November 27, 2015
Project Number: 80590-91
- Executive summary
- Introduction
- Background
- Audit objectives
- Scope
- Approach and methodology
- Authority
- Findings, recommendations and management response
- Control Environment for the Management of the Data-sharing Agreement
- Data Stewardship
- Physical and Information Technology Security
- Appendices
- Appendix A: Audit criteria
- Appendix B: Acronyms and initialisms
Executive summary
Data-sharing agreements (DSAs) are a key Statistics Canada business process. In recent years, data sharing has become a growing and an increasingly complex area to manage. Ensuring confidentiality of data is becoming more complicated as business processes and organizational structures are continually changing. Statistics Canada's Health Statistics Division (HSD) enters into DSAs with provincial health ministries under the authority of section 12 of the Statistics Act.
The new omnibus agreement signed March 10, 2014, between Statistics Canada and the New Brunswick Department of Health (NBDH) allows for the collection and sharing of information from several selected health surveys. Under this agreement, statistical health survey information obtained through the Canadian Community Health Survey (CCHS), the National Population Health Survey (NPHS) and the Survey on Living with Chronic Diseases in Canada (SLCDC) is shared with the NBDH.
To protect the confidentiality and sensitive nature of the information collected, the DSA contains terms and conditions (T&Cs) to ensure that confidentiality of information is not compromised.
The objective of this audit was to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that
- the terms and conditions of the Data-sharing Agreement between Statistics Canada and New Brunswick Department of Health were met.
The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.
Key Findings
Statistics Canada's policy framework and the omnibus DSA provide clear roles, responsibilities and practices for the management and implementation of the DSA.
At the NBDH, the employees managing the Statistics Canada data are long-term employees who understand their roles and responsibilities as they relate to the receiving, storing and sharing of Statistics Canada data, but practices for the administration and use of Statistics Canada confidential information need to be strengthened. The process for granting network access to approved users by the Data Custodian and the process of reviewing the aggregate data reports prepared by the analysts before distribution are informal practices and lack documented evidence of review and approval.
Processes and procedures have been established and are monitored to fulfill the requirements in the DSA; however, the Data Custodian is not fulfilling all of the responsibilities prescribed in the DSA for the management of Statistics Canada data. The NBDH confidentiality document has not been updated to reflect all of the T&Cs in Appendix C of the DSA and, as such, employees are not familiar with the requirements that apply to them in the DSA. At the time of the audit, the Data Custodian had not signed a confidentiality agreement. The official Register of Data Files Received from Statistics Canada and the Register of Access to Data Files are not maintained as stipulated in Appendix C of the DSA.
Effective controls for physical access to the NBDH's premises and physical storage at its off‑site data centre are in place. Logical access controls and effective practices for identification and authentication safeguards are working as intended.
Assessment of electronic access privileges to Statistics Canada data files revealed that employee access privileges are only removed when employees leave the NBDH or move to a new position. The audit noted that one approved user had access to Statistics Canada data from their residence.
Management at the NBDH identifies and assesses the appropriateness of existing controls to effectively manage their risks, and responds to and monitors their risk exposure. A monitoring clause is included in the omnibus DSA and the NBDH DSA template for third-party sharing. Currently the NBDH does not have any third-party agreements in place.
Overall Conclusion
Statistics Canada entered into a statistical data-sharing agreement with the NBDH on March 10, 2014, to assist and support health planning and decision-making. The omnibus DSA includes T&Cs governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology (IT) security.
While the audit revealed that processes and procedures have been established to support the handling and management of the T&Cs of the omnibus DSA, the NBDH must strengthen them to provide consistent understanding and efficient application of the requirements in the DSA and to ensure the sound management of Statistics Canada confidential information. The process for granting network access to approved users by the Data Custodian and the process of reviewing the aggregate data reports prepared by the analysts before distribution should be formalized to provide documented evidence of approval. The confidentiality document should be updated to reflect the requirements in Appendix C of the DSA. The Register of Data Files received from Statistics Canada and the Register of Access Privileges to Statistics Canada data should be maintained.
