Audit of Data-sharing agreements Manitoba Health, Healthy Living and Seniors

September 14, 2015
Project Number: 80590-88

Executive Summary

Data-sharing agreements (DSAs) are a key Statistics Canada business process. In recent years, data sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality of data is becoming more complicated as business processes and organizational structures are continually changing. Health Statistics Division of Statistics Canada enters into DSAs with provincial health ministries under the authority of section 12 of the Statistics Act.

Two new omnibus agreements replacing existing DSAs were signed on February 14, 2014, between Statistics Canada and Manitoba Health, Healthy Living and Seniors (Manitoba Health) for the collection and sharing of information from several selected health and nutrition surveys. The first DSA allows for the sharing of statistical health survey information obtained through the Canadian Community Health Survey (CCHS), the National Population Health Survey and the Survey on Living with Chronic Diseases in Canada. The second DSA allows for the sharing of information on the nutrition component from the CCHS.

To protect the confidentiality and sensitive nature of the information collected, the DSAs contain terms and conditions (T&Cs) to ensure that confidentiality of information is not compromised.

The objective of this audit is to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that the terms and conditions of the DSAs between Statistics Canada and Manitoba Health are met.

The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.

Key findings

Authorities are defined and the Statistics Canada policy framework sets out clear roles, responsibilities and practices for the management and implementation of DSAs.

Authorities, responsibilities and accountabilities are clearly defined, understood and monitored at Manitoba Health to support effective management of the T&Cs of the omnibus DSAs. While the employees managing the Statistics Canada data are long-term employees who understand their roles and responsibilities, the data custodian has not signed a confidentiality agreement as stipulated in Appendix C of the DSAs, and the responsibilities and procedures related to the management of Statistics Canada data under the DSAs have not been formally documented. Furthermore, the existence of the DSAs and the security compliance requirements stipulated therein had only recently been communicated to the Information Systems Branch, which is responsible for ensuring the security of the UNIX server where the Statistics Canada data are stored.

Management at Manitoba Health identifies and assesses the appropriateness of existing controls to effectively manage its risks, and it responds to and monitors its risk exposure.

Statistics Canada data are protected at Manitoba Health. Logical and physical access controls and procedures exist to safeguard the data in compliance with the DSAs. However, access to the Statistics Canada folder on Manitoba Health's secure network drive was not restricted only to those individuals who require access to the Statistics Canada data and who have signed confidentiality agreements.

Overall conclusion

Statistics Canada entered into statistical DSAs with Manitoba Health to assist and support health planning and decision making. The omnibus DSAs include T&Cs governing the use, confidentiality, access, monitoring and compliance of information, and of physical and IT security.

While the audit revealed that authorities, responsibilities and accountabilities are clearly defined, understood and monitored at Manitoba Health to support effective management of the T&Cs of the omnibus DSAs, strengthening some of the practices and procedures within Manitoba Health is necessary for the sound management and protection of Statistics Canada confidential information:

  • Responsibilities and procedures related to the management of Statistics Canada data under the DSAs should be formally documented.
  • The data custodian should sign a confidentiality agreement.
  • The existence of the DSAs and the security compliance requirements should be communicated to all staff involved in ensuring the confidentiality and security of the Statistics Canada data.

Policies and risk management processes exist to ensure the protection of restricted data at Manitoba Health. Logical and physical access controls are established to safeguard the data in compliance with the DSAs. However, access to the Statistics Canada folder on Manitoba Health's secure network drive should be restricted, on a 'need-to-know' basis, to employees who have signed a confidentiality agreement in compliance with the T&Cs of the DSAs. Nevertheless, the audit did not reveal any evidence that Statistics Canada confidential information had been accessed by unauthorized personnel.

Conformance with professional standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information about the health of Canadians. HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and regional level (health regions).

To achieve its mandate, HSD enters into statistical data-sharing agreements (DSAs) with other organizations under the authority of sections 11 and 12 of the Statistics Act. These agreements cover nearly all of the business surveys and a majority of household surveys, and enjoy certain exceptions regarding the release of confidential respondent information either with or without the respondent's consent, provided that the legal requirements for the provision of data-sharing information, consent rights and confidentiality protection are respected by all parties. In general, data sharing for statistical purposes occurs when statistical and information inquiry is initiated by joint survey partners, or where a common data resource is equally and jointly owned by two or more partners. Data sharing is exercised when there are significant reductions in response burden and compliance costs for data-sharing partners, as well as improvements in statistical data accuracy, coverage, relevance and timeliness.

