Introduction

Statistics Canada is committed to respecting the privacy of individuals and businesses—whether they are responding to one of our surveys, providing personal information, purchasing a product or service or using our website. To fulfill this commitment, Statistics Canada has created a Privacy Framework that describes the approved practices, procedures and governance related to privacy.

All personal information collected, used, disclosed or retained by Statistics Canada is protected by the Privacy Act and by the Statistics Act whether it was provided by a respondent or received from a third party. This means that you will be advised of the authority for such collection.

Privacy and confidentiality of personal information

Role of the Chief Privacy Officer

The Chief Privacy Officer (CPO) is a privacy expert whose role includes ensuring that Statistics Canada’s policies, directives, guidelines and practices are in line with current Government of Canada privacy legislation, policies and directives. The CPO must also track privacy incidents and breaches and provide advice on how to prevent similar incidents from arising in the future. If you have any concerns about your privacy, please contact:

Pierre Desrochers
Chief Privacy Officer
Office of Privacy Management and Information Coordination
Statistics Canada
R.H. Coats Building, 2^nd floor
100 Tunney's Pasture Driveway
Ottawa, Ontario K1A 0T6
Pierre.Desrochers@statcan.gc.ca
613-894-4086

What happens when there is a privacy breach?

A privacy breach is the loss of, unauthorized access to, or disclosure of, personal information. This can occur as a result of the theft or loss of information or data storage equipment, or the improper or unauthorized collection, use, disclosure, access, storage or disposal of information, including misdirected correspondence. When Statistics Canada discovers or is made aware of a breach, we take immediate action, in compliance with the Directive on Privacy Practices and Guidelines for Privacy Breaches established by the Treasury Board Secretariat.

Survey respondents

Statistics Canada's commitment to keeping the confidentiality of the information obtained from the Canadian public is enshrined in the Statistics Act and the Agency's various policies and practices related to data collection, analysis and dissemination activities as well as the Privacy Act.

All information provided to Statistics Canada through surveys, the census or any other source is confidential. Statistics Canada does not release any information that identifies an individual or group without prior consent. Similarly, no other government institution has the right to see the answers given in confidence to Statistics Canada without this consent.

Because of its unique mandate as the national statistical agency in collecting personal information solely for statistical and research purposes, Statistics Canada has prepared privacy impact assessments that address privacy issues associated with its survey activities.

One aspect of the statistical work undertaken by the Agency could involve record linkage projects that bring together information about individual respondents for research purposes. This is a recognized source of valuable statistical information but must serve a public good. To address the potentially privacy-intrusive nature of this type of research, Statistics Canada not only has a directive in place but practices a well-defined review and approval process for all microdata linkages.

Collection of information on minors

From time to time, Statistics Canada collects information on minors, a practice that presents unique challenges in terms of striking a balance between individual privacy and public welfare. While the collection of information from children can be sensitive, this information fills an important public policy void: reliable data on younger demographics is crucial to the development of sound policy that supports the delivery of important services to vulnerable segments of the population.

As with information from other respondents, information on minors is protected by the Privacy Act and by the Statistics Act. Under the Privacy Act, a parent/guardian may request access to a minor's personal information, on his or her behalf. Statistics Canada, prior to collecting information from minors, determines which types of information could potentially cause harm to a child; this information is never released under any circumstance.

Clients

Statistics Canada is fully committed to protecting the confidentiality of the personal information provided by our clients who purchase products or services. This information is used only to support our relationship with you as a client of Statistics Canada.

More information: Protecting your privacy as a client

Third-Party Social Media

Statistics Canada is using social media to provide access to relevant, accurate and timely statistical information and to foster engagement, cooperation and information-sharing among people who use statistical information. Social media accounts are public and are not hosted on Government of Canada servers. Statistics Canada uses Facebook, Twitter and YouTube. Users who choose to interact with Statistics Canada via those social media should read the terms of service and privacy policies of these third-party service providers and those of any applications you use to access them. You may have to change your language preference in order to see the information in English.

• Facebook Data Use Policy
• Twitter Privacy Policy
• YouTube Privacy Policy (Google)

Personal information that you provide to the Government of Canada via social media accounts is subject to the provisions of the Access to Information Act and the Privacy Act. This information is collected to capture conversations (e.g. questions and answers, comments, "likes", retweets) between you and Statistics Canada. It may be used to respond to inquiries, or for statistical, evaluation and reporting purposes. Comments posted that violate Canadian law will be deleted and disclosed to law enforcement authorities. Comments that violate our Social media rules of engagement could also be deleted. The personal information is included in Personal Information Outreach Activities (PSU 938).

No endorsement of any social media products or services is expressed or implied. Please read our Social media rules of engagement and Terms of use for Facebook, Twitter, and YouTube.

Visitors to the Statistics Canada website

The Government of Canada and Statistics Canada are committed to providing visitors with websites that respect their privacy. The following summarizes the privacy policy and practices on Statistics Canada websites.