Effective physical and logical access controls are in place to safeguard Statistics Canada data in compliance with the DSA. However, access to Statistics Canada data should be granted to employees as necessary and only from a secure location within the premises of the NBDH to prevent unwanted disclosure of Statistics Canada data. Audit observations did not reveal any evidence that Statistics Canada confidential information was compromised.
Conformance with professional standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined, and for the scope and time period covered by the audit.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
The Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information about the health of Canadians. The HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision-makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. The HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and the regional level (health regions).
To achieve its mandate, the HSD enters into statistical data-sharing agreements (DSAs) with other organizations under the authority of sections 11 and 12 of the Statistics Act. These agreements cover nearly all of the business surveys and a majority of household surveys, and include certain exceptions regarding the release of confidential respondent information either with or without the respondent's consent, provided the legal requirements for the provision of data-sharing information, consent rights and confidentiality protection are respected by all parties. In general, data-sharing for statistical purposes occurs when a statistical and information inquiry is initiated by joint survey partners, or where a common data resource is equally and jointly owned by two or more partners. Data-sharing is exercised when there are significant reductions in response burden and compliance costs for data-sharing partners, as well as improvements in statistical data accuracy, coverage, relevance and timeliness.
DSAs are a key business process and ensuring the confidentiality and protection of data can pose challenges. Currently, Statistics Canada has an omnibus data-sharing agreement with the New Brunswick Department of Health (NBDH) covering health surveys, under the authority of section 12 of the Statistics Act. Health surveys for the Canadian Community Health Survey (CCHS), National Population Health Survey (NPHS) and Survey on Living with Chronic Diseases in Canada (SLCDC) are included in the agreement.
Through its mandate, the CCHS program collects information related to health status, health care utilization and health determinants for the Canadian population. The first component of the CCHS program is an annual survey (CCHS – annual), which relies on a large sample of respondents and is designed to provide reliable estimates at the health-region level. The second component focuses on a specific health-related topic such as nutrition, mental health or healthy aging, and is conducted approximately every three years. The uniqueness of the annual survey arises from the regional nature of both content and survey implementation.
The NPHS is a longitudinal survey providing unique information about the health of Canadians. The final cycle of this survey covered the period from 2010 to 2011. This survey, which was performed every two years, consisted of the same individuals providing current and in‑depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. It collected information related to the health of the Canadian population and related socio-demographic information. The last release will provide researchers with access to nine cycles of Canadian longitudinal health data to examine the dynamics of population health from 1994 to 1995 and from 2010 to 2011.
The SLCDC is a cross-sectional survey sponsored by the Public Health Agency of Canada that collects information related to the experiences of Canadians with chronic health conditions. The SLCDC takes place every two to three years, with two chronic diseases covered in each survey cycle. The objectives of the survey are to assess the impact of chronic health conditions on quality of life; provide more information on how people manage their chronic health conditions; identify health behaviours that influence disease outcomes; and identify barriers to the self-management of chronic health conditions. The last survey was performed in 2014.
The data are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies, and other types of government agencies use the information collected from the respondents to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.
Audit objectives
The objective of the audit was to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:
- the terms and conditions of the Data Sharing Agreement between Statistics Canada and New Brunswick Department of Health were met.
Scope
The scope included an examination of compliance with the terms and conditions prescribed in the DSA to ensure that confidentiality of information and the sensitive nature of the information collected were protected. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage and information copying, and retention and record management) safeguards at the NBDH to ensure that data were protected and confidentiality was maintained.
Approach and methodology
The audit work consisted of an examination of documents, interviews with key senior management and personnel, and a review of compliance with relevant policies and guidelines (see Appendix A: Audit Criteria for details).
The field work included the following:
- a review and assessment of the processes and procedures outlined in the T&Cs of the DSA with the NBDH, with emphasis on whether or not the security requirements were in place and complied with, and that confidentiality of data was maintained
- testing of system application controls and authentication and access procedures
- a review of the third-party data-sharing agreement template.
This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Authority
The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2015/2016 to 2019/2020.