In recent years, DSAs have become a key business process because ensuring confidentiality and protection of data can pose challenges. Currently, Statistics Canada has two agreements with Manitoba Health covering health surveys, under the authority of section 12 and Sub-section 17(2) of the Statistics Act. Health surveys for the Canadian Community Health Survey (CCHS), National Population Health Survey (NPHS) and Survey on Living with Chronic Diseases in Canada (SLCDC) are included in the first agreement. The second agreement is specific to the disclosure of information on the nutrition component from the CCHS.

Through its mandate, the CCHS program collects information related to health status, health care utilization and health determinants for the Canadian population. The first component of the CCHS program is an annual survey that relies upon a large sample of respondents and is designed to provide reliable estimates at the health region level. The second component focuses on specific health-related topics such as nutrition, mental health or healthy aging and is conducted approximately every three years. The uniqueness of the annual survey arises from the regional nature of both content and survey implementation.

The NPHS is a longitudinal survey providing unique information about the health of Canadians. The final cycle of this survey covered the period of 2010/2011. This survey, which was performed every two years, consisted of the same individuals providing current and in-depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. It collected information related to the health of the Canadian population and related socio-demographic information. The last release will provide researchers access to nine cycles of Canadian longitudinal health data to examine the dynamics of population health from 1994/1995 to 2010/2011.

The SLCDC is a cross-sectional survey sponsored by the Public Health Agency of Canada that collects information related to the experiences of Canadians with chronic health conditions. The SLCDC takes place every two to three years, with two chronic diseases covered in each survey cycle. The objectives of the survey are to

  • assess the impact of chronic health conditions on quality of life
  • provide more information on how people manage their chronic health conditions
  • identify health behaviours that influence disease outcomes
  • identify barriers to self-management of chronic health conditions.

The last survey was performed in 2014.

The data are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies and other types of government agencies use the information collected from the respondents to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.

Audit objective

The objective of the audit is to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that the terms and conditions of the data-sharing agreements between Statistics Canada and Manitoba Health are met.

Scope

The scope included an examination for compliance to the terms and conditions (T&Cs) prescribed in the DSAs to ensure that confidentiality of information and the sensitive nature of the information collected are protected. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage, information copying and retention, and record management) safeguards at Manitoba Health to ensure that data are protected and confidentiality is maintained.

The scope of the audit included examining all third-party agreements and contracts entered into by Manitoba Health since the signing of the two new DSAs.

Approach and methodology

The audit work consisted of an examination of documents, interviews with key senior management and personnel, and a review of compliance with relevant policies and guidelines. (For details, see Appendix A: Audit criteria.)

The field work included the following:

  • a review and assessment of the processes and procedures outlined in the T&Cs of the DSAs with Manitoba Health, with emphasis on whether the security requirements are in place and complied with, and confidentiality of data is maintained
  • testing of system application controls and authentication, and access procedures
  • review of the agreement with the only third party recipient of Statistics Canada data at the time of the audit.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2014/15 to 2018/19.

Findings, recommendations and management response

Objective: The terms and conditions of the data-sharing agreements between Statistics Canada and Manitoba Health have been met.

Control environment for the management of the data-sharing agreements

While the employees managing the Statistics Canada data at Manitoba Health are long-term employees who understand their roles and responsibilities, these roles and responsibilities and the processes and procedures related to the management of Statistics Canada data under the data-sharing agreements (DSAs) are not documented.

The data custodian has not signed a confidentiality agreement as stipulated in Appendix C of the DSAs.

The DSAs' compliance requirements were only recently communicated to all staff involved in ensuring the confidentiality and security of the Statistics Canada data.

Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels to support effective management of the terms and conditions (T&Cs) of the omnibus data-sharing agreements (DSAs). Monitoring of practices as outlined in the T&Cs of the omnibus DSAs should be in place to detect unwanted disclosures that would otherwise increase operational risk.

