July 15, 2014
Project Number: 80590-79
- Executive Summary
- Introduction
- Background
- Audit objectives
- Scope
- Approach and methodology
- Authority
- Findings, Recommendations and Management Responses
- Control Environment and Physical Security
- Information Technology Security
- Administration of Microdata Research Contracts and Confidentiality Vetting
- Appendices
- Appendix A: Audit criteria
- Appendix B: Acronyms
Executive Summary
The McMaster Research Data Centre (RDC) is one of 27 RDCs located on university campuses across Canada. RDCs were established through the efforts of Statistics Canada, the Social Sciences and Humanities Research Council, the Canadian Institutes of Health Research and university consortia, to strengthen Canada's social research capacity and support the policy research community. The McMaster RDC facility was the first RDC to open, and is located on the second floor of the Mills Library on the McMaster University campus.
Although the McMaster University RDC is considered a medium-sized RDC facility, the centre has a number of student researchers who require more support than other more experienced researchers. In 2012, the total number of active contracts at the McMaster RDC grew by almost 26%. Of the approximately 111 researchers authorized to access the centre, 45% were students.
RDCs are staffed by Statistics Canada employees and are operated under the provisions of the Statistics Act. As such, RDCs are required to have security measures in place that safeguard confidential data to the same degree as other Statistics Canada offices.
The objectives of this audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the McMaster University RDC:
- Complies with applicable Treasury Board Secretariat (TBS) and Statistics Canada policies and standards regarding Information Technology (IT) and Physical Security, to ensure that confidentiality of data is protected in the delivery of services.
- Has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
The audit was conducted by Internal Audit Division (IA) in accordance with the Government of Canada's Policy on Internal Audit.
Key findings
Roles and responsibilities at both the program level and regional level are defined and communicated. While RDC staff established constructive peer-to-peer relationships with researchers, researcher activities within the facility are not actively monitored. Within this context, it is unlikely that RDC staff would be able to detect, report and mitigate the impacts of confidentiality incidents.
Researchers are required to become 'deemed' employees prior to accessing confidential microdata at the RDCs, in accordance with the Statistics Act. As such, they are subject to the provisions of the Statistics Act and its legal consequences, if a breach of confidentiality occurs. This is a key management control that ensures the confidentiality of microdata within the centres.
Review of the physical security in place at the McMaster RDC found that access to the centre is restricted to authorized personnel. Review of automated and manual access control logs found that these controls are not fully effective as automated controls do not accurately record all activity and manual visitor logs are not used.
Requirements related to the physical setup of researcher workstations in RDCs note that there must be a physical protection of monitors to ensure there is no direct view between workstations. This measure is not in place at the McMaster facility. Additionally, departmental physical security recommendations resulting from the December 2011 inspection have not been formally responded to and the mandatory high-security deadbolt on the RDC entrance was not in place.
IT systems that safeguard records and data are in place and in compliance with applicable laws and Treasury Board policies. Authentication and identification controls in place are effective.
The authority for the administration of the microdata research contracts (MRC) and the confidentiality risk analysis is formally delegated at the program level and operational level. Roles and responsibilities have been formally defined and communicated. Review of the management of MRCs found that values and ethics acknowledgement forms were not in place for some researchers with current MRCs. Additionally, results of certain proposal evaluations for MRCs were not on file in the RDC, and in one case, the contract did not correctly reflect the data that had been approved for access. As a result, researchers had access to confidential microdata that had not been approved for the project.
Processes and procedures for confidentiality vetting are in place and requests for vetting are carefully administered and effectively screened by the RDC analyst to confirm that the confidentiality of the data is not compromised. However, data vetting request forms were found to be deleted after data vetting had been completed.
Overall conclusion
Statistics Canada's Research Data Centres were created to provide external researchers with access to Statistics Canada's confidential microdata. To ensure the confidentiality of these data files, program management designed a control framework specifically for the RDCs. Within this context, several control weaknesses were noted during the audit of the McMaster University RDC. Taken individually, these items do not present a significant material risk to the confidentiality of the information held in RDCs. However, when these risks are assessed in aggregate, the risk to the confidentiality of information is increased. Requiring researchers to become 'deemed' employees under the Statistics Act ensures that researchers are aware of their responsibilities and the potential penalties associated with a violation of confidentiality and is a key control used within the RDC environment to mitigate risks to the confidentiality of the information. Nonetheless, greater application of day-to-day monitoring controls within the centre is necessary to ensure the confidentiality of data is protected in the delivery of services. Physical security requirements for the RDC facilities should be clarified and mandatory requirements should be implemented.
Although weaknesses were noted in the physical environment, the audit found that the information technology security within the McMaster University RDC complies with applicable TBS and Statistics Canada policies and standards for safeguarding and protecting confidential Statistics Canada data.
Effective practices and mechanisms are in place to ensure that the confidentiality of data is protected in the vetting of researcher outputs as vetting requests are carefully administered and screened by the McMaster RDC analyst to ensure that confidentiality of data is not compromised. However, completed vetting request forms should be kept on file, even after the vetting has been completed. Contract administration should also be enhanced to ensure that researchers obtain access to approved data sets only, and that all required researcher acknowledgements and affirmations are in place for current contracts.
Conformance with professional standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
Decision makers need an up-to-date and in-depth understanding of Canadian society to help them respond to today's needs, and to anticipate tomorrow's. This need is underlined by a growing demand for analytical output from the rich sources of data Statistics Canada collects.
In 1998, the Canadian Initiative on Social Statistics studied the challenges facing the research community in Canada. One of the recommendations of the national task force report on the Advancement of Research using Social Statistics, was the creation of research facilities to give academic researchers improved access to Statistics Canada's microdata files.
The Research Data Centres (RDCs) are part of an initiative by Statistics Canada, the Social Sciences and Humanities Research Council (SSHRC), Canadian Institutes of Health Research (CIHR) and university consortia to strengthen Canada's social research capacity and to support the policy research community. The SSHRC is a federal agency that promotes and supports university-based research and training in the social sciences and humanities disciplines. CIHR is the major federal agency responsible for funding health research in Canada.
The Microdata Access Division (MAD) provides restricted access to confidential microdata through RDCs at universities across the country and the federal RDC in Ottawa. MAD is responsible for ensuring the confidentiality of information provided by Canadians. Currently, 27 RDCs are in the network, all located in a secure setting on university campuses. These RDCs provide researchers with access to microdata from population and household surveys, meaning that researchers do not need to travel to Ottawa to access Statistics Canada microdata. In addition to centres located on campuses, the Federal Research Data Centre (FRDC) in Ottawa provides microdata access to researchers from federal policy departments.
The RDCs provide opportunities to generate a wide perspective on Canada's social landscape, provide social science research facilities across the country in both larger and smaller population centres, expand the collaboration between Statistics Canada and its stakeholders (SSHRC, the Canadian Research Data Centre Network (CRDCN), CIHR and academic researchers), and train a new generation of Canadian quantitative social scientists.
The RDCs are staffed by Statistics Canada employees and are operated under the provisions of the Statistics Act in accordance with all confidentiality rules and are accessible only to researchers with approved research projects, who have been sworn in under the Statistics Act as 'deemed' employees.
The Statistics Canada Risk-Based Audit and Evaluation Plan requires that the Internal Audit Division complete an audit of one RDC per year. In 2011, the University of Calgary and the University of Lethbridge RDCs were audited, and in 2012, the University of Alberta Research Data Centre was audited.
Audit objectives
The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the RDC at McMaster University:
- Complies with applicable TBS and Statistics Canada (STC) policies and standards regarding Information Technology (IT) and Physical Security, to ensure that confidentiality of data is protected in the delivery of services.
- Has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
Scope
The scope of this audit included a detailed examination of the systems and practices of the RDC in the protection of data, use of technology and the physical security.
The audit focused on:
- the confidentiality vetting of data output by the on-site Statistics Canada employees;
- 'deemed' employee status and security clearance requirements for access to microdata;
- the research proposal process for RDCs;
- microdata research contracts;
- physical security of the RDC site, in compliance with applicable TBS and Statistics Canada policies and standards; and
- IT protection, in compliance with applicable TBS and Statistics Canada policies and standards.
Approach and methodology
The audit work consisted of an examination of documents, interviews with key senior management and personnel, and a review for compliance with relevant policies and guidelines.
The field work included a review, assessment, and testing of the processes and procedures in place to ensure physical security, use of technology and the protection of data at McMaster University. A sample of microdata research contracts (completed, in progress, and microdata research contracts in evaluation) was examined to ensure coverage of contract types, data sources, multiple contract holders and research purpose. A judgemental sample of 32 contracts was selected for testing representing approximately 14% of all microdata research contracts for this RDC.
This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors (IIA) International Professional Practices Framework.
Authority
The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18.
Findings, Recommendations and Management Responses
Objective 1: The McMaster University RDC complies with applicable TBS and Statistics Canada policies and standards regarding Information Technology Security and Physical Security to ensure that confidentiality of data is protected in the delivery of services.
Control Environment and Physical Security
Roles and responsibilities at both the program and regional level are defined and communicated. While RDC staff established constructive peer-to-peer relationships with researchers, researcher activities within the facility are not actively monitored. Within this context, it is unlikely that RDC staff would be able to detect, report and mitigate the impacts of confidentiality incidents.
Researchers are required to become 'deemed' employees prior to accessing confidential microdata at the RDCs, according to the Statistics Act. This is a key management control relied upon to ensure the confidentiality of microdata within the centres.
Access to the McMaster University RDC is restricted to authorized personnel only and perimeter security and intrusion detection controls in place are effective. Departmental physical security recommendations resulting from the December 2011 inspection have not been formally responded to, and the mandatory high-security deadbolt on the RDC entrance was not in place.
As per the requirements for the physical set-up of researcher workstations in RDCs, there must be a physical protection of monitors to ensure there is no direct view between workstations. This is not in place at the McMaster University RDC.
Review of automated and manual access-control logs found that these controls are not fully effective, as automated controls do not accurately record all activity, and manual visitor logs are not used.
The control environment sets the tone of an organization or program and influences the consciousness of its people. It includes management's philosophy, the organizational structure, the assignment of roles and responsibility as well as the operating style. With respect to RDCs, an effective control environment helps enable the program to achieve its objectives while ensuring the confidentiality of the data held in the centres. Well-defined roles and responsibilities and monitoring of the operating environment should be in place to ensure the security of the facility and the confidentiality of the information held in the RDC facilities.
Control environment
The mandate of RDCs is to promote and facilitate social science research using Statistics Canada's confidential microdata, while protecting the confidentiality of data through effective operational and analytical policies and procedures that create a culture of confidentiality.
For the RDC program as a whole, the audit found that functional authority is formally delegated to the manager/director of the RDC Program. At the regional level, functional authority resides with the RDC regional manager and the day-to-day monitoring of the environment and physical security within the RDC is the responsibility of RDC analysts. RDC analysts administer the operation of the Research Data Centre and ensure that the activities are consistent with Statistics Canada's mandate.
A key management control relied upon to ensure the confidentiality of information within RDCs is the 'deemed' employee status which any researcher must obtain prior to accessing the RDC. In addition to having an approved project, each researcher must undergo a security screening and be sworn in under the Statistics Act. Once completed, the oath sworn is binding for life, and researchers are subject to the same penalties under the Statistics Act as Statistics Canada employees. Additionally, researchers must attend an orientation session which outlines RDC rules and researcher responsibilities with respect to confidentiality of information.
The McMaster RDC had one full-time RDC analyst, two part-time RDC analysts and one statistical assistant. The regional manager responsible for the McMaster RDC is located at the Western University RDC. All RDC analysts report to the regional manager, and the statistical assistant at the McMaster facility reports to the full-time RDC analyst.
RDCs are managed by RDC analysts, who are Statistics Canada employees and not university staff. This organizational model is used to ensure that operations in the facilities are consistent with Statistics Canada's mandate and policies in order to ensure the security of the centre and confidentiality of the information housed in the RDC facility. RDC documentation notes that,
"the RDC analyst is the primary individual who represents the interests of Statistics Canada in the centre. As such, the analyst has specific responsibilities that are aimed at ensuring the smooth operation of the RDC as well as guaranteeing that the criteria for confidentiality and security are respected by all who access the centre."
Additionally, the annual Management Report on the Canadian RDC Program notes that it is
"important for the RDC analysts to have a peer-to-peer relationship with the researchers working in their centers"
and that RDC staff
"at least maintain, if not advance, their research skills."
At the McMaster University RDC, RDC analysts are also researchers, have expertise in data analysis and statistical techniques, and have a close connection to the research community using the RDC. All RDC analysts at the McMaster facility have post-graduate degrees, and three of the four STC employees also conduct research at the facility. This level of knowledge ensures research expertise and facilitates the research conducted at the centre.
Consequently, RDC analysts are expected to play a dual, but somewhat conflicting, role within the RDC. As Statistics Canada employees, their primary role is to ensure that the criteria for confidentiality and security are respected. Through interviews with RDC staff and observations during the site visit, the audit team noted that RDC analysts' principal focus is to consult with researchers on research techniques and findings, rather than monitoring the ongoing activities in the centre. RDC staff stated that researchers are professionals and because they want a collegial relationship and want to promote the centre, it is not the role of RDC staff to monitor researcher activities within the McMaster facility. This view is in contradiction to Statistics Canada's management expectations for RDCs and likely contributed to several of the following observations.
Vulnerabilities
The audit team noted other potential control weaknesses during the site visit to the McMaster University RDC. Alone, these items do not present a significant risk to the confidentiality of the information held in RDCs. However, when assessed within the current operating environment at the facility, the risk to the confidentiality of the information is increased.
All printing done by researchers must be examined by RDC staff to ensure no confidential information leaves the facility. Researcher printouts are directed to the network printer, which is located in the researcher workstation area. Green coloured paper is used for printing; researchers are able to print directly from their workstations and have access to printing supplies. Documented procedures for researchers stipulate that printing should be done on the network printer under the control of the RDC analyst. Researchers are required to hand in all material printed on green paper; however, within the McMaster RDC, printing by researchers is not actively monitored by RDC staff.
Additionally, RDC requirements note that handwritten notes taken by researchers while in the RDC are subject to the same confidentiality regulations and requirements as analytical output and should not be removed without being checked by RDC staff. The audit observed researchers taking notes and leaving the facility without having these checked.
RDC documentation notes that security measures implemented in the RDCs must be visible and must be seen to protect the information in the centres. For example, RDCs cannot be left unattended. Documentation notes,
"in order for an RDC to be open, a Statistics Canada employee, and not a 'deemed' employee, must be on site."
At the McMaster facility, RDC staff stated that they leave researchers in the centre unattended for short periods of time.
During the 2012 RDC audit of the University of Alberta RDC, documentation related to the use of electronic devices in the RDCs was found to be inconsistent. That audit recommended that policies and directives related to cell phone use and the use of other electronic devices in the RDC be made consistent and clearly outline the approved practice. This has been implemented: all documentation is now consistent and states that researchers may bring electronic devices into the centre, but they must not be operated in the vicinity of researcher workstations. At the McMaster RDC, WIFI is accessible within the facility and can be used with electronic devices, although it is not available on researcher workstations. Given that the McMaster University RDC is a busy facility and researchers' activities are not actively monitored, having WIFI accessibility may elevate the risk to the confidentiality of the information in the centre.
The audit revealed that the control environment within the McMaster RDC has been modified to focus primarily on teaching and facilitation of research within the facility. RDC staff focus on the peer-to-peer relationship with researchers and do not fully understand their primary role as protecting the interests of Statistics Canada nor do they apply the necessary rigour to monitoring activities. Vulnerabilities noted by the audit team, in addition to a lack of monitoring in the centre, elevate the risk to the confidentiality of information. In the absence of active monitoring by RDC staff, it is unlikely that potential confidentiality incidents would be detected or subsequently reported upon.
Physical security
The physical construction and physical security measures required in RDCs are intended to help ensure the security of the information held in the facility. These measures should comply with applicable TBS policies, such as the Government Policy on Security (GPS) and Statistics Canada's Security Practices Manual. In the context of RDCs, physical security should include controls such as perimeter and intrusion detection, physical access, and specific physical site controls.
Perimeter security and intrusion detection controls
The RDC is located on the second floor of the Mills Library at McMaster University. The McMaster University RDC was constructed in compliance with the pertinent Statistics Canada requirements for perimeter security for 'shared floor occupancy', i.e., the walls surrounding the RDC itself are either brick or load-bearing walls, or frosted and muted windows (virtually sound-proof windows, through which only murmurs can be heard from outside the RDC and nothing spoken inside the facility can be made out).
The procedures document for opening RDCs and branches outlines the characteristics considered most important for security. It notes,
"the physical protection of the monitors needs to be maintained, that is, there should not be a direct view from one workstation to another."
At the McMaster RDC, the physical setup of workstations consists of workstations set up on long tables, and there is a direct view between workstations.
Campus security provides 24/7 monitoring of the RDC facilities. They have an access card and the security code to the alarm system. The McMaster RDC has motion sensors and glass break sensors on the windows. The sensor system is activated when the RDC is closed. Additionally, the RDC has a panic button that notifies campus security of incidents during working hours. Outside of working hours, if the alarm or motion sensor system is triggered, campus security would be notified as first response. The academic director and RDC analyst would also be notified.
Access security controls
Physical access in and out of the McMaster University RDC is through a single steel door entrance. The door handle has a keyed lock. The RDC also has a door alarm system and motion detectors, which are functional and safeguard the facility after working hours. Entry to the McMaster RDC is restricted to authorized persons only. RDC staff and campus security have keys to the facility. For all other users of the facility who require access, a generic access card is programmed for their use, which must be returned to the full-time RDC analyst upon contract completion.
According to RDC and STC guidelines, RDCs must have a high-security deadbolt with a one-inch throw in place on steel entrance doors. This has been an ongoing requirement for RDCs. The audit found that the McMaster RDC did not have a high-security deadbolt on the entrance door and that this was noted as a deficiency in the 2011 physical inspection, conducted by departmental security.
RDCs must monitor all access into the facility to ensure the physical security of the centre. At the McMaster RDC, an electronic swipe card access system consisting of an identification card, which contains electronic information identifying the owner, is in place as an access control. The system records all RDC entries and exits, and RDC staff can request these access logs if required. Unauthorised visitors are not allowed past the single entry door of the RDC facility. The audit team examined the access logs for the four days auditors were on site at the McMaster facility. Although these logs had registered entries and exits of RDC and university staff, as well as researchers, the audit noted there was no record for the entries or exits of one researcher observed in the centre several times during the period examined, nor was there a record of the entries or exits of audit team members using the visitor card assigned to them.
A second control required at all RDCs is a visitor sign-in sheet. The RDC visitor protocol notes that visits by 'non-deemed' employees must be pre-planned, and a log including date, time, name of visitor, name of the employee who accompanied the visitor and reason for visit, must be kept for all such visits. The log must be kept and available for audit purposes for at least one year after an entry. Although a visitor sign-in sheet was found inside the entry door to the McMaster University RDC, interviews with RDC staff and examination of the logs found that it is not being used.
Other physical security controls
To help ensure RDC security, IT-related wiring must be channeled through walls and ceilings in secure conduits. The audit team noted that this was in place at the McMaster University RDC. There is a secure server room, which is kept locked and the facility has locked storage cabinets for storing researchers' files to protect confidential, classified, and protected information. Network B access is only available in the RDC analysts' offices. There is a separate conference room with one workstation within the facility for researchers and RDC staff to use. The printer/fax/scanning device is for RDC staff use only and is located in an RDC analyst's office. The network printer used by researchers is housed in the workstation area and researchers are able to print as needed.
Departmental physical security inspections
Departmental Security at Statistics Canada head office provides guidance and directives on physical security requirements. Physical inspections are completed upon initial opening, and STC management has recently determined that RDC inspections will take place every four years. Departmental security staff perform the physical inspections and provide recommendations to the RDC regional managers and head office staff. The last McMaster University RDC physical security inspection was conducted in December 2011. As a result of this inspection, several recommendations were noted, including the following: installation of a high-security deadbolt on the steel entrance door; frosting of the windows in the conference room, which face the researcher workstations; access card reviews to be completed quarterly; and better signage of the centre.
Although the audit found evidence of discussion among RDC analysts, regional managers, and management within Microdata Access Division related to the inspection recommendations, there was no evidence of a formal response to departmental security. Better signage had been put into place; however, recommendations related to more frequent card access reviews, the high-security deadbolt, and frosting of the windows have not been implemented. RDC staff were unclear as to whether the implementation of security inspection recommendations was mandatory.
Recommendations:
It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:
- The RDC staff at the McMaster centre understand and undertake the role of actively monitoring the operating environment and activities of researchers in the facility to ensure that they adhere to RDC, STC and TBS security requirements and guidelines.
- Procedures documents related to opening and operating RDCs and branches are clarified to determine what is considered a mandatory requirement for the physical setup of researcher workstations, to ensure an effective physical control environment.
- Recommendations arising from the Departmental Security-led physical inspection conducted in December 2011 are formally responded to, and mandatory requirements are implemented in a timely fashion.
- Automated entry logs are validated to ensure they are effective at recording all access to the RDC; and visitor logs are in place and used as required.
Management response:
Management agrees with the recommendations.
- The director of MAD will better define for analysts what 'actively monitoring' means and provide concrete examples.
Deliverables and Timeline: Communiqué to all staff on expectations for 'active monitoring'. Follow-up discussions will take place in regional meetings. This will be completed by December 2013.
- The director of MAD will ensure appropriate staffing levels are in place according to the workload, to ensure time for active monitoring.
Deliverables and Timeline: Revisit staffing level issue with the Academic Director at McMaster University, as per this year's annual review of staffing levels. This will be completed by January 2014.
- The director of MAD will review requirements for the physical setup of workstations with physical security with recommendation to use privacy screens rather than physical barriers between workstations where it makes sense to do so.
Deliverables and Timeline: A sign-off document template is in place. This will be completed by November 2013.
- The director of MAD will negotiate with Physical Security and IT Security to develop a sign-off document for all RDC inspections and to get the inspection reports in a more timely fashion. This form will require Physical Security and IT Security to sign-off on each recommended action and then final sign-off once all requirements have been met.
Deliverables and Timeline: Sign-off document template. This has been completed.
- The director of MAD will ensure that there is a review of all automated-entry logs in all RDCs. Through regional meetings RDC management will ensure all RDC staff review the requirements for using visitor logs.
Deliverables and Timeline: Identify problems with any other automated entry logs and an action plan with universities to rectify these. This will be completed by March 2014.
Information Technology Security
Roles and responsibilities at both the program and regional level related to IT security are defined and communicated.
Information technology access, identification, and authentication safeguard measures are in place and effective.
Information technology security in RDCs should be compliant with applicable TBS policies, such as the Operational Security Standards: Management of IT Security and Statistics Canada's Security Practices Manual. Roles, responsibilities, and accountabilities should be clearly defined and communicated. In the context of RDCs, IT security should include security controls that support the protection of the information system, communications with and within the information system, access controls that ensure the ability to permit or deny user access to the systems and identification and authentication controls that support the unique identification and authentication of these users.
Roles and responsibilities
The audit found that at the program level, functional authority is formally delegated to the manager/director of the RDC Program, at the regional level to the RDC regional manager, and within the actual RDCs the RDC analyst ensures the day-to-day operations. At the McMaster RDC, the IT resources are provided by a university staff member. This staff member responds to RDC analyst support requests and ensures that workstation computers, the RDC server and other IT equipment are configured to adhere to STC directives and policies.
Departmental Security and Information Technology Services at Statistics Canada head office provide guidance and directives on IT and physical security requirements. They perform the physical and IT security inspections of the RDC sites and provide recommendations to the director or manager of the RDC program. The last IT inspection of the McMaster RDC was conducted in December, 2011. Periodic inspections have been scheduled for each RDC every four years.
System and communications protection safeguards
The server at the McMaster RDC has been recently updated and is housed in a secure server room located within the conference room of the RDC. The server is a stand-alone setup with open directories, using access control lists (the ACL industry standard) to grant permissions. Apart from the wide-area network (WAN) link, the server has no external connection, so it cannot be reached remotely from outside the RDC. The McMaster RDC is scheduled for migration to the head office domain/interface prior to the end of the 2013/14 fiscal year. Once the migration takes place, user accounts will be managed by the HO RDC Program's Operations Unit. Currently, user accounts are located on servers which are set up by the RDC analysts and managed by the McMaster IT resource.
There are 11 stand-alone workstations available for use by the researchers. An additional workstation, located in the conference room, is used by research teams and student researchers to discuss results. Workstations are not connected to the internet (internet access is only available to RDC employees in the RDC analysts' offices), and data and researcher folders are stored on the server. Software is installed on each workstation by IT support, and each workstation runs an application which ensures no residual data remains on the computer upon log out.
The audit examined workstation configurations and found that the USB ports have been disabled, and that the plug-and-play feature for the keyboard and mouse ports has been configured so that if anything other than a mouse or keyboard is plugged in, the port automatically deactivates. Passwords have been configured to meet Statistics Canada's IT requirements.
Access, identification and authentication safeguards
Procedures specify that user accounts should be created only when a contract is approved and becomes active. Access should be removed upon the expiry date of the MRC and password configuration should meet Statistics Canada standards. Creation of user accounts and the granting of access to microdata files were substantiated by approved active contracts in all sampled contracts.
Administrative privileges rest with the RDC analysts and the IT support staff assigned to the RDC. The statistical assistant does not have administrative privileges. IT-related tasks have been divided among RDC staff. One RDC analyst assumes primary responsibility for creating researcher accounts and configuring them so that only data approved in the final contract are accessible. Testing of newly set-up accounts is completed by the analyst to ensure researchers can access only the data set out in the MRC. IT support is responsible for IT troubleshooting, workstation issues and all server-related requirements. Although not an STC employee, the IT support person is a 'deemed' employee and ensures systems within the RDC are configured to STC requirements. The audit noted that researchers cannot move files between projects and that password configuration within the McMaster RDC complies with Statistics Canada standards.
The audit tested access control in three ways, by examining
- UserIDs
- Active Control Listing by survey
- Active Control Listing by project numbers.
The audit examined 35 researcher userIDs at the McMaster RDC. Of these, 15 were active userIDs, 3 were accounts that had been set up but not yet activated and 17 were inactive and had been disabled. The audit team found that when researchers were associated with more than one research project, a separate userID had been created corresponding to each project.
Active Control Listings by survey name were examined for four microdata sets to confirm that only researchers holding MRCs covering those surveys had been granted access. The Active Control Listings for these surveys indicated that access was restricted to userIDs associated with authorized researchers only.
Validation of the Active Control Listing by project number was conducted to determine if project numbers had been set up to access only data associated with the project. The audit examined two separate project numbers and the userIDs associated with these projects. The audit confirmed that users would not be able to access data not associated with their project.
The audit determined that applicable IT security measures are in place and adhere to Statistics Canada's standards for safeguarding and protecting confidential data. IT access, identification and authentication safeguard measures are in place at the McMaster RDC and are working as intended.
Objective 2: The McMaster University RDC has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
Administration of Microdata Research Contracts and Confidentiality Vetting
The authority for the administration of the MRCs and the confidentiality risk analysis is formally delegated at the program and operational level. Roles and responsibilities have been formally defined and communicated. The audit found that values and ethics acknowledgement forms were not in place for some researchers with current MRCs.
Results of certain proposal evaluations for MRCs were not on file in the RDC, and in one case, the contract did not correctly reflect data that had been approved for access. As a result, researchers had access to confidential microdata that had not been approved for the project.
Processes and procedures for confidentiality vetting are in place and requests for vetting are carefully administered and effectively screened by the RDC analyst to confirm that the confidentiality of the data is not compromised. Data vetting request forms were found to be deleted once data vetting had been completed.
Administration of MRCs is a combination of assigned responsibilities and procedures that control and protect information held in RDCs. Practices include restricting access to the facility to only those researchers with valid security clearances and current contracts, ensuring researchers can only access data which have been approved for use under the specific contract, and establishing and maintaining an inventory of administrative information related to each research project.
Authority
The McMaster University RDC operates under the provisions of the Statistics Act, in accordance with all the confidentiality rules and requirements that govern Statistics Canada. The RDC is accessible only to researchers with approved projects who have been sworn in under the Statistics Act as 'deemed' employees.
Roles and responsibilities
The roles and responsibilities for the management of the MRCs, access to confidential microdata and confidentiality vetting are defined and communicated to stakeholders in policies, guidelines, standards and detailed guides. At the program level, authority is formally delegated to the RDC Manager in Statistics Canada's Security Practices Manual, which states that the RDC manager
"is responsible for establishing and maintaining an inventory of administrative information on research projects involving deemed employees for Headquarters, the regional offices and the research data centres. Information includes research proposals and other information throughout the life-cycle of the project and certification that required procedures have been followed."
All RDC contract information is stored on the Client Relationship Management System (CRMS). This database is used to manage information about MRC contracts, data sets, proposals and principal researchers authorized to have access to microdata in the RDCs. Information includes contract status, approval dates, names of researchers, reviewers and review outcomes, contract end dates and data approved for access.
Additionally, the Policy on the Security of Sensitive Statistical Information assigns to Directors,
"the responsibility for controlling and protecting all sensitive statistical information obtained or held by their respective areas in the pursuit of their program objectives. When access to sensitive statistical information is provided in a Research Data Centre or equivalent, the Manager, Research Data Centre Program, assumes these responsibilities."
Contract processing procedures
RDCs are operated under the provisions of the Statistics Act, in accordance with confidentiality rules. This mode of access is appropriate when a research question can only be answered using inferential statistical analysis on the confidential microdata. The researcher must also be willing and able to become a 'deemed' employee of Statistics Canada and conduct the data analysis in the RDC secured computer lab. [Footnote 1]
As per the Policy on the Use of Deemed Employees revised in August 2007, researchers wishing to access the RDC are required to become 'deemed' employees and undergo a reliability security screening pursuant to sub-sections 5(2) and 5(3) of the Statistics Act, and take an oath or affirmation of office and secrecy, pursuant to sub-section 6(1) of the Statistics Act. They must also sign an acknowledgment that they have read and understood the Statistics Canada Values and Ethics Code for the Public Service. These actions are to be completed prior to the MRC being signed by Statistics Canada. Once a researcher has successfully completed these requirements and attended an orientation session, they are officially a 'deemed' employee of Statistics Canada. RDC researchers and other 'deemed' employees must reaffirm their oath of secrecy under two conditions: 1) when a researcher wishes to regain data access after there has been no active contract for one year or more; or 2) when the current security clearance expires.
The audit tested to ensure that all required documentation was in place and valid for 40 researchers associated with 24 sampled contracts. Testing revealed that valid security clearances and oaths of office and secrecy had been signed by all researchers. Testing to ensure that researcher acknowledgements of the Values and Ethics Code for the Public Service were on file found that, of the 40 researchers associated with the sampled contracts, 33 had signed this acknowledgement and copies were on file. For the other 7 researchers, there was no signed copy of the acknowledgement on file, despite the fact that all 7 had contracts dated after August 2007, when the requirement was established. These researchers had, however, initialed the Conflict of Interest section of the MRC, indicating that they will conduct themselves in accordance with the principles and spirit of the Values and Ethics Code for Deemed Employees.
The Microdata Research Contract is also signed by Statistics Canada, either by the manager of the RDC program (or her delegated authority), or the director of the survey division. Upon receipt of this signature, a researcher can be given access to confidential microdata approved for their project, and commence data analysis in the RDC. The audit determined that contracts were signed by the appropriate authority at Statistics Canada.
The audit tested compliance with the contract processing procedures by reviewing a sample of 21 active and completed contracts associated with the McMaster RDC. The audit noted that one of the active contracts selected had been misclassified and was in fact held at the Guelph RDC. A second contract was associated with an STC subject-matter employee working in the McMaster RDC; all approvals and vetting for it took place at head office and were not on file within the RDC. For the remaining 19 contracts, proposals, project descriptions or course syllabi were found to be in place.
Proposal evaluations were found on file at the McMaster RDC except in the case of three contracts. For these contracts, evaluations associated with the Survey of Labour and Income Dynamics (SLID) were not found in the electronic files at the RDC. This information was found on file at head office, and one of the evaluations rejected the request for access to the data. This rejection was not reflected in the final MRC, and the audit team found during testing of userIDs that the five researchers associated with this MRC had been given access to this dataset despite the request being rejected. Internal Audit notified RDC management at head office of the issue and was subsequently advised that the access privileges to the microdata set in question had been revoked and that RDC staff had verified that the researchers had not accessed this data.
Contract processing procedures are in place within the RDC program but should be enhanced to ensure that researchers with active contracts complete all the required acknowledgments and affirmations. Additionally, results of proposal evaluations associated with MRCs should be on file and validated against MRCs to ensure researchers obtain access to approved datasets only.
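The three access-control tests described under Information Technology Security (userIDs, listings by survey, listings by project), the account-lifecycle rules (accounts created only against an active contract and removed at MRC expiry) and the SLID finding above are all one reconciliation: effective access on the server checked against what the proposal evaluations approved, not merely against what the signed MRC lists. The following is an added example in Python of that reconciliation; it is not the audit's or the RDC program's own tooling. The contract and listing data structures, the project numbers, the userIDs and the survey names other than SLID are constructed for illustration, and the audit date used for the expiry check is an assumption.

```python
"""Reconcile RDC access control listings against approved microdata contracts.

Added example; not the audit's or the RDC program's own tooling. The contract
and listing structures, project numbers, userIDs and survey names other than
SLID are constructed for illustration.
"""
from datetime import date

# Constructed sample: one userID per project, as the audit describes. 'approved'
# is the proposal-evaluation outcome; 'mrc_datasets' is what the signed MRC lists.
CONTRACTS = {
    "P-1001": {"end": date(2014, 12, 31), "userids": {"rdc1001a", "rdc1001b"},
               "mrc_datasets": {"SLID", "SURVEY_A"},
               "approved": {"SURVEY_A"}},            # SLID rejected at evaluation
    "P-1002": {"end": date(2013, 6, 30), "userids": {"rdc1002a"},
               "mrc_datasets": {"SURVEY_B"}, "approved": {"SURVEY_B"}},  # expired
    "P-1003": {"end": date(2015, 3, 31), "userids": {"rdc1003a"},
               "mrc_datasets": {"SURVEY_A", "SURVEY_B"},
               "approved": {"SURVEY_A", "SURVEY_B"}},
}

# Listings as pulled from the server: by survey (which userIDs can read each
# dataset) and by project folder (which datasets each project can reach).
ACL_BY_SURVEY = {
    "SLID": {"rdc1001a"},
    "SURVEY_A": {"rdc1001a", "rdc1001b", "rdc1003a"},
    "SURVEY_B": {"rdc1002a", "rdc1003a", "rdc9999x"},   # rdc9999x has no contract
}
ACL_BY_PROJECT = {
    "P-1001": {"SLID", "SURVEY_A"},
    "P-1002": {"SURVEY_B"},
    "P-1003": {"SURVEY_A", "SURVEY_B"},
}


def userid_index(contracts):
    """Map each userID to its project; a userID on two projects is itself a finding."""
    index, findings = {}, []
    for project, c in contracts.items():
        for uid in sorted(c["userids"]):
            if uid in index:
                findings.append(("shared_userid", uid, f"{index[uid]},{project}"))
            index[uid] = project
    return index, findings


def reconcile(contracts, acl_by_survey, acl_by_project, today):
    """Return (kind, subject, detail) findings; an empty list means the listings agree."""
    uid_to_project, findings = userid_index(contracts)

    # Test 1: userIDs. Every ID on a listing must belong to an unexpired contract.
    listed = set().union(*acl_by_survey.values())
    for uid in sorted(listed):
        project = uid_to_project.get(uid)
        if project is None:
            findings.append(("orphan_userid", uid, "no contract"))
        elif contracts[project]["end"] < today:
            findings.append(("expired_contract", uid, project))

    # Test 2: listing by survey. A userID may appear only under surveys its
    # project was approved for.
    for survey, uids in acl_by_survey.items():
        for uid in sorted(uids):
            project = uid_to_project.get(uid)
            if project is not None and survey not in contracts[project]["approved"]:
                findings.append(("unapproved_survey_access", uid, f"{project}:{survey}"))

    # Test 3: listing by project. Folder access must not exceed the approved set.
    for project, surveys in acl_by_project.items():
        if project not in contracts:
            findings.append(("orphan_project_acl", project, "no contract"))
            continue
        for survey in sorted(surveys - contracts[project]["approved"]):
            findings.append(("unapproved_project_access", project, survey))

    # Test 4: the signed MRC must agree with the evaluation outcome. This is the
    # discrepancy that let access be granted to a rejected dataset.
    for project, c in contracts.items():
        for survey in sorted(c["mrc_datasets"] - c["approved"]):
            findings.append(("mrc_evaluation_mismatch", project, survey))
    return findings


def run_sample(today=date(2013, 11, 1)):
    """Run the reconciliation over the constructed sample (assumed audit date)."""
    return reconcile(CONTRACTS, ACL_BY_SURVEY, ACL_BY_PROJECT, today)


if __name__ == "__main__":
    for kind, subject, detail in run_sample():
        print(f"{kind:28} {subject:10} {detail}")
```

Run against the sample, the script reports the rejected SLID dataset three times (on the survey listing, on the project folder, and as an MRC/evaluation mismatch), an expired contract whose userID is still listed, and a userID with no contract at all. Each listing is a separate source of truth, so the same root cause surfacing under more than one test is expected and is what makes the check robust to a single listing being stale.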
Confidentiality vetting
RDCs are repositories of Statistics Canada microdata files that are accessible to researchers with approved projects. Effective and appropriate processes and procedures for confidentiality vetting should be in place and adhered to in order to significantly reduce the risk of unwanted disclosure. Confidentiality vetting should be carefully administered by the RDC analyst, as per the established protocols, to ensure that confidentiality of data is not compromised.
Confidentiality vetting is the process of screening research outputs, syntax or any confidential data-related material to assess the risk of a prohibited disclosure. This is done by analysing whether obvious identification of individual cases or information about individual cases can be inferred or deduced from the statistical output.
Roles and responsibilities
The RDC Analyst's primary responsibility with respect to confidentiality vetting is to ensure confidentiality is not breached when allowing research outputs to leave the RDC. The analyst should review all materials that the researcher would like to remove from the RDC and the final responsibility and decision to release the output rests with the analyst. At the McMaster RDC, the majority of confidentiality vetting is completed by one of the part-time RDC analysts. This analyst works two days at the McMaster facility (working the three other days at a different RDC in Ontario). This same analyst has been working with the RDC program for several years and, along with having active MRCs, understands Statistics Canada data and the confidentiality requirements.
Confidentiality vetting is conducted using the survey-specific guidelines for all surveys housed in the RDCs. Questions or concerns related to the vetting process or to unfamiliar statistical techniques are addressed by the RDC regional manager or with the RDC Vetting Committee.
During the orientation session, researchers receive training related to the confidentiality vetting process and the required documentation for vetting requests. This documentation includes descriptions of variables, weighted and non-weighted counts, syntax and completion of the disclosure request form for every output request.
Processes and procedures
A detailed draft document entitled, Disclosure Control Rules for Outputs from Survey Data at RDCs provides instructions on how to conduct and perform confidentiality vetting. Guidelines on disclosure risk analysis for various data types and descriptive or tabular output and variance-covariance and correlation matrices, graphs, and models are included.
Confidentiality vetting guidelines and processes are found in the Researcher Guide. An important part of the process is for researchers to complete the 'Vetting Request Form' (formerly known as 'Disclosure Request Form'), which provides the required information for the analyst to conduct and document the vetting request. Information required from the researcher includes:
- the name of the output file, survey and cycles used
- characteristics of the population being analyzed
- the statistical procedure and weights used
- a description of the variables
- weighted and unweighted outputs.
Once the vetting is complete, output deemed non-confidential is released to the researcher.
The audit tested 19 active and completed contracts to ensure confidentiality vetting took place and was appropriate. Among the 19 contracts, no data had been submitted for vetting in 7. Among the remaining 12 contracts that required vetting, the audit found evidence that confidentiality vetting took place. However, completed confidentiality vetting forms were not found in the files. The RDC analyst noted that, although researchers submit these forms with vetting requests, once the analyst has completed the vetting the forms are deleted or shredded and not kept in the records. Because each subsequent vetting request depends on previously vetted information, the absence of completed vetting forms makes it inefficient and difficult for the analyst to determine what has been previously vetted. Moreover, should another RDC analyst take over the confidentiality vetting task, it would be time-consuming to trace back what has been vetted. Despite the absence of completed vetting forms, the audit team was able to determine, using submitted output and other documentation (such as syntax and variable lists), that for the twelve contracts that required vetting of output, confidentiality vetting took place and was appropriate. 'To be vetted' folders contained syntax files, weighted and unweighted outputs and, where appropriate, previously vetted data. Vetted data folders contained evidence that confidentiality vetting was completed for all 12 contracts, including checks of minimum cell counts, removal of unweighted output and suppression of weighted output in cases where confidentiality was at risk.
The audit determined that confidentiality vetting takes place. Completed confidentiality vetting request forms are deleted upon completion of the request, making any subsequent vetting associated with the project inefficient and more difficult to trace back what had been completed.
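The checks the audit found in the vetted-data folders (minimum cell counts, release of weighted output only, suppression of at-risk cells) can be expressed as a small disclosure-control routine over a tabular vetting request that carries both weighted and unweighted counts, as the Vetting Request Form requires. The following is an added example in Python; it is not the RDC program's tooling and the page's Disclosure Control Rules are not reproduced here. The minimum unweighted count of 5 is an assumption (the page does not state the threshold), the sample table is constructed, and the complementary-suppression step goes beyond what the page describes: it assumes row and column totals are released alongside the table, so a lone suppressed cell in a row or column could be recovered by subtraction and a second cell must be suppressed with it.

```python
"""Cell-count check and suppression for a tabular vetting request.

Added example; not the audit's or the RDC program's own tooling. Assumptions
not stated on the page: the minimum unweighted cell count is 5, and released
tables carry row and column totals, so a lone suppressed cell in any row or
column needs a complementary suppression to block recovery by subtraction.
"""

MIN_UNWEIGHTED = 5  # assumed threshold

# Constructed sample: row label -> one (unweighted count, weighted estimate) per column.
SAMPLE = {
    "A": [(12, 1200.4), (3, 310.0), (20, 2010.7)],   # (3) is below threshold
    "B": [(8, 830.2), (15, 1480.9), (11, 1090.3)],
    "C": [(30, 3005.5), (25, 2510.0), (18, 1790.0)],
}


def primary_suppressions(table, min_unweighted):
    """Cells whose unweighted count is below the threshold: the minimum cell count check."""
    return {(r, j) for r, cells in table.items()
            for j, (n, _) in enumerate(cells) if n < min_unweighted}


def _complement(line, suppressed):
    """For one row or column given as [(cell_key, unweighted), ...]: if exactly one
    cell is suppressed, return the unsuppressed cell with the smallest unweighted
    count so it can be suppressed too; otherwise None."""
    hidden = [key for key, _ in line if key in suppressed]
    if len(hidden) != 1:
        return None
    candidates = [(n, key) for key, n in line if key not in suppressed]
    return min(candidates)[1] if candidates else None


def complementary_suppressions(table, suppressed):
    """Add suppressions until no row or column has a single suppressed cell."""
    rows = list(table)
    ncols = len(next(iter(table.values())))
    lines = [[((r, j), table[r][j][0]) for j in range(ncols)] for r in rows]
    lines += [[((r, j), table[r][j][0]) for r in rows] for j in range(ncols)]
    suppressed = set(suppressed)
    changed = True
    while changed:
        changed = False
        for line in lines:
            extra = _complement(line, suppressed)
            if extra is not None:
                suppressed.add(extra)
                changed = True
    return suppressed


def vet_table(table, min_unweighted=MIN_UNWEIGHTED):
    """Return (releasable table, suppressed cells). The releasable table holds
    weighted estimates only, with None where a cell is suppressed; unweighted
    counts are used for the check and never appear in the output."""
    suppressed = complementary_suppressions(
        table, primary_suppressions(table, min_unweighted))
    released = {r: [None if (r, j) in suppressed else w
                    for j, (_, w) in enumerate(cells)]
                for r, cells in table.items()}
    return released, suppressed


if __name__ == "__main__":
    released, suppressed = vet_table(SAMPLE)
    for r, cells in released.items():
        print(r, ["x" if v is None else f"{v:.1f}" for v in cells])
    print("suppressed:", sorted(suppressed))
```

On the sample, the single small cell (row A, second column) is suppressed, then its row and the affected columns each lose one further cell, leaving a 2x2 block withheld; everything else is released as weighted estimates. The loop terminates because each pass either adds a cell or stops, and the number of cells is finite.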
Recommendations
It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:
- When MRCs are created, updated, revised or extended, RDC staff confirm that researchers meet all security, confidentiality, conflict of interest, and values and ethics code requirements in place at the time of the new or updated contract.
- Results of proposal evaluations are on file and validated against final MRCs to ensure that access to confidential microdata is restricted to researchers whose requests for data access have been approved.
- Completed confidentiality vetting request forms submitted with output for vetting are kept on file for future reference.
Management response:
Management agrees with the recommendations.
- The Director of MAD has been working with IMD to revise our Microdata Research Contract (MRC) so that we reduce multiple forms with multiple researcher signatures. The new MRC is almost ready and will be standard for CDER, the FRDC and the RDCs. This will clarify what signatures are required.
  Deliverables and Timeline: New Microdata Research Contract. This will be completed by January 2014.
- The Director of MAD will implement a new procedure to ensure that data sets not approved for access within a larger approved project are better identified for analysts.
  Deliverables and Timeline: New procedure documented and implemented. This will be completed November 2013.
- The Director of MAD notes that completed forms are already retained with each project, but where they are retained is inconsistent. We will establish a consistent location for all analysts to store vetting request forms.
  Deliverables and Timeline: New procedure documented and implemented. This will be completed in March 2014.
Appendices
Appendix A: Audit criteria
Control Objectives / Core Controls / Criteria | Sub-Criteria | Policy Instrument
---|---|---
1) The McMaster University RDC complies with applicable TBS and Statistics Canada policies and standards regarding Information Technology Security and Physical Security to ensure that confidentiality of data is protected in the delivery of services. | |
Stewardship | |
1.1 Appropriate physical and IT controls exist. (ST-11) | 1.1.1 Logical access controls exist to ensure access to systems, data and programs is restricted to authorized users. 1.1.2 Access to the RDC facilities in the region is physically restricted and enforced for the protection of sensitive assets. 1.1.3 Procedures exist and are applied in order to keep authentication and access mechanisms effective. | TBS Government Policy on Security; TBS Standard on Physical Security; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; Internal RDC physical and IT security documentation; Security of Sensitive Statistical Information; Statistics Act; Discretionary Disclosure Directive; Policy on Deemed Employees
1.2 Records and information and other sensitive assets are safeguarded using information systems which are maintained in accordance with applicable laws and regulations. (ST-12) | 1.2.1 Procedures to safeguard and protect the use of assets (i.e. authorized use only) exist and are adhered to. 1.2.2 Physical and IT security measures adhere to applicable TBS policies and Statistics Canada policies and procedures. 1.2.3 Exceptions to required TBS or Statistics Canada policies and procedures are identified and appropriate actions are taken. | Security of Sensitive Statistical Information; Discretionary Disclosure Directive; Internal RDC physical and IT security documentation; Internal RDC confidentiality documentation; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; TBS Government Policy on Security; TBS Standard on Physical Security
1.3 Management has established processes to develop and manage relevant agreements, Memoranda of Understanding (MoUs), and/or contracts, for the purposes of the RDC Program in the region. (ST-22) | 1.3.1 The processes governing access to data adhere to applicable TBS and Statistics Canada IT security policies. 1.3.2 For services delivered by external IT service providers, management has implemented a program to monitor their activities. | Management Accountability Framework; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Act; Security of Sensitive Statistical Information; Discretionary Disclosure Directive; Policy on Deemed Employees; Statistics Canada IT Security Policy; Internal RDC documentation
1.4 Management has designed and implemented effective general computer controls for RDC systems. (ST-23) | 1.4.1 Appropriate levels of management have designed and implemented processes, procedures, and controls for safeguarding Statistics Canada microdata files including: | Management Accountability Framework; RDC Security Inspection reports; Statistics Canada Security Practices Manual
2) The McMaster University RDC has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services. | |
Accountability | |
2.1 Authorities, responsibilities and accountabilities are formally defined, clear and communicated. (AC-1) | 2.1.1 Responsibilities and accountabilities are formally defined and clearly communicated for Statistics Canada employees, researchers and RDC partners. 2.1.2 All applicable agreements and documents clearly outline each party's roles, responsibilities and accountabilities as they relate to the RDCs and the confidentiality of Statistics Canada data. 2.1.3 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined. | Management Accountability Framework; Security Practices Manual; Internal RDC roles and responsibilities documentation; Policy on Deemed Employees; Statistics Act; Policy on the Security of Sensitive Statistical Information; MRC contract templates; Oath / Affirmation of Secrecy; Values and Ethics documents; RDC Researcher Handbook; Internal Confidentiality Vetting documents
2.2 A clear and effective organization structure is established and documented for the RDC program. (AC-2,3) | 2.2.1 Functional authority for physical and IT security is appropriately vested in and exercised by functional heads, as it relates to the RDC Program both at the program and regional RDC level. 2.2.2 The organizational structure for the RDC program, both at the program and regional level, permits clear and effective lines of communication with external partners and reporting regarding confidentiality, IT and physical security. | Security Practices Manual; Policy on Deemed Employees; Procedures for opening an RDC; Procedures for operating an RDC; RDC Organizational documentation and chart; RDC documentation for staff; RDC documentation for Academic Directors; RDC documentation for researchers
Risk Management | |
2.3 Management identifies, assesses and responds to the risks that may preclude the achievement of its objectives. (RM-2) | 2.3.1 Risks are identified at both the program and regional levels, respectively, and take into consideration the internal and external environments of the RDC Program. 2.3.2 Management-led physical and IT security control assessments exist, with input from relevant corporate service functions. | Management Accountability Framework; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; RDC Security Inspections
2.4 Management identifies and assesses the appropriateness of existing controls to effectively manage its risks. (RM-3) | 2.4.1 Formal processes and guidelines exist to assess the controls in place to manage identified risks. | RDC Researcher Guide; Policy on the Security of Sensitive Statistical Information; Internal Confidentiality Vetting documents; RDC Security Inspections
Public Service Values | |
2.5 Employees formally and periodically acknowledge compliance with Statistics Canada's policies, as it pertains to the confidentiality of sensitive statistical information. (PSV-5) | 2.5.1 Upon commencement with the organization, all Statistics Canada and deemed staff are required to sign a statement (e.g. the Statistics Act / Statistics Canada Oath) acknowledging understanding of and compliance with relevant RDC Program policy. 2.5.2 Compliance is periodically acknowledged by Statistics Canada employees, deemed employees and external partners, where applicable. | Statistics Act; Oath of Secrecy; Values and Ethics documents; RDC Researcher Guide; Policy on the Security of Sensitive Statistical Information; Policy on Deemed Employees; Statistics Canada Security Practices Manual; Internal RDC security documentation
Appendix B: Acronyms
Acronym | Description
---|---
ACL | Active Control Listing |
CIHR | Canadian Institutes of Health Research |
CRDCN | Canadian Research Data Centre Network |
CRMS | Client Research Management System |
CS | Chief Statistician |
DAC | Departmental Audit Committee |
DS | Departmental Security |
FRDC | Federal Research Data Centre |
ICN | Internal Communication Network |
IIA | Institute of Internal Auditors |
IT | Information Technology |
MAD | Microdata Access Division |
MRC | Microdata Research Contract |
PUMF | Public Use Microdata File |
RAID | Redundant Array of Independent Disks |
RDC | Research Data Centre |
SLID | Survey of Labour and Income Dynamics |
SSHRC | Social Sciences and Humanities Research Council |
TBS | Treasury Board Secretariat |
USB | Universal Serial Bus |
WAN | Wide Area Network |
Notes
Footnote 1: For a detailed description of the contract processing procedures refer to Appendix A.