Audit of Statistical Infrastructure Branch – Tax Data

Audit Report

November 14, 2013
Project Number: 80590-78

Executive Summary

Through the terms and conditions of a Memorandum of Understanding (MOU) signed in 2011, the Canada Revenue Agency (CRA) and Statistics Canada exchange information to facilitate and support statistical research and analysis associated with the administration of a number of their respective programs. The Tax Data Division (TDD) is responsible for the development of centralized databases containing edited and imputed tax microdata accessible internally to user divisions, as well as managing and coordinating all aspects of the data requests made to the CRA under the MOU.

There are currently 29 active tax microdata files transmitted to Statistics Canada. Access has been granted to 36 divisions across the Agency, representing close to 700 individual users. TDD currently manages over 3,300 requests annually for access to available tax microdata files.

The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:

  • The TDD has an adequate and effective risk management framework in place to ensure the terms and conditions of the MOU pertaining to security of confidential taxpayer information are met; and
  • The information is being used, disclosed, retained and disposed of in accordance with the terms and conditions set out in the MOU.

This audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18.

Key Findings

TDD has implemented an adequate risk management framework to protect confidential taxpayer information. Roles and responsibilities are defined; corporate policies and directives specific to tax data, which meet or exceed the requirements of the MOU, have been developed and communicated to stakeholders.

The Data Access Request System (DARS) is used to manage and control access over TDD product files. It keeps an audit trail of: who is authorized to access taxpayer information; the identification of data files that are to be accessed; planned usage and purpose; and the period for which authorization is granted. The DARS is an effective means to meet the requirements of the MOU.

While client divisions are allowed to create additional files from original tax microdata files, they have not been reporting the required information to TDD on a regular or consistent basis. As a result, a segment of the location and users of tax information is not reported to the Assistant Chief Statistician (ACS) as required by the MOU.

CRA and Statistics Canada must ensure an audit trail of all accesses to information provided under the MOU is maintained and provided upon request. Such an audit trail is not kept. TDD management's understanding is that the requirements of the audit trail described in Appendix C-1 were sufficient to meet the requirements of Clause 30 of the MOU. The MOU is unclear as to the depth and breadth of an audit trail for all accesses to information provided under the MOU.

The MOU allows Statistics Canada to enter into agreements with Provincial Statistical Focal Points (SFP) and departments of the Government of Canada for the use of taxpayer information for their jurisdiction. Testing revealed that agreements set out terms and conditions for the use, disclosure, retention and disposal of tax information in accordance with the terms and conditions set out in the MOU.

Testing results of a sample of 33 recorded authorized tax microdata users revealed that most key physical and IT security practices and tools designed to protect taxpayer information met or exceeded the requirements of the MOU. Shared folders are commonly used to provide access to operational information to all employees within a team, group, division or selected employees within other divisions. The audit found that in some cases, the use of shared folders to disseminate tax data to other employees was not properly controlled, allowing unauthorized access to tax microdata, which does not respect the need-to-know principle.

Vulnerabilities were also identified during the audit, which could pose a risk to the confidentiality of tax microdata. Firstly, in an electronic work environment where managing large data sets is critical, having active USB ports provides the opportunity to remove confidential information from Statistics Canada premises, in a manner that is untraceable and undetectable. Secondly, retention periods and procedures for the disposal of tax microdata files are not clearly established.

Overall Conclusion

The TDD has implemented an adequate risk management framework to ensure the terms and conditions of the MOU pertaining to security of confidential taxpayer information are met. Management attention is required in two areas: 1) Ensure that reports on the location and uses of tax information are complete by including the information held by both TDD and client divisions. 2) Seek clarification from CRA on the depth and breadth of an audit trail for all accesses to information provided under the MOU.