Authorities are defined

Statistics Canada exercises its mandate to enter into statistical DSAs with other organizations under the authority of sections 11 and 12 of the Statistics Act. The Directive on Data Sharing under sections 11 and 12 sets out the roles and responsibilities for the development, implementation and monitoring requirements of DSAs. The directive notes that Information Management Division (IMD), in consultation with Legal Services, is responsible for drafting data-sharing agreements when requested from directors of statistical programs. IMD is also required to support managers during the development of new or modified data-sharing agreements with receiving parties, pursuant to section 12 of the Statistics Act. Subject-matter divisions are responsible for communicating with recipient organizations during the negotiations and drafting the agreements.

Roles and procedures related to the management of Statistics Canada data are clearly established at Manitoba Health but need to be documented

Statistics Canada confidential information is managed by two branches within Manitoba Health—the Health Information Management (HIM) Branch and the Information Systems Branch (ISB)—as follows:

  • The executive director of HIM Branch at Manitoba Health has overall responsibility for the life cycle of Statistics Canada data. The manager of Management Information Systems, Data Management and Development, who reports to the executive director, HIM Branch, is the data custodian responsible for managing the DSAs and the Statistics Canada data.
  • The database administrator, who reports to the data custodian, performs the duties of data handling, storage, controlling access to the UNIX server where the Statistics Canada data are stored, and preparing the transmission of Statistics Canada to be sent to third parties.
  • Two senior statistical analysts reporting to the director of Analytics and Research within the HIM Branch are responsible for analyzing Statistics Canada data and sometimes providing aggregate data to other internal departments as required.
  • The ISB of Manitoba Health is responsible for the maintenance and security of the UNIX server.

HIM Branch at Manitoba Health has been a stable group for a number of years. There has not been any significant employee turnover in the functions related to the management of Statistics Canada data and employees understand their roles. However, these roles, responsibilities and procedures have not been formally documented. While this lack of documentation has not proven to be a problem to date, the audit revealed that the data custodian announced that she will retire in the coming year. Therefore, knowledge transfer and documentation of roles and responsibilities will be a key success factor before her retirement.

Responsibilities of the data custodian prescribed in the DSAs have been implemented but a confidentiality document needs to be signed

As stipulated under Appendix C of the DSAs, the data custodian is responsible for the following three key requirements:

  1. preparing a Confidentiality Document and ensuring that all individuals who will access the Statistics Canada data sign it
  2. maintaining a register of data files received from Statistics Canada
  3. maintaining a register of all individuals who have been granted access to the data files.

Appendix C stipulates that the data custodian will "prepare a document for the use of the Receiving Party's employees and contractors, outlining the T&Cs governing the use of the Information, as well as the procedures to send, receive, handle and store the Information (hereinafter the "Confidentiality Document")." Prior to granting access to Statistics Canada information, the data custodian must ensure that every employee and contractor who will access the Statistics Canada data has agreed in writing to comply with the terms of the DSAs by signing and acknowledging that they have read, understood and agree to comply with the T&Cs of the DSA as highlighted in the Confidentiality Document.

The audit revealed that a Confidentiality Document, which outlines the T&Cs governing the use of the information, exists and has been signed by all employees who have been granted access to the Statistics Canada information, with one exception: the data custodian had incorrectly assumed that certain documents signed with Statistics Canada at the time of becoming the data custodian replaced the need for a signed Confidentiality Document.

The register of data files received from Statistics Canada and the register of access granted to Statistics Canada data files have been implemented and are in use at Manitoba Health.

The DSAs' compliance requirements were only recently communicated to the relevant staff

The ISB of Manitoba Health is responsible for the maintenance and security of the UNIX server where the Statistics Canada data are stored. ISB must abide by Manitoba Health's overall security requirements for restricted information; this reduces the risk of non-compliance with the security requirements of the DSAs. The ISB employees were only recently informed of the existence of the DSAs and the security requirements stipulated therein, which could result in a potential breach of the DSAs going unnoticed.

Processes exist for activating access to the UNIX server and for sharing aggregate data with internal departments within the HIM Branch

Interviews revealed that the creation of a new UNIX account for new employees is approved by the executive director, HIM Branch, and requested from ISB by the database administrator in writing. This was not tested as there has not been a new employee requiring access to UNIX in several years. Once a new UNIX account is created by ISB, the database administrator has the capability of activating or disabling employees' access to the UNIX server. All access to the UNIX server is logged by the database administrator.

