Audit of Internal Controls over Data-Sharing Agreements

Audit Report

November 14, 2013
Project Number: 80590-80

Executive Summary

Data-sharing agreements (DSAs) under sections 11 and 12 of the Statistics Act have become a key business process. These agreements now number approximately 500, cover nearly all of the business surveys and a majority of household surveys, and enjoy certain exceptions regarding the release of confidential respondent information. The accumulation of DSAs is a reflection of the need for cooperation between Canadian organizations in the collection, compilation and publication of the statistical information. In recent years, data-sharing has become a growing and increasingly complex area to manage and ensuring confidentiality protection of shared data, a key value of Citizen-Focused Service, Public Service Values and Stewardship at Statistics Canada, is a challenge.

The objectives of this audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:

  • The Agency has an adequate and effective management control framework in place to ensure DSA management processes are consistently designed, fully implemented, and ongoing monitoring of DSAs is carried out; and
  • The Agency's Data Sharing Agreements are internally managed to comply with relevant TBS policies, Statistics Canada policies, and legislative requirements.

The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Roles and responsibilities for key stakeholders with respect to the development; implementation, management and monitoring of data-sharing agreements have been formally defined. Clarifying the governance over the electronic file transmission (e-FT) service would ensure a consistent service model and provide support to statistical programs.

The suite of policy instruments related to the governance and application of DSAs are not cross-referenced and do not indicate which policy overrides the other when they overlap. This has resulted in confusion and inefficient application of requirements across divisions.

Within some statistical programs, segregation of duties between data preparation and approval prior to transmission of information is not in place. Requirements in the Directive on Data Sharing under Sections 11 and 12 (the Directive) with respect to the status of DSAs, sharing of information, monitoring and ongoing review are not followed and an inventory of all valid DSAs under sections 11 and 12 signed by Statistics Canada at a given point in time was not available.

Practices for the management of data-sharing agreements are in place and overall, statistical programs are compliant with the relevant TBS and Statistics Canada policies, and legislative requirements.

Electronic transmission of information under DSAs is in place and effectively protects and safeguards Statistics Canada's confidential information. Information transmitted by portable storage devices did not always have the appropriate security in place for secure transmittal.

Overall Conclusion

Improving the policy framework for the management of DSAs will help with consistent understanding and efficient application of requirements across divisions. Additionally, implementing the requirements of the Directive will ensure sound management and protection of confidential information. Efficiencies can be gained by strengthening some of the elements of the management control framework, such as: clarifying the governance for the e-FT service to ensure a consistent service model and provide support to statistical programs; and enforcing segregation of duties between data preparation and approval of data prior to transmissions to ensure that confidentiality of information is protected in the delivery of services.

The Agency has deployed significant effort and attention to the management of DSAs over the past two years. As a result, the audit found that practices for the management of data-sharing agreements are in place and overall, statistical programs are compliant with the relevant TBS and Statistics Canada policies, and legislative requirements. Through audit testing, no breaches of privacy were observed. However, because the impact of any security breach would be high, security practices for transmission by portable storage devices should be clarified and enforced.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

An important aspect of Statistics Canada's mandate is to work with other government departments - federal, provincial or municipal – and legal entities in the collection, compilation and publishing of statistical information. In working with these organizations Statistics Canada addresses another aspect of its mandate: to promote the reduction in the duplication of efforts in collecting statistical information. Data- sharing is a means to achieving this objective. Data-sharing is formalized in a written agreement between the two organizations.

The Statistics Act allows for two different types of data-sharing agreements (DSAs):

  • s.11 DSAs: permits data-sharing with provincial/territorial statistical offices that are subject to legislation similar to the federal Statistics Act which provides the authority to collect information for statistical purposes and to compel response from respondents and to request mandatory data-sharing; it stipulates legal requirements to ensure confidentiality protection of the respondent information and to notify respondents of the planned data-sharing;

    s.12 DSAs: permits data-sharing with other federal government departments, non-statistical provincial government departments, municipal corporations and the statistical agencies in Prince Edward Island, the Northwest Territories and Nunavut and other legal entities, which either have (according to their own legislation) or do not have the legal authority to compel response and to request mandatory versus voluntary data-sharing. In fact, Statistics Canada can enter into a section 12 agreement with any organization that is a legal entity. Therefore it cannot have a sharing agreement with an individual researcher, but could have one with a university. Section 12 DSAs stipulate legal requirements to ensure confidentiality protection of the respondent information, to notify respondents of the planned data-sharing, and, in case of the voluntary data-sharing, to inform respondents about their right to object to data-sharing.