Safeguarding your personal information

The Statistics Canada website does not automatically gather any specific personal information from you, such as your name, phone number or email address. We would only obtain this type of information if you supply it by sending us an email or registering in a secure portion of the site. The information that is received and stored is safeguarded to prevent unauthorized disclosure.

The nature of the Internet is such that Web servers automatically collect certain information about a visit to a website, including the visitor's Internet Protocol (IP) address. IP addresses are unique numbers assigned by Internet Service Providers (ISP) to all devices used to access the Internet. Web servers automatically log the IP addresses of visitors to their sites. The IP address, on its own, does not identify an individual. However, in certain circumstances, such as with the co-operation of an ISP for example, it could be used to identify an individual using the site. For this reason, the Government of Canada considers the IP address to be personal information, particularly when combined with other data automatically collected when visitor requests a Web page such as the page or pages visited, date and time of the visit.

How your information is used

Information on individual website visitors is used by Statistics Canada employees who need to know the information in order to respond to your request or to ensure the security of this system. We only share the information you give us with another government department if your inquiry relates to that department. We do not use the information to create individually identifiable profiles, nor do we disclose this information to anyone outside the federal government.

Electronic transmission of sensitive personal information

Unless specifically noted otherwise, neither electronic systems nor email are secure information transmission methods. It is not recommended that sensitive personal information be transmitted electronically.

Data encryption

The website is equipped with a Secure Socket Layer (SSL) encryption to ensure a secure connection between the server and an SSL-compatible browser. SSL protocol provides a safe passage for transmitting and authenticating data by encrypting the information. Data cannot be compromised when SSL is in use. This is the most secure form of encryption commonly available in North America.

Network traffic monitoring

Statistics Canada employs software programs to monitor network traffic, and to identify unauthorized attempts to upload or change information, or otherwise cause damage. These programs are also used to gather anonymous information such as statistics to improve the functionality of our site. These software programs receive and record the Internet Protocol (IP) address of the computer that has contacted our websites, the date and time of the visit and the pages visited. We make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage the site has been detected. The programs are never used to gather specific personal information such as your name, your phone number or your e-mail address.

Your privacy is protected

Your personal information is protected by the Privacy Act and will only be disclosed as permitted by that Act.

Cookies

Statistics Canada occasionally uses session cookies to track how our visitors use this site, determine sites previously visited or facilitate the use of secure portions of this site. Information from the cookies is compiled for statistical analysis on traffic patterns and is used to assess and improve the efficiency of the website. A cookie is a file that may be placed on your hard drive without your knowledge by a website to allow it to monitor your use of the site.

The cookies we use do not allow Statistics Canada to identify individuals. Our use of session cookies ensures your online privacy and security. Here's why:

• The contents of our session cookies are not linked, shared or associated in any way with personal information that you may have supplied to us or made available elsewhere.
• Our cookies can only be "read" by Statistics Canada servers, meaning that you cannot be tracked or profiled using our cookie when you surf across multiple sites on the Web.

Statistics Canada's website primarily uses session cookies, which automatically expire at the end of the user session. Occasionally we use persistent cookies to facilitate the use of secure portions of the website and to conduct on-line surveys to improve the website. Persistent cookies have pre-determined expiry dates.

Visiting our website with cookies disabled will have no significant impact on your browsing experience. You can set your browser to detect and reject cookies. Please consult your browser's Help Menu for instructions.

Web Analytics

Web analytics is the collection, analysis, measurement, and reporting of data about Web traffic and visits for purposes of understanding and optimizing Web usage. For the purpose of performing web analytics, certain types of information are tracked during visits to Statistics Canada's website. For the purposes of the Privacy Act, this information is treated as personal information.

Statistics Canada uses Adobe Analytics and log file analysis to improve its web site. When your computer or other device requests a Statistics Canada Web page, information is collected for the purpose of web analytics. The type of information collected includes, but is not limited to:

• IP address of the device that has contacted the Statistics Canada' website (which is not stored or retained in a format that can be used to identify a visitor)
• type of browser used
• type of operating system used
• the date and time of the visit
• pages visited and documents downloaded

Statistics Canada uses log file analysis internally. The information is not disclosed to an external third party service provider.

Web analytics is carried out using services from the third-party service provider Adobe Systems Inc. (Adobe Analytics). This service provider is based in the United States of America (USA), which means that the personal information collected is transmitted outside of Canada and may be subject to USA laws, including the USA Patriot Act. In addition, Adobe operates servers in other countries on which the web analytics data may be processed. Consequently, the data may be subject to the governing legislation of the country where it is processed. For Adobe Analytics, the Government of Canada has specified that personal information can only be stored on servers in Canada, the United States, the European Union, Australia, Israel, New Zealand, Norway, and Switzerland.

For more information about the privacy policies of this service provider, please visit Adobe Experience Cloud Privacy

To track visits to Statistics Canada for web analytics, Adobe Analytics requires the use of digital markers ("cookies"). If you wish, you may opt out of having your visit tracked by:

• changing your browser settings to refuse cookies, disabling JavaScript within your browser, or
• downloading and installing a browser add-on from Adobe prevents your visit data from being used.

