Audit Report

Statistics Canada
March 31, 2011
Project Number: 80590-63 ( Document (PDF, 319.08 KB) )

• Executive Summary
  • Key Findings
  • Overall Conclusion
• Introduction
  • Background
  • Objectives
  • Scope and Approach
  • Authority
• Findings, Recommendations and Management Responses
• Governance
  • Roles and Responsibilities, Accountability, and Processes and Procedures for Physical Security Requirements
  • DOC Physical Security Oversight, Objectives, Procedures and Plans
  • Monitoring and Assessment
• Physical Security
  • Stewardship
• Appendices
  • Appendix A: Audit Criteria
  • Appendix B: Policies, Standards and Guidelines

Executive Summary

The Census Data Operations Centre (Census DOC) located in Gatineau, Quebec, is one of fourteen projects which make up the 2011 Census Program. The Census DOC project is responsible for implementing the systems and procedures required to process the Census data at a centralized processing site. This includes the set-up and infrastructure of the building itself, as well as the recruitment and hiring of temporary staff to carry out the activities and operations. Physical Security procedures were developed for implementation by Census DOC Management Services and took into consideration the Census DOC objectives, equipment to be installed, and the number of staff who will work at the Census DOC.

The objectives of this assurance engagement were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with reasonable assurance that the governance related to security for the Census DOC is adequate and effective; and the Census DOC complies with the relevant physical security policies and guidelines prescribed by the Treasury Board Secretariat (TBS).

The audit was conducted by Internal Audit Services in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

The audit found that oversight exists to ensure the coordination and integration of security activities for decision making and plans are in place to protect sensitive information. Physical zones at the Census DOC were well established and maintained to protect sensitive Statistics Canada information and assets. Security requirements were considered throughout the contracting process and described in documents provided to contractors. The security screening process of individuals, were in accordance with relevant personnel security policies and procedures and most of the recommendations made in the Threat Risk Assessment (TRA) conducted by a third party consultant, were accepted and implemented.

The Census program has a matrix organizational structure. Roles and responsibilities describing the relationships and assigned responsibilities between Facilities Management (FM), Departmental Security (DS) and the Census DOC with physical security responsibilities were not clearly defined, documented and communicated. Statistics Canada's Security Practices Manual is outdated and does not include reference to external sites such as the Census DOC. The responsibilities of the Business Continuity Planning (BCP) coordinator do not reflect those listed in TBS' Operational Security Standard – Business Continuity Planning Program policy. As well, emergency plans need to be finalized and posted at the Census DOC.

Overall Conclusion

The Census DOC governance related to physical security is adequate and effective and compliant with the applicable physical security requirements prescribed by TBS.

While both objectives of the audit are met, the audit results highlighted opportunities for improvement related to the Agency's Departmental Security governance. Areas to be strengthened are: 1) Updating the Security Practices Manual to reflect the current organizational structure, define roles and responsibilities for physical security at all Statistics Canada facilities, and include the processes and procedures to follow for the integration of physical security requirements at all Statistics Canada facilities 2) To ensure segregation of duties, Departmental Security should be approving the implementation of physical security requirements carried out by Agency programs. 3) The BCP coordinator's responsibilities should be expanded to reflect those listed in TBS' policy.

Introduction

Background

The Census of Population is Statistics Canada's largest survey program. Every five years, the Census obtains information from the entire population of Canada. Census is the most publicly visible and significant operations at Statistics Canada; it was ranked as high risk in the management workshops. The 2011 Census Data Operations Centre (Census DOC) is a critical component of the Census data collection and processing.

Census Day in 2011 will be May 10. A huge collection and processing effort is required to handle the 13 million census questionnaires in an efficient and timely fashion. To achieve Census objectives, the Census Program is divided into 14 projects, of which the Census DOC with a budget of $28.9 million is one. The Census DOC project team is responsible for implementing the systems and procedures required to process the Census data at a centralized processing site. This includes the set-up and infrastructure of the building itself as well as the recruitment and hiring of temporary staff to carry out the activities and operations.

Statistics Canada Census DOC personnel have been on-site since the beginning of July 2010 along with personnel from Census, Informatics Technology Services Division (ITSD), System Development Division (SDD) and Facilities Management (FM). Approximately 1,200 temporary staff will be employed over several shifts from 6:30 a.m. to 11:30 p.m., seven days per week, during the period of May to August 2011 with some follow-up activities from August to October 2011. Physical Security procedures were developed for implementation by Census DOC Management Services; taking into consideration the Census DOC objectives, equipment to be installed, and the number of staff who will work at the Census DOC.

These procedures describe physical security measures to safeguard the materials, equipment, and personnel working at the Census DOC. They also encompass personal security for:

• temporary staff employed during the operational phase;
• visitors to the site;
• service personnel external and internal to Statistics Canada;
• contractors; and
• employees of other divisions requiring access to the Census DOC.

Objectives

The objectives of this audit were to provide the Chief Statistician (CS) and the DAC with reasonable assurance that:

• Census DOC governance related to security is adequate and effective; and
• Census DOC complies with the relevant physical security policies and guidelines prescribed by the Treasury Board Secretariat (TBS).

Scope and Approach

The audit engagement was conducted in conformity with the Government of Canada and the Institute of Internal Auditors (IIA) standards on internal auditing and the Treasury Board of Canada Policy on Internal Audit. All work was conducted in collaboration with key senior managers and staff. The audit approach was inspired by the Treasury Board Core Management Control Guidelines, issues by the Office of the Comptroller General.

