Audit of Administrative Data Management

September 2016
Project Number: 80590-95

Table of Contents

Executive Summary

As Canada's national statistical office, Statistics Canada has the mandate to ensure that Canadians have access to a trusted source of statistics on Canada to meet their highest-priority needs. An important aspect of Statistics Canada's mandate is to work with other government departments - federal, provincial or municipal and other organizations to promote the reduction in the duplication of efforts in collecting statistical information. These externally collected data are called 'administrative data' or 'secondary data'. Statistics Canada collects administrative data under the authority of section 13 of the Statistics Act.

Administrative Data Management at Statistics Canada has undergone significant change since 2012 due to strong pressure from governments and business respondents to increase the use of administrative data. As a result there has been a major shift to maximize the efficiency and effectiveness of the use of administrative data in statistical programs while reducing the response burden on respondents and collection costs. This has represented a major change for Statistics Canada and has introduced requirements for considerably more rigour in the acquisition of administrative data from external sources and the management of administrative data.

The objectives of this audit were to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

  • Statistics Canada has established an adequate governance framework that is consistently applied to support effective management of administrative data; and
  • Effective control mechanisms for security and confidentiality of administrative data are in place and ensure compliance with the Statistics Act, and applicable legislation, policies and directives.

The scope of this audit assessed administrative-data activities for the period January 1, 2014 to December 31, 2015, for nine divisions that were judgementally selected.

Why is this important?

In recent years the increased use of administrative data has become a growing and complex area to manage. Effective management of administrative data requires that it be supported with an adequate governance framework that is consistently applied.

Section 17 of the Statistics Act places a strict obligation on Statistics Canada to protect and keep confidential all individual information obtained under the Act. Ensuring respect for the privacy of respondents and the maintenance of confidentiality is a key priority for Statistics Canada.

Key Findings

A corporate approach, strategic direction and support for efficient and effective acquisition, management and use of administrative data are provided by two policy suite instruments developed and documented by the Administrative Data Division (ADD): the Directive on Obtaining Administrative Data under the Statistics Act, and Statistics Canada Policy on The Use of Administrative Data obtained under the Statistics Act.

Administrative data are defined in the policy instruments. These instruments only cover data sources obtained under the Statistics Act. This definition does not include data available to the public and explanations regarding the context under which they can be obtained. This has led to inconsistent understanding and practices for the handling and management of administrative data within programs.

Roles, responsibilities and accountabilities along with processes and procedures have been formally established to assist statistical programs with their administrative data acquisition activities, but there is inconsistent understanding of the newly created role of the administrative data custodian. Training on the Directive on Obtaining Administrative Data under the Statistics Act was available but was not mandatory.

Some key communication initiatives by ADD to promote sharing of knowledge of methods and processes for increased statistical use of administrative data have not been completed as planned.

A corporate culture focused on protecting all data exists at Statistics Canada, and the Statistics Canada Policy Suite collectively reinforces the importance of integrity and ethical values.

Information Technology desktop controls are in place and working as intended to protect the confidentiality of data, but practices for creating security groups and directory structure vary across the agency. Access privileges are managed using two different systems with no formal monitoring procedures to ensure access privileges are limited to a need-to-know basis.

Overall Conclusion

Progress has been made by the ADD and the Administrative Data Management Committee to provide strategic direction for the effective and efficient acquisition, management and statistical use of administrative data.

The audit found that overall, key stakeholders are engaged in implementing the requirements of the newly released policy instruments for administrative data management. Adapting policy instruments to include a definition for "data available to the public”, will help with consistent understanding and practices for the management of administrative data across all statistical programs. Mandatory training on the new role and responsibilities of the administrative data custodian; completion of key communication initiatives as planned; and strengthening some elements of the information management practices will help with the efficient and sound management of administrative data holdings.

Conformance with Professional Standards

This audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of a quality assurance and improvement program.

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.

Steven McRoberts
Chief Audit & Evaluation Executive

Introduction

Background

An important aspect of Statistics Canada's mandate is to work with other government departments - federal, provincial or municipal and other organizations in the collection, compilation and publishing of statistical information. In working with these organizations Statistics Canada addresses another aspect of its mandate: "to promote the reduction in the duplication of efforts in collecting statistical information". These externally collected data are called 'administrative data' or 'secondary data'.

Administrative data are collected under the authority of section 13 of the Statistics Act. The Chief Statistician or a person authorized by the Chief Statistician, can obtain access to any documents or records collected by any federal, provincial or territorial department or in any municipal office, corporation, business or organization for their own purposes. Statistics Canada's use of the information for statistical purposes is secondary to the objective of the original collector of the information.

The statistical use of administrative data to complement or supplement Statistics Canada's census and survey programs became an explicit organizational priority in the 2013-2014 and 2014-2015 Report on Plans and Priorities. Statistics Canada's 2014-15 to 2016-17 Corporate Business Plan has also explicitly elaborated on this priority of exploiting administrative data sources to reduce program costs and response burden, while improving quality and providing additional statistical and analytical outputs relevant to information needs.

In response to the new strategic direction to increase the use of administrative data, Statistics Canada created the Administrative Data Secretariat (ADS). In keeping with its mandate to develop and implement a governance framework to support the efficient acquisition, management and use of administrative data, the ADS has proposed a corporate approach for a more efficient use of administrative data through the creation of the Administrative and Alternative Data Sources Utilization Program proposal document. The document provides a roadmap for making maximum possible use of administrative data in statistical programs. The expected result is to reduce response burden, lower costs, improve quality and introduce new data series for users, while maintaining public trust by protecting all administrative data.

