Audit of the Canadian Centre for Data Development and Economic Research (CDER)

April 15, 2016
Project Number: 80590-92

Executive Summary

The Canadian Centre for Data Development and Economic Research (CDER) was established to encourage the use of Canadian statistical information/data in research initiatives. Operating entirely on a cost-recovery basis since 2011, the program estimates that it will recover anywhere from $700,000 to $1.1 million annually. The CDER program's main objective is to provide researchers, whose projects are approved, with secure access to business and economic microdata for analytical research. CDER is a repository containing both business and economic microdata files that have sufficient details for complex analysis.

Located within Statistics Canada's Head Office, CDER falls under the responsibility of the Economic Analysis Division (EAD). It enables Statistics Canada to close a number of data and capacity gaps, which impose limitations with respect to the development and analysis of business and economic microdata. Specifically, CDER has been designed to enable highly trained economists/researchers to conduct important policy-relevant economic research analysis on topics such as productivity, international trade, investment patterns, and firm dynamics, while assuring the confidentiality and security of the data that are used. CDER has one location only.

The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the CDER program

  • has established an adequate accountability framework in support of maintaining the confidentiality of sensitive statistical information / data
  • has established effective control mechanisms to safeguard the confidentiality of data sources and to ensure compliance with applicable Treasury Board Secretariat (TBS) and Statistics Canada policies and guidelines regarding information technology (IT) and physical security, with respect to the delivery of its services.

The scope of this audit included a detailed examination of the adequacy and effectiveness of the systems and processes established to ensure the protection and confidentiality of sensitive statistical CDER information / data.

The audit was conducted by Statistics Canada's Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Roles, responsibilities and accountabilities have been defined and communicated and are understood by the key personnel responsible for the CDER program as well as by researchers who are deemed Statistics Canada employees. There is an opportunity for the program to assess its strategic direction, overall operational needs and knowledge sharing requirements to ensure ongoing sustainability.

A robust project proposal review and approval process and governance mechanisms have been established and formally documented. These include (1) an assessment of the feasibility and costs of the project; (2) a peer / professional review to assess the professional merit of the project and the researcher's qualifications; (3) an assessment of the project's alignment with Statistics Canada's mandate; and (4) a formal approval process. Testing of a sample of projects confirmed overall compliance with the existing process, but was not always supported by complete documentation. Project renewal and approval processes were consistently applied with appropriate approvals.

Processes for compiling and creating synthetic databases from real microdata have been established prior to their release to researchers. However, the methodology for creating synthetic data has not been formally documented or reviewed to ensure that data has been sufficiently anonymized, to protect the confidentiality of data sources, and correctly allocated to the appropriate researcher.

The CDER program is developing formalized guidelines on how to document the confidentiality vetting process to ensure that all necessary datasets provided to researchers are sufficiently protected, but these have not yet been provided to the analysts. Furthermore, there is no requirement for a formal review and sign-off of vetted data results.

A robust process for data linkage is in place and consistently followed, and proper approval processes are followed by the CDER program for all data linkage requests.

Physical access to the Statistics Canada facility is secure, but researchers are not always actively monitored by the CDER staff while on the premises. Monitoring requirements of researcher activities are not defined in current CDER guideline documents. Logical access controls and effective practices for identification and authentication safeguards are working as intended. Neither an IT Security Threat and Risk Assessment (TRA) nor periodic inspections of the program has yet been conducted.

Overall Conclusion

Roles, responsibilities, and accountabilities have been formally established for the CDER program, including for researchers who are deemed Statistics Canada employees. Effective oversight and governance mechanisms have also been established to oversee the successful delivery of the program. Formal committees and processes are in place to assess and approve all research proposals to ensure that all accepted projects fall within the mandate of Statistics Canada, and that Statistics Canada's reputation for objectivity and neutrality is not jeopardized.

Processes have been designed within the CDER program to protect confidential information, such as those relating to the creation of synthetic data, confidentiality-vetting of datasets prior to their release to researchers, as well as the ongoing monitoring of researchers' activities when accessing real microdata. These processes are well understood within the program. However, they have not been formally documented; nor have oversight / review mechanisms been established within these processes. The program is currently documenting these processes and developing robust procedural documentation, guidelines, and checklists.

In view of the expectation to protect confidential information, appropriate physical and IT controls must be established within the CDER program. Vulnerabilities were noted relative to access by researchers to the Statistics Canada facility and the level of supervision of researchers while on site.