If you change your browser settings to refuse cookies or disable JavaScript so that your Statistics Canada visit will not be tracked, no information will be collected but your visit may be affected in other ways, including making it difficult to access any secure services that require a username and password.

To further protect information about visitors to Statistics Canada' website, Adobe Analytics uses a feature that hides part or all of the IP address of a visitor before it is stored.

The chart is a flow chart description of the Integrated Strategic Planning Process (ISPP) which consists of six steps. The first four steps of the ISPP are known as the LTP process which is the first phase of the ISPP, and steps five and six take place during Project Implementation, which is the second phase of the ISPP.

The flow chart begins with the first column that is labeled the LTP process. The first box in the LTP process column in Stage 1: Idea Generation shows that the first step of the ISPP starts in April in each year with a Strategic Direction session to align strategic direction with priorities and emerging issues and that the second step of the ISPP is from May to June, when managers develop a high level business proposal to request funding through the LTP process. Proposals are grouped into three main categories for decision- Corporate Business Architecture (CBA) improvements and initiatives; Continuity and Quality maintenance (CQM) of existing programs; and, New Initiatives / Enhancements. Proposals supported for further consideration by Senior Management Review Board move to the second box in the LTP process column. The second box in the LTP process in Stage 2: Project Assessment shows that the third step of the ISPP is from July to October, when programs develop investment proposals which are presented in Step 4 in November at the Senior Management Review Conference for approval. This marks the end of the LTP process.

Projects approved in November from this point move to the Project Implementation column which is the second phase of the ISPP. The first two boxes in the Project Implementation column in Stage 3: Project Initiation and Stage 4: Project Planning show that the fifth step of the ISPP is from December to March when programs initiate, plan and communicate with the stakeholders about the new LTP projects. The last two boxes in the Project Implementation column in Stage 5: Project Execution and Stage 6: Project Close-out show that the sixth and final step of the ISPP is the on-going monitoring of the LTP projects.

This chart illustrates the two stages of the LTP process that falls within the Integrated Strategic Planning Process (ISPP).The first four steps of the ISPP are known as the LTP process. These four steps have been divided into two stages in the flow chart. The first two steps correspond to the first stage of the LTP process which is the Idea Generation stage and the two other steps correspond to the second stage of the LTP process which is the Project Assessment stage.

The flow chart begins with the Stage 1 Idea Generation where CBA and non-CBA business proposals are prepared by programs for review and approval. The chart illustrates that Corporate Business Architecture (CBA) proposals go through an approval process by both the CBA management committee and Field Planning Boards (FPBs). The flow chart shows that non-CBA projects only go through the FPBs for approval. Both CBA and non-CBA proposals that have been approved flow to the SMRB for gate 1 approval and consideration for funding. Proposals approved for consideration, move to Stage 2 Project Assessment. In this stage, programs must prepare a Project Complexity and Risk Assessment (PCRA), a Business Case, and Business Case Costing (BCC) template for all CBA and non-CBA proposals. The chart illustrates that CBA proposals separate from non-CBA proposals and must go back to the CBA Management Committee for approval. Once this approval is given then CBA proposals merge back with non-CBA proposals and then move to the FPBs to have the Business case and BCC forms approved. Those approved proceed to SMRB Gate 2 for approval and funding. All approved LTP proposals are recorded in the Agency’s Decision Record known as the Blue Book.

Audit Report

April 22, 2013
Project Number: 80590-77

• Executive Summary
• Introduction
  • Background
  • Audit Objectives
  • Scope
  • Approach and Methodology
  • Authority
• Findings, Recommendations and Management Responses
  • Control Environment for the Management of the Agreement
  • Data Stewardship
  • Physical and Information Technology (IT) security
• Appendices
  • Appendix A: Audit Criteria
  • Appendix B: Acronyms

Executive Summary

Data Sharing Agreements (DSAs) are a key Statistics Canada business process. In recent years, data sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality of data is a challenge. Health Statistics Division (HSD) enters into DSAs with provincial Health Ministries under the authority of section 12 of the Statistics Act. The DSAs currently in place with the British Columbia Ministry of Health (the Ministry) allow for sharing of statistical health survey information obtained through the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

Currently, Statistics Canada is replacing its existing DSAs with an Omnibus data sharing agreement governing the collection and sharing of information from several selected health surveys with the British Columbia Ministry of Health. The Omnibus DSA includes terms and conditions (T&Cs) governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology security. This audit was conducted as the Ministry prepares to implement the T&Cs of the Omnibus DSA, in order to assess the extent to which practices are in place to meet the requirements set forth in the Omnibus DSA.

The objective of this audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:

• The Terms and Conditions of the Omnibus data sharing agreement between Statistics Canada and the British Columbia Ministry of Health are met.