On April 1, 2014, Statistics Canada created the Administrative Data Management Committee (ADMC). This committee has a mandate to encourage the effective and efficient acquisition, management and statistical use of administrative data and to advise the Executive Management Board on how to increase and improve the use of administrative data at the agency. To support efficient and effective management of administrative data, the ADS merged with the Tax Data Division to become the Administrative Data Division (ADD). The ADD has a mandate to acquire administrative data that have broad use; to support statistical programs in their acquisition of administrative data by providing them the tools and support; and to maintain an inventory of administrative-data files.

A new Directive on Obtaining Administrative Data under the Statistics Act the "Directive" came into effect on April 1, 2015 replacing the former Directive on Obtaining Access to Records Maintained by Other Organizations. The new Directive provides a clear definition of administrative data in the context of the Statistics Act. It also provides for the creation of an administrative-data custodian role, and it proposes three types of agreements for acquiring administrative data from external sources: a data acquisition agreement, written communication, and a contract with a private-sector organization involving payment of a fee. Statistics Canada Policy on The Use of Administrative Data obtained under the Statistics Act "the Policy" was implemented on December 2, 2015.

Audit Objectives

The objectives of the audit were to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

  • Statistics Canada has established an adequate governance framework that is consistently applied to support effective management of administrative data; and
  • Effective control mechanisms for security and confidentiality of administrative data are in place and ensure compliance with relevant Statistics Canada legislation, policies and directives.

Scope

The scope of this audit included an examination of the adequacy and effectiveness of the controls over the management and handling of administrative data. Specific areas that were examined included:

  • Operational processes and controls that enable consistent application of common business practices and processes;
  • Tools, training and information management practices that support clear accountability and compliance to applicable policies and procedures and confidentiality; and
  • Security safeguards (IT storage and transmission, physical storage and information copying, and retention and record management) to ensure that data is protected and confidentiality is maintained.

Approach and Methodology

The audit work consisted of an examination of documents, interviews with key Senior Management and personnel, and a review of compliance with relevant legislation, policies and guidelines.

The field work consisted of a review and assessment of the processes, procedures and controls in place to ensure they are consistently applied; and that the tools, training and information management practices support clear accountability and compliance to applicable policies and procedures.

A sample of records reported in the second version of the Administrative Data Inventory were selected judgementally for the nine divisions in the sample and tested to:

  • Trace the data sets to an agreement to ensure that the data set has been acquired under the authority of section 13 of the Statistics Act and the intended use has been documented.
  • Ensure that appropriate IT security safeguards are in place for the storage and protection of administrative data records.
  • Validate access permissions for users to ensure access was limited to authorized employees.
  • Review the list of Corporate Access Request Services (CARS) and Service Request Management (SRM) users to verify appropriate authorizations are on file for the sampled users.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada Integrated Risk-based Audit and Evaluation Plan 2015/2016 to 2019/2020.

Findings, Recommendations and Management Response

Control Environment for the Management of Administrative Data

A corporate approach, strategic direction and support for efficient and effective acquisition, management and use of administrative data are provided by two policy suite instruments developed and implemented by the Administrative Data Division: the Directive on Obtaining Administrative Data under the Statistics Act, and Statistics Canada Policy on the Use of Administrative Data obtained under the Statistics Act.

Administrative data are defined in the policy instruments. These instruments only cover data sources obtained under the Statistics Act. This definition does not include data available to the public and explanations regarding the context under which they can be obtained. This has led to inconsistent understanding and practices for the handling and management of administrative data within programs.

Roles, responsibilities and accountabilities along with processes and procedures have been formally established to assist statistical programs with their administrative data acquisition activities, but there is inconsistent understanding of the newly created role of the administrative data custodian. Training on the Directive on Obtaining Administrative Data under the Statistics Act was available but was not mandatory.

Some key communication initiatives by Administrative Data Division to promote sharing-of-knowledge of methods and processes for increased statistical use of administrative data were not completed as planned.

Roles, responsibilities and accountabilities for administrative data management should be clearly defined and communicated, with effective coordination between all the stakeholders to ensure efficient and effective operations. Programs should be supported with a solid framework of internal protocols, practices, procedures and corporate tools to encourage increased, efficient and effective use of administrative data.

Authority

Statistics Canada exercises its mandate to obtain documents or records collected by any federal, provincial or territorial department or in any municipal office, corporation, business or organization for their own purposes under the authority of section 13 of the Statistics Act. Statistics Canada's use of the information for statistical purposes is secondary to the objective of the original collector of the information.

Strategic direction for administrative data management has been defined and communicated

Until recently, the internal governance framework for administrative data at Statistics Canada was developed in an environment where individual statistical programs had the responsibility of identifying, acquiring, evaluating, using and managing the administrative data files used in their programs. This framework was characterized by a distributed management under various responsibility arrangements between the units of Statistics Canada and the external partner. Strong pressure from governments and business respondents to make greater use of administrative data prompted the need for the agency to adopt a corporate approach that centralizes the efforts for acquiring administrative data, in an effort to maximize the efficiency and effectiveness of the use of administrative data in statistical programs, while reducing the response burden on respondents and costs. This major shift in operations introduced requirements for considerably more rigour in the acquisition of administrative data from external sources; and management of administrative data.