Given the current maturity level of the program, there is an opportunity to re-examine the program's activities and responsibilities and, in doing so, to establish a formal organizational structure for ensuring ongoing sustainability and aligning the controls in place with the security risks associated with the confidential data the CDER program is protecting. In carrying out this re-examination, there may be the opportunity to leverage the existing infrastructure established by Statistics Canada's Microdata Access Division (MAD) with its Research Data Centre (RDC) program.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.

Steven McRoberts
A/Chief Audit Executive

Introduction

Background

Under section 3 of the Statistics Act, Statistics Canada is mandated "to collect, compile, analyse, abstract and publish statistical information relating to the commercial, industrial, financial, social, economic and general activities and condition of the people" and "to collaborate with departments of government in the collection, compilation and publication of statistical information."

The Canadian Centre for Data Development and Economic Research (CDER) was established to encourage the use of Canadian statistical information / data in research initiatives. Operating entirely on a cost-recovery basis since 2011, the program estimates that it will recover anywhere from $700,000 to $1.1 million annually. The CDER program's main objective is to provide researchers whose projects are approved with secure access to business and economic microdata for analytical research. CDER is a repository containing both business and economic microdata files sufficiently detailed for complex analysis.

The CDER program was first launched to federal government affiliated bodies in December 2011. In October 2012, it was extended to non-federal government institutions. To date, more than 60 projects and 100 researchers have made use of the CDER facilities. The CDER program model is similar to that of the RDC program of Statistics Canada's MAD, which processes confidential social microdata, whereas the CDER program does the same with business / economic microdata.

Located within Statistics Canada's Head Office, CDER falls under the responsibility of the Economic Analysis Division (EAD). It enables Statistics Canada to fill a number of data and capacity gaps, which impose limitations with respect to the development and analysis of business and economic microdata. Specifically, CDER has been designed to enable highly trained economists / researchers to conduct important policy-relevant economic research analysis on topics such as productivity, international trade, investment patterns, and firm dynamics, while assuring the confidentiality and security of the data that is used. CDER has one location only.

Researchers wishing to access CDER data must submit a research proposal and be able to cover all associated project costs. The Analysis Coordination Committee (ACC) evaluates proposals on the basis of their congruence with Statistics Canada's mandate. Furthermore, the proposal review process includes an assessment of the outputs of the research project and of the project's impact on the confidentiality of data providers. Research projects that may breach the confidentiality of data providers are not accepted.

Once a research proposal is approved, only the data required for the approved project are provided to the researchers. The data are first stripped of all identifying information, such as names, contact information, business numbers, detailed geography, and industry of data providers, and then shifted in order to create a synthetic database. Batch mode processing, which includes a vetting process by an assigned economic analyst within EAD, is also used in order to ensure that researchers are unable to identify individual observations in their databases.

In addition to existing memoranda of understanding (MOUs) established with other government departments, all researchers must sign a Microdata Research Contract (MRC), which outlines their responsibilities and accountabilities, as well as the nature of the services rendered by Statistics Canada. These MRCs indicate that researchers are deemed employees under the Statistics Act and must abide by all confidentiality requirements to which Statistics Canada employees are subject, including a security screening process, the Statistics Canada Oath, and the Values and Ethics Code for the Public Service.

Audit Objectives

The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the CDER program

  • has established an adequate accountability framework in support of maintaining the confidentiality of sensitive statistical information / data
  • has established effective control mechanisms to safeguard the confidentiality of data sources and to ensure compliance with applicable Treasury Board Secretariat (TBS) and Statistics Canada policies and guidelines regarding information technology (IT) and physical security, with respect to the delivery of its services.

Scope

The scope of this audit included a detailed examination of the adequacy and effectiveness of the systems and processes established to ensure the protection and confidentiality of sensitive statistical CDER information / data. Specific areas examined included the following:

  • the assignment of roles, responsibilities and accountabilities, including those of researchers;
  • the research proposal review, assessment and approval processes;
  • the establishment of Microdata Research Contracts (MRC) and the procedure followed for obtaining required security clearances for researchers;
  • the data masking and vetting processes; and
  • the physical and IT controls in place for the CDER program.

The audit also assessed the compliance with TBS and Statistics Canada policies and guidelines relating to the security and confidentiality of data.

Approach and Methodology

The audit work consisted of an examination of relevant documentation, interviews with key senior management and personnel, as well as detailed testing of project files to ensure compliance with relevant policies and guidelines.

The field work also included a review, assessment, and testing of the physical security and IT controls in place to ensure the security and confidentiality of sensitive CDER information / data as part of the CDER facility in Statistics Canada's head office.

In order to test the effectiveness and consistency of key controls, a sample of research projects initiated within the last two years was selected.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of Statistics Canada's integrated Risk-Based Audit and Evaluation Plan 2014/15-2018/19.