DSAs have become a key business process. These agreements now number approximately 500 and most are classified as providing for voluntary data-sharing. These fall under s.12 DSAs where respondents have the right to refuse to share the information. The remainder of the agreements are split between the mandatory data-sharing under s.11 provincial/territorial DSAs and mandatory data-sharing under so-called s.12+ DSAs. Data-sharing agreements cover nearly all of the business surveys and a majority of household surveys at Statistics Canada. The accumulation of DSAs is a reflection of the need for cooperation between Canadian organizations in the collection, compilation and publication of the statistical information.

In recent years, data-sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality protection of shared data, a key value of Citizen-Focused Service, Public Service Values and Stewardship at Statistics Canada, is an ongoing challenge. DSAs are covered by a multi-party management framework, characterized by a distributed management under various responsibility arrangements between the units of Statistics Canada and DSA partners.

Audit Objectives

The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:

  • The Agency has an adequate and effective management control framework in place to ensure DSA management processes are consistently designed, fully implemented, and on-going monitoring of DSAs is carried out; and
  • The Agency's Data-Sharing Agreements are internally managed to comply with relevant TBS policies, Statistics Canada policies, and legislative requirements.

Scope

The scope of this audit included an examination of the adequacy and effectiveness of the controls over the management and handling of DSAs. Specific areas examined included: operational processes and controls that enable consistent application of a common business process, as well as the tools, training and information management practices that support clear accountability and compliance to applicable policies and procedures.

The scope of the audit included the Business Statistics (Field 5) and Social, Health and Labour Statistics (Field 8) of the Agency and examined a sample of DSA files for which data sets were shared in fiscal years 2011-12 and 2012-13.

Approach and Methodology

The audit work consisted of examination of documents, interviews with key Senior Management and personnel, and a review of compliance with relevant policies and guidelines. (See appendix A: Audit Criteria for details.)

The field work included a review, assessment, and testing of the processes and procedures in place to ensure that operational processes and controls are consistently applied; and tools, training and information management practices support clear accountability and compliance to applicable policies and procedures. A random and judgmental sample of 42 DSA data files (see appendix B: Sample Selection) were selected and tested for compliance with the DSA and the survey template; compliance with the Policy on Official Release; transmission and data protection; and transmission only to a designated official contact.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18.

Findings, Recommendations and Management Response

Objective 1: The Agency has an adequate and effective management control framework in place to ensure DSA management processes are consistently designed, fully implemented, and on-going monitoring of DSAs is carried out.

Governance

Roles and responsibilities for key stakeholders with respect to the development; implementation, management and monitoring of data-sharing agreements have been formally defined. Clarifying the governance over the electronic file transmission (e-FT) service would ensure a consistent service model and provide support to statistical programs.

The suite of policy instruments related to the governance and application of DSAs are not cross-referenced and do not indicate which policy overrides the other when they overlap. This has resulted in confusion and inefficient application of requirements across divisions.

Within some statistical programs, segregation of duties between data preparation and approval prior to transmission of information is not in place. Requirements in the Directive on Data Sharing under Sections 11 and 12 (the Directive) with respect to the status of DSAs, sharing of information, monitoring and ongoing review are not followed and an inventory of all valid DSAs under sections 11 and 12 signed by Statistics Canada at a given point in time was not available.

Data-sharing agreements are covered by a multi-party management framework, characterized by a distributed management under various responsibility arrangements between the units of Statistics Canada and the DSA partners. Oversight, clear delineation of responsibilities and lines of communication to support effective coordination between all the stakeholders should exist to ensure efficient and effective operations. Guidance and processes and procedures should be fully integrated and documented and monitoring of operational performance should exist to detect errors or potential errors which would otherwise preclude the achievement of objectives and increase operational risk.