The scope of the audit focused on the Census DOC physical security, security clearance process for temporary staff, and procurement activities relating to security to ensure compliance with the TBS requirements. The audit also examined the effectiveness and adequacy of the current security governance structure of the Census DOC. The audit work consisted of an examination of documents, interviews with key senior management and personnel, and a review for compliance with relevant policies and guidelines.

The field work was performed in two stages:

• The first consisted of a review and assessment of the security governance structure, as well as the processes and procedures related to physical security, security clearance and procurement activities; and
• The second stage followed with detailed testing of areas mentioned above.

Authority

The audit was conducted by IAS under the authority of Statistics Canada Multi-Year Risk-Based Audit Plan (RBAP) for the fiscal years of 2010/11-2012/13. The RBAP was approved by the Departmental Audit Committee (DAC) on April 15, 2010.

Findings, Recommendations and Management Responses

With respect to governance, an adequate and effective Census DOC governance related to physical security would establish security governance mechanisms (e.g. committees, working groups) to ensure the coordination and integration of security activities with departmental operations, plans, priorities and functions to facilitate decision making. As well, it would ensure that accountabilities, delegations, reporting relationships, and roles and responsibilities of departmental employees with security responsibilities are defined, documented and communicated to relevant persons.

The audit found that oversight exists to ensure the coordination and integration of security activities for decision making and plans are in place to protect sensitive information. Roles and responsibilities describing the relationships and assigned responsibilities between FM, DS and the Census DOC with security responsibilities were not clearly defined, documented and communicated; Statistics Canada's Security Practices Manual is outdated and it does not include reference to external sites, such as the Census DOC; responsibilities assigned to the BCP coordinator's role do not reflect those identified in TBS' Operational Security Standard – Business Continuity Planning Program policy; and Emergency plans need to be finalized and posted at the Census DOC.

With respect to physical security, compliance with the relevant physical security policies and guidelines prescribed by TBS by the Census DOC would ensure that the facility be designed and managed to create conditions that, together with specific physical security safeguards, would reduce the risk of violence to employees, protect against unauthorized access, detect attempted or actual unauthorized access and activate an effective response.

The audit found that physical security zones at the Census DOC were well established and maintained to protect sensitive Statistics Canada's information and assets. Security requirements were considered throughout the contracting process and described in documents provided to contractors and security screening process of individuals was in accordance with relevant personnel security policies and procedures. The final TRA determined that all of the physical security deficiencies and concerns identified in the initial TRA were appropriately addressed to mitigate the associated risk.

All recommendations and management response and action plans that follow in the sections below should be considered within the existing Statistics Canada's management structure.

Governance

Roles and Responsibilities, Accountability, and Processes and Procedures for Physical Security Requirements

The Census program, of which the Census DOC project is one of its 14 projects, has a matrix organizational structure. Clear delineation of responsibilities, delegated authorities and lines of communication to support effective coordination between all parts of the Census operations should exist to ensure efficient and effective operations. Processes and procedures for identifying physical security requirements compliant with applicable policies should be fully integrated and documented in the planning process for selecting and modifying the Census DOC facility. This would ensure that management identifies and responds to risks that may preclude the achievement of objectives and follow-up.

Roles and Responsibilities

Positions relevant to the Census DOC project were formally documented, and delegated authority was aligned with each position's roles and responsibilities. The organizational chart for the Census DOC was up-to-date and permitted the identification of clear and effective lines of communication and reporting, at both the Census operations and Census project level.

The audit revealed that inefficiencies existed in the early implementation stage of the project. This was due to the fact that the responsibilities of DS and the relationship and linkages between DS and FM had not been defined, documented, or communicated. Given the DOC project manager's limited knowledge and experience with security matters and requirements, significant effort was required to obtain clarity on every one's roles and responsibilities throughout the process. Through eventual discussions with DS management, the Census DOC project manager found that DS only played an 'advisory' role, and not one that provides 'direction and guidance' as was anticipated. Furthermore, specifically at the planning stage of the project, regular meetings were held with all the relevant stakeholders from corporate services; however the DS representative did not attend the meetings on a regular basis, which created further inefficiencies in obtaining security related information.

Segregation of Duties

Segregation of duties, a key internal control was not present between FM and DS. FM is responsible for taking care of the physical infrastructure such as the design, environment issues and implementation. DS is responsible for ensuring compliance to required security standards and measures. Census DOC project management identified the physical security requirements to be implemented at the Census DOC facility. FM then implemented the requirements, and subsequently approved their own work, since no one else was performing this function. Independent oversight, verification and approval to TBS and Statistics Canada security policies should have been performed by DS, since they are the delegated authority on security.

Accountability

The audit team reviewed the Security Practices Manual to determine which position within DS was directly responsible for providing direction and guidance on the physical security program for the Census project. The audit team determined that the Chief of DS is the position responsible to manage the physical security program for the Statistics Canada complex. The complex is defined to include the three buildings at Tunney's Pasture, and excludes the Census DOC. Consequently, the Chief of DS only provides advice to program managers and regional managers on security and emergency matters.

According to the Security Practices Manual, Regional Directors are designated Regional Security Officers (RSO). As such, they are