Findings, Recommendations and Management Response

Control environment for the administration of the CDER program

Roles, responsibilities and accountabilities have been defined and communicated, and are understood by the key personnel responsible for the CDER program as well as by researchers who are deemed Statistics Canada employees. There is an opportunity for the program to assess its strategic direction, overall operational needs, and knowledge sharing requirements to ensure ongoing sustainability.

A robust project proposal review and approval process and governance mechanisms have been established and formally documented. These include (1) an assessment of the feasibility and costs of the project; (2) a peer / professional review to assess the professional merit of the project and the researcher's qualifications; (3) an assessment of the project's alignment with Statistics Canada's mandate; and (4) a formal approval process. Testing of a sample of projects confirmed overall compliance with the existing process, but was not always supported by complete documentation. Project renewal and approval processes were consistently applied with appropriate approvals.

Administration of the CDER program is a combination of assigned responsibilities and procedures to control access to, and protect the confidentiality of, data released to external researchers. Access to the facility should be restricted to researchers with valid security clearances and valid contracts. Researchers should have access only to data which have been approved for use for the specific contract.

Authority

The CDER program operates under the provisions of the Statistics Act, in accordance with all the confidentiality rules and requirements that govern Statistics Canada. The CDER program is accessible only to researchers with approved projects who have been sworn in under the Statistics Act as "deemed" employees.

Roles and responsibilities of key personnel for the CDER program have been defined and communicated, and are understood.

The roles, responsibilities, procedures and practices for the management and handling of the CDER program are defined and documented in the Guideline for CDER memo, dated June 23, 2015, and the Step by Step tasks and tips on good practice for CDER analysts memo, also dated June 23, 2015.

Both documents describe the roles and responsibilities for the EAD analyst assigned to a CDER researcher; CDER administrative staff, IT personnel and/or managers; CDER researchers (deemed employees); IT and subject-matter divisions (other than EAD); and internal and external committees. Procedures and practices for the submission, evaluation and approval of research proposals, as well as for security screenings, contract set-up, becoming a deemed employee, system testing, project conduct, and contract extensions, are also covered in detail.

Interview evidence confirmed that the roles, responsibilities, and accountabilities of the key personnel responsible for the CDER program are well understood within the program and by key stakeholders.

Elements of CDER's operational structure and sustainability have not been fully established.

The CDER program is physically located in EAD. The director of EAD, as the CDER program manager, is responsible for its development and operation. Assisting the Director is a full-time economist and four analysts from EAD who have multiple responsibilities, including the CDER program. These responsibilities are in addition to their functional responsibilities as EAD analysts. As a result, reliance is on two full-time staff members to manage the program.

Interviews revealed that the program can sometimes have up to six or more researchers making use of its facilities during peak times. A review of the EAD sector risk profile revealed the following risk: "high turnover of staff, leaving a gap in the skill sets needed in CDER to serve clients."

As the program continues to grow and additional infrastructure becomes necessary to ensure both confidentiality and security of the data the program is sharing, there is an opportunity for the program to assess its strategic direction, overall operational needs and knowledge sharing requirements to ensure ongoing sustainability.

Roles, responsibilities and accountabilities of researchers have been clearly defined and are well understood.

Researchers are deemed employees under the Statistics Act by means of the Microdata Research Contract (MRC) between the program and the researchers. Once an MRC is issued, there is a process to ensure that the security clearance for "reliability" status has been obtained for each researcher by his or her sponsoring government or non-government institution prior to the researcher being given access to CDER data.

The MRC outlines the roles, responsibilities and accountabilities of the researcher and the nature of the research to be conducted. Once an MRC is signed, the researcher in question is expected to participate in a formal CDER orientation session, which covers the regulatory framework governing CDER, CDER guidelines, CDER operations, and the responsibilities of deemed employees in those areas. While these sessions are administered by an EAD analyst and are scheduled only periodically, the CDER program manager will provide an informal orientation to new researchers until they can attend the formal session. The orientation session reinforces the information communicated formally through the MRC, as well as researchers' obligations within the existing policies and guidelines, such as Statistics Canada's Policy on Privacy and Confidentiality and Directive on the Use of Deemed Employees.

Interviews with a sample of five researchers revealed that researchers are aware of their assigned roles, responsibilities and accountabilities, and the audit confirmed that they had followed the orientation session prior to being provided access to the data.

A robust project proposal review and approval process and governance mechanisms have been established but were not always supported by complete documentation.