As a result, the ADD developed the Directive to provide a corporate approach, strategic direction and support for efficient and effective acquisition, management and use of administrative data. The new Directive came into effect on April 1, 2015, and replaced the former Directive on Obtaining Access to Records Maintained by Other Organizations. Noted in the Directive is a clear definition of administrative data for the agency; detailed functional roles, responsibilities and accountabilities of key stakeholders; and processes and procedures to assist statistical programs with their administrative data acquisition activities.

Following the implementation of the Directive, the Policy came into effect on December 2, 2015 to support the Directive. Included in the Policy are responsibilities of key stakeholders mirroring those already set out in the Directive, as well as the newly defined responsibilities of the administrative data custodian.

A clear definition of what is meant by administrative data is included in the policy instruments, however, this definition does not include data available to the public

To support statistical programs in the effective and efficient use and management of administrative data a clear definition of what is meant by administrative data in the context of the Statistics Act, is outlined in the policy instruments:

"Information collected by other organizations and departments for their own purposes; and is sought, at the micro or aggregate level, by Statistics Canada in respect to the objects of the Statistics Act… Statistics Canada's use is secondary to the objective of the original collector of the information…..data sets received from the Canada Revenue Agency, and also alternative sources….data from surveys conducted by others and data generated by electronic devices (e.g. satellites, sensors, scanners, mobile phones) gathered by other organizations."

Exclusions: "Administrative data should not be confused with products that may be obtained from other organizations such as publications, reports, guides, metadata and computer programs. They also exclude data or information that is publicly available, including on the internet, or data that can be obtained, under license or not, by anyone, with or without a fee".

The audit revealed that immediately following the implementation of the Directive, the ADMC made a proposal to change the corporate mandate to include the acquisition and effective and efficient management, of:

"Information that is publicly available, including on the internet, or data that can be obtained, under license or not, by anyone, with or without a fee."

The audit also revealed that the Information Management Division, (IMD) planned to develop separate guidance to cover the legal aspects of acquiring this information.

However, plans to develop the guidance were discontinued by IMD, as direction on how to assess and ensure Statistics Canada's compliance to various website terms and conditions was determined to be unnecessary. This was because the risk to the agency to acquire the information without guidance from IMD was assessed to be very low.

Interviews revealed that there is confusion within statistical programs. Programs managing both sets of data were unsure if they should or should not include it in their inventory count and expressed a requirement for clarity and corporate guidance on information that is available to the public.

Key stakeholder roles and responsibilities are defined and communicated in the Directive, but there is inconsistent understanding of the newly created role of the administrative data custodian

To ensure the coordination and integration of administrative data activities with departmental operations and functions, the Directive sets out clearly the roles and responsibilities of key stakeholders – senior managers, ADD, IMD, Corporate Support Services Division and ADMC.

Statistical Programs

Roles and responsibilities for the operational implementation and management of the Directive reside with senior managers (assistant chief statisticians, directors general and directors) responsible for statistical programs or for programs that support statistical programs. Section 6.4 and Appendices B through G of the Directive describe, in detail, the requirements that statistical programs must fulfill and the processes that they must follow. Since the delegated administrative data custodian is required to "to obtain the data…" and is "…in charge of the negotiation… and the primary point of contact for the agreement" it is the responsibility of each director to ensure that their divisions comply with the requirements of the Directive.

Interviews revealed that each division has created its own structure based on the size of the division and the volume of administrative data activity, and directors have delegated the responsibilities of the administrative-data custodian to program managers. As the administrative data custodians, the program managers are responsible for being the single point of contact between Statistics Canada and the data provider(s). Program managers must also inform the ADD of restrictions that are imposed by the data provider(s); document the arrangements with the data provider in an agreement, and manage the requirements in the agreement. In addition, program managers must register all administrative data in the corporate inventory of administrative data maintained by ADD, authorize access to administrative data in accordance with the need-to-know principle, and manage and ensure protection of administrative data files for which administrative data custodians are responsible, in accordance with all relevant legislation, policies and procedures.

In statistical programs with low administrative data activity, only two or three employees perform all tasks related to the management of administrative data, while divisions with higher volumes of administrative data activity have several employees involved. Divisions with high volume of administrative data activity have developed their own software, work methodologies and standard operating procedures to handle and manage administrative data, with some having receipt and pre-processing arrangements with other divisions, such as Operations and Integration Division (OID). Regardless of the size or structure of the division or the volume of administrative data activity, the roles of the employees involved with administrative data have evolved over time, more so than had they been formally defined; for the most part, these roles are being adequately performed.

However, the audit revealed that not all directors held discussions with their program managers and teams to discuss the newly created role and responsibilities of the administrative data custodian. This has resulted in confusion and inconsistent understanding of the role of the administrative data custodian across the agency. Program managers are seeking better understanding and clarity with respect to their roles and responsibilities. Failure to implement and enforce the requirements stipulated in the Directive increases the risk of not meeting the Directive's objectives and expected results.