Strategic direction and oversight

Strategic direction and an oversight framework with respect to the management and handling of DSAs are in place at the Corporate and Operational level.

Corporate direction and oversight is provided by the Security Coordination Committee. It reviews all proposals for electronic transmissions before final approval by the Policy Committee. The newly formed Electronic File Transfer Dissemination Governance Committee, created by the Dissemination Division in the summer of 2012 provides strategic direction at the operational level. It has the mandate to establish consistent standards for all incoming and outgoing confidential data and to approve the release of survey data covered by a DSA. The committee has been active in approving the release of survey data since 2012.

Roles and Responsibilities

Information Management Division and Other Stakeholders

The primary responsibility for the implementation of the Directive resides with the Director, Information Management Division (IMD). Other stakeholders' responsibilities are also listed in the Directive such as those for directors of statistical programs, physical and IT security managers, Assistant Chief Statisticians, the Chief Statistician, the Chief Audit Executive, as well as heads of organizations receiving data from Statistics Canada under a DSA. The monitoring function is to be shared between IMD and the managers of statistical programs.

The audit revealed that, while many of the responsibilities outlined in the Directive have been implemented by IMD, there are certain sections that have not yet been implemented nor enforced. IMD's current Data Access and Control Services (DACS) database has limited capacity, configuration and reporting functionality to maintain the information required to be provided by the divisions regarding the status of DSAs and data shared under a DSA. Failure to implement and enforce the requirements stipulated in the Directive results in increased risk of not meeting the Directive's objective and expected results.

Statistical Programs

Roles and responsibilities for the operational implementation and management of sections 11 and 12 data-sharing agreements reside with the directors of statistical programs. Section 6.2 and Appendices B and C of the Directive describe in detail the requirements and processes that must be followed by the Director and Operational Manager of a statistical program. Therefore, it is the responsibility of each director to ensure that their divisions comply with the requirements of the Directive. In establishing roles and responsibilities related to the preparation of statistical information, Statistics Canada's Quality Guidelines recommends that certification or validation should be segregated such that validation is completed by individuals who did not take part in the production or preparation of the data.

Interviews revealed that each division has created its own structure based on the size of the division and the volume of DSA activity. In divisions with low DSA activity, only one or two people perform all tasks related to the management of DSAs and the dissemination and transmission of data; while divisions with higher volumes of DSA activity have several employees involved. Some divisions with higher volumes of DSA activity have a decentralized process where each unit within the division performs its own management, dissemination and data transmission functions; while other divisions have elected to centralize these functions within the division to promote efficiency and consistency.

The audit revealed that, regardless of the size or structure of the division or the volume of DSA activity, the roles of the employees involved with DSAs have evolved over time more so than being formally defined and, for the most part, these roles are being adequately performed. However, a lack of segregation of incompatible functions exists within some divisions. Whether a division has centralized or decentralized DSA functions, there were instances where the same employee was preparing and transmitting a share file with no independent verification and approval. Segregation of duties is a key internal control to prevent unintentional errors and ensure timely detection of errors that may occur.

Information Technology

The IT group's main responsibility with respect to the management of DSAs is the secure transmission of data via the Electronic File Transfer (e-FT) service which is the corporate system used by Statistics Canada for the transmission of protected information. The requirements of the users of the e-FT system are outlined in a guide called the e-File Transfer Service – STC Internal User Guide (the Guide). Due to the technical nature of the guide, it is not maintained on the intranet site and is distributed mainly to divisions that have had e-FT training. Due to time constraints and an increased demand for the e-FT services, not all divisions have received training on e-FT.

The audit revealed that, while the roles and responsibilities of the users of the e-FT system are outlined in the Guide, the roles and responsibilities of the Collection Systems Division (CoSD), the Collection Planning and Management Division (CPMD), and the Information Technology Operations Division (ITOD) require some clarification. Interviews revealed that corporately, there is lack of clarity regarding the official business ownership of the e-FT system, including the training function. Over the last two years, certain services had been transferred from CoSD to CPMD, and other services such as service delivery and training that were planned to be transferred had not yet been transferred.