The process for reviewing, assessing and approving research proposals includes the following four steps described in the Projects in CDER - Review of approval process - June 2015 document. They are (1) an assessment of the feasibility and costs of the project; (2) a peer / professional review to assess the professional merit of the project and the researcher's qualifications; (3) an assessment of the project's alignment with Statistics Canada's mandate; and (4) a formal approval process.

The audit tested a sample of eleven MRCs from a population of sixty-five MRCs issued for the period from July 2013 to July 2015. Five ongoing projects and six closed-out projects were selected on the basis of professional judgment. Of the five ongoing projects, two were proposals submitted by government-affiliated institutions and three were from non-government-affiliated institutions. This sample was used to assess compliance with the established process for the assessment of research project proposals, adherence to the CDER program requirements, and approval by appropriate governance bodies.

Testing revealed overall compliance with the existing process, but an inconsistent level of documentation was maintained to support the conduct of, and the results of, the project proposal review and approval process. Specifically, limited documentation was maintained to support the conduct of the assessment of the proposal's costs and feasibility, as well as the peer and institutional review.

Project renewal and approval processes were consistently applied with appropriate approvals.

Statistics Canada's security requires that an active MRC be in place in order for any researcher to be granted access. Furthermore, researchers as deemed employees must comply with the terms and conditions for access to microdata, as per the Statistics Canada Policy on Microdata Access.

Occasionally, projects are extended and require a contract amendment. In such cases, CDER staff receive an extension request from the researcher and verify that the researcher is still affiliated with his or her sponsor and has a valid security clearance for the entire renewal period.

The process for reviewing and approving project extensions was consistently applied. Of the sample of five ongoing projects selected for testing, three had requested project extensions. In all three cases, although there were gaps between the contract end date and the contract amendment date, documentation was maintained to demonstrate that the contract extension followed the correct process and that appropriate approvals were maintained. The access passes of the researchers were suspended during the gaps in contracts.

The audit also noted that an international researcher (IR) was included in one of the three projects that were tested for extensions. A documentation review revealed that the security clearance information for the IR had not been confirmed by the program for the requested extension period.

Enquiry by the audit confirmed that the individual did in fact hold a valid security clearance for the extended period.

Recommendations

It is recommended that the Assistant Chief Statistician, Analytical Studies, Methodology and Statistical Infrastructure ensure that

  • Improvements be brought to the CDER program, taking into consideration its current needs and the sustainability of the program going forward. This includes evaluating the optimal organizational structure for the program, ensuring appropriate segregation of duties, as well as adequate oversight and, as applicable, succession planning for key skills / expertise
  • Protocols for maintaining sufficient evidence of the conduct of each step of the project proposal review and approval process are embedded within the procedural documentation; when a contract is extended, verification is performed to ensure that the researcher continues to hold a valid security clearance during the contract extension period, and evidence of this verification is maintained

Management Response

Management agrees with the recommendations.

Management agrees fully that it is an opportune time to take action. As facilitation of research activities in the Economic Analysis Division (EAD) has grown from providing service to mainly two long-standing users at the launch of CDER to the current scale of servicing over 60 projects a year, the need to have dedicated CDER staff with clearly defined roles, responsibilities and job duties separate from those of other staff in EAD is essential for the sustainability and continued expansion of the program.

Management will re-examine and articulate the organizational structure of CDER and develop a human resource plan to staff vacant positions.

Management will define and segregate the role of the Director, CDER program manager, CDER analysts, CDER program administrative support and analysts working in EAD that support the CDER program and develop documents to support the development of key skills and expertise for each position (e.g. creation of synthetic data, confidentiality vetting guidelines and handbook).

Deliverables and Timeline: The Director of EAD will update the organizational chart and develop the human resource plan to staff vacant positions by June 2016. The Director will also ensure that the job duties and responsibilities of the individuals involved in delivering the CDER program and the documentation of the key skills and expertise for each position are completed by June 2016.

When CDER was originally launched, an approval process that divided potential projects into two categories was approved by the Executive Management Board. It was found that these two categories did not fully encompass the range of projects that eventually were undertaken at CDER.

To ensure that CDER staff can maintain documentation consistent with the project approval process, management will update the project approval process and present it to the Microdata Access Management and Analysis Coordination Committees.

Deliverables and Timeline: The Director of EAD has updated the CDER project approval process and presented it to the Microdata Access Management and Analysis Coordination Committees.

Projects at CDER tend to have long gestation periods and long periods of inactivity due to the fact that some researchers need to make arrangements (e.g., travel, accommodation, sabbatical, etc.) to come to Ottawa to access the data after project approval has been obtained. Thus, even though a security clearance has been obtained, it is necessary in some cases to have them reconfirmed before the start or before a contract extension.