For the most part, tax information is being used, disclosed, retained and disposed of in accordance with the terms and conditions set out in the MOU. Improvements are required in three areas: 1) Restrict shared folders to authorized users only; 2) Consider and manage the risk of active USB ports on tax microdata users' computers; 3) Establish clear retention periods for tax microdata files.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

Through the terms and conditions of a Memorandum of Understanding (MOU) signed in 2011, the Canada Revenue Agency (CRA) and Statistics Canada exchange information to facilitate and support statistical research and analysis associated with the administration of a number of their respective programs. Statistics Canada uses tax microdata as a direct replacement of survey data in the business statistics program. Divisions utilize these rich data sources to validate survey results by comparison, and to create record linkages. Statistics Canada uses tax microdata to achieve higher accuracy, greater geographical detail, improved timeliness, and lower response burden.

The purpose of the MOU is to clarify the roles and responsibilities and outline the conditions and procedures for the release of confidential taxpayer information between the CRA and Statistics Canada under the Income Tax Act, the Excise Tax Act and the Statistics Act.

Tax Data Division (TDD) was formed in April 1997 for the purpose of centralizing Statistics Canada's acquisition and processing of tax microdata. The division is responsible for the development of centralized databases containing edited and imputed tax microdata, which are accessible internally to user divisions. TDD acts as a service provider to subject matter divisions and ensures that all clients are provided with information related to administrative data files and their use. There are currently 29 active tax microdata files transmitted to Statistics Canada. Access has been granted to 36 divisions across the Agency, representing close to 700 individual users. TDD currently manages over 3,300 requests annually for access to available tax microdata files.

Aside from the centralized repository of tax microdata within TDD, client divisions within Statistics Canada also handle a number of files containing sub-sets or specific variables drawn from tax microdata obtained from the TDD database. In accordance with the Directive on the Security of Sensitive Statistical Information (SSSI), responsibilities for the approval of use, access, storage and disposal of tax microdata are delegated to divisional directors. The Directive also states that divisional directors must report this information back to TDD on an annual basis.

Audit Objectives

The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:

  • The TDD has an adequate and effective risk management framework in place to ensure the terms and conditions of the MOU pertaining to security of confidential taxpayer information are met; and
  • The information is being used, disclosed, retained and disposed of in accordance with the terms and conditions set out in the MOU.

Scope

The current MOU requires that an internal audit be conducted by each Agency within two years of its signing. The current MOU was signed in 2011. The scope of this audit included a risk-based examination of processes and mechanisms in place within Statistics Canada to support the receipt of tax microdata and its dissemination to Statistics Canada program fields.

Approach and Methodology

The audit work consisted of the examination of documents, interviews with key Senior Management and personnel, and a review of compliance with relevant policies and guidelines.

The field work consisted of the review and assessment of the processes and procedures in place to ensure compliance with the security requirements of the MOU, as well as relevant policies and procedures.

The audit team conducted walkthroughs for a sample of 33 recorded authorized tax microdata users. A sample of authorized users was selected on a random and judgmental basis, from the list of approximately 700 users in the 36 client divisions across Statistics Canada. Employees of the Tax Data Division and 11 other client divisions across Statistics Canada were visited with little to no notice for an interview, physical inspection and sweep of their computer.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

This audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18.

Findings, Recommendations and Management Response

Objective 1: The Tax Data Division (TDD) has an adequate and effective risk management framework in place to ensure the terms and conditions of the MOU pertaining to security of confidential taxpayer information are met.

Risk Management Framework

TDD has implemented an adequate risk management framework to protect confidential taxpayer information. Roles and responsibilities are defined; corporate policies and directives specific to tax data, which meet or exceed the requirements of the MOU, have been developed and communicated to stakeholders.

The Data Access Request System (DARS) is used to manage and control access over TDD product files. It keeps an audit trail of: who is authorized to access taxpayer information; the identification of data files that are to be accessed; planned usage and purpose; and the period for which authorization is granted. The DARS is an effective means to meet the requirements of the MOU.

While client divisions are allowed to create additional files from original tax microdata files, they have not been reporting the required information to TDD on a regular or consistent basis. As a result, a segment of the location and users of tax information is not reported to the ACS as required by the MOU.