Findings, recommendations and management response
Control Environment for the Management of the Data-sharing Agreement
Authorities are defined and the Statistics Canada policy framework sets out clear roles, responsibilities and practices for the management and implementation of the DSA.
Processes and procedures have been established and the DSA is managed by long-term employees who understand their roles and responsibilities. However, practices for the administration and use of Statistics Canada confidential information need to be strengthened. The process for granting network access to approved users by the Data Custodian and the process of reviewing the aggregate data reports prepared by the analysts before distribution are informal practices and lack documented evidence of review and approval.
A monitoring clause is included in the omnibus DSA and the NBDH DSA template for third-party sharing. Currently, the NBDH does not have any third-party agreements in place.
Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels to support effective management of the T&Cs of the omnibus DSA. Monitoring of practices as outlined in the T&Cs of the omnibus DSA should be in place to prevent unwanted disclosure of Statistics Canada data.
Authorities are defined
Statistics Canada exercises its mandate to enter into statistical data-sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. The Directive on Data Sharing under sections 11 and 12 sets out the roles and responsibilities for the development, implementation and monitoring requirements of DSAs. The directive notes that the Information Management Division (IMD), in consultation with Legal Services, is responsible for drafting DSAs when requested from directors of statistical programs. IMD is also required to support managers during the development of new or modified DSAs with receiving parties pursuant to section 12 of the Statistics Act. Subject‑matter divisions are responsible for communication with recipient organizations during the negotiations and drafting of the agreements.
Processes and procedures for the management of the DSA have been established at the NBDH
Statistics Canada confidential information is managed by two branches within the NBDH: the Analytics Branch has responsibility for the life-cycle of the Statistics Canada data; and the Health Business and Technology Solutions Branch provides technical services related to the Statistics Canada data, such as IT access privileges, IT storage, maintenance and security, as well as the electronic file transmission (e-FT) process used for the receipt of Statistics Canada data. Both groups report to the Assistant Deputy Minister (ADM) of Corporate Services, who has ultimate responsibility for the Statistics Canada health survey information.
Statistics Canada data are managed by long-term employees who understand their roles and responsibilities as they relate to the receiving, storing and sharing of Statistics Canada data. The same person has been the Data Custodian for the past 11 years. However, he has recently been assigned to another project with another department, and will be transferring his data custodian-related responsibilities to the Director of Analytics Branch upon his departure. The processes and responsibilities of the Data Custodian to fulfill the requirements of the DSA have not been documented. Although this is not a prescribed requirement in the DSA, the NBDH agreed that, as a good business practice, they will document them.
Practices for the administration and use of Statistics Canada confidential information need to be strengthened at the NBDH
At the NBDH, six users have access to Statistics Canada data—two program analysts and four statistical analysts from the Analytics Branch with responsibility for analyzing the data and providing aggregate data to the programs within the NBDH and to external organizations.
For the past 11 years, the Data Custodian has performed the duties associated with data handling, storage, and approving access to Statistics Canada data. Requests from users are received either by email or phone by the Data Custodian and, in turn, he contacts the IT group by email or phone to allow access privileges for the approved user. This is an informal practice that lacks evidence of a documented approval process as required by the T&Cs of the DSA.
Section 5 of the DSA has strict guidelines regarding the "Use of the Information." At the NBDH, the statistical analysts normally have access to the data for purposes of analyzing and providing aggregate data internally for statistical research purposes or as part of the NBDH's mandate to perform Community Health Assessments. The Data Stewardship Committee has developed a protocol to review their data against a list of identifiers before releasing or distributing aggregate data. Interviews revealed that there may be informal reviews performed on the aggregate reports prior to distribution, but this is not supported by a documented review and approval process. This is not in compliance with the DSA.
A monitoring clause is included in the omnibus DSA and in the NBDH DSA template for third-party sharing
Clauses with respect to monitoring are prescribed by Statistics Canada in the omnibus DSA with the NBDH. The DSA prescribes that third-party agreements entered into by the NBDH "shall contain a clause stipulating the right of Statistics Canada or the Receiving Party to review compliance with the terms of this Agreement."