Management will confer with departmental security and develop operating procedures for CDER staff to follow to ensure that security clearances for CDER researchers are valid before the beginning of a project and are reconfirmed before an extension is granted.

Deliverables and Timeline: The Director of EAD will ensure that operating procedures for security clearances are completed by March 2016.

Data Stewardship, Confidentiality vetting and Data linking

Processes for compiling and creating synthetic databases from real microdata have been established prior to release to researchers. However, the methodology for creating synthetic data has not been formally documented and is not formally reviewed to ensure that data has been sufficiently anonymized to protect the confidentiality of data sources and that it is correctly allocated to the appropriate researcher.

The CDER program is developing formalized guidelines on how to complete the confidentiality vetting process to ensure that all necessary data sets provided to researchers are sufficiently protected, but these have not yet been provided to the analysts. Furthermore, there is no requirement for a formal review and sign-off of vetted data results.

A robust process for data linkage is in place and consistently followed, and proper approval processes are followed by the CDER program for all data linkage requests.

Internal protocols and controls for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada information over the full lifecycle of the information.

Data Stewardship

Effective processes for compiling and creating synthetic databases have been established, but are not documented and are not formally reviewed

To protect the confidentiality of data, real microdata are never released to researchers; only synthetic data are. An EAD analyst compiles the databases required by the researcher once the project proposal is approved.

Synthetic data are created using an algorithm that was developed by the director of the CDER program. Synthetic data are created by reviewing the real data to identify any potential confidentiality issues and determining which data variables need to be preserved. All identifying information is removed from the databases and any specific characteristics of a given company are shuffled. The extension "_syn.dat" is added to the end of the synthetic data file name. This is the key identifier that the data has been converted. All synthetic data are treated as confidential data and can be accessed only in the CDER program area. This process is a key control used by the CDER program to ensure the safeguarding of data sources and to avoid any potential confidentiality issues.

The audit noted that the process for creating synthetic data has not been formally documented and that only the director and the full-time employee dedicated to the program have access to, and knowledge of, the methodology behind the use of this algorithm. Given the restricted number of individuals who can apply the algorithm, there is a potential risk for the loss of knowledge for this key control should these employees leave the division or the organisation.

The audit also noted that there is no requirement for the formal review of synthetic data files to ensure that not only has the data been sufficiently shifted to protect the confidentiality of the data providers, but also that it has been correctly allocated to the proper researcher user ID, as per their approved MRC.

Confidentiality Vetting

Confidentiality vetting is the process of screening research outputs, syntax or any confidential data-related material to assess the risk of a prohibited disclosure. This is done by analyzing whether obvious identification of individual cases or information about individual cases can be inferred or deduced from the statistical output.

The CDER program is a repository of business and economic microdata files of Statistics Canada that are accessible to researchers with approved projects. Effective and appropriate processes and procedures for confidentiality vetting should be in place and adhered to in order to reduce the risk of unwanted disclosure. Confidentiality vetting should be carefully administered by the program analyst, as per the established protocols, to ensure that confidentiality of data is not compromised.

Practices and procedures to conduct and perform confidentiality vetting are carried out, but they have not been documented. There is currently no requirement for a formal review and sign-off of the vetted data results.

Researchers review and analyze their synthetic data and then request permission from the CDER program to release their research work outside of Statistics Canada. The research work contains analyses performed on the synthetic data in aggregate form.

Prior to the release of any data, CDER staff complete a confidentiality vetting process. The onus is on the assigned EAD analyst to identify situations in which the confidentiality of data could be compromised during processing. These potential confidentiality concerns are embedded within an automated disclosure control application tool developed within Statistics Canada, called G-Confid. This tool provides the appropriate level of protection for confidential data tables, while minimizing the loss of any synthesized information. Training and guidance documentation provided to analysts is focused solely on how to use the G-Confid application tool. However, to a great extent, subjectivity exists within the vetting process, based on the complexity of the research.

Interviews confirmed that confidentiality vetting of data is carried out; however, testing revealed that no documentation is currently available that outlines the vetting steps to follow, including the assumptions and situations to be considered by the EAD analyst. No vetting evidence was available for the five ongoing projects that were tested and for which evidence was requested by the audit team. As well, the audit determined that evidence of formal sign-offs by the CDER program manager of the vetted data results for the five projects was not available.

The audit was informed that CDER is developing a guidelines document and a checklist to be completed by the analysts when vetting the confidentiality of the data outputs.