The lack of clarity surrounding the e-FT service process has resulted in an inconsistent e-FT service model to the statistical programs. Some programs are not yet set-up with e-FT service and some of them had concerns about the time-consuming nature and complexity of the e-FT service set-up process. At the time of the audit, CoSD and CPMD were planning to have meetings to determine a course of action. A lack of clarity with respect to the business ownership of the e-FT service process results in users not fully understanding their duties and leads to ineffective or inefficient processes being applied.

Guidance for management of data-sharing agreements

At Statistics Canada, guidance and direction for handling and managing data-sharing agreements are contained in numerous legislative and policy instruments. Specifically:

  • The Directive on Data Sharing under Sections 11 and 12 which provides guidance on the development, implementation, and management and monitoring of data-sharing agreements.
  • The Statistics Act, Privacy Act, Policy on Privacy Impact Assessments, Policy on Informing Survey Respondents, Policy on Security of Sensitive Statistical Information, IT Security Policy, Policy on Micro-Data Release, Policy on Discretionary Disclosure, and The Security Practices manual which provide guidance on DSA confidentiality compliance; and dissemination and transmission requirements.
  • The Policy on Official Release outlines the timing and the conditions under which information can be released to the public in relation to the date specified in The Daily, Statistics Canada's official release vehicle, as well as circumstances under which information can be released prior to the official release date in The Daily.

The audit found that users have difficulty following and piecing together the information contained in the numerous policy instruments. Sometimes, guidance in the numerous policy instruments overlaps, without clearly indicating which policy instrument overrides the others. This combined with lack of clarity arising from legal and undefined terminology has created operational inefficiencies because users are frequently seeking clarification from subject matter divisions i.e. IMD, IT, Communication and Dissemination. For example, a review of the Directive effective May 15th, 2013 revealed that it did not include a section on the recent changes regarding the April 1, 2013 implementation of 2 new forms: Form 1 – Acknowledgement of Transfer by Directors, which is to be signed by the Director of a statistical program each time that information is to be shared with a partner; and Form 2 – Acknowledgement of Transfer by External Partners, which is to be signed by the sharing partner and returned to Statistics Canada upon receipt of data shared. Interviews revealed that users had only recently become aware of the new forms and most of them stated that either they had or would be contacting IMD for clarification and more information on these new requirements.

There is awareness of the Directive and the Policy on Official Release but not familiarity with all of their contents. Users expressed concerns about the limited training on the DSA process and on the requirements of the Directive and Policy on Official Release. A pilot training session on 'Disclosure controls for confidential information' was delivered by IMD in the summer of 2013 to select groups (at the director level) and plans are under way to deliver this training to divisions starting in the fall of 2013. Communications division has also scheduled information sessions in October 2013 for all Statistics Canada staff on the updated Policy on Official Release.

Documented processes and procedures for the management of DSAs

Each division has established its own practices, depending on their respective needs and which, for the most part, are functioning well. For some divisions, data transmission under a DSA occurs infrequently, such as only once a year, every two years or, in one case, every 10 years. In these cases, management and staff indicated that they normally rely heavily on IMD and or IT to assist them with the required steps to follow. Other divisions transmit data on a regular basis such as quarterly, monthly, or even weekly. Generally, these employees, particularly those who had been in their positions for many years, indicated that they are quite familiar with the process and, therefore, they would not require documented processes.

Manufacturing and Energy Division (MED) which has a large volume of DSAs has developed thorough documented processes and procedures. It has centralized the dissemination section to create an ongoing capacity, including trained and experienced staff. They have created an Excel document that is stored on a share drive outlining the specific procedures related to different types of data-sharing under various forms of DSAs. This mechanism helps the subject matter expert to easily consult procedures and inform the partner up-front what can and cannot be shared, thereby promoting a better relationship with the partner.

A summary worksheet outlines the rules and requirements for each type of DSA (i.e. Section 11, 12, 12+) and for Work-in-Progress (WIP) or other advance releases. It also includes hyperlinks to other worksheets, outlining specific rules for each situation.