The NBDH requires external organizations with which Statistics Canada data will be shared to sign a DSA. A review of the NBDH DSA template revealed that it includes an audit clause that states the "Contractor shall provide NBDH or its representatives with reasonable access to the Contractor and its facilities for the purpose of reviewing security measures and other records or information in order to perform audits and security reviews deemed necessary by DH and to ensure the Contractor's compliance with the terms and conditions of this Agreement."
The Data Custodian approves all requests for third-party sharing. Currently, the NBDH is not sharing Statistics Canada health survey information with any regional health authority, researcher under contract, provincial/territorial or university research institute, or any other organization.
Recommendations
The Assistant Chief Statistician, Social, Health and Labour Statistics field, should communicate with the New Brunswick Department of Health to ensure that
- the approval process for granting access to Statistics Canada data is formalized to provide evidence of approval
- the NBDH implements an approval or vetting process in compliance with the T&Cs of the DSA.
Management response
Management agrees with the recommendation.
- The Director Health Statistics Division will prepare a letter to the NBDH and request that the approval process for granting access to Statistics Canada data be formalized, and will remind the NBDH to implement an approval/vetting process that complies with the T&Cs of the DSA.
Deliverables and Timeline: HSD will prepare and send a letter by December 11, 2015 and request confirmation in writing.
Data Stewardship
At the NBDH, processes are in place and monitored to fulfill the requirements of the DSA; however, the Data Custodian is not fulfilling all of the responsibilities prescribed in the DSA for the management of Statistics Canada data. The NBDH confidentiality document has not been updated to reflect all of the T&Cs in Appendix C of the DSA and, as such, employees are not familiar with the requirements that apply to them in the DSA. At the time of the audit, the Data Custodian had not signed a confidentiality agreement. The official Register of Data Files Received from Statistics Canada and the Register of Access to Data Files are not maintained.
Management at the NBDH identifies and assesses the appropriateness of existing controls to manage its risks, and responds to and monitors its risk exposure.
Internal protocols and controls for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full lifecycle of the information.
Processes are in place and monitored to fulfill the requirements stipulated in the DSA
Data files are sent by Statistics Canada via e-FT directly to the Data Custodian at the NBDH. The files are password-protected and encrypted during transfer. Once a data file is received from Statistics Canada, the Data Custodian is notified that a file is in the e-FT vault and requests a password from Statistics Canada to access and decrypt the file. Afterwards, the Data Custodian sends Statistics Canada an acknowledgement of file receipt.
The data file is downloaded by the Data Custodian onto his secure personal network drive and then saved in a restricted folder within a Microsoft SharePoint folder where all the Statistics Canada data are stored and maintained. Once the file is saved in SharePoint, the Data Custodian deletes the file from his personal network drive. Testing revealed that the 'share files' received from Statistics Canada are stored in a SharePoint folder that is accessible by the employees who have been granted access to the data, and the 'link files' are saved in a SharePoint private folder accessible only by the Data Custodian. The Data Custodian is the only one who can approve access to the SharePoint document folder.
The Data Custodian is not fulfilling all the responsibilities prescribed in the DSA
As per Appendix C of the DSA, the Data Custodian is responsible for the following three key requirements: 1) prepare a confidentiality document and ensure that all individuals who access the Statistics Canada data sign this document; 2) maintain the Register of Data Files received from Statistics Canada; and 3) maintain the Register of Access to Data Files of all individuals granted access to Statistics Canada data files.
Confidentiality Document
Appendix C stipulates that the Data Custodian will "prepare a document for the use of the Receiving Party's employees and contractors, outlining the T&Cs governing the use of the information, as well as the procedures to send, receive, handle and store the information (hereinafter the "Confidentiality Document")." Prior to granting access to Statistics Canada data, the Data Custodian must ensure that every employee and contractor who will have access to the data has agreed in writing to comply with the terms of the DSA by signing and acknowledging that they have read, understood and agree to comply with the T&Cs of the DSA as highlighted in the Confidentiality Document.