Training on the Directive was provided to over 300 employees at the program manager level and above. Interviews revealed that not all section chiefs or managers handling administrative data attended the training on the Directive: some admitting to looking at it more closely for the first time, in preparation for their interview with the audit team. Ongoing training on the Directive is being offered as a course through Statistics Canada's Learning Management System and the Directive is available on the Statistics Canada website and the ADD intranet site. The lack of training on the part of the program managers has resulted in their being aware of, but not familiar with, the Directive. This has led to inconsistent levels of engagement on the part of program managers as demonstrated by some programs not being aware of ADD's new responsibilities.

Administrative Data Division

Responsible for the implementation of the Directive and the Policy, the Director, ADD is tasked with the following key responsibilities:

  • Corporate inventory: Developing and maintaining, on the basis of input from statistical programs, a comprehensive and up-to-date corporate inventory of administrative data obtained by Statistics Canada for statistical purposes and providing statistical programs access to the inventory.
  • Acquisition and use of administrative data: Determining corporate-wide needs for administrative data, and making recommendations to the ADMC on the acquisition of administrative data that have a broad corporate use or that involve a complex acquisition process and on who should acquire, and have custody of the data.
  • Evaluation framework: Managing the development, implementation and maintenance of a data-quality evaluation framework.
  • Core processing of administrative data: Core processing of administrative data that have a broad corporate use is carried out in a coordinated and central manner for further local processing and use in statistical programs.
  • Corporate Templates and Tools: Assisting statistical programs in their acquisition of administrative data, by guiding them to a set of corporate templates for data acquisition agreements.

Corporate inventory

The first corporate Administrative Data Inventory was established in 2013. The intent was to produce an updated and improved inventory on a yearly basis.  The second version was produced in October 2014 which established a count of over 650 administrative data sets and over 800 primary users and 2500 secondary users. The coverage of the second inventory was expanded but a number of discrepancies were identified in the inventory records such as duplicates, omissions, and files that didn't meet the definition. A third update based on an improved design was produced in the fall of 2015. To assist statistical programs in capturing the required information for this latest inventory update, the ADD developed an inventory template and an Administrative Data Inventory Reporting Guide. Training on their use was provided to a representative from each division.

Interviews revealed that the timeline for completing the update to the corporate count has been delayed because statistical programs continue to struggle with what data records should or should not be included. The timeframe for updating the inventory was from October 2015 to February 2016. As of March 2016, only one division had responded; the ADD reviewed and approved this response. The ADD continues to vet the inventory updates and to meet one-on-one with respondents. The ADD has now asked the directors for each division to review and approve their inventory list before final submission to the ADD.

Acquisition and use of administrative data

To assist statistical programs in establishing corporate-wide needs for administrative data, ADD has developed a database for potential new acquisitions in an issue and project tracking application tool called JIRA. This application tool allows statistical programs to track, issues and provide real-time updates on their development efforts. Review of the database revealed that new opportunities for potential acquisitions of administrative data were listed and are being communicated to the programs using a broadcast template. In addition, the audit noted that the ADD has established fifteen new partnerships and eight more are in progress. This is in keeping with the requirements set out in the Directive for the ADD to acquire and act as a custodian for administrative data that have a broad corporate use or that involve a complex acquisition process.

Evaluation framework

ADD has coordinated the development of an Administrative Data Evaluation framework to assist statistical programs assess the fitness for use of administrative data. The framework which was developed by the Household Survey Methods Division includes a guide and a questionnaire.

Core processing of administrative data

ADD carried out an organizational scan of the pre-processing of administrative data acquired by statistical programs from external organizations The results of the scan led to a number of recommendation that were presented to the ADMC in February 2015. As a result, the ADMC recommended that the OID develop a proposal for a common model for receipt and pre-processing of administrative data.

Corporate templates and tools

To implement a corporate approach for acquiring administrative data, the Director, ADD is required to assist statistical programs with their acquisition of administrative data, by guiding them to a set of corporate instruments (templates for data acquisition agreements). The audit noted that, in consultation with the IMD, the ADD has developed templates for data acquisition agreements to help programs formalize their arrangements.

An electronic Administrative Data Handbook which describes the processes, general policy, and guidance on the acquisition, management and use of administrative data and serves as a basic reference on administrative data was scheduled for release in the spring of 2016. Follow-up with ADD revealed that its release has been delayed; it will now be ready for release in March 2017. Access to timely, reliable and relevant information will promote the sharing of knowledge of methods or processes for increased statistical use of administrative data.

In addition, the ADD had plans to develop an easily accessible intranet site to which employees could turn to find information on governance, questions and answers on how to resolve issues, and links to key documents and tools. A scan of the ADD intranet site revealed that these items have not yet been developed. Follow-up with the ADD revealed that it is working with the Communications Division to post a set of common questions and answers. In the meantime, newsletters provide updates on new and current events, and changes to current development processes, governance and best practices. The ADD also makes ongoing presentations to senior management.

Information Management Division

Section 6.2 of the Directive describes the requirements for the Director, IMD. The Director is required to support statistical programs by:

  • preparing standard templates for data acquisition and providing them with legal advice and support in drafting administrative data agreements
  • maintaining a register of the administrative data agreements and section 13 delegations
  • updating and registering Statistics Canada's Personal Information Bank (PIB) on the Internet for administrative data received by Statistics Canada from other organizations that contain personal information

Interviews with ADD, IMD and statistical programs revealed that the IMD supports statistical programs with: standard data acquisition templates, legal advice; and is maintaining a register of administrative data agreements. An annual call letter from the IMD reminds statistical programs to register personal information included in administrative data received from other organizations containing personal information. Transparency with the use of personal data is an important element in maintaining public confidence. The audit traced and verified the registration of PIB files. It determined that nine files in the sample should have been registered. Review of the PIB site revealed that only seven files were registered. Follow-up with the program responsible for the remaining two files revealed that the program was preparing the information for submission to IMD for registration.