The audit was conducted by Internal Audit Services in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Authorities, responsibilities and accountabilities for the management and handling of Statistics Canada health survey information are appropriately segregated and formally defined, documented and communicated at the Ministry's Senior Management level; however further work is required to ensure functional roles and responsibilities are documented, communicated and understood at the operational level.

The Ministry has established appropriate internal protocols to meet the requirements set out in the Omnibus data sharing agreement. The Ministry has transferred responsibility for the management of Statistics Canada health survey information out of the program area (where it previously resided), and into the Ministry's Health Sector Information Management and Information Technology Division. The Ministry has designed a set of practices for protection and safeguarding of Statistics Canada health survey information that is housed within the Ministry.

The Ministry has yet to put in place revised third party agreement templates reflective of the requirements set forth in the Omnibus data sharing agreement. This is an important activity for the Ministry to undertake, to ensure that appropriate safeguards are in place over the full lifecycle of Statistics Canada health survey information.

Effective controls for physical access to the Ministry's premises and physical storage have been designed. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access;identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Overall Conclusion

Statistics Canada is replacing its existing DSAs with an Omnibus data sharing agreement governing the collection and sharing of information from several selected health surveys with the British Columbia Ministry of Health. The Omnibus DSA includes terms and conditions governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology security.

An examination of the adequacy and, where possible, the effectiveness of the processes and practices put in place by the Ministry to comply with the requirements set out in the Omnibus data sharing agreement revealed that the Ministry has taken steps to design practices, policies and procedures to meet the requirements set forth in the Omnibus data sharing agreement. However, further work is required in two areas, prior to the release of statistical health survey information to the BC Ministry of Health: (1) Functional roles and responsibilities for the management and handling of Statistics Canada health survey information need to be clearly defined and communicated to staff at the operational level. (2) Third party agreement templates must fully reflect the requirements of the Omnibus data sharing agreement that is being implemented between Statistics Canada and the BC Ministry of Health.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.

Introduction

Background

The Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information regarding the health of Canadians. HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision-makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. The HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and the regional level (health authorities).

To achieve its mandate, Statistics Canada may, pursuant to section 12 of the Statistics Act (the Act),enter into an agreement for the exchange of information collected from a Respondent, and the Chief Statistician may, pursuant to paragraph 17(2)(a) of the Act, disclose information collected by persons, organizations or departments for their own purposes and communicated to Statistics Canada. These agreements cover a majority of household surveys, and enjoy certain exceptions regarding the release of confidential respondent information provided that the legal requirements for the provision of data-sharing information, consent rights, and confidentiality protection are respected by all parties.

Statistics Canada is replacing its existing data sharing agreements (DSAs) with the British Columbia Ministry of Health (the Ministry) with an Omnibus data sharing agreement for the collection and sharing of information from several selected health surveys, including the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

The Canadian Community Health Survey (CCHS) is a cross-sectional survey which collects information related to health status, health care utilization and health determinants for the Canadian population. It is an annual survey which relies upon a large sample of respondents and is designed to provide reliable estimates at the health region level. The uniqueness of these surveys arises from the regional nature of both content and survey implementation. These aspects allow for analysis of health data at a regional level, across Canada.

The National Population Health Survey (NPHS) collects information about the health of the Canadian population and related socio-demographic information. Every two years, the same individuals provide current and in-depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. The NPHS has now been discontinued.

The data collected through CCHS and NPHS are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies, and other types of government agencies use the information collected to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.

Audit Objectives

The objective of the audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:

• The Terms and Conditions of the Omnibus data sharing agreement between Statistics Canada and the Ministry are met.

Scope

Under the Omnibus data sharing agreement, the Ministry may share the data with third party recipients such as Health Authorities (HAs) within its jurisdiction; recognized provincial or university Research Institutes or Organizations; and researchers under contract to the Ministry. To protect the confidentiality and sensitive nature of the information collected by Statistics Canada, the agreement contains Terms and Conditions (T&Cs) to ensure that confidentiality of the information is not compromised.

The scope of this audit included an examination of the adequacy and, where possible, the effectiveness of the processes and practices put in place by the Ministry to comply with the requirements set out in the Omnibus data sharing agreement. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage, information copying, retention, and records management) safeguards that have been put in place by the Ministry to ensure data is protected and confidentiality is maintained.

Approach and Methodology

A site visit was conducted in December 2012 to assess the processes and procedures the Ministry has put in place to ensure the T&Cs of the new Omnibus data sharing agreement between Statistics Canada and the Ministry are met in preparation for receiving Statistics Canada confidential health survey information. The approach consisted of interviews with key Senior Management and personnel, and review of the processes, procedures and guidelines developed by the Ministry to meet the T&Cs of the agreement between Statistics Canada and the Ministry.

This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TBS Policy on Internal Audit.

Authority

This audit was conducted as a result of a risk-based senior management request.

Findings, Recommendations and Management Responses

Objective:  The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and the Ministry are met.