The audit revealed that the confidentiality document used at the NBDH is outdated and has not been updated to reflect all of the requirements in Appendix C of the omnibus agreement signed on March 10, 2014, specifically related to sections 4, 5, 6 and 10, and Appendix A and Appendix B of the DSA. As a result, employees are not familiar with the requirements of these sections. All approved users with the exception of the Data Custodian have signed the outdated confidentiality agreement.
Register of Data Files
The audit revealed that the Register of Data Files received from Statistics Canada has not been maintained, as required. The NBDH had incorrectly assumed that all information required to be maintained was recorded in the SharePoint document folder. However, a review of the SharePoint site revealed that it was missing some of the required information such as the name of employee who received the file from Statistics Canada, the name of individual at Statistics Canada who sent the file, and the name of the employee responsible for safekeeping of the file.
Register of Access to Data Files
The Register of Access to Data Files has not been maintained either, as required. The NBDH provided a listing of all employees who had access to the Statistics Canada data on SharePoint, but the listing did not include all the required information such as the file name and reference period, name of employee or contractor to whom access is given, justification for access, name of person who authorized access, date of authorization, and start and end dates of the period for which access is authorized.
The NBDH has established a risk-management process to identify and monitor risks
The audit revealed that risks to the New Brunswick Department of Health (NBDH) are managed through its core policy framework (Corporate Privacy Policy; Privacy and Security Guide; and Information Security Framework Policy), which are based on the Right to Information and Protection of Privacy Act (RTIPPA) and the Personal Health Information Privacy and Access Act (PHIPAA) legislation, as well as the New Brunswick Government Information Technology Systems Security Policy (GISSP) Standards and Directives.
The Chief Privacy Officer (CPO) oversees the NBDH's privacy management program, which is a corporate-wide oversight and management component of the NBDH's privacy risks and responsibilities. A data stewardship committee chaired by the CPO deals with changes to policy and large data requests, and a working group assesses corporate gaps and ensures that gap recommendations are being addressed.
Employees are required to complete the General PHIPAA Training within six weeks of employment and annually thereafter; they are also asked to acknowledge and sign that they have reviewed and understood privacy and access, conflict of interest and Internet policies as part of their annual performance evaluations.
Processes for reporting privacy breaches are in place and governed by the Corporate Privacy Policy administered by the CPO, who records and investigates all privacy incidents. Interviews and a review of the NBDH 2014 Incident Report did not reveal any privacy incidents involving Statistics Canada data.
Recommendation
The Assistant Chief Statistician, Social, Health and Labour Statistics field, should communicate with the New Brunswick Department of Health to ensure that
- the NBDH's confidentiality document is updated to reflect the requirements prescribed in Appendix C, and signed by the Data Custodian and approved users
- the NBDH maintains the official Register of Data Files received from Statistics Canada with all of the information required under Appendix C of the DSA
- the NBDH maintains the Register of Access privileges provided for Statistics Canada data as prescribed in Appendix C of the DSA.
Management response
Management agrees with the recommendation.
- The Director Health Statistics Division will prepare a letter to remind the NBDH to update the confidentiality document to reflect the requirements prescribed in Appendix C of the DSA and to have it signed by the Data Custodian and all approved users; and to maintain the Register of Data Files Received from Statistics Canada and the Register of Access privileges as prescribed in Appendix C of the DSA.
Deliverables and Timeline: HSD will prepare and send a letter by December 11, 2015 and request confirmation in writing as well as copies of the completed registers.
Physical and Information Technology Security
Effective controls for physical access to the NBDH's premises and physical storage at its off-site data centre are in place. Logical access controls and effective practices for identification and authentication safeguards are working as intended.
Assessment of electronic access privileges to Statistics Canada data files revealed that employee access privileges are only removed when employees leave the NBDH or move to a new position. The audit noted that one approved user had access to Statistics Canada data from their residence.
Control and protection of information, either physical or electronic, should be executed in a manner that protects against loss, theft, compromise or improper disclosure. Access to the data should only be granted to employees or contractors as necessary to produce a survey-related product or service for the sole benefit and mandate of the NBDH.