Separate worksheets are used to maintain an inventory of DSAs for MED surveys by year, and an inventory of MED WIPs by year and ongoing, or for a one-time status. A checklist called Encryption Request Checklist has been developed for completion by the Analyst before it is submitted to the Dissemination section to request the encryption and e-FT of the data to the partner. The Dissemination section handles the e-FT and maintains a data encryption log to meet the requirements of the Directive. A Procedures-File Transmission document provides detailed steps on how to prepare a file for transmission, complete with print screen illustrations using Entrust for encrypting and password protecting the files and the steps to follow to prepare and share data files either via e-FT or CD.

Clearly documented processes and procedures would help statistical programs to establish consistent practices for the management of DSAs and the dissemination and transmission of confidential data. Documented processes are particularly helpful when staff turnover occurs, and would reduce divisions' heavy reliance on IT and IMD when data transmissions are few and far between, making the processes more efficient. Statistical programs that have not documented their own processes, could consider developing their own by leveraging and adapting MED's documented processes and procedures to meet their program's respective needs and practices.

Monitoring activities

The Statistical Agreements, Legislation and Licensing (SALL) section of IMD has the functional responsibility for the management of the DSAs under sections 11 and 12 of Statistics Act and to account for the legal authorizations provided by the Chief Statistician for the collection and release of confidential information. Statistical program areas rely on SALL to maintain an inventory of their data-sharing agreements and to provide them the information they need to manage their responsibilities related to DSAs.

SALL uses the Data Access and Control Services (DACS) database to keep an inventory of all currently valid data-sharing agreements signed by Statistics Canada under sections 11 and 12.

The audit noted that an inventory of all valid DSAs under sections 11 and 12 signed by Statistics Canada at a given point in time was not available; and ongoing review and comparison of the information in the database with actual existing DSAs does not occur. IMD has received approval for the renewal of the DACS database through Statistics Canada's Long Term-Planning process. The renewal initiative will start in April 2014.

Appendix C of the Directive on Monitoring of Data-sharing Agreements outlines the responsibilities related to the monitoring of compliance with DSAs to ensure that due diligence and legal requirements are met, particularly with respect to the protection of confidentiality and respondent information. The Directive states that IMD and managers of statistical programs have shared responsibilities for the monitoring of DSAs. Section 6.1.10 and Appendix B provides steps to follow for the amendment, renewal or termination of an existing DSA under s.12 and outlines the responsibilities for monitoring the term limits of DSAs and informing program managers of agreements nearing the termination date (at least every 6 months).

The audit revealed that 317 out of 495 (64%) DSAs under section 12 are not active but the data shared under these DSAs is still in the custody of the share partners, and are considered 'active' from a legal standpoint. These DSA templates did not have a finite termination period, compared to DSAs using the new template (as of 2010) which specify a termination period of 6 years. Two divisions account for the majority of these DSAs. Interviews with the directors of these divisions revealed that they were not aware of the large number of old DSAs in their divisions, or of the status of these DSAs, and were not clear about what is expected of them regarding the management and the ongoing review of the status of the DSAs, or how to proceed with that duty.

The audit concluded that there is a lack of monitoring and ongoing review of the status of the DSAs. This increases the risk of failure to detect confidentiality breaches in relation to the DSA legislative and policy requirements and failure to implement timely and effective corrective measures.

Recommendations:

The Assistant Chief Statistician Analytical Studies, Methodology and Statistical Infrastructure should ensure that:

  • Segregation of duties related to the preparation and approval of data for transmission is in place, where practical.
  • All governance instruments related to the management and application of DSAs are cross-referenced and indicate which policy overrides others when there are overlaps, to ensure a consistent understanding and efficient application of DSA requirements.
  • The current inventory for DSAs under section 12 is assessed for continued relevance; and the Directive requirements related to sharing of information, monitoring and ongoing review of the status of DSAs occurs on a regular basis in compliance with the Directive on Data Sharing under Sections 11 and 12.

Management Response:

Management agrees with the recommendations.

  • The Director of IMD will provide data sharing programs with guidelines and requirements on managing DSAs including segregation of duties where practical, in the context of managing data sharing agreements. Directors of programs with DSAs will be responsible to ensure implementation.

    Deliverables and Timeline: DSA toolkit will be developed. This will be completed by March 2014.
  • The Director of IMD will conduct a review of relevant governance instruments to ensure clarity of language and to establish precedence as required.