Control Environment for the Management of the Agreement

Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels, to support effective management of the T&Cs of the Omnibus data sharing agreement. Monitoring of practices as outlined in the Omnibus data sharing agreement T&Cs should be in place to detect errors or potential errors which would otherwise increase operational risk.

Authority

Statistics Canada exercises its mandate to enter into statistical data sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. The statistical health survey information provided to the BC Ministry of Health supports the Ministry in policy development, evaluating programs to improve health and the efficiency of health services, and sustaining demographic and epidemiological research.

Under section 12 of the Statistics Act, Statistics Canada is replacing its existing DSAs with the Ministry with an Omnibus data sharing agreement for the collection and sharing of information from several selected health surveys.

Roles and Responsibilities

The audit determined that roles and responsibilities for the management and handling of Statistics Canada health survey information are formally defined in two key documents: the CCHS Secure Lab Process document and the Ministry of Health Statistics Canada Health Survey Information: Policies and Procedures Manual.

Three levels of signing authority have been defined for the handling of Statistics Canada health survey information: the Assistant Deputy Minister, the Chief Data Steward, and the Data Custodian.

The Chief Data Steward and Executive Director, Information Management & Knowledge Services (IMKS) branch of the Ministry's Health Sector Information Management and Information Technology Division (HSIMT) will be the designated "Receiving Party's Official", responsible for ensuring processes and procedures are in place to fulfill the requirements set out in the DSA, and for ensuring that adequate protection is in place to provide for the security of the health survey information.

The Data Access and Stewardship Director, as the Data Custodian will be responsible for receipt and distribution of Statistics Canada health survey information. The Data Custodian will assume the responsibilities set out in Appendix 'C' of the Omnibus DSA for the whole lifecycle of Statistics Canada health survey information: data receipt, handling, storage, and transmission. As well, the Data Custodian will assume the responsibilities set out in the Ministry's information management policies, procedures and practices.

The Data Access and Stewardship group is supported in the handling and management of Statistics Canada health survey information by Data Warehouse Operations. The Director, Data Warehouse Operations serves as back-up for the Data Custodian. Data Warehouse Operations provides information technology support to IMKS branch, and will provide support for the secure lab housing Statistics Canada health survey information. This support includes the physical set-up of the secure lab, and performance of data processing and handling activities on an on-going basis.

At the operational level, responsibility for the management of third party contracts resides with the Data Access and Stewardship group. One team lead within the Data Access and Stewardship group will handle provincial university research institutes and British Columbia Health Authorities, and the second team lead will handle Information Sharing Agreements (ISAs) for researchers requested by the program areas. Members of the teams will deal with all the requests the Ministry receives from recognized provincial or university Research Institutes or Organizations, Health Authorities, and researchers. The team will review and adjudicate data requests, working with subject matter experts within program areas to determine whether information being requested is only that which is required to perform the work.

The audit found that while roles and responsibilities are defined and understood at the senior level within the Ministry, the same level of clarity and understanding is not in place at the operational level.  Functional roles and responsibilities for the team leads and team members in Data Access and Stewardship are not clearly defined and documented. Team members are not certain of how their roles will evolve once the Omnibus data sharing agreement is in place, and Statistics Canada confidential health survey information is received.

Lack of clearly defined and documented functional roles and responsibilities at the operational level may result in the prescribed T&Cs not being met, and Statistics Canada confidential health survey information not being adequately and effectively protected.

Monitoring

Clauses with respect to monitoring are prescribed by Statistics Canada in the Omnibus data sharing agreement. The Omnibus DSA states that

"Statistics Canada shall have the right, when it determines necessary, to perform reviews of compliance with this Agreement". The DSA also prescribes that third party agreements entered into by the Ministry "shall contain a clause stipulating the right of Statistics Canada or the Ministry (the Receiving Party) to review compliance with the terms of this Agreement".

The audit found that the Ministry has not engaged in monitoring of agreements entered into with third parties in the past.

Interviews revealed that the Ministry intends to include a clause pertaining to monitoring of third parties when it revises its third party agreement templates. However, at the time of the audit, these revisions had not been completed. As a result, the audit team could not review the third party agreement templates to confirm whether or not a monitoring clause has been included. (This finding is addressed through the recommendations made under Data Stewardship.)

Recommendation:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should communicate with the Ministry to ensure the following is implemented:

• Functional roles and responsibilities at the operational level, related to the handling of Statistics Canada Health Survey Information are defined, documented and communicated.

Management Response:

Management agrees with the recommendation.

• The Director, HSD will request a list of all employees and their roles and responsibilities in terms of handling Statistics Canada Health Survey Information.
  
  Deliverable and Timeline: Letter to the Ministry, by April 2013.
• As part of the Health Statistics process for on-going monitoring of access that will be implemented, the Ministry will be required to provide a list of employees with access to Statistics Canada Health Survey Information, including their roles and responsibilities.
  
  Deliverable and Timeline: A list of employee names with access to Statistics Canada Health Survey Information, including their roles and responsibilities, every six months.