CRA and Statistics Canada must ensure an audit trail of all accesses to information provided under the MOU is maintained and provided upon request. Such an audit trail is not kept. TDD management's understanding is that the requirements of the audit trail described in Appendix C-1 were sufficient to meet the requirements of Clause 30 of the MOU. The MOU is unclear as to the depth and breadth of an audit trail for all accesses to information provided under the MOU.

The MOU allows Statistics Canada to enter into agreements with Provincial Statistical Focal Points (SFP) and departments of the Government of Canada for the use of taxpayer information for their jurisdiction. Testing revealed that agreements set out terms and conditions for the use, disclosure, retention and disposal of tax information in accordance with the terms and conditions set out in the MOU.

An effective control framework for the security of confidential tax microdata would enable Statistics Canada to comply with the terms and conditions of its Memorandum of Understanding (MOU) with the Canada Revenue Agency. Policies, directives, systems and written agreements should be in place to ensure the terms and conditions of the MOU are upheld, and to control and limit access to persons whose current work-related responsibilities require access to tax microdata.

Management of Tax Microdata within Statistics Canada

Ensuring compliance with the terms and conditions of the MOU is a responsibility that is shared amongst TDD, client divisions across Statistics Canada and divisions providing services at a corporate level.

Roles and Responsibilities

Respective roles and responsibilities can be summarized as follows:

  • TDD is responsible for providing program divisions across Statistics Canada with access to tax databases and for promoting and facilitating increased usage of tax microdata. TDD is also responsible for ensuring the security of tax microdata within Statistics Canada.
  • The Informatics Branch is responsible for the implementation of the IT Security Policy, the selection and assessment of IT security products for departmental deployment, and the provision of IT security awareness and advice to divisions on IT security requirements of the MOU.
  • The Information Management Division (IMD) is responsible for the overall protection of information and the policy framework related to security.
  • Client divisions using tax microdata are responsible and accountable to ensure that physical and IT security requirements are being met within the division. TDD also delegates the responsibility of conformance to security requirements of the MOU to divisional directors. Delegated responsibilities include: computer processing and file storage requirements; requirements for marking, storing, erasing and disposing of documents and computer media; and requirements for electronic transmission and transportation.

Policies and Directives

Statistics Canada has a number of relevant policies and directives which apply to the handling of tax microdata:

  • Directive on the Security of Sensitive Statistical Information (SSSI);
  • IT Security Policy;
  • Security Practices Manual;
  • Network Use Policy; and
  • Directive on the Management of Statistical Microdata Files.

Risk Management

As part of Treasury Board policies, government programs must identify the risks that may preclude the achievement of objectives, assess the existing controls in place, and identify mitigation strategies to reduce risks.

At the operational level, the Tax Project Planning Group includes the TDD's Chiefs and considers risks surrounding the protection and confidentiality of tax microdata, as well as the TDD's compliance with the MOU with the CRA. TDD documents its risks using the corporate Risk Register document. TDD has taken into consideration both internal and external sources of risks and has documented details of its risk mitigation strategies and action plans as they pertain to quality and timeliness of products delivered, as well as security of tax microdata.

Security Requirements

The MOU requires that Statistics Canada inform users of tax microdata on security requirements. TDD communicates with client divisions to ensure they understand their responsibilities pertaining to the security of tax microdata.

Two documents are distributed to tax microdata users within client divisions prior to granting access: TDD's "User Agreement" and "Best Practices" checklist provide a list of security requirements and practices for maintaining the confidentiality of tax microdata, which meet and in some cases exceed those included in the terms and conditions of the MOU. Also, the Director of TDD sends annual reminders to Directors within client divisions to remind them of their responsibilities surrounding tax data. The Statistics Canada Information and Privacy Breach Protocol defines what is considered an information breach and clearly states that if the breach involves tax microdata, the director, Tax Data Division must be contacted. No incidents involving tax microdata handled by internal client divisions have been reported.

Authorized Uses and Location

The Director (TDD) is responsible for keeping track of the location and uses of tax data within Statistics Canada. Appendix C-1 of the MOU makes reference to an audit trail which requires that the following information be kept: who is authorized to access and use tax microdata, the period for which this authorization is granted, and the purpose and the identification of tax microdata files that are to be accessed.