Corporate Support Services Division

Section 6.4 of the Directive describes the requirements for the Director, Corporate Support Services Division. The Director is required to ensure that statistical programs complete the Goods and Services requisition form, follow the established procurement practices, and promote long-term contracts for the acquisition of administrative data from a private source obtained at a cost.

The audit selected 12 data files for the nine divisions in the sample and traced them to their respective agreement. This was done to ensure that the arrangements had been formalized; that the data had been acquired under the authority of section 13 of the Statistics Act; the intended use of the data had been documented; and an administrative data custodian was the single point of contact from Statistics Canada.

The audit noted that three agreements were long-term contracts for the acquisition of administrative data from a private source obtained at a cost, and that the statistical program had completed the Goods and Services requisition form and followed the established procurement practices. The rest were memoranda of understanding. The audit revealed that a valid and signed delegation of authority form was on file for all the agreements and that their intended use had been documented. It was noted that one of the agreements was composed of a mix of formal and informal agreements throughout the agency with each program dealing directly with the external partner, instead of there being a single point of contact from Statistics Canada.

Administrative Data Management Committee

The audit noted that, in keeping with the ADMC's mandate to provide strategic direction for the effective and efficient acquisition, management and use of administrative data and advise the Executive Management Board on the approach or measures to improve or increase the use of administrative data at the agency, the committee is actively engaged in organizing and directing initiatives for administrative data with participation from all the statistical programs. ADMC holds regular monthly meetings with a full agenda and action items are tracked by the secretary.

The audit concluded that ADD and ADMC are actively engaged in directing initiatives for administrative management by setting strategic direction for the acquisition, use, handling and management of administrative data through the policy instruments. However, there is confusion within programs over the change in the corporate mandate which added information that is available to the public that is currently not included in the definition of "administrative data". There is confusion and inconsistent understanding across the agency with respect to the newly created role of the administrative-data custodian. Program managers are aware of the "Directive" but are not familiar with it. Some key communication initiatives to promote the sharing of knowledge of methods and processes for increased statistical use of administrative data have not been completed as planned by the ADD.

Recommendations:

It is recommended that the Assistant Chief Statistician Analytical Studies, Methodology and Statistical Infrastructure Field should ensure that:

  • The policy instruments are adapted to include a definition for "data available to the public" to provide guidance and clarity for consistent practices across the agency.
  • Training on policy instruments for administrative data developed by the ADD is mandatory for administrative data custodians to ensure that there is a consistent understanding across the agency of the role and responsibilities of the data custodian.
  • Key communication initiatives by ADD to promote sharing of knowledge of methods and processes for increased statistical use of administrative data are completed as planned.

Management Response:

Management agrees with the recommendations.

The existing policy instruments will be modified to include a definition for "data available to the public" and to document the context in which they can be obtained.

A strategy will be developed to foster better knowledge and understanding of the following policy instruments:

  • Policy on the Use of Administrative Data Obtained under the Statistics Act
  • Directive on Obtaining Administrative Data under the Statistics Act

While course material already exists for the Policy and the Directive, a review will take place that will provide insight on the existing course framework in order to identify which elements will be most beneficial to its end users. The results of the review will include recommendations on scope, intended audience and delivery mechanisms.

Work has already begun on a planned communication strategy that will include the:

  • Development and dissemination of a handbook; and,
  • Development and implementation of a communication plan and communication materials to inform employees about the tools available to support the acquisition including the handbook.
Deliverables and Timeline:

The Director, ADD and the Director, Communication and Dissemination Branch will:

  • Provide updated policy instruments by March of 2017;
  • Provide a report with the results of the review by June of 2017 and will implement the approved recommendations by October of 2017; and,
  • Publish the handbook on the Internal Communications Network and develop a communication plan and communication materials by June of 2017. The plan will be implemented by October of 2017.

Data Stewardship in Statistical Programs

A corporate culture focused on protecting all data exists at Statistics Canada, and the Statistics Canada Policy Suite collectively reinforces the importance of integrity and ethical values.

IT desktop controls are in place and working as intended to protect the confidentiality of data.

Practices for creating security groups and directory structure vary across the agency. Access privileges are managed using two different systems with no formal monitoring procedures to ensure access privileges are limited to a need-to-know basis.

System access controls, authentication and access procedures should be in place, and be in compliance with relevant Statistics Canada policies, standards and directives as they relate to the confidentiality of sensitive statistical information. Compliance with these policies helps ensure access to systems, data and program is restricted to authorized users. Monitoring of operational performance should take place to detect errors or potential errors which would otherwise increase operational risk.

Corporate Environment

A corporate culture focused on protecting all data has been created at Statistics Canada

Interviews revealed that employees that handle administrative data do not differentiate them from survey data. All data that are collected are protected in keeping with Statistics Canada's Code of Conduct which states that "Employees are required at all times to protect the confidentiality of collected data and to uphold the public trust in the Agency. Confidential information must be shared on a need-to-know basis….only with appropriate personnel."