Data Stewardship

The Ministry has established an appropriate framework to manage the requirements set out in the Omnibus data sharing agreement. Internal protocols for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full lifecycle of the information.

Data Management

The BC Ministry of Health has transferred responsibility for the management of Statistics Canada health survey information from the Population and Public Health Division to the Health Sector Information Management and Information Technology (HSIMT) Division. This is a key control, as HSIMT is the Ministry's dedicated group for the management of health data, and not the ultimate users of the data.

Within HSIMT, responsibility for the administration and management has been appropriately segregated between two areas: Data Access and Stewardship, and Data Warehouse Operations.

As described under the Control Environment for the Management of the DSA, the Director of Data Access and Stewardship will be the designated Data Custodian and recipient, and will act as the liaison between Statistics Canada and the Ministry. Three Research Officers (ROs) reporting to the Data Custodian will be authorized to use the secure lab facility to work with the Statistics Canada confidential information. The ROs' role will include initial record linkage for survey respondents who have agreed to have their information linked; validation work; information maintenance; implementation of study specifications, and working in the secure lab to prepare research extracts.

Three Data Base Analysts (DBAs) reporting to the Director, Data Warehouse Operations group, will be authorized to use the secure lab facility, where they will provide the technical skills needed to prepare data files for use by the ROs.

Third Party Sharing

The Ministry can provide access to Statistics Canada confidential health survey information to:

• Researchers working under contract directly for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.
• Provincial/territorial or university research institutes working under contract directly for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.
• Six British Columbia regional Health Authorities. However, Statistics Canada health survey information can only be provided to HAs if respondents were notified that their Survey Reponses would be provided to HAs in their province of residence. Otherwise, the HA can only work under contract for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.

The Ministry confirmed that the above-stated third party recipients will only have access to Statistics Canada confidential health survey information from which Personal Identifiers (i.e. person's name, address, telephone number or other direct means of identifying an individual) have been removed as prescribed in the Omnibus agreement. The Ministry also confirmed that these third parties will not have access to the Ministry secure lab housing Statistics Canada confidential health survey information.

If Statistics Canada health survey information access is provided on the premises of the university research institutes or HAs, then the Ministry is required to include in their agreements the physical and IT security measures as set out in the Omnibus data sharing agreement, which states:

"The Receiving Party (the Ministry) shall ensure that the terms and conditions of this Agreement respecting the use, confidentiality, protection and security of the Information are included in all agreements and arrangements the Receiving Party (the Ministry) enters into, under the terms of which any other organization is granted access to the Information in accordance with subsection 6.2 of this Agreement".

Interviews revealed that the Ministry is currently in the process of revising its third party agreement templates. However, at the time of the audit, these revisions had not been completed. As a result, the audit team could not review the third party agreement templates to confirm whether or not the requirements respecting the use, confidentiality, protection and security of Statistics Canada health survey information have been reflected in the templates.

Recommendations:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should communicate with the Ministry to ensure the following is implemented:

• Third party agreement templates are developed and reflect the requirements set out in Statistics Canada Omnibus data sharing agreement.

Management Response:

Management agrees with the recommendation.

• The Director HSD, will request from the Ministry their proposed templates for third party agreements to ensure that they reflect the requirements set out in Statistics Canada Omnibus data sharing agreement.
  
  Deliverable and Timeline: The Director HSD, to request from BC Ministry of Health their proposed third party agreement templates, by April 2013.
• The Director, HSD will monitor on a regular basis, third party access privileges to ensure that third party templates are being used appropriately.
  
  Deliverable and Timeline: Report from the Ministry on third party access privileges, every six months.

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should ensure that:

• A review of the third party agreement templates is conducted to ensure that they include the terms and conditions contained in the Omnibus data sharing agreement respecting the use, confidentiality, protection and security of the information, and monitoring clauses, before providing Statistics Canada confidential health survey information to the Ministry.

Management Response:

Management agrees with the recommendation.

• Statistics Canada Health Survey information will only be provided after a thorough and satisfactory review of the proposed third party agreement templates by the Director HSD, to ensure that they meet the terms and conditions of the Omnibus data sharing agreements.
  
  Deliverable and Timeline: The Director HSD will inform the Ministry of any gaps in their templates, and will notify Statistics Canada senior management once the templates are compliant, immediately upon receipt of the templates.

Physical and Information Technology (IT) security

Information provided to the Ministry is designated as 'Protected B' information as defined in the federal Policy on Government Security. The Ministry is required to ensure that the control and protection of the information, either physically or electronically, is carried out in a manner that protects against loss, theft, compromise or improper disclosure.

Physical Access to the Ministry's Premises and Physical Storage

A physical inspection was conducted of the Ministry's site during the examination phase of the audit. The audit noted that the Ministry's policy allows visitors with unaccompanied visitor card access once signed into the building, with the exception of access to the Ministry's server room and the secure lab housing Statistic Canada health survey information. There is a card scanner outside each secured area. Staff and visitors must swipe their access card through the card scanner to enter the secured area.