Primary users of the Statistics Canada data within the HIM Branch are two senior statistical analysts. A review of the access log for the past two years indicated that access was granted to the analysts only three times during that timeframe. The audit revealed that when the analysts request activation of their access to the UNIX server, the request is made verbally directly to the database administrator without the need for a supervisor's written authorization. Because of the close proximity of their offices, the analysts simply walk across the hall to the database administrator's office and request access. While not necessarily a requirement of the DSAs, it is prudent practice to implement more formal controls for authorizing access to the Statistics Canada data.

The purpose of the analysts' access to the Statistics Canada data on the UNIX server is to analyze and provide aggregate data internally within Manitoba Health, such as when meeting its mandate to participate in the Community Health Assessments that take place every five years. Interviews revealed that the analysts will sometimes ask a colleague or their supervisor to review the data before they send it internally via email, and the supervisor is copied on the email. However, there is no formal requirement for the analysts to obtain a supervisor's approval before the aggregate data are sent. While not a requirement of the DSAs, it would be a prudent practice to obtain a supervisor's written authorization before the distribution of aggregate data. A review of an aggregate data report provided internally indicated that there were no personal identifiers.

Manitoba Health's third party agreements include a clause for inspections or audits

Clauses with respect to monitoring are prescribed by Statistics Canada in the DSAs. The DSAs prescribe that third party agreements entered into by Manitoba Health "shall contain a clause stipulating the right of Statistics Canada or the Receiving Party to review compliance with the terms of this Agreement."

Paragraph 6.2.4 of the DSAs allows Manitoba Health to share information with the Manitoba Centre for Health Policy (MCHP) at the University of Manitoba. MCHP is not a legal entity in its own right but is a research unit of the University of Manitoba and the only third-party recipient of Statistics Canada data.

In November 2006, Manitoba Health signed a contract called "Information Sharing and Protection of Privacy Agreement" with the University of Manitoba, allowing Manitoba Health to share information with MCHP. MCHP is intended to support Manitoba Health in coordinating health research, planning, evaluation and monitoring by acting as the focus for a program of data analysis for researching, planning, monitoring and evaluating the provision of health care, emerging health issues and the broader determinants of health primarily in Manitoba.

In addition to the above contract, in October 2014, Manitoba Health and the University of Manitoba signed a letter of agreement specifically for data transfer to and use of Canadian Community Health Survey data by the MCHP. The letter of agreement requires MCHP to comply with the confidentiality and security requirements of the DSAs signed between Manitoba Health and Statistics Canada in February 2014; these requirements are attached as appendices to the letter of agreement.

The Information Sharing and Protection of Privacy Agreement between Manitoba Health and the University of Manitoba includes an audit clause that allows Manitoba Health access to MCHP's premises and the authority to inspect, review or audit MCHP's records or information, privacy practices, policies, procedures or security arrangements. However, Manitoba Health has not established a plan to exercise its right to inspect or audit MCHP's compliance.

Recommendations

The assistant chief statistician Social, Health and Labour Statistics Field, should communicate with Manitoba Health and ensure that

  • employees' roles and responsibilities as well as processes and procedures related to the management of Statistics Canada data under the DSAs are documented
  • the data custodian signs a confidentiality agreement as stipulated in Appendix C of the DSAs
  • the DSA compliance requirements are communicated to all staff involved in ensuring the confidentiality and security of the Statistics Canada data.

Management response

Management agrees with the recommendations.

  • The director of Health Statistics Division (HSD) will issue a letter and recommend that Manitoba Health document the roles and responsibilities of employees and the processes related to the management of Statistics Canada health survey information.
  • The director of HSD will request that Manitoba Health confirm in writing that the data custodian has signed the confidentially agreement.
  • The director of HSD will request that Manitoba Health communicate the DSA compliance requirements to all staff involved in ensuring the confidentiality and security of the Statistics Canada data.

    Deliverables and timeline: HSD will prepare and send a letter by September 2015. Manitoba Health will notify HSD when these actions have been completed.

Data stewardship

At Manitoba Health, processes are in place and monitored to fulfill the requirements stipulated in the data-sharing agreements. The employees understood and complied with these processes.

Management at Manitoba Health identifies and assesses the appropriateness of existing controls to effectively manage its risks, and responds to and monitors its risk exposure.

Internal protocols and controls for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full life cycle of the information.