Physical access and storage is secure
The NBDH offices are located in downtown Fredericton, and its data centre (where the Statistics Canada data server resides) is located off-site at a New Brunswick Government-owned facility managed by the New Brunswick Information Services Agency (NBISA). Stringent physical access controls exist at both locations, including the use of locked doors and a physical access card system, which is used for both the elevator and the rest of the premises. No guest-pass-card access is permitted, and visitors must be escorted by an NBDH-authorized person at all times. Interviews revealed that access cards are regularly updated to reflect employee departures.
A visit to the data centre revealed that the entrances to the building are equipped with security cameras. Pre-authorization is required to visit the data centre and, upon sign-in at reception, visitors must also sign a non-disclosure document. An annual audit of the sign-in log is conducted and reconciled against the access tickets issued to visitors. All servers and equipment are locked in cabinets and security cameras are located along certain server rows. The server room is equipped with a fire suppression system, cooling systems, and a backup power generator. The physical area housing the servers is protected by concrete walls, ceilings and floors.
Clauses for termination and return or destruction of the shared data no longer needed are included in the DSA. Prior to the implementation of the e-FT data transmission process, the Statistics Canada files were sent to the NBDH via encrypted CD-ROMs. While all of the Statistics Canada data received by either CD-ROM or e-FT are still in use and saved on the NBDH network, the Data Custodian indicated that the CD-ROMs have now been destroyed.
Effective security measures are in place for identification and authentication safeguards, IT storage and data transmission
Testing of logical access controls with the Data Custodian and other employees of the Analytics group revealed that only employees who had been granted access to the Statistics Canada data could access the related SharePoint folder where the Statistics Canada data are maintained; and that only the Data Custodian had access to his personal folder on SharePoint where the Statistics Canada link files are maintained. A password was required to access the NBDH network, which automatically provides access to the SharePoint document folder. Access to the Statistics Canada data on SharePoint is restricted to employees approved by the Data Custodian. Only the Data Custodian and the Director of Analytics have read/write access to the data on SharePoint. The other six users have been granted read‑only access. Analysts download a copy of the file onto their secure private drive to work with the data as needed for their research/statistical purposes and they indicated that, once their analysis has been completed, they delete the file from their private drive.
Network access to Statistics Canada data files is not compliant with the T&Cs of the DSA
The T&Cs of the DSA stipulate that access to Statistics Canada confidential information at the NBDH is to be granted to employees as necessary to produce a survey-related product or service for the sole benefit and mandate of the NBDH. The audit tested this requirement by reviewing who has access privileges to the directory where the Statistics Canada data files are stored, along with the purpose and frequency of such access. The audit revealed that once employees have been granted access to the data, their access privileges are only removed when they move to a new position or leave the NBDH. Access privileges are not periodically reviewed.
Section 1 in Appendix A of the DSA states that "information must be accessed within a secure location that allows unescorted access, only to Authorized Persons." Interviews revealed that one approved user of Statistics Canada data can access data remotely from his home. The Data Custodian informed the audit team that the user has been verbally directed not to access Statistics Canada information remotely. The employee stated that he has not worked on or accessed Statistics Canada data in the last three to four years, but that he is still able to access the data from his residence. This is not compliant with the requirements of the DSA and could result in unauthorized access and use of the data, and confidential information being compromised.
Sound security measures exist for information copying, retention and records management
Information stored on the database servers is backed up daily on encrypted tapes, which are stored off‑site in a secure building. A review of the NBDH's Security Policy Framework revealed that their security policies prohibit the transmission of data through fax or emails and data cannot be stored on transportable media devices (i.e., CD-ROMs, USB sticks, hard drives or laptops). Data are not to be removed from the premises or reproduced. Employees are required to ensure that confidential information is placed in locked shredding bins, the contents of which are to be removed by a private shredding company.