Data Linking

A robust process for data linkage is in place and consistently followed

Occasionally, researchers make data linkage requests. In order to do so, a record linkage form must be submitted by the program, which includes extensive details about the proposed linkage, including the security measures in place to protect the confidentiality of the linked data. These submissions are prepared through consultations with the researcher and the responsible Statistics Canada program area. Requests are then reviewed by the director of the program area to determine the potential impact of the data linkage request on the confidentiality of the data sources. The request follows an approval process, which includes Statistics Canada's Information Management Division (IMD), the Assistant Chief Statistician (ACS) who is accountable for the program area, and ultimately the Executive Management Committee (EMB), where the Chief Statistician provides consent. This process, along with the responsibilities of the Statistics Canada program areas involved, is found within the Directive on Record Linkage, which is available through Statistics Canada's Internal Communication Network (ICN).

Of the five ongoing projects that were tested, one of the projects had a linkage request. The audit team requested the request form for data linkage for the project and noted that it had been approved by the ACS for the division and the CS prior to access being provided to the data.

Overall, the audit noted that a robust process is in place, and is consistently followed to verify that data linkage requests do not create opportunities for data sources to be revealed, and that the proper approval process is followed for requests from the CDER program.

Recommendations

It is recommended that the Assistant Chief Statistician, Analytical Studies, Methodology and Statistical Infrastructure ensure that:

  • Processes within the program are formally established and documented for
    • the creation and formal review of all synthetic databases before they are copied and stored in the research project folder on the network drive
    • the conduct and performance of confidentiality vetting, including a formal review and approval process of the vetted results.

Management Response

Management agrees with the recommendations.

For much of the existence of the CDER program, the creation, review and transfer of synthetic databases to CDER researchers has been the responsibility of the director of the CDER program.

To ensure that the synthetic databases used within the CDER program continue to provide the desired level of protection going forward, management will document the process for creating synthetic data files; develop SAS macros to ensure that the process is applied consistently across projects; and develop a review process for synthetic files to ensure that data have been appropriately masked and that synthetic data are transferred to the correct CDER research project folders.

Deliverables and Timeline: Management has completed the documentation of the process for creating synthetic data files. The development of the SAS macros is scheduled to be completed by March 2017. Review of the CDER research project folders to ensure that synthetic data have been properly created and correctly transferred to the correct CDER research project folder will be completed by May 2016.

CDER researchers generally are only able to obtain limited summary statistics that support the building of the context for their analytical work. The vetting of these summary statistics is often done in consultation with the appropriate subject-matter divisions. The main challenge CDER staff face is the vetting of the analytical outputs, where judgment needs to be applied to transform the more complex analysis into a form that can be handled by the G-Confid application (which is designed for tabular output). The treatment of analytical output (such as regression output) as if it were simple tabular output is a conservative approach that helps mitigate the higher risk due to the sensitivity of business data.

To ensure practices are consistently applied when output is requested, management will develop a checklist to be completed by the analysts when vetting the confidentiality of outputs; and will develop a Confidentiality Handbook containing vetting procedures for common and recurring requests for analytical outputs.

Deliverables and Timeline: Management has completed the checklist for vetting the confidentiality of outputs before their release. The Confidentiality Handbook is scheduled to be completed by December 2016.

Physical and Information Technology Security

Physical access to the Statistics Canada facility is secure, but researchers are not always actively monitored by the CDER staff while on the premises. Monitoring requirements of researcher activities are not defined in current CDER guideline documents.

Logical access controls and effective practices for identification and authentication safeguards are working as intended. An IT Security Threat and Risk Assessment (TRA) or periodic inspections of the program have not been conducted.

Physical and information technology (IT) controls within the CDER program should comply with applicable Treasury Board and Statistics Canada policies and guidelines.

Physical access to the Statistics Canada facility is secure, but researchers are not always actively monitored by the CDER staff while on the premises

Once an MRC is signed, a CDER researcher, as a "deemed employee" of Statistics Canada, is issued a photo identification access card that allows him or her to gain physical access to the CDER program physically located in EAD in the R.H. Coats Building at Statistics Canada.

The audit revealed that although the CDER program operates within the same physical security environment as regular programs, it does not have its own designated space with restricted physical access. Designated researcher workstations are housed in open cubicles, whereby some workstations are grouped together, and others are isolated or intermingled with other EAD staff members on the floor.

Interviews revealed that CDER researchers have to be supervised by their EAD analyst when they access the CDER program facilities between 8:00 a.m. and 6:00 p.m., from Monday to Friday. Monitoring of researcher activities is not covered in the current guidelines. Interviews with EAD analysts and a sample of researchers revealed that most analysts finish their work between 4:00 and 6:00 p.m., but do not verify whether their assigned researcher is still on the premises before they leave, and researchers do stay, unsupervised, until 6:00 p.m., from time to time.