Processes are in place and monitored to fulfill the requirements stipulated in the data-sharing agreements

The audit revealed that processes, although not formally documented, are in place at Manitoba Health to fulfill the requirements stipulated in the data-sharing agreements (DSAs), and that employees in the Health Information Management (HIM) Branch understand and comply with the processes for the receipt, storing, handling and transmission of Statistics Canada data. These are longstanding employees who are very familiar with their duties.

Data files are sent by Statistics Canada via electronic file transmission (e-FT) directly to the data custodian at Manitoba Health. The files are password protected and encrypted during transfer. Once a data file is received from Statistics Canada, the data custodian is notified that a file is in the e-FT vault and requests a password from Statistics Canada to access the file. Then the data custodian sends Statistics Canada an acknowledgement of file receipt and updates the register of all files received from Statistics Canada.

The data file is downloaded by the data custodian onto a secure network drive in a separate Statistics Canada folder designated for the HIM Branch. The database administrator accesses these files from the network folder and saves them in the UNIX database where all the Statistics Canada data are maintained. The database administrator is the only one who can activate access to the UNIX server and he or she maintains a register of all access granted to employees.

Third party sharing of Statistics Canada data

All information shared with external parties must be approved by Manitoba Health's data custodian, who physically arranges for the transmission of Statistics Canada data via encrypted CD to the Manitoba Centre for Health Policy (MCHP) of the University of Manitoba. The database administrator zips and password protects the files on an encrypted CD. The data custodian then arranges for the delivery of the CD to MCHP via bonded courier. Once the CD has been received by the contact at MCHP, he or she must contact Manitoba Health's data custodian to obtain a password to open the file.

Although under Paragraph 6.2.4 of the DSA Manitoba Health is allowed to share personal identifiers with MCHP, testing of the Canadian Community Health Survey 2012 share file sent to MCHP in 2013 (the only one shared in the past two years) revealed that there were no personal identifiers present.

A risk management process is in place at Manitoba Health to identify and monitor risks

The audit revealed that a risk management process has been implemented at Manitoba Health over the last two years. The Management Services Branch is responsible for providing the overall risk management framework to the organization and for supporting the various branches in preparing the risk management section of their annual work plans. The process entails each branch identifying its risks and the related action plans to mitigate those risks.

Each branch's executive director and reporting assistant deputy minister must sign a 'Risk Management Plan Accountability Statement to the Deputy Minister' attesting to the fact that the risk assessment performed has considered all categories of risks, appropriate action plans and mitigation strategies, and that the assistant deputy minister has been debriefed and will ensure that the branch will update its risk assessment cyclically.

Currently, Manitoba Health's risk assessment process is at the stage where each branch identifies its risks but they have not yet consolidated the risks from a corporate level standpoint. There is no risk management committee and no formal corporate risk management policy; this process is still in its early development. Management indicated that they are in the process of considering these tools and evaluating corporate-wide risks.

Management within the HIM Branch is proactive in identifying and assessing risks of non-compliance with the DSAs

The HIM Branch mitigated its risk of non-compliance with the security requirements of the DSAs by performing a thorough analysis of the updated requirements of the new omnibus DSAs and, where required, updated their internal operating procedures to ensure compliance with the terms and conditions of the DSAs. Furthermore, the HIM Branch requested that MCHP perform a similar analysis to assess whether they were also complying with the DSAs. A review of these two analyses showed how each organization met each of the security requirements of the DSAs.

Policies and ongoing training exist at Manitoba Health to mitigate exposure to risk

A key document used at Manitoba Health—one that outlines policies and procedures employees must follow under the Personal Health Information Act (PHIA)—is the PHIA Manual. This is a document of policies in use at Manitoba Health to protect sensitive personal information within the organization. For example, Policy VIII: Security of Personal Health Information lists the procedures and safeguards in place to protect personal information. Another is Policy IX: Corrective Procedures to Address Security Breaches Involving Personal Health Information, a policy on breaches. Through it, Manitoba Health, as a trustee under the PHIA, can address complaints and conduct investigations related to personal health information security breaches, in accordance with the requirements of PHIA and the Personal Health Information Regulation. The policy outlines the steps to be taken under the various types of breaches, how to proceed with a security breach investigation, and what forms to complete. If a breach occurs, a Security Breach Reporting Form needs to be completed by the branch involved and provided to the assistant deputy minister and the Legislative Unit, along with the findings of the investigation. Interviews revealed that there have not been any breaches related to Statistics Canada data.