In order to manage access to tax microdata, TDD makes the distinction between two types of users:

  • Primary users are those who access original tax microdata files held by TDD. Only employees who submit a request as Primary Users can access TDD tax files. The system is effective in controlling access to these files and keeping complete lists of employees authorized to access files under the custody of TDD.
  • Secondary users are employees who access files created and held outside TDD's servers which contain tax microdata exported from TDD original tax files. Access to these derived files is controlled by client-divisions via file permissions approved by divisional directors, and activated by Information Technology Operations Division (ITOD). The MOU assigns responsibility for authorizing requests to access tax microdata held within TDD to the Director of TDD. The Directive on SSSI assigns the responsibility of authorizing access to tax microdata held outside TDD to divisional directors. This situation meets the requirement of the MOU.

TDD uses the corporate system called the Data Access Request System (DARS) to manage and control access over TDD product files. DARS is used by TDD to keep an audit trail of: who is authorized to access taxpayer information; the identification of data files that are to be accessed; planned usage and purpose; and the period for which this authorization is granted. Testing was conducted to verify the effectiveness of the revocation and re-assignment processes when employees leave the Department or move to other divisions. Results showed that accesses are promptly revoked. The DARS is an effective means to meet the requirements of the MOU in this regard.

Reporting

According to the MOU, the TDD Director is responsible for reporting periodically to the Assistant Chief Statistician, Informatics and Methodology Field on the location and uses of tax data within Statistics Canada.

As mentioned above, TDD uses the DARS to track primary and secondary users as part of its process of reporting to the ACS, based on whether they have direct access to TDD original tax files or access to a derived file created from a TDD file. The MOU does not require that this distinction be made.

ACS reports include information pertaining to active access authorizations and are produced on a monthly and quarterly basis, as follows:

  • Table 1: Report of Access to Tax Data Holdings by Type of Usage – Primary User;
  • Table 2: Report of Total Primary Unique Users of Tax Data Holdings by Division;
  • Table 3: Report of Access to Tax Data Holdings by Type of Usage – Secondary User;
  • Table 4: Report of Total Secondary Unique Users of Tax Data Holdings by Division;
  • Table 5: Report of Total Unique Users of Tax Data Holdings by Division;
  • Table 6: Report of Top 10 User Divisions; and
  • Table 7: Report of User Divisions – Current and Previous Month.

TDD effectively keeps track and reports to the ACS on the location and uses of tax microdata held within its division.

Statistics Canada policies allow client-divisions to create additional files from original tax microdata files. Accountability for protecting the confidentiality of this information has been delegated to client-users. Directors within these divisions have the authority to approve access to tax microdata contained in files kept under their jurisdiction. The Directive on the SSSI requires that divisional directors "report the location, users and use made of tax microdata provided by other divisions to the Director of Tax Data Division annually". The requirement for divisional directors to report annually to TDD is not aligned with the current monthly and quarterly reporting to the ACS. TDD management has confirmed that client divisions have not been providing the required information on a regular or consistent basis, which does not meet the Directive's requirement.

While TDD is able to report on location and uses for tax microdata held within its division, there is a gap for reporting on the location and uses of tax microdata held outside TDD. Consequently, a segment of the location and users of tax information is not reported to the ACS as required by the MOU.

Access Logs

Clause 30 of the MOU states that CRA and Statistics Canada must ensure an audit trail of all accesses to information provided under the MOU is maintained and provided upon request. In the context of protecting the security of information, the definition of an "audit trail" is a security-relevant chronological record showing who has accessed a computer system and what operations he or she has performed during a given period of time, which would provide documentary evidence of a sequence of activities.

According to interviews with TDD staff and management, as well as ITOD staff, logs for actual accesses to TDD tax files and derived files stored across the agency are not kept. TDD management stated that their understanding is that the requirements of the audit trail described in Appendix C-1 (i.e. who is authorized to access taxpayer information; the identification of data files that are to be accessed; planned usage and purpose; and the period for which this authorization is granted) were sufficient to meet the requirements of Clause 30 of the MOU. The MOU is unclear as to the intended purpose of this requirement, its depth and breadth, and the retention period for which access logs should be maintained.