    Deliverables and Timeline: Updates to Statistics Canada Policy Suite as well as the DSA toolkit. This will be completed by December 2014.
  • The Director of IMD will establish and implement a process for regular and ongoing review of Section 12 DSAs and implement changes to Data Access Control System (DACS) to facilitate review, monitoring and assessment.

    Deliverables and Timeline: Implement process for regular and ongoing review of Section 12 DSAs. This will be completed by January 2014. Implement changes to Data Access Control System (DACS). This will be completed by December 2015.

Recommendations:

The Assistant Chief Statistician Census, Operations and Communications should ensure that:

  • Governance related to the electronic file transmission service is clarified.

Management Response:

Management agrees with the recommendations.

  • The Directive on the Transmission of Protected Information will be strengthened and communicated to all Agency managers by the Director of Dissemination Division and Director of IMD.

    Deliverables and Timeline: Update to the Directive on the Transmission of Protected Information. This will be completed by December 31, 2013.
  • All exemptions from using the e-FT service will now be approved by the Security Coordination Committee

    Deliverables and Timeline: Security Coordination Committee will develop a communication strategy to inform Agency managers on the changes to the Directive on the Transmission of Protected Information and the process to seek exemption. This will be completed by January 2014.

Objective 2: The Agency's Data Sharing Agreements are internally managed to comply with relevant TBS policies, Statistics Canada policies, and legislative requirements.

Stewardship

Practices for the management of data-sharing agreements are in place and overall, statistical programs are compliant with the relevant TBS and Statistics Canada policies, and legislative requirements.

Electronic transmission of information under DSAs is in place and effectively protects and safeguards Statistics Canada's confidential information. Information transmitted by portable storage devices did not always have the appropriate security in place for secure transmittal.

Sound internal controls to ensure compliance by users with all applicable policies, laws and legislative requirements should be in place and integrated into business practices to protect and safeguard Statistics Canada confidential information against loss, theft, compromise or improper disclosure.

Practices for Management of the Data Sharing Agreements

The audit tested a sample of 42 out of 557 (7.5%) data-sharing agreement data files shared in fiscal years 2011-12 and 2012-13 to:

  1. Verify if the information transmitted was in accordance to the DSA and the survey template.
  2. The data transmission date and time did not precede the Official Release date and time.
  3. The recipient information matched the contact information; and
  4. The method and level of security to transmit the data files followed an Agency approved method.

Data files were randomly and judgmentally selected from 8 divisions out of 17 in Field 5, and 5 divisions out of 9 in Field 8.

Content of share file complies with the DSA and the Survey template

The audit reviewed the data sets for the 42 data files shared in fiscal years 2011-12 and 2012-13 to the data-sharing agreement and the survey template covered by the DSA. The audit confirmed that for all of the 42 data files, the share partner, survey information, reference period and contents of the share files were valid and in compliance with the DSA and the survey template.

Compliance with the Policy on Official Release

The audit assessed if the 42 data files shared in fiscal years 2011-12 and 2012-13 were compliant to the Official Release policy. The audit found that 38 out of 42 files were final releases and confirmed through interviews and documentation review that the date and time of transmission of these files was after the official release date and time in The Daily. 4 out of 38 files were shared prior to official release. The audit confirmed that the conditions, types of arrangements and submission forms of the 4 files were valid and in compliance with the Official Release Policy.

Transmission and data protection

The audit verified the method of transmission and level of security used to transmit the data files to external partners. The audit noted that 8 out of 12 divisions that were included in our testing, are set-up for transmission via electronic file transmission (e-FT), although some statistical programs are still using CDs and DVDs because either the program or the external partner are still not set-up for transmission by e-FT. The audit also noted that the method of encryption and password protection by the programs is Entrust. The audit confirmed that 40 out of 42 files were encrypted and password protected before they were transmitted to the external partners, but 2 of the data files transmitted by CDs had not been encrypted and password protected. The audit also noted that there was no proof of delivery for 3 CDs that were hand delivered. In Statistics Canada's Security Practices Manual, Chapter 2 a "record of delivery" is required.