The Legislative Unit of Manitoba Health provides guidance to the department in ensuring that it is in compliance with the many statutes for which it is responsible, including thePHIA. Mandatory PHIA training is provided to all new employees and refresher training to all existing employees every three years.

Physical and information technology security

Logical and physical access controls and procedures exist to safeguard the data in compliance with the data-sharing agreements. However, access to the Statistics Canada folder on Manitoba Health's secure network drive is not restricted only to those individuals who require access to the Statistics Canada data and who have signed confidentiality agreements.

Control and protection of information, either physically or electronically, should be executed in a manner that protects against loss, theft, compromise and improper disclosure. Access to the data should be given only to employees or contractors on a 'need-to-know' basis as part of their duties.

Logical access controls are in place at Manitoba Health

Testing of logical access controls with the database administrator revealed that a password was required to enter into the Manitoba Government network and a separate password was necessary to enter the UNIX server where the Statistics Canada data are maintained. Access to the UNIX server is restricted to a limited number of employees and access is disabled by the database administrator when staff members are not using the data. The register of user access is updated by the database administrator each time access to the data in UNIX is granted, as required under the data-sharing agreements (DSAs).

Access to the Statistics Canada shared folder in the Manitoba Health network drive should be restricted to those individuals who need access to the Statistics Canada data

When the data custodian receives a data file from Statistics Canada, the file is downloaded onto a temporary secure network drive in a designated Statistics Canada folder within the Health Information Management (HIM) Branch directory. The database administrator accesses the file from the folder and saves it in the UNIX database where all the Statistics Canada data are maintained. Once saved on the UNIX server, the database administrator deletes the data file from the folder in the network drive. Normally, the length of time between the files being placed temporarily in the network drive folder by the data custodian and their being deleted from the folder by the database administrator is no more than a day or two. During that time, however, the data portion is accessible to approximately 20 employees in the HIM Branch.

The audit testing revealed that two data files had not been deleted from the shared network folder and data were accessible to all individuals within the HIM Branch. Upon discovery during the audit, the two files were deleted from the shared folder. Access should be restricted to individuals who need to be involved with the Statistics Canada data and who have signed a confidentiality agreement.

Physical access is secure

Statistics Canada data resides in two locations at Manitoba Health—the server room within the Information Services Branch (ISB) where the UNIX server and Statistics Canada data are stored, and the HIM Branch where the data are accessed.

Physical access to the Manitoba Health premises is controlled by physical card access systems. Each secured area (ISB and HIM Branch) is protected by locked doors with card scanners. Staff must swipe their cards to enter the restricted area. Visitors must sign in at the security desk in the main lobby, obtain a visitor's card, and be escorted by authorized people at all times.

Interviews revealed that security guards are on duty weekly from 6:00 a.m. to 12:00 a.m. (18 hours) in the main lobby of the Manitoba Health building. Building security is responsible for monitoring building access and maintaining a register of all visitors. When building security is not on duty, the building is locked and only accessible to people with access cards. Access logs are reviewed by building security and there are security cameras in the hallways. In the event of employee termination, managers must follow the Checklist – Departing Staff and all access to the systems, as well as physical access to the premises, must be terminated.

The UNIX server where the Statistics Canada data are stored resides in the server room, which is accessed through the command centre. Access to these rooms is limited to approximately 30 ISB staff and sometimes to a few registered contractors and vendors. All visitors upon entry must sign a visitor log located in the command centre.

Cameras are positioned outside each of these secure locations to monitor individuals entering these areas. Alarms detect anyone breaking into these rooms and notify building security. A pass card access log to the command centre is generated and reviewed monthly by ISB's IT security officer.

Security measures exist for information copying and retention, and records management

Policy VIII of the Personal Health Information Act Manual requires that whenever sensitive data are removed from a secure environment, they must be encrypted. Furthermore, Manitoba Health's policy on Secondary Use and Disclosure Processes for Ad hoc Requests states that data can be transmitted only at aggregate levels. If quasi identifiers are present, then data must be transmitted via encrypted CD.

Statistics Canada data cannot be directly accessed or removed from the servers since the servers do not have USB ports. The server security includes multiple layers of firewall, choke routers, switchers, intrusion detectors, virus scanning and network monitoring. The UNIX server is backed up daily on encrypted tapes that are housed on site and sent off site each week, to a private storage company.