Sharing Tax Microdata with Other Federal Departments and Provincial Statistical Agencies

The MOU with CRA allows Statistics Canada to enter into agreements with Provincial Statistical Focal Points (SFP) and departments of the Government of Canada for the use of taxpayer information for their jurisdiction. SFP are organizations which play somewhat the same role as Statistics Canada in terms of collecting and delivering statistical products at the provincial level and are bound by provincial laws similar to the Statistics Act. These organizations are pre-approved by the CRA as part of clause 11 of the MOU. Statistics Canada has agreements with eight (8) SFPs. Procedures to obtain permissions and records of authorization by directors are in place for the transfer of information to SFP and three federal government departments. The authorization is formally documented and evidenced on Disclosure Orders signed by the Chief Statistician.

A sample of three agreements was randomly selected and reviewed to assess whether the provisions of the MOU related to the use and protection of such information are upheld. Results revealed that in each case, the agreement set out terms and conditions for the use, disclosure, retention and disposal of tax information in accordance with the terms and conditions set out in the MOU. The requirement to report suspected or actual security incidents involving tax microdata is part of written arrangements with external organizations to which Statistics Canada provides taxpayer or confidential information obtained under the MOU. No incidents involving external clients have been reported.

Recommendations:

The Assistant Chief Statistician of Analytical Studies, Methodology and Statistical Infrastructure should ensure that:

  • Mechanisms are in place to ensure that the ACS is informed of the location and uses of tax information held within client divisions across Statistics Canada.
  • Clarification is sought from CRA on the depth and breadth of an audit trail of all accesses to information provided under the MOU, and that appropriate measures are taken to implement the requirement.

Management Response:

Management agrees with the recommendations.

  • The Director of TDD will implement a reporting process to ensure secondary uses and users of tax information will be provided to and monitored by TDD. Relevant information to be integrated into regular reporting to ACS of tax data use.

    Deliverables and Timeline: Corporate Access Request System (CARS). To be implemented by June 2014.
  • The Director of TDD will discuss and clarify with CRA.

    Deliverables and Timeline: Confirmation of the intent of Clause 30 of the MOU in terms of information requirements. Note: Should clarification result in different information requirements an action plan for implementation will be developed to achieve compliance. Risks – costs, SSC collaboration. Discussion to take place by December 2013. Implementation by September 2014.

Objective 2: The information is being used, disclosed, retained and disposed of in accordance with the terms and conditions set out in the MOU.

Stewardship

Testing results of a sample of 33 recorded authorized tax microdata users revealed that most key physical and IT security practices and tools designed to protect taxpayer information met or exceeded the requirements of the MOU. Shared folders are commonly used to provide access to operational information to all employees within a team, group, division or selected employees within other divisions. The audit found that in some cases, the use of shared folders to disseminate tax data to other employees was not properly controlled, allowing unauthorized access to tax microdata, which does not respect the need-to-know principle.

Vulnerabilities were also identified during the audit, which could pose a risk to the confidentiality of tax microdata. Firstly, in an electronic work environment where managing large data sets is critical, having active USB ports provides the opportunity to remove confidential information from Statistics Canada premises, in a manner that is untraceable and undetectable. Secondly, retention periods and procedures for the disposal of tax microdata files are not clearly established.

Sound stewardship practices and procedures, such as adhering to guidelines and security policies and using the appropriate tools for safeguarding tax microdata should be in place to ensure that taxpayer information is being used, disclosed, retained and disposed of within Statistics Canada in accordance with the terms and conditions set out in the MOU.

Part of this responsibility is delegated to directors of client divisions using tax microdata across Statistics Canada. TDD relies upon employees outside its jurisdiction to comply with the terms and conditions of the MOU. Also, as the vast majority of tax microdata is transmitted electronically from CRA and made available in electronic format, TDD is dependent upon the corporate IT infrastructure as a means to safeguard confidential microdata under the custody of Statistics Canada in what has become, for the most part, a paperless environment.