Data custodian

The Directive on Data Sharing under Sections 11 and 12 notes that the Data custodian is the person who receives the share files from Statistics Canada and has operational responsibility within the organization for the security of the information in these files. Statistical programs are required to update any changes to the contact information at the receiving party on an annual basis. For the 42 data files shared in fiscal years 2011-12 and 2012-13 the audit verified if the recipient name to whom the data file was transmitted was the same as the official contact information. Through documentation review and interviews, the audit confirmed that for 41 out of 42 data files, the recipient name to whom the data file was transmitted was the same as the official contact information. The recipient information for one of the files could not be confirmed as all coordination and confirmation for delivery was done by phone.

Practices for the management of data-sharing agreements are in place and overall, statistical programs are compliant with the relevant TBS policies, Statistics Canada policies, and legislative requirements.

Recommendations:

The Assistant Chief Statistician Analytical Studies, Methodology and Statistical Infrastructure should ensure that:

  • Information transmitted by portable storage devices has the appropriate security in place for secure transmission and complies with applicable policies.

Management Response:

Management agrees with the recommendations.

  • The Director of IMD will ensure information on security practices for transmission of data, as defined by departmental IT security policies and directives is replicated in DSA toolkit.

    Deliverables and Timeline: DSA toolkit will be developed. This will be completed by March 2014.

Appendices

Appendix A: Audit Criteria

Table 1: Audit Criteria
Control Objective / Core Controls / Criteria Sub-Criteria Policy Instrument
1. The Agency has an adequate and effective management control framework in place to ensure DSA management processes are consistently designed, fully implemented, and on-going monitoring of DSAs is carried out
Governance

1. Strategic direction and objectives for the management of DSAs exist, are clearly defined and communicated (G3 & G4).
1.1.1 Strategic direction and objectives are documented.

1.1.2 Processes and procedures exist, are documented and communicated.
Statistics Act

The Companion Guide to the Statistics Act

TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Statistics Canada Directive on Data Sharing under Sections 11 and 12

Statistics Canada Policy on Official Release
Accountability

1.2 Authorities, responsibilities and accountabilities are formally defined, clear and communicated. A clear organization structure is established and documented. (AC-1; AC-2; AC-3; AC-4 & ST-13)
1.2.1 Employees' duties and control responsibilities as they relate to DSAs are clearly defined, documented and communicated to the relevant stakeholders.

1.2.2 The organizational structure for the management of DSAs is up-to-date and widely communicated.

1.2.3 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where, applicable, incompatible functions are not combined.
TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Statistics Canada Directive on Data Sharing under Sections 11 and 12
Risk Management

1.3 Management identifies and assesses the existing controls that are in place to manage its risks, and communicates its risks and risk management strategies to key stakeholders. (RM-3 & RM-6)
1.3.1 Formal processes and guidelines exist and are applied to facilitate the identification of those controls which are in place to manage the identified risks.

1.3.2 Risk information is regularly presented to and discussed at established management and oversight committees and embedded in key performance reports.
TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Statistics Canada Directive on Data Sharing under Sections 11 and 12

Statistics Canada Policy on Official Release

Statistics Canada Security Practices Manual

Statistics Canada Policy on the Security of Sensitive Statistical Information

Statistics Canada Policy on Privacy Impact Statements (PIA)

Statistics Canada Policy on Informing Survey Respondents (ISR)

Statistics Canada Policy on Micro-Data Release

Statistics Canada Policy on Discretionary Disclosure and Associated Guidelines

TBS – Government Policy on Security

TBS – Standard on Physical Security

TBS – Directive on Departmental Security Management
2. The Agency's Data Sharing Agreements are internally managed to comply with relevant TBS policies, Statistics Canada policies, and legislative requirements.
Stewardship

2.1 Assets, including information management practices and systems, are life-cycle managed and are protected and maintained in accordance with laws and regulations. (ST-7; ST-8; ST-9; ST-11 & ST-12)
2.1.1 Plans for the appropriate management of DSAs have been documented and implemented and includes short and long-term time frames for managing them.