There are three levels of data security at Manitoba Health: public, internal and restricted. Statistics Canada data are classified as restricted (highest level of security). All shredding and disposal of documents is in accordance with restricted information as outlined in the Manitoba Government Electronic Media Disposal Standards and Procedures. A private shredding company is used for the secure disposal of confidential information.

Clauses for termination and return or destruction of the shared data no longer in use are included in the DSAs as well as in the agreement with the University of Manitoba's Manitoba Centre for Health Policy.

Recommendations

The assistant chief statistician Social, Health and Labour Statistics Field, should communicate with Manitoba Health and ensure that

  • access to the Statistics Canada folder on Manitoba Health's secure network drive is restricted, on a 'need-to-know' basis, to employees who have signed a confidentiality agreement in compliance with the terms and conditions of the DSAs.

Management response

Management agrees with the recommendation.

  • The director of Health Statistics Division (HSD) will remind Manitoba Health of this requirement and request that they take immediate action to ensure that access to Statistics Canada data is restricted.

    Deliverables and timeline: HSD will prepare and send a letter by September 2015. Manitoba Health will notify HSD when this action has been completed.

Appendices

Appendix A: Audit criteria

Appendix A: Audit criteria
Control objective, core controls and criteria Sub-Criteria Policy Instrument
The terms and conditions of the data-sharing agreements (DSAs) between Statistics Canada and Manitoba Health are met.
1.1 Authorities, responsibilities and accountabilities are defined and communicated, and the segregation of duties is appropriately established. 1.1.1 Responsibilities are formally defined and clearly communicated.
1.1.2 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined.
Statistics Act

The Companion Guide to the Statistics Act

Statistics Canada – Directive on Data Sharing under sections 11 and 12

Statistics Canada – Policy on Official Release

Statistics Canada – Security Practices Manual

Statistics Canada – Policy on the Security of Sensitive Statistical Information

Statistics Canada – Policy on Privacy Impact Assessments

Statistics Canada – Policy on Informing Survey Respondents

Statistics Canada – Policy on Microdata Release

Statistics Canada – Policy on Discretionary Disclosure and associated guidelines

Treasury Board Secretariat (TBS) – Government Policy on Security

TBS – Standard on Physical Security

TBS – Directive on Departmental Security Management

TBS – Core Management Controls

Omnibus DSAs between Statistics Canada and Manitoba Health
1.2 Manitoba Health has established an appropriate framework to manage the requirements set out in the DSAs. 1.2.1 Processes are in place to fulfill the requirements set out in the DSAs.
1.2.2 Processes are understood and are complied with.
1.2.3 Compliance with processes is monitored.
2.1 Management at Manitoba Health identifies and assesses the appropriateness of existing controls to effectively manage its risks, and responds to the risks that may preclude the achievement of its objectives. 2.1.1 Risks are identified.
2.1.2 Formal processes and guidelines exist to assess the effectiveness of controls in place to manage identified risks.
2.1.3 Management formally responds to and monitors its risk exposure.
3.1 Assets are protected at Manitoba Health. 3.1.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with the DSAs.
3.1.2 Access is physically
restricted.
3.1.3 Procedures exist to safeguard the shared data upon termination of an agreement.
3.1.4 Procedures exist to protect the use of data from abuse or fraud.
3.2 Appropriate system application controls exist at Manitoba Health. 3.2.1 Logical access controls exist to ensure that access to systems and data is restricted to authorized users, e.g., systems require users to log on using unique user names and passwords.
3.2.2 Authentication and access procedures and mechanisms exist, and are applied, to keep authentication and access mechanisms effective.
4.1 Management monitors actual performance against planned results and adjusts course as needed to better address the requirements and needs of the program. 4.1.1 Responsibility for monitoring is clear and communicated; results are reported to required authority levels.
4.1.2 Active monitoring is demonstrated.

Appendix B: Acronyms

Appendix B: List of acronyms
Acronym Description
CCHS Canadian Community Health Survey
DSA Data-sharing agreement
e-FT Electronic file transmission
HIM Health Information Management Branch
HSD Health Statistics Division
IMD Information Management Division
ISB Information Services Branch
IT Information technology
MCHP Manitoba Centre for Health Policy
NPHS National Population Health Survey
PHIA Personal Health Information Act
TBS Treasury Board Secretariat
T&Cs Terms and conditions
SLCDC Survey on Living with Chronic Diseases in Canada