The audit team conducted walkthroughs for a sample of 33 recorded authorized tax microdata users. A sample of authorized users was selected on a random and judgmental basis, from the list of approximately 700 users in the 36 client divisions across Statistics Canada. Employees of the Tax Data Division and 11 other client divisions across Statistics Canada were visited with little to no notice for an interview, physical inspection and sweep of their computer hard drives. The purpose was to assess whether selected security measures outlined in TDD's "Best Practices" checklist were consistently applied, and to corroborate that IT applications and components of its infrastructure are in place in accordance with security requirements of the MOU.

Adherence to TDD Guidelines and the MOU

TDD's "Best Practices" checklist has 11 items, which relate to both physical and IT security. The audit team reviewed a number of key security practices and tools in place related to the use, disclosure, storage and disposal of tax microdata. All 33 employees complied with the following requirements, which meet or exceed the requirements of the MOU:

  • Use of secure storage cabinets prescribed by corporate security;
  • Access to printers which meet confidentiality requirements;
  • Use of approved shredders prescribed by corporate security; and
  • Securing computer access when leaving the workstation.

Interviews were also conducted with the IT staff assigned to support the TDD, the IT Security team, network staff at Shared Services Canada assigned to Statistics Canada, the DARS team, and directors of four (4) client divisions. The following requirements pertaining to Statistics Canada's IT infrastructure met the requirement of the MOU:

  • Servers containing sensitive tax microdata are restricted to a secure closed network (Network A);
  • Servers do not have wireless communications capabilities;
  • Servers are kept within the secure data centre and are managed by IT/SSC;
  • Statistics Canada's password policy applies at the network-level. Configurations surrounding password life and standards were tested and controls in place meet the requirements of the MOU;
  • Practices for use of EFT protocol meet the requirement of the MOU;
  • Entrust is used for pre-encryption of files prior to sending via EFT; and
  • Workstations are delivered without wireless capability and when applicable, laptop wireless communications capabilities are disabled. Laptops available for borrowing from the common pool have wireless communications but cannot connect to Network A.

The audit found that in some cases, the use of shared folders to disseminate tax data to other employees was not properly controlled, allowing unauthorized access to tax microdata.

Employees in client divisions use shared folders to share and access tax microdata. This practice is in line with TDD's User Agreements, provided that these shared folders are restricted to authorized users, which are in turn reported to TDD. In its agreements with client divisions, this practice is recommended for sharing files containing tax microdata, as an alternative to using removable storage media with encryption.

The audit team selected two files created by client-division and tested the effectiveness of using shared folders to disseminate tax microdata to other divisional employees and other divisions. Results showed that these two folders were not restricted to authorized users only. Many of the employees with access to these two shared folders were not recorded in TDD's lists of authorized secondary users. Files containing tax microdata were stored on existing shared folders within the division, as opposed to storing them on shared folders created specifically for authorized tax microdata users.

While this practice ensures that tax microdata remains on a secure closed network and is restricted to Statistics Canada employees at all times, storing tax microdata on shared folders accessible to all employees of a division does not restrict its access to authorized users only on a need-to-know basis, as required under the MOU.

Vulnerabilities were also identified during the audit, which could pose a risk to the confidentiality of tax microdata:

Active USB Ports

The audit team identified vulnerabilities related to the protection of tax microdata associated with active USB ports on tax microdata users' computers.

A significant number of employees have stated that they bring personal USB keys to work and sometimes transfer music, photos and other personal information onto their work computer. A few users have stated that they use USB keys provided by the division, to transport electronic presentations, but that no tax microdata is stored on these keys. Some users have also said they connect their mobile phone device to their computer USB port for charging purposes. These devices have large electronic storage capacity onto which confidential information could be stored. Smartphones also have wireless public network access, which could be active while on Network A.

In an electronic work environment where managing large data sets is critical, having active USB ports provides the opportunity to remove confidential information from Statistics Canada premises, in a manner that is untraceable and undetectable.

Once confidential information is taken outside Statistics Canada's closed network, it can no longer be protected. The Informatics Branch is currently studying potential solutions to address risks associated with active USB ports.