All employees must sign an oath when they are hired in order to access confidential statistical information. They must read and acknowledge the Network Use Policy every ninety days and take a test ninety days prior to renewing their security pass. Email broadcasts are used to remind employees on the importance of good information management and security practices when handling sensitive statistical information. As well an entire week (Security Awareness Week) is dedicated to promoting security practices and procedures and reinforcing the importance of good information management practices. When possible, security of information is embedded in employees' performance review. Interview evidence confirmed that employees are aware, and have a good understanding, of security requirements

Statistics Canada Policy Suite collectively reinforces the importance of integrity and ethical values

Documentation review revealed that there are numerous policies in place that are part of an overall framework to ensure the protection of sensitive statistical information at Statistics Canada. One of the expected results stated in the Directive is to "maintain public trust by documenting the use of administrative data and communicating it to the public via the website." Controls such as the requirement for written agreements for all acquisitions; clear definition of roles and responsibilities; and delegation of section 13 authority are prescribed in the Directive to ensure adherence to the confidentiality provisions stated in the Statistics Act.

The Statistics Canada Policy on Information Management addresses all information holdings and requires all employees to apply information management principles, standards and practices in the performance of their activities. Interviews revealed that programs are engaged in implementing Statistics Canada's Information Management Action Plan to address the requirements of the Treasury Board Directive on Recordkeeping and the requirements of the Directive of the Management of Aggregate Statistics and the Directive on the Management of Statistical Microdata Files regarding the retention and destruction of all data holdings. Managers indicated that implementation of these initiatives was tied to their annual performance evaluations.

The Statistics Canada Policy Suite collectively reinforces the security and privacy of information holdings with regular reminders to employees that they are obligated to meet compliance requirements.

IT Controls

Desktop controls are in place to protect the confidentiality of data

Security around user workstation rights has been tightened to prevent employees from saving files on the hard drive of their workstations or granting access to a file within their profile. Employees can only save files in their 'user profile folder' located on the Statistics Canada corporate network drive. Through testing and walkthroughs, the audit determined that users cannot access information on their workstation that is stored under another user's profile.

Laptop workstation hard drives are encrypted and all Universal Serial Bus (USB) ports on workstations require a Statistics Canada approved encrypted USB key received from the Information Technology Operations Division (ITOD). A business justification and approval from a director are required to obtain access to an encrypted USB key.

There is a strong awareness of the requirement to maintain confidential administrative data on Network A.

Statistics Canada's IT Security Policy notes that all information provided in confidence must be processed, stored, accessed or transmitted only on Network A. To validate whether each division's administrative data holdings are stored only on the division's secure network drive located on Network A, data custodians were asked to provide a walkthrough of their administrative data holdings. The walkthroughs demonstrated that administrative data holdings in the custody of each program are stored on their respective secure network drive under separate folders on Network A and cannot be accessed via Network B.

Information Management Practices

Good information management practices ensure that:

  • Information is managed through its life-cycle;
  • Information is not duplicated (i.e. numerous versions of the same document across divisions are minimized);
  • Information contained within the infrastructure is reliable
  • Information is easily accessible;
  • Procedures exist for clean-up and archival; and,
  • Consistent security practices are used to protect confidential data holdings with compliance to the need-to-know principle.
There are varying practices for creating security groups and directory structures for administrative data holdings across the agency

As part of the current information management structure, all divisions are responsible for creating their folder structure to store, organize and secure their information, including confidential administrative data. All folders are linked to a Security group that defines the applicable permissions (i.e. read, modify, delete or combination thereof), identify the owner of the Security group and provide the directory path.

Interviews and walkthroughs demonstrated that lack of an agency-wide standard to provide guidance on how Security groups and directory structures should be created and named, has resulted in inconsistent practices across the agency on how data holdings are organized and managed. The varying practices have made it difficult for the IT accounts team in ITOD to document and implement a unified corporate approach for processing user access requests. This increases the risk that user access permissions for administrative data may not be limited to a need-to-know basis as access privileges could be granted erroneously or intentionally to a folder; and numerous versions of an administrative data file could be duplicated and held by users.

To minimize these risks, IMD is seeking corporate approval at its Field Planning Board for the CARS to be used as the corporate system for managing the approval process for access permissions to all protected A and B information (which includes administrative data). As well, IMD has developed best practices for the storage of all Statistics Canada restricted data holdings for which programs will be required to organize their data holdings in restricted folders and label and identify them; naming conventions for the Security groups and folders will be standardized; and restricted folders will be flagged for authorization to be generated only through CARS. Plans are in place to test the best practices and their application within CARS through a proof of concept.

Access privileges are currently being managed using two different systems - either informally through SRM or formally through CARS

Employees have to request access privileges for all data holdings either through the SRM system or through CARS. Over the past two years, efforts have been made to migrate users from the Data Access Request System (DARS) to CARS as DARS was scheduled to be decommissioned by Shared Services Canada on March 31, 2016. The audit revealed that currently only a few programs have migrated to CARS and of the nine divisions in the sample, three divisions were in the process of migrating to CARS with no timeline for completion.