As a compensatory control, an automatic computer shutdown at 6:00 p.m. used to occur so that researchers could not access data after the close of CDER's hours of operations. However, since a system migration in fiscal year 2015–2016, this functionality was disabled and was not reinstalled. This provides researchers with the opportunity to stay beyond the operating hours of the program, and to continue with their research work unsupervised.

Researchers are not allowed to use cellular phones, but interviews with CDER staff revealed that this is not being actively monitored or enforced by them.

Effective access, identification and authentication safeguards are in place

The CDER program has an established process in place, where an IT user account for a researcher can be created only when an MRC is approved and becomes active. At the MRC's termination date, the IT user account for the researcher is removed, and can be reinstated only in cases where the MRC is granted an extension by the Director of EAD.

Through the set-up of the IT user account and password, researchers are granted access to their research project folder on the CDER server network. Stored in the research project folder are approved datasets created specifically for the project by their assigned EAD analyst. IT activity on the program's server is randomly spot checked through the use of an 'active directory' system in Microsoft.

To confirm that researchers had access only to approved datasets as stipulated in their MRC, the audit judgementally selected and tested the user ID privileges of five researchers, from a sample population of 65 MRCs issued for the audit period of July 2013 to July 2015. Test results confirmed that researchers could access only their research project folder, and that the datasets stored in their folder were in accordance with their MRC. Attempts to view other research project folders on the server using their IT user account and password were denied.

An audit trail has been established, as part of the batch submit system, to log the activities of the researchers when accessing real microdata. Once data are released and available to researchers, EAD staff members assigned to the CDER program are responsible for monitoring researcher access to the microdata; however, there is currently no formal protocol as to how often this monitoring should take place and how the results should be documented.

IT system safeguards are working as intended

Through testing, the audit revealed that the researchers' workstations do not allow access to the Internet or EAD printers. Only a designated workstation located in an isolated area allows access to the Internet. USB ports are disabled, and the workstations do not have wireless keyboards and/or mice.

An assessment of the IT controls in place for the program has not been done

Interviews revealed that neither an IT security threat and risk assessment (TRA) prior to the launch of the CDER program nor periodic inspections of the program were conducted. The absence of a TRA or ongoing security inspections makes it difficult to assess or mitigate vulnerabilities resulting from inadequate monitoring of researchers. In turn, the sound management and protection of the confidentiality of CDER information is compromised.

Recommendations

It is recommended that the Assistant Chief Statistician, Analytical Studies, Methodology and Statistical Infrastructure ensure that

  • CDER management work with Statistics Canada IT Security to ensure that all workstations designated for use by CDER researchers are automatically shut off at 6:00 p.m. to prompt the researchers to vacate Statistics Canada premises by the end of the program's hours of operation
  • Researcher access to the CDER and its microdata is monitored, and the frequency and documentation of this monitoring should be defined
  • The CDER program perform periodic assessments of its IT environment to mitigate current internal and/or external risks to the confidentiality of Statistics Canada business data used by its researchers. Based on the results of the assessments, a formal response of the safeguards implemented should be documented.

Management Response

Management agrees with the recommendations.

Prior to the introduction of a new operating system in 2015-2016, workstations at CDER automatically shut off at 6pm. This capacity was temporarily lost, but will be reintroduced.

All workstations designated for use by CDER researchers have been configured to shut down at 5:00 pm and procedures have been put in place to prompt researchers to leave CDER facilities by 5:00 pm. In addition to this prompt, CDER staff will make rounds at 5:00 pm to ensure that work has indeed stopped and that CDER researchers leave the premises.

Management will request that a Threat Risk Assessment be undertaken and that there are periodic inspections of the program to monitor evolving risks.

Deliverables and Timeline: The Director will ensure that a Threat Risk Assessment is conducted and a plan is developed to respond to the assessment by March 2017.

Appendices

Appendix A: Audit Criteria

The table in Appendix A identifies the Audit Criteria, control objective / core controls / criteria, the sub-criteria as well as the policy instrument used as the source of these criteria.
Columns: Control Objective / Core Controls / Criteria; Sub-criteria; Policy Instrument

Objective 1: The CDER program has established an adequate accountability framework in support of maintaining the confidentiality of sensitive statistical information / data.

1.1 Roles, responsibilities and accountabilities of key personnel responsible for the CDER program and researchers, have been clearly defined and adequately communicated.