Recommendation
The Assistant Chief Statistician, Social, Health and Labour Statistics field, should communicate with the New Brunswick Department of Health to ensure that
- access privileges to Statistics Canada data are periodically reviewed and access is only granted to employees in compliance with the T&Cs of the DSA
- employees only access Statistics Canada data from a secure location at NBDH premises in compliance with the T&Cs of the DSA.
Management Response
Management agrees with the recommendation.
- The Chief Statistician has requested the NBDH implement measures eliminating access to Statistics Canada data from outside a secure location.
Deliverables and Timeline: The letter was forwarded on November 2nd, 2015 and a written confirmation was requested.
- The Director, Health Statistics Division, will prepare a letter to remind the NBDH of the T&Cs related to granting access to Statistics Canada and of the physical access requirements stipulated in the DSA.
Deliverables and Timeline: HSD will prepare and send a letter by December 11, 2015.
Appendices
Appendix A: Audit Criteria
Control Objective / Core Controls / Criteria | Sub-criteria | Policy instrument |
---|---|---|
The T&Cs of the Data Sharing Agreement between Statistics Canada and New Brunswick Department of Health are met. | | |
1.1 Authorities, responsibilities and accountabilities are defined and communicated, and the segregation of duties is appropriately established. | 1.1.1 Responsibilities are formally defined and clearly communicated. 1.1.2 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined. | The Statistics Act; The Companion guide to the Statistics Act; Statistics Canada - Directive on Data Sharing under sections 11 and 12; Statistics Canada - Policy on Official Release; Statistics Canada - Security Practices Manual; Statistics Canada - Policy on the Security of Sensitive Statistical Information; Statistics Canada - Policy on Privacy Impact Assessments (PIA); Statistics Canada - Policy on Informing Survey Respondents (ISR); Statistics Canada - Policy on Micro-Data Release; Statistics Canada - Policy on Discretionary Disclosure and associated guidelines; TBS - Government Policy on Security; TBS - Standard on Physical Security; TBS - Directive on Departmental Security Management; TBS – Core Management Controls; Omnibus Data-sharing Agreement between Statistics Canada and NBDH |
1.2 NBDH has established an appropriate framework to manage the requirements set out in the DSA. | 1.2.1 Processes are in place to fulfill the requirements set out in the DSAs. 1.2.2 Processes are understood and are complied with. 1.2.3 Compliance with processes is monitored. | |
2.1 Management at NBDH identifies and assesses the appropriateness of existing controls to effectively manage its risks, and responds to the risks that may preclude the achievement of its objectives. | 2.1.1 Risks are identified. 2.1.2 Formal processes and guidelines exist to assess the effectiveness of controls in place to manage identified risks. 2.1.3 Management formally responds to and monitors its risk exposure. | |
3.1 Assets are protected at NBDH. | 3.1.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with the DSA. 3.1.2 Physical access is restricted. 3.1.3 Procedures exist to safeguard the shared data upon termination of an agreement. 3.1.4 Procedures exist to protect the use of data from abuse or fraud. | |
3.2 Appropriate system application controls exist at the NBDH. | 3.2.1 Logical access controls exist to ensure access to systems and data is restricted to authorized users (e.g., systems require users to logon using a unique user name and password). 3.2.2 Authentication and access procedures and mechanisms exist and are applied in order to keep authentication and access mechanisms effective. | |
4.1 Management monitors actual performance against planned results, and adjusts course as needed, to better address the requirements/needs of the program. | 4.1.1 Responsibility for monitoring is clear and communicated, and results are reported to required authority levels. 4.1.2 Active monitoring is demonstrated. | |
Appendix B: Acronyms and initialisms
Acronym | Description |
---|---|
ADM | Assistant Deputy Minister |
CCHS | Canadian Community Health Survey |
DSA | Data-sharing Agreement |
e-FT | Electronic file transmission |
NBDH | New Brunswick Department of Health |
HSD | Health Statistics Division |
IIA | Institute of Internal Auditors |
IMD | Information Management Division |
IT | Information Technology |
NPHS | National Population Health Survey |
TBS | Treasury Board Secretariat |
T&Cs | Terms and conditions |
SLCDC | Survey on Living with Chronic Diseases in Canada |