SRM approval request process:

The approval process for data holdings managed through the SRM system follows an informal process. Users request access privileges by sending an email or by telephone. Once approval is provided the user or the data custodian submits an SRM request. The request is actioned manually by the ITOD accounts team. Since the approval process is informal and records are not kept, the audit could not examine a sample of users in SRM to verify if they had been approved by the appropriate level of authorization. The audit noted that one division has created a 'Data Release Form' for use by employees from other programs for data request and justification with approval by their respective supervisor and director.

CARS approval request process:

The approval process for data holdings managed through CARS allows statistical programs to automate the approval process and control access privileges to data. Users are required to login (same as workstation login); identify who they are and the data set requested; provide justification; enter an expiry date (maximum allowed is one year); read and accept the terms and conditions, and then submit the completed request for approval. The system then initiates the approval process. The request is forwarded for approval first to the program supervisor, followed by the program director, the respective data custodian and then director with section 13 authority for the administrative data set. CARS then generates an SRM request to the IT Accounts team to manually set up the approved user access privileges. CARS keeps an audit trail of the authorization process and provides reports on number of users and the data accessed.

Data request and justification, and appropriate approval levels were examined for ten users judgementally selected in CARS. An audit trail of the data request and justification, and approval levels was available in CARS for nine users. Approval had been given to one user but information on the data sets they would be accessing was not listed.

Access privileges granted through the SRM approval process do not have an expiry date

For all programs areas not using CARS, access privileges granted to a security group do not have an expiry date and the data custodian is responsible for removing user access privileges for administrative data.

Interviews revealed that there are no formal monitoring procedures in place. Monitoring activities are performed on an ad hoc basis and monitoring of employees that move between programs is not performed rigorously; therefore, allowing employees to continue to have access to data holdings that they no longer need in performing their new responsibilities and not respecting the need-to-know principle. An IT application called Active Directory Search developed in-house allows IT administrators to identify and manage user access within the security groups. This tool has been made available to some programs that use it to monitor and update their security groups and user accesses.

Users requesting access to administrative data through CARS must enter an expiry date that cannot be more than one year. Before a request expires, a notification is sent to the users informing them that if continued access is required they should enter another CARS request. If no action is taken, a CARS notification is sent to the IT Accounts team in ITOD to have the user's access removed. The process is automated by CARS to enforce the "need-to-know principle".

The audit concluded that a corporate culture focused on protecting all data has been created at Statistics Canada and the Statistics Canada Policy Suite collectively reinforces the importance of integrity and ethical values. There is a strong awareness of the requirement to maintain confidential administrative data on Network A and IT desktop controls are in place to protect the confidentiality of data, but practices for creating security groups and directory structure vary across the agency. Access privileges are managed using two different systems with no formal monitoring procedures to ensure access privileges are limited to a need-to-know basis.

Recommendations:

It is recommended that the Assistant Chief Statistician Analytical Studies, Methodology and Statistical Infrastructure Field should ensure that:

  • An agency-wide standard and naming convention for creating Security groups and directory structures is developed and documented to achieve consistent practices across the agency for the management of data holdings.
  • There is a uniform corporate approach to process access permissions for all administrative data to maintain an audit trail of the authorization process, the number of users and the data accessed.
  • Best practices are developed and documented by IMD for the management of all Statistics Canada restricted data holdings to achieve consistent practices across the agency on the organization and management of confidential data holdings.
  • User access privileges and security groups are monitored regularly by the program managers to ensure access privileges are limited on a need-to-know basis.

Management Response:

Management agrees with the recommendations.

An agency-wide standard for creating security groups and directory structure is being developed. Standards and a naming convention will be established and will be tested through a proof of concept.

  • The results of the proof of concept will determine the course of action, including the development of an implementation strategy and schedule.
  • There will be a communication plan to inform users of the new standards.

CARS will provide a uniform corporate approach to process access permissions and to maintain audit trails, the number of users and the data accessed. However, in the majority of divisions, CARS is not used to manage all the datasets. Currently, CARS is only used by a subset of divisions within the organisation and, within these divisions, used only to manage a subset of all datasets. CARS does not enforce the implementation of a uniform corporate approach (it follows divisional requirements). The plan is to implement a uniform approach using CARS and to implement CARS in all divisions.

When CARS is adopted by all divisions, user access privileges and security groups will be monitored by the programs through CARS.

The IMD will ensure that it supports the implementation of access privilege and security groups if new infrastructures are implemented within Statistics Canada.

Deliverables and Timeline:

The Director, IMD and the Director, Communications and Dissemination Branch will:

  • Develop and test the proof of concept for the standard and structure by March 2017. The development and implementation of a strategy and schedule will be in place by May of 2017. A communication plan will be implemented by September 2017;
  • Develop a roadmap for onboarding divisions onto CARS by May of 2017. A timeline will be determined in May 2017 for the implementation of CARS; and,
  • Conduct reporting on the use of CARS upon its implementation within the agency. A timeline will be determined in May 2017.

Appendices

Appendix A: Audit Criteria

Audit Criteria
Control Objective / Core Controls / Criteria Sub-Criteria Policy Instrument
Objective 1: Statistics Canada has established an adequate governance framework that is consistently applied to support effective management of administrative data.

1.1 Strategic direction and objectives for the management of administrative data exist, are clearly defined and communicated.