Statistics Canada health survey information will be stored, accessed, used, linked and analyzed in a secure lab room located in the Ministry's HSIMT division. A motion sensor-activated security camera that can operate on an uninterrupted power supply in the event of a power failure is located facing the lab door, to record all activity occurring in front of the lab door. Facilities Management is responsible for monitoring the camera, and the tapes can only be accessed by the Chief Data Steward and Executive Director.

Access to the secure lab is permitted only to 'Identified' persons. Persons holding visitor cards cannot access the lab independently; visitors to the lab must be escorted by an 'Identified' person. A visitor log book noting name, date, time in and out, is required to be signed by escorted visitors accessing the secure lab.

The audit verified if only 'Identified' persons could access the secure lab. Three employees determined not to have access to the secure lab were asked to swipe their access cards at the card scanner located outside the lab. Their access cards did not allow them to access the secure lab. The auditors also tested their visitor access card, and the visitor access card did not allow access to the secure lab.

The audit also verified if the security camera placed outside the lab was operating as intended. The audit team viewed the camera tape for the activity of the 3 employees asked by the audit team to access the lab. The audit noted that the motion sensor-activated security camera recorded the activity of the 3 employees at the lab door.

Physical and Electronic Access to Health Survey Information Data Files

The Ministry has a formal process in place for requesting access to the secure lab from the Data Custodian. A Request for Access to Secure Area Form has to be completed and signed by every 'Identified' person, and then signed by the Data Custodian signifying authorization of that person's access to the secure lab.

As well, every 'Identified' person has to agree in writing to comply with the terms of the DSA by signing an acknowledgement. The acknowledgement states they have read, understood and agree to comply with the T&Cs of the DSA between the Ministry and Statistics Canada, as highlighted in the Ministry's Policy and Procedures Manual, and by signing a 'Protection of Confidential Information Agreement for Ministry of Health Employees', as required by appendix 'C' of the DSA. The Ministry stated that the Policy and Procedures Manual will be mandatory reading for all 'Identified' persons.

The secure lab has been set up as an isolated network with a stand-alone Oracle server on a desk-top computer and two workstations which are connected to the server by a port and Ethernet Cable. There is no internet access, as required by appendix 'A' of the DSA, and electrical cables are the only external cables in the lab. Statistics Canada information will be stored on the Oracle server and only 'Identified' persons can access the information either from the server or the two workstations.

A secured cabinet with a key lock is located in the lab to store transportable media and print-outs of Statistic Canada health survey information. The data custodian holds the key for this cabinet.

Identification and Authentication Safeguards, IT Storage and Transmission

The stand-alone Oracle server housing Statistics Canada health survey information and the two desk-top computers will have "named user accounts" for each 'Identified' person. 'Identified' persons will be required to provide their named user account ID and Oracle username ID and complex password (minimum 8 alphanumeric characters with at least one upper case letter, one lower case letter and one number) to log in and access Statistics Canada health survey information.

The card scanner outside the lab and the visitor log book will create an audit trail on physical access to the lab. As well, the named user account ID and Oracle username ID will be tracked to provide an audit trail on the two desk-top computers and the server.

The Ministry's Policies and Procedures Manual states that health survey files transmitted by Statistics Canada to the Ministry by electronic file transfer (e-FT) will be downloaded on a portable hard drive by the Data Custodian, and then saved on the Oracle server in the secure lab. No other type of transportable media such as flash memory stick, laptops, etc will be used to transport the downloaded files. The portable hard drive will utilize full encryption and require password to access. After the transport has finished, it will be securely overwritten, to prevent recovery efforts by unauthorized individuals. The portable hard drive will not be used to store Statistics Canada health survey information. When not in use, the drive will be stored in the key locked cabinet.

If survey files are transported by CDs, then information will be downloaded on the server and the CDs will be stored in the locked cabinet in the secure lab. The Policies and Procedures Manual states that backup of the Oracle server will not be maintained. If the server drives are damaged in an incident and are not recoverable, then brand new data will be requested from Statistics Canada. As well, electronic transmission by facsimile or e-mail is not allowed.

Information Copying, Retention and Records Management

The Ministry's Policies and Procedures Manual does not allow paper copies or electronic extracts of Statistics Canada health survey information. At the time of the audit, the secure lab did not have a printer. Printing outside the secure lab will not be permitted. A policy statement directing printer use will be prominently displayed in the lab and communicated to 'Identified' persons when they are granted access privileges. Statistics Canada information will only be held in the secure lab, and its transmission or transport elsewhere will not be permitted. Electronic transmission by facsimile or e-mail will not be allowed.

The DSA requires the Data Custodian to maintain a register of all data files received from Statistics Canada. The audit noted that the Ministry's Policies and Procedures Manual lists this as one of the responsibilities of the Data Custodian. The audit corroborated this understanding with the Data Custodian via interview.

