory of administrative information related to each research project.
Authority
The University of Alberta RDC operates under the provisions of the Statistics Act in accordance with all the confidentiality rules and requirements that govern Statistics Canada. The RDC is accessible only to researchers with approved projects who have been sworn in under the Statistics Act as deemed employees.
Roles and responsibilities
The roles and responsibilities for the management of the MRCs, access to confidential microdata and confidentiality vetting are defined and communicated to stakeholders in policies, guidelines, standards and detailed guides. At the program level, authority is formally delegated to the RDC Manager in Statistics Canada's Security Practices Manual, which states that the RDC manager "is responsible for establishing and maintaining an inventory of administrative information on research projects involving deemed employees for Headquarters, the regional offices and the research data centres. Information includes research proposals and other information throughout the life-cycle of the project and certification that required procedures have been followed."
All RDC contract information has migrated to the Client Relationship Management System (CRMS). This database is used to manage information about MRC contracts and individuals who are authorized to have access to microdata in the RDCs and headquarters. Information includes contract status, approval dates, names of researchers, reviewers and review outcomes, contract end dates and data approved for access.
Additionally, the Policy on the Security of Sensitive Statistical Information assigns to Directors, "the responsibility for controlling and protecting all sensitive statistical information obtained or held by their respective areas in the pursuit of their program objectives. When access to sensitive statistical information is provided in a Research Data Centre or equivalent, the Manager, Research Data Centre Program, assumes these responsibilities."
Contract processing procedures
RDCs are operated under the provisions of the Statistics Act in accordance with confidentiality rules. This mode of access is appropriate when a research question can only be answered using inferential statistical analysis on the confidential microdata. The researcher must also be willing and able to become a deemed employee of Statistics Canada and conduct the data analysis in the RDC secured computer lab. RDC access is appropriate when:
- access to sensitive variables not provided in the Public Use Microdata File (PUMF) is required for the analysis; or
- a PUMF does not exist; or
- longitudinal data are required for the analysis; or
- the analytical work is complex in nature and not suitable for other forms of data access.
If an RDC is determined to be the appropriate mode of data access, the researcher must prepare a proposal requesting data access. The proposal defines the scope of the work proposed by the researcher and the data sets to be used in his/her analysis. When preparing the proposal, researchers are asked to define the research question(s) and objective(s), as well as statistical methods and software requirements.
Prospective researchers submit proposals that must be approved by one of two peer review procedures: the Social Sciences and Humanities Research Council (SSHRC); or, for policy-related work, the "Provincial and Territorial Statistical Focal Points" of the province within each ministry of the federal-provincial-territorial governments. A Statistics Canada institutional review accompanies each of these application types.
After the review process, for a SSHRC peer review project, the Principal Investigator receives a letter from SSHRC notifying the researcher of the status of the proposal, and providing a copy of the reviewers' comments.
If the proposal is approved, the letter from SSHRC asks the Principal Investigator to contact the RDC analyst to begin the administrative process to gain access to an RDC. Researchers have 12 months from the date of the letter to start the project, after which the approval of the proposal expires and the researcher will need to re-apply to SSHRC. The approved proposal is part of the MRC (or contract) between the Principal Investigator and Statistics Canada.
While the proposal defines the scope of the research to be done under the contract, the contract specifies the following terms of access:
- Purpose and scope of the research project as outlined in the approved research proposal
- Agreement by Statistics Canada to provide access to confidential microdata
- Agreement of the researchers to abide by the RDC security and confidentiality requirements
- Agreement that the work done in the RDC by the researchers and the results produced will correspond to the objectives identified in the research proposal
- Agreement on the length of the contract
- Agreement of the Principal Investigator to provide a final product to Statistics Canada at the end of the contract.
Prior to obtaining Statistics Canada's signature on the MRC, researchers wishing to access the RDC are required to become 'deemed employees' and undergo a reliability security screening pursuant to sub-sections 5(2) and 5(3) of the Statistics Act, and take an oath or affirmation of office and secrecy, pursuant to sub-section 6(1) of the Statistics Act. They must also sign Statistics Canada's Values and Ethics Code for the Public Service. These actions are completed prior to the MRC being signed by Statistics Canada. Once a researcher has successfully completed these requirements and attended an orientation session, they are officially a "deemed employee" of Statistics Canada. RDC researchers and other deemed employees must reaffirm their oath of secrecy under two conditions: 1) when a researcher wishes to regain data access after there has been no active contract for one year or more; or 2) when the current security clearance expires.
The Microdata Research Contract is also signed by Statistics Canada, either by the Manager of the RDC Program or the Director of the survey division. Upon receipt of this signature, a researcher can then be given access to confidential microdata and commence data analysis in the RDC.
The audit tested compliance with the contract processing procedures by reviewing a sample of twenty completed and in-progress contracts, as well as six proposals that were in progress, approved but awaiting a final contract, or withdrawn, for the University of Alberta RDC. The audit noted that for all the in-progress and completed contracts sampled, records of the project proposal with a listing of the data sets, and signed copies of the MRC and its respective amendments and revision(s), were on file and complete. For proposals awaiting contracts or proposals withdrawn, evidence was found of proposal review and approval. The audit also found evidence of cases in which proposals were approved but final outputs were rejected or had to be amended, indicating that the confidentiality risk assessment continues throughout the life of the contract.
The audit tested that all required documentation was in place, valid and signed for the seventy-one researchers that fell under the twenty-six MRCs selected. The audit found evidence that all researchers had signed oaths and values and ethics forms and held valid security screenings.
Confidentiality vetting
RDCs are repositories of Statistics Canada microdata files that are accessible to researchers with approved projects. Effective and appropriate processes and procedures for confidentiality vetting should be in place and adhered to in order to significantly reduce the risk of unwanted disclosure. Confidentiality vetting should be carefully administered by the RDC analyst, as per the established protocols, to ensure that confidentiality of data is not compromised.
Confidentiality vetting is the process of screening research outputs, syntax or any confidential data-related material to assess the risk of a prohibited disclosure. This is done by analysing whether individual cases can be identified directly from the statistical output, or whether information about individual cases can be inferred or deduced from it. There are three types of disclosure: identity disclosure, attribute disclosure, and residual disclosure.
Roles and responsibilities
The audit revealed that the full-time RDC analyst at the University of Alberta performs confidentiality vetting for the RDC. She has been at the RDC since its opening in 2001 and has knowledge and experience of statistical sampling techniques and software. Documentation notes that the RDC Analyst's primary responsibility in confidentiality vetting is to ensure confidentiality is not breached when allowing research outputs to leave the RDC. The Analyst reviews all the materials that the researcher would like to remove from the RDC, and the final responsibility and decision to release the output rests with the Analyst.
Confidentiality vetting is conducted using the survey-specific guidelines for all surveys housed in the RDCs. Questions or concerns with regards to the vetting process or related to unfamiliar statistical techniques are addressed with the RDC regional manager or with the RDC Vetting Committee.
Researchers receive training during their orientation session on the confidentiality vetting process, the required documentation (including the various analytical methods) and the completion of the disclosure request form for every output request.
Processes and procedures
A comprehensive draft document, the Disclosure Risk Analysis Guide for RDC Analysts, provides detailed step-by-step instructions with illustrations and flow-charts on how to conduct confidentiality vetting. It also includes guidelines on disclosure risk analysis for various data types (descriptive or tabular output, variance-covariance and correlation matrices, graphs and models) and an example of a 'disclosure request form'.
An important part of the process is for researchers to complete the "Vetting Request Form" (formerly known as the Disclosure Request Form), which provides the information the Analyst needs to conduct and document the vetting request. Information required from the researcher includes the name of the output file, the name of the survey and cycles used in the analysis, the characteristics of the population being analyzed, the statistical procedure, the weights used and, where applicable, what is needed to verify the extent of residual disclosure risk. Researchers must also provide a description of the variables on the request form or in a separate document, and are asked to produce the same outputs both weighted (by applying the survey weights) and un-weighted (outputs from the raw data) as supporting documentation for confidentiality vetting. Analysts rely on the un-weighted outputs to confirm that the results meet the thresholds for the minimum number of respondents necessary to produce releasable estimates. After the vetting is completed, only the weighted outputs are released from the RDC to the researcher.
Confidentiality vetting guidelines and processes are found in the Researcher Guide. Printing is directed to the network printer which is controlled by the RDC analyst. Coloured paper is used for printing and anything on coloured paper cannot be taken out of the facility. This control enables RDC staff to visually detect what is being removed from the RDC.
The audit tested sixteen active and completed contracts to ensure that processes and procedures for confidentiality vetting are in place and effective. In three of the contracts sampled, no data had been sent for vetting. For the thirteen contracts that required vetting of output, appropriate documentation was found in place: a confidentiality vetting request, a list of variables, weighted and unweighted outputs, previously vetted data and, in some cases, syntax. The audit found that the associated vetted folders contained evidence that confidentiality vetting was completed for all thirteen contracts, including checks of minimum cell counts, removal of unweighted output and suppression of weighted output in cases where confidentiality was at risk.
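The minimum-cell-count check and suppression step described above, as an added example that is not part of the audit report or of any Statistics Canada tooling: it assumes a two-way table keyed by (row, column) with an (unweighted count, weighted estimate) pair per cell, an illustrative threshold MIN_N of 10 (the report does not state the real value), and a standard complementary-suppression rule so that a withheld cell cannot be recovered by subtracting released cells from released totals (the residual-disclosure concern above).

```python
from collections import defaultdict

SUPPRESSED = "x"  # marker released in place of a withheld estimate


def primary_suppression(table, min_n):
    """Cells whose unweighted respondent count falls below the threshold."""
    return {key for key, (n, _w) in table.items() if n < min_n}


def table_lines(table):
    """Row lines followed by column lines, each a list of cell keys."""
    rows, cols = defaultdict(list), defaultdict(list)
    for (r, c) in table:
        rows[r].append((r, c))
        cols[c].append((r, c))
    return list(rows.values()) + list(cols.values())


def complementary_suppression(table, hidden):
    """Extend `hidden` until no row or column holds exactly one hidden cell.

    Released row and column totals would otherwise reveal a lone hidden cell
    by subtraction. Prefer a candidate whose other line already has a hidden
    cell (closing a rectangle stops the cascade), then the smallest
    unweighted count, so as little information as possible is withheld.
    """
    hidden = set(hidden)
    lines = table_lines(table)
    changed = True
    while changed:
        changed = False
        for line in lines:
            if len(line) < 2 or sum(k in hidden for k in line) != 1:
                continue
            # A row line shares its first coordinate; its "other" axis is then 1.
            other = 1 if line[0][0] == line[1][0] else 0

            def score(key):
                closes = any(h[other] == key[other] for h in hidden)
                return (0 if closes else 1, table[key][0], key)

            hidden.add(min((k for k in line if k not in hidden), key=score))
            changed = True
    return hidden


def vet_table(table, min_n):
    """Return (released, hidden). `released` maps each cell to its weighted
    estimate or SUPPRESSED; unweighted counts never leave the RDC."""
    hidden = complementary_suppression(table, primary_suppression(table, min_n))
    released = {k: SUPPRESSED if k in hidden else w for k, (_n, w) in table.items()}
    return released, hidden


# Constructed sample (not real survey data): age group x response,
# each cell as (unweighted n, weighted estimate).
SAMPLE = {
    ("18-29", "yes"): (42, 12000.0), ("18-29", "no"): (3, 900.0), ("18-29", "unsure"): (20, 5500.0),
    ("30-49", "yes"): (58, 16000.0), ("30-49", "no"): (25, 7100.0), ("30-49", "unsure"): (31, 8800.0),
    ("50+", "yes"): (11, 3000.0), ("50+", "no"): (40, 11000.0), ("50+", "unsure"): (17, 4600.0),
}
MIN_N = 10  # assumed threshold for illustration; the report does not state it
```

Calling `vet_table(SAMPLE, MIN_N)` hides the one under-threshold cell plus three complementary cells that close a rectangle, and returns weighted estimates only for the rest.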
The audit determined that the RDC analyst ensures that Statistics Canada confidential data is not compromised by carefully administering and screening all confidentiality vetting requests.
Appendices
Appendix A: Audit criteria
Line of Enquiry / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
---|---|---|
1. The University of Alberta RDC complies with applicable TBS and Statistics Canada policies and standards regarding Information Technology Security and Physical Security to ensure that confidentiality of data is protected in the delivery of services. | | |
Stewardship | | |
1.1 Appropriate physical and IT controls exist. (ST-11) | 1.1.1 Logical access controls exist to ensure access to systems, data and programs is restricted to authorized users. | TBS Government Policy on Security; TBS Standard on Physical Security; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; Internal RDC physical and IT security documentation |
 | 1.1.2 Access to the RDC facilities in the region is physically restricted and enforced for the protection of sensitive assets. | Security of Sensitive Statistical Information; TBS Standard on Physical Security; Statistics Canada Security Practices Manual; Statistics Act; Discretionary Disclosure Directive |
 | 1.1.3 Authentication and access procedures and mechanisms exist for the RDC facility. | Internal RDC physical and IT security documentation; Security of Sensitive Statistical Information; Policy on Deemed Employees; Statistics Act |
1.2 Records and information and other sensitive assets are safeguarded using information systems which are maintained in accordance with applicable laws and regulations. (ST-12) | 1.2.1 Procedures to safeguard and protect the use of assets (i.e. authorized use only) exist and are adhered to. | Security of Sensitive Statistical Information; Discretionary Disclosure Directive; Internal RDC physical and IT security documentation; Internal RDC confidentiality documentation |
 | 1.2.2 Physical and IT security measures adhere to applicable TBS policies and Statistics Canada policies and procedures. | TBS Directive on Departmental Security Management; Internal RDC physical and IT security documentation; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; TBS Government Policy on Security; TBS Standard on Physical Security |
 | 1.2.3 Exceptions to required TBS or Statistics Canada policies and procedures are identified and appropriate actions are taken. | Statistics Canada IT Security Policy; TBS Government Policy on Security; TBS Standard on Physical Security; Discretionary Disclosure Directive; Statistics Canada Security Practices Manual |
1.3 Management has established processes to develop and manage relevant agreements, Memoranda of Understanding (MoUs), and/or contracts, for the purposes of the RDC Program in the region. (ST-22) | 1.3.1 The processes governing access to data adhere to applicable TBS and Statistics Canada IT security policies. | Management Accountability Framework; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Act; Security of Sensitive Statistical Information; Discretionary Disclosure Directive; Policy on Deemed Employees |
 | 1.3.2 For services delivered by external IT service providers, management has implemented a program to monitor their activities. | TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; Internal RDC documentation |
1.4 Management has designed and implemented effective general computer controls for RDC systems. (ST-23) | 1.4.1 Appropriate levels of management have designed and implemented processes, procedures, and controls for safeguarding Statistics Canada microdata files including: | Management Accountability Framework; RDC Security Inspection reports; Statistics Canada Security Practices Manual |
 | 1.4.2 Controls for the RDC Program in the region include a mix of automated and manual controls and their operating effectiveness is periodically tested. | RDC Security Inspection reports; Statistics Canada Security Practices Manual |
2. The University of Alberta RDC has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services. | | |
Accountability | | |
2.1 Authorities, responsibilities and accountabilities are formally defined, clear and communicated. (AC-1) | 2.1.1 Responsibilities and accountabilities are formally defined and clearly communicated for Statistics Canada employees, researchers and RDC partners. | Management Accountability Framework; Security Practices Manual; Internal RDC roles and responsibilities documentation; Policy on Deemed Employees; Statistics Act; Policy on the Security of Sensitive Statistical Information |
 | 2.1.2 All applicable agreements and documents clearly outline each party's roles, responsibilities and accountabilities as they relate to the RDCs and the confidentiality of Statistics Canada data. | MRC contract templates; Oath / Affirmation of Secrecy; Values and Ethics documents; RDC Researcher Handbook |
 | 2.1.3 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined. | Policy on the Security of Sensitive Statistical Information; Internal Confidentiality Vetting documents |
2.2 A clear and effective organization structure is established and documented for the RDC program. (AC-2,3) | 2.2.1 Functional authority for physical and IT security is appropriately vested in and exercised by functional heads, as it relates to the RDC Program at both the program and regional RDC level. | Security Practices Manual; Policy on Deemed Employees; Procedures for opening an RDC; Procedures for operating an RDC |
 | 2.2.2 The organizational structure for the RDC program, at both the program and regional level, permits clear and effective lines of communication with external partners and reporting regarding confidentiality, IT and physical security. | RDC Organizational documentation and chart; RDC documentation for staff; RDC documentation for Academic Directors; RDC documentation for researchers |
Risk Management | | |
2.3 Management identifies, assesses and responds to the risks that may preclude the achievement of its objectives. (RM-2) | 2.3.1 Risks are identified at both the program and regional levels, respectively, and take into consideration the internal and external environments of the RDC Program. | Divisional Risk Register; Management Accountability Framework |
 | 2.3.2 Management-led physical and IT security control assessments exist, with input from relevant corporate service functions. | Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; RDC Security Inspections |
2.4 Management identifies and assesses the appropriateness of existing controls to effectively manage its risks. (RM-3) | 2.4.1 Formal processes and guidelines exist to assess the controls in place to manage identified risks. | RDC Researcher Guide; Policy on the Security of Sensitive Statistical Information; Internal Confidentiality Vetting documents; RDC Security Inspections |
Public Service Values | | |
2.5 Employees formally and periodically acknowledge compliance with Statistics Canada's policies, as they pertain to the confidentiality of sensitive statistical information. (PSV-5) | 2.5.1 Upon commencement with the organization, all Statistics Canada and deemed staff are required to sign a statement (e.g. the Statistics Act / Statistics Canada Oath) acknowledging understanding of and compliance with relevant RDC Program policy. | Statistics Act; Oath of Secrecy; Values and Ethics documents; RDC Researcher Guide; Policy on the Security of Sensitive Statistical Information; Policy on Deemed Employees |
 | 2.5.2 Compliance is periodically acknowledged by Statistics Canada employees, deemed employees and external partners, where applicable. | Statistics Canada Security Practices Manual; Internal RDC security documentation |
Appendix B: Acronyms
Acronym | Description |
---|---|
ACL | Active Control Listing |
BIOS | Basic Input/Output System |
CIHR | Canadian Institutes of Health Research |
CRDCN | Canadian Research Data Centre Network |
CRMS | Client Research Management System |
CS | Chief Statistician |
DAC | Departmental Audit Committee |
DS | Departmental Security |
FRDC | Federal Research Data Centre |
IIA | Institute of Internal Auditors |
IT | Information Technology |
LOE | Line of Enquiry |
MAD | Microdata Access Division |
MRC | Microdata Research Contract |
PUMF | Public Use Microdata File |
RAID | Redundant Array of Independent Disks |
RDC | Research Data Centre |
SSHRC | Social Sciences and Humanities Research Council |
TBS | Treasury Board Secretariat |
USB | Universal Serial Bus |
WAN | Wide Area Network |