2.1.2 Responsibility for monitoring the management of information is clearly assigned.

2.1.3 Access to data, records and information is limited to authorized individuals through the use of access controls such as unique user names and passwords.

2.1.4 Records data and information, and access to information, are appropriately secured in compliance with relevant TBS and Statistics Canada policies and legislative requirements.

2.1.5 Procedures to safeguard the Agency's assets upon change of duties of an employee exist and are adhered to.
TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Statistics Canada Directive on Data Sharing under Sections 11 and 12

Statistics Canada Security Practices Manual

Statistics Canada Policy on the Security of Sensitive Statistical Information

TBS – Government Policy on Security

TBS – Standard on Physical Security

TBS – Directive on Departmental Security Management
2.2 Assets and records are periodically verified and appropriate reporting is communicated as required (ST-14 & ST-20) 2.2.1 The DSA database is periodically verified and compared to actual existing DSAs.

2.2.2 Comparisons between the database information and actual existing DSAs are reviewed by a superior and discrepancies are followed up on a timely basis. The database is updated as required.

2.2.3 Complete, accurate, relevant and timely reports on the status of DSAs are submitted as required.
TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Statistics Canada Directive on Data Sharing under Sections 11 and 12

Statistics Canada Security Practices Manual

Statistics Canada Policy on the Security of Sensitive Statistical Information

TBS – Government Policy on Security

TBS – Standard on Physical Security

TBS – Directive on Departmental Security Management
People

2.3 The Agency provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities. (PPL-4)
2.3.1 A suitable training and development plan exists for the handling and management of DSAs.

2.3.2 Employees have access to sufficient tools, such as software, equipment, work methodologies and standard operating procedures.

2.3.3 An information-sharing process exists to support the efficient and targeted dissemination of relevant and reliable information to the appropriate stakeholders.
TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Statistics Canada Directive on Data Sharing under Sections 11 and 12
Citizen Focused Service

2.4 Lines of communication exist between the Agency, users and other external stakeholders and the Agency leverages information technology to enhance user service and access. (CFS-1 & CFS-4)
2.4.1 Formal communication processes / mechanisms exist and support sharing of timely, relevant and reliable information to users, recipients and other external stakeholders.

2.4.2 Systems and processes are in place to facilitate inter-operability with users and partners.
TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors

Appendix B: Sample Selection

Table 2: Sample Selection
Division S. 12 S.11 Files shared 2011/12 & 2012/13 Data Files Tested
Transportation 8 3 20 4
Investment, Science and Technology 7 0 15 4
Agriculture 28 9 17 3
Centre for Special Business Process 4 0 6 2
Consumer Prices 2 1 0 0
International Trade 0 0 0 0
Producer Prices 0 0 0 0
Industrial Organization and Finance 5 0 1 1
Manufacturing and Energy 18 0 254 9
Service Industries 2 0 2 1
Distributive Trade 0 0 0 0
Enterprise Statistics 0 0 0 0
Environment Accounts and Statistics 2 0 7 2
National Economic Accounts 1 0 1 1
Public Sector Statistics 1 0 0 0
Industrial Accounts 0 0 0 0
International Accounts and Statistics 0 0 0 0
Tourism and Education Statistics 211 0 33 5
Income Statistics 22 0 0 0
Labour Statistics 1 0 0 0
Special Surveys 116 1 4 1
Health Statistics 59 1 195 8
Canadian Centre for Justice Statistics 2 0 2 1
Demography 0 0 0 0
Microdata Access 0 0 0 0
Social & Aboriginal Statistics 6 0 0 0
Total DSAs 495 15 557 42

Appendix C: Acronyms

Table 3: Acronyms
Acronym Description
DSA Data Sharing Agreement
DAC Departmental Audit Committee
TBS Treasury Board Secretariat
e-FT Electronic File Transmission
IIA Institute of Internal Auditors
CS Chief Statistician
IMD Information Management Division
DACS Data Access Control Services
CoSD Collection Systems Division
CPMD Collection Planning and Management Division
ITOD Information Technology Operations Division
MED Manufacturing Energy Division
WIP Work-in-Progress
SALL Statistical Agreements, Legislation and Licensing
PIA Privacy Impact Statements
ISR Informing Survey Respondents