Effective controls for physical access to the Ministry's premises and physical storage are in place. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access;identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Recommendation:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should ensure that:

• A follow-up audit is conducted if and when the new Omnibus data sharing agreement is signed and data has been shared with the Ministry.

Management Response:

Management agrees with the recommendation.

• The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field, will inform Statistics Canada's Policy Committee once the Omnibus data sharing agreement is signed and data has been shared with the Ministry.
  
  Deliverable and Timeline: Decision by Policy Committee members on if and when a follow-up audit should be conducted.

Appendices

Appendix A: Audit Criteria

The table in Appendix A identifies the Audit Criteria, audit sub-criteria as well as the policy instrument used as the source of these criteria.

Objective / Core Controls / Creteria	Sub-Criteria	Policy Instrument
1.1 Authorities, responsibilities and accountabilities, are defined, communicated, and the segregation of duties is appropriately established.	1.1.1 Responsibilities are formally defined and clearly communicated. 1.1.2 Authority is formally delegated and delegated authority is aligned with individual's responsibilities. Where applicable, incompatible functions are not combined.	TBS Core Management Controls Omnibus data sharing agreement
1.2 Management at the Ministry identifies, assesses the appropriateness of existing controls to effectively manage its risks, and responds to the risks that may preclude the achievement of its objectives.	1.2.1 Risks are identified at both the program and regional levels, respectively, and take into consideration the internal and external environments of the RDC Program. 1.2.2 Formal processes and guidelines exist to assess the controls in place to manage the identified risks.
1.3 Assets are protected at the Ministry.	1.3.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with privacy legislation. 1.3.2 Access is physically restricted. 1.3.3 Procedures to safeguard the shared data upon change of duties of an employee exist and are adhered to. 1.3.4 Procedures exist to protect the use of data from abuse or fraud. 1.3.5 Logical access controls exist to ensure access to systems and data, is restricted to authorized users, e.g., systems require users to logon using unique user name and password. 1.3.6 Authentication and access procedures and mechanisms exist for and are applied in order to keep authentication and access mechanisms effective. 1.3.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with privacy legislation. 1.3.2 Access is physically restricted. 1.3.3 Procedures to safeguard the shared data upon change of duties of an employee exist and are adhered to. 1.3.4 Procedures exist to protect the use of data from abuse or fraud. 1.3.5 Logical access controls exist to ensure access to systems and data, is restricted to authorized users, e.g., systems require users to logon using unique user name and password. 1.3.6 Authentication and access procedures and mechanisms exist for and are applied in order to keep authentication and access mechanisms effective.
1.4 Management monitors actual performance against planned results, and adjusts course as needed, to better address the requirements/ needs of the program.	1.4.1 Responsibility for monitoring is clear and communicated and results are reported to required authority levels. 1.4.2 Active monitoring is demonstrated.

Appendix B: Acronyms

Appendix B Acronym

Acronym	Description
ACS	Assistant Chief Statistician
CCHS	Canadian Community Health Survey
CD	Compact Disk
CS	Chief Statistician
DAC	Departmental Audit Committee
DBA	Data Base Analyst
DSA	Data Sharing Agreement
e-FT	Electronic File Transfer
HA	Health Authority
HSD	Health Statistics Division
HSIMT	Health Sector Information Management and Information Technology Division
ID	Identification
IIA	Institute of Internal Auditors
IMKS	Information Management & Knowledge Services
ISA	Information Sharing Agreement
IT	Information Technology
LOE	Line of Enquiry
NPHS	National Population Health Survey
RO	Research Officer
TBS	Treasury Board Secretariat
T&Cs	Terms and Conditions

Key financial controls: Process Overview

The chart is a flow chart description of the process of Assessment of Internal Controls over Financial Reporting (ICFR) presenting the 4 core activities involved and their outputs described just below each activity. Activities and results/outputs are differentiated by colors and forms. The flow chart is set up in 5 key steps aligned with arrows from left to right. A box groups the 4 core activities for the assessment of ICFR. The flow chart begins with the first step on the left, which is Planning & scoping. Outputs from this activity are Strategic Plans for ICFR & ITGC and work plans. From this point, the process moves at right to Documentation of in-scope business processes. Outputs from this activity are Process Narratives or Flow Charts. Going right onto the third step, the process progresses to the activity of Tests of Design of Key Controls and involves, when required, Letters of Recommendations (LoR) regarding Design. Finally, Tests of Effectiveness of Key Controls is the last activity performed within the process of Assessment of ICFR. LoRs are also an output shown for this step. With arrows from top to bottom, the chart demonstrates that ongoing monitoring and risk management are performed at each step throughout the assessment process. Once the process of the Assessment of ICFR is fully completed, there is a resulting step described outside the box, at right. Reporting to the CS, CFO and Field Senior Management includes progress towards implementing PIC, results of the assessment of ICFR, and the state of audit readiness. Finally, an arrow showing an output from reporting, which is the Statement of Management Responsibility including ICFR labelling the signatures of the CS and CFO.