Statistics Canada's statistical programs must meet agency standards for both IT and physical security. Physical security includes access controls to workplaces where personal information is stored, maintained or used, identification cards for authorized individuals, and monitoring cameras in public spaces. IT security includes controlled physical access to the server for authorized personnel only, password protection for access to the server and to the database/tool, and the configuration and use of a firewall. For this reason, the threat and risk assessment (TRA) grid rates unauthorized access by either Statistics Canada employees or individuals outside Statistics Canada as low probability.
Upon discovery of an actual or suspected breach of security (however unlikely), the following steps would be taken:
- Immediate notification of the Departmental Security Officer (Assistant Chief Statistician of Census, Operations and Communications Field) and the departmental Privacy Coordinator (Director, Information Management Division). Response could include suspending operation of the program(s).
- In collaboration with Departmental Security and IT Security, there would be an internal investigation that would include recommendations to prevent any recurrence. Any investigation would document in detail the circumstances that gave rise to the privacy breach, and determine what information may have been breached, the impact of the breach, and what measures have been introduced to eliminate the risk of any subsequent breach.
- In the case of a "material privacy breach", in accordance with the TBS Directive on Privacy Practices, Statistics Canada would notify the Office of the Privacy Commissioner (OPC) and the Treasury Board Secretariat (TBS). "Material breaches" are those involving sensitive personal information and that could reasonably be expected to cause serious injury or harm to the individual.
- Impacted individuals would be provided with an explanation of the situation and the steps being taken to remove the information from the possession of those not authorized to have it. Individuals would also be informed that they have the right to file a complaint with the Office of the Privacy Commissioner (OPC). The OPC and TBS will be informed of the individual(s) whose information was disclosed, the investigation, and what actions have been taken to prevent a recurrence.
The Protocol is reviewed on a regular basis to ensure continued relevance. Incident reports are reviewed regularly and lessons learned from incidents are incorporated into relevant policies, directives and survey practices.