  Sub-criteria:
    • 1.1.1 The roles, responsibilities and accountabilities of key personnel responsible for the CDER program have been clearly defined and are well understood.
    • 1.1.2 The roles, responsibilities and accountabilities of researchers/ deemed employees have been clearly defined and are well understood.
    • 1.1.3 Management engages in succession planning to ensure that the experience and expertise of key individuals responsible for the program continue to meet the needs of the program.

  Policy Instrument:
    • Management Accountability Framework (MAF) – Core Management Control (CMC)
    • Statistics Act
    • Discretionary Disclosure Directive
    • Policy on Deemed Employees

1.2 Effective accountability structures have been established and are consistently applied in the assessment of research project proposals and the development and approval of relevant CDER agreements, including Memorandums of Understanding (MOUs), and/or Microdata Research Contracts (MRCs).

  Sub-criteria:
    • 1.2.1 An effective proposal review and approval process has been established to ensure that only projects that meet the requirements of the CDER program are approved, and approvals are obtained per delegated authorities.
    • 1.2.2 Effective project renewal processes have been established to ensure that projects are renewed appropriately and in line with delegated authorities.
    • 1.2.3 A process exists to ensure that only researchers with adequate security clearance are granted access to the data they require for their project.

  Policy Instrument:
    • Management Accountability Framework (MAF) – Core Management Control (CMC)
    • Statistics Act
    • Discretionary Disclosure Directive
    • Policy on Deemed Employees

Objective 2: The CDER program has established effective control mechanisms to ensure the confidentiality of data sources, and compliance with applicable TBS and Statistics Canada policies and guidelines regarding information technology and physical security through the delivery of its services.

2.1 Effective control mechanisms have been established and are consistently applied to ensure that data sources remain protected.

  Sub-criteria:
    • 2.1.1 Prior to the release of synthetic data to researchers, a process has been established to ensure that data are appropriately shifted to mask data sources.
    • 2.1.2 A process has been established to verify that data linkage requests do not create opportunities for data sources to be revealed.
    • 2.1.3 A standardized and appropriate process has been established for the vetting of datasets prior to their release to researchers in order to ensure that data sources are protected.

  Policy Instrument:
    • Management Accountability Framework (MAF) – Core Management Control (CMC)
    • TBS Government Policy on Security
    • Statistics Canada Security Practices Manual
    • Security of Sensitive Statistical Information
    • Statistics Act
    • Discretionary Disclosure Directive
    • Policy on Deemed Employees

2.2 The physical environment in which the CDER program operates complies with TBS and Statistics Canada policies and guidelines.

  Sub-criteria:
    • 2.2.1 Adequate physical-access controls are in place to ensure the effective safeguarding of sensitive CDER data.
    • 2.2.2 Ongoing monitoring of CDER's physical environment takes place to ensure compliance to policies.

  Policy Instrument:
    • Management Accountability Framework (MAF) – Core Management Control (CMC)
    • TBS Government Policy on Security
    • TBS Standard on Physical Security
    • TBS Directive on Departmental Security Management
    • Statistics Canada Security Practices Manual
    • Security of Sensitive Statistical Information
    • Statistics Act
    • Policy on Deemed Employees

2.3 The IT environment in which the CDER program operates complies with current TBS and Statistics Canada policies and guidelines.

  Sub-criteria:
    • 2.3.1 IT access and exchange of data controls are in place and documented for the effective safeguarding of confidential data.
    • 2.3.2 Regular periodic IT security inspections take place to ensure compliance to policies and guidelines, and results from the inspections are remediated on a timely basis.

  Policy Instrument:
    • Management Accountability Framework (MAF) – Core Management Control (CMC)
    • TBS Government Policy on Security
    • TBS Directive on Departmental Security Management
    • Statistics Canada Security Practices Manual
    • Statistics Canada IT Security Policy
    • Security of Sensitive Statistical Information
    • Statistics Act
    • Policy on Deemed Employees

Appendix B: Acronyms

Acronym Description
ACC Analysis Coordination Committee
ACS Assistant Chief Statistician
CDER Canadian Centre for Data Development and Economic Research
CS Chief Statistician
DAC Departmental Audit Committee
EAD Economic Analysis Division
EMB Executive Management Board
ERRC Economic Research Review Committee
ICN Internal Communications Network
IIA Institute of Internal Auditors
IT Information technology
LAN Local area network
MAD Microdata Access Division
MAF Management Accountability Framework
MAMC Microdata Access Management Committee
MOU Memorandum of Understanding
MRC Microdata research contract
RDC Research Data Centre
SAS Statistical analysis software
TBS Treasury Board Secretariat
TRA Threat and risk assessment