Retention Period and Disposal of Tax Microdata

The MOU requires the disposal of tax microdata when no longer needed. However, the MOU does not provide guidelines as to how this determination is to be made. In reality, tax microdata could be kept indefinitely as it could always be useful for future studies.

The Directive on the Management of Statistical Microdata Files applies to all files containing sensitive information, including tax microdata. According to the Directive, tax microdata files fall under the category of administrative files which have a retention period of five years. In April 2013, TDD presented a proposal seeking an exemption for the retention of tax microdata files as stipulated in the Directive. TDD proposed that tax files received from CRA be considered as collection files, and in some cases as master files which could extend their retention period indefinitely.

TDD recognizes that there is a need to determine retention periods and procedures for the disposal of tax microdata files.

Recommendations:

The Assistant Chief Statistician of Analytical Studies, Methodology and Statistical Infrastructure should ensure that:

  • Shared folders used by client divisions to disseminate tax microdata to other Statistics Canada employees are restricted to authorized users on the basis of the need-to-know principle and reported to TDD;
  • Risks associated with active USB ports on tax microdata users' computers are considered and managed;
  • Statistics Canada establishes clear retention periods for files containing tax microdata.

Management Response:

Management agrees with the recommendations.

  • The Director of TDD will implement a reporting process to ensure secondary uses and users of tax information will be provided to and monitored by TDD. Relevant information to be integrated into regular reporting to ACS. Process for access to comply with "need-to-know" principle through definition of roles.

    Deliverables and Timeline: Reporting to be included in conditions of use of tax data. To be implemented by January 2014. Corporate Access Request System (CARS). To be implemented by September 2014.
  • The Director of TDD will develop conditions of use of tax data in context of departmental security practices for portable storage devices and clearly communicate to programs using tax data.

    Deliverables and Timeline: Revised guidelines to data using divisions to include conditions of use and director attestation. To be implemented by January 2014.
  • The Director of TDD/ADS and the Director of IMD will ensure the Directive on management of statistical microdata is revised to provide clear guidelines in the treatment of all administrative data files.

    Deliverables and Timeline: Update the directive on management of statistical microdata. To be implemented by June 2014.