1.1.1 Strategic direction and objectives are documented.

1.1.2 Processes and procedures exist, are documented and communicated.

1.1.3 Appropriate and adequate oversight bodies have been established to monitor the management of administrative data.

  • Management Accountability Framework (MAF)
  • Core Management Control
  • Statistics Canada Organizational Chart
  • Statistics Canada Quality Guidelines
  • ADMC Meeting Minutes
  • Policy on Information Management
  • Policy on the Use of Administrative Data Obtained under the Statistics Act (Draft)
  • Directive on Obtaining Administrative Data under the Statistics Act
  • Directive on the Management of Statistical Microdata Files
  • Directive on Security of Sensitive Statistical Information
  • Directive on Record Linkages (6.0)

1.2 Roles, responsibilities and accountabilities for the management of administrative data are clear and well communicated.

1.2.1 Roles, responsibilities and accountabilities for the acquisition of administrative data by ADD are clearly documented and are well understood with Statistics Canada.

1.2.2 The role, responsibilities and accountabilities of data custodians and various working groups tasked with the management of administrative data are clearly documented and are well understood.

1.3 There are appropriate risk management practices surrounding the security of confidential administrative data.

1.3.1 Risk mitigation strategies have been developed to address key risks and are monitored on an on-going basis for the security and confidentiality of administrative data.

1.3.2 Employees are aware of values and ethics directives and understand who and where to report potential wrongdoing.

1.4 The ADD and ADMC provides employees with the necessary, tools, resources, information and training to support the discharge of their responsibilities and achieve expected results.

1.4.1 A suitable training and development plan exists for stakeholders involved in the administrative data management process.

1.4.2 Employees have access to sufficient tools, such as software, equipment, work methodologies and standard operating procedures.

1.4.3 An information-sharing process exists to support the efficient and targeted dissemination of relevant and reliable information to the appropriate stakeholders.

1.5 The organization leverages, where appropriate, collaborative opportunities to obtain administrative data and to minimize the burden on citizens.

1.5.1 Statistics Canada uses its strategic planning process to identify opportunities for collaboration with external partners.

1.5.2 Formal communication processes / mechanisms exist and support sharing timely, relevant and reliable information.

Objective 2: Effective control mechanisms for security and confidentiality of administrative data are in place and ensure compliance with relevant Statistics Canada legislation, policies and directives.

2.1 The confidentiality of administrative data is safeguarded.

2.1.1 Access to administrative data is limited to authorized individuals.

2.1.2 Directors keep track of the location, users and use made of administrative data information held in their division.

2.1.3 Administrative data records are appropriately secured in compliance with Statistics Canada policies, directives and privacy legislation.

2.1.4 Procedures are in place to monitor and remove access to administrative data upon change of an employee’s duties.

  • Management Accountability Framework (MAF)
  • Core Management Control
  • Statistics CanadaOrganizational Chart
  • Statistics Canada Quality Guidelines
  • ADMC Meeting Minutes
  • Policy on Information Management
  • Policy on the Use of Administrative Data Obtained under the Statistics Act (Draft)
  • Directive on Obtaining Administrative Data under the Statistics Act
  • Directive on the Management of Statistical Microdata Files
  • Directive on Security of Sensitive Statistical Information
  • Directive on Record Linkages (6.0)

2.2 Management has established processes to develop and manage administrative agreements with third parties.

2.2.1 The process in place adheres to relevant legislative and policy requirements and is in line with Statistic Canada’s values, ethics and codes of conduct.

2.2.2 The processes are understood and are complied with.

2.2.3 The acquisition of administrative data is:

  • Formally documented
  • Approved by Section 13
  • Supported by suitable agreement and terms and conditions

2.2.4 ADD/IMD provide advice and guidance on the acquisition of administrative data.

2.3 Management receives relevant and timely information for decision- making

2.3.1 Management and oversight body / bodies request and receive sufficient, complete, timely and accurate information.

2.3.2 The inventory of administrative data records is accurate, well organized and maintained in a central repository.

2.3.3 Confidential administrative data is maintained on Network A.

2.3.4 Administrative datasets containing personal information are identified and tracked for reporting to the Personal Information Bank. Personal identifiers are deleted.

2.4 Management assesses the appropriateness of the mix of controls in place to ensure confidentiality of administrative data; and monitors the effectiveness of the controls on a periodic basis.

2.4.1 Security controls include a mix of automated and manual controls.

2.4.2 The operating effectiveness of controls is periodically tested.

2.4.3 Exceptions to required policies and procedures are identified and appropriate actions are taken.

2.5 Management through its actions demonstrates that the organization's integrity and ethical values cannot be compromised (i.e. promotes secure acquisition of administrative data and insists on a process that complies with established policies and procedures).

2.5.1 Management periodically reinforces through communication the importance of integrity and ethical values in the secure acquisition, management and disposal of administrative data records.

2.5.2 Prompt and appropriate remedial action is taken by management in response to departures from approved policies and procedures.

Appendix B: Acronyms

Acronyms
Acronym Description
ADD Administrative Data Division
ADMC Administrative Data Management Committee
ADS Administrative Data Secretariat
CARS Corporate Access Request System
DARS Data Access Request System
IIA Institute of Internal Auditors
IMD Information Management Division
IT Information Technology
ITOD Information Technology Operations Division
OID Operations and Integration Division
PIB Personal Information Bank
SRM Service Request Management
USB Universal Serial Bus