Appendices

Appendix A: MOU Clauses in Scope

  • Clause 11: StatCan undertakes to enter into written arrangements with each department or agency to which they propose to provide taxpayer or confidential information obtained under this MOU. These arrangements will ensure that the provisions of this MOU related to the use and protection of such information are upheld. Upon request, copies of such arrangements will be provided to the CRA.
  • Clause 12: Taxpayer and confidential information will not be shared by StatCan, where such sharing is authorized by law, to any other entity other than those noted in clause 11 above, without the written consent of the CRA.
  • Clause 30: The CRA and StatCan will ensure an audit trail of all accesses to information provided under this MOU is maintained, and provided upon request.
  • Appendix C-1 - (c) Physical Access and Record Management
    • Paragraph 1: Authorized access to the information is based on the need to perform assigned work related activities (need to know principle). The StatCan policy on the Security of Sensitive Statistical Information (SSSI) assigns to the Director, TDD the responsibility for authorizing all requests for access to micro tax data held by the TDD.
    • Paragraph 2: The Director, TDD has the responsibility of authorizing all requests for access to micro tax data.
    • Paragraph 3: The Director is also responsible for keeping track of the location and uses of tax data within StatCan and to report on this periodically to the Assistant Chief Statistician, Informatics and Methodology Field.
    • Paragraph 4: StatCan must maintain an audit trail to ensure that the information is being used strictly in accordance with the legislation providing for its use and that all security requirements specified in this appendix are observed. As mandated by the SSSI, this audit trail must include a list of: who is authorized to access and use CRA data, the period for which this authorization is granted, and the purpose and the data files that are to be accessed. StatCan must also inform users of CRA data on security requirements and ensure that they adhere to them.
  • Appendix C-1 - (d) IT Storage and Transmission
    • Paragraph 1: Where the information is held on transportable media, passwords and full encryption must be used. This applies equally to backups of the confidential information stored on transportable media.
    • Paragraph 2: All computers that are used to access, process and store tax data will employ logical access controls (passwords) at the device and network level.
    • Paragraph 3: Tax data cannot be transmitted by facsimile or by e-mail, unless the table in the e-mail is password protected or encrypted and that appropriate marking is applied on each page of the table.
    • Paragraph 4: Servers storing and transmitting unencrypted data, where used, must be located in a secure, controlled-access area. Controls must be in place to ensure that only authorized individuals can access the servers. Unless the information is encrypted continuously while outside the secure area, conduit must be used for all cabling and all cross-connect areas must be physically secured.
    • Paragraph 5: Network firewalls and access rules must be in place to prevent access to the information, other than to the identified persons. The information may be stored on and transmitted over approved networks not meeting these requirements, provided that it is encrypted. Alternatively, the information may be stored on a stand-alone computer with no external connections, or on a closed network. When a network transmits information that leaves a secure area (for example, to a StatCan office outside Ottawa), the data must be encrypted whenever it is outside the secure area.
    • Paragraph 6: Encryption of files transferred from the CRA to Statistics Canada and the files transferred from Statistics Canada to the CRA must use appropriate encryption keys as mandated by PWGSC.
  • Appendix C-1 - (f) Information Copying and Retention: Copies and extracts of the information may only be made for the purposes of carrying out work as covered by this agreement. When no longer needed, any such copies or extracts must be destroyed in a secure manner. All electronic storage media used in the processing of the information, including all backups and transportable media, must be sanitized or destroyed on completion of their use. Destruction must occur within the secure area and meet the requirements of the Government Security Policy.
  • Appendix F - Electronic Transmission: Security of electronic file transfer mechanism by FTP standard, including contingency plans in the event of an infrastructure failure related to the FTP delivery of an expected file.

Appendix B: Audit Objectives

Objectives Gathering Evidence
Key Information Sources Key data collection methods Key data analysis methods
1. The TDD has an adequate and effective management control framework and risk management practices in place to ensure the terms and conditions of the MOU pertaining to security of confidential taxpayer information are met.
  • Relevant TBS and/or Statistics Canada policies and procedures:
    • Network Use Policy
    • IT Security Policy
    • Directive on the Security of Sensitive Statistical Information
    • Directive on the Management of Statistical Microdata Files
    • Government Security Policy
    • Security Practice Manual
  • All levels of management/staff within Tax Data Division and other divisions having an impact on the MOU.
  • Corporate documents pertaining to governance, risk management and stewardship.
  • Memorandum of Understanding between SC and CRA
  • Interviews
  • Documentation review
  • Sampling
  • Verification
  • Analysis
  • Assessment
  • Walkthroughs
  • Testing
2. The information is being used, disclosed, retained and disposed of in accordance with the terms and conditions set out in the MOU.
  • Relevant TBS and/or Statistics Canada policies and procedures:
    • Network Use Policy
    • IT Security Policy
    • Directive on the Security of Sensitive Statistical Information
    • Directive on the Management of Statistical Microdata Files
    • Government Security Policy
    • Security Practice Manual
  • All levels of management/staff within Tax Data Division and other divisions having an impact on the MOU.
  • Corporate documents pertaining to governance, risk management and stewardship.
  • Memorandum of Understanding between SC and CRA
  • Interviews
  • Documentation review
  • Sampling
  • Verification
  • Analysis
  • Assessment
  • Walkthroughs
  • Testing

Appendix C: Acronyms

Acronym: Description
IIA: Institute of Internal Auditors
MOU: Memorandum of Understanding
CRA: Canada Revenue Agency
TDD: Tax Data Division
DAC: Departmental Audit Committee
DARS: Data Access Request System
ACS: Assistant Chief Statistician
CS: Chief Statistician
IT: Information Technology
SSC: Shared Services Canada
ITOD: Information Technology Operations Division
SFP: Statistical Focal Point
SSSI: Security of Sensitive Statistical Information
IMD: Information Management Division
CMC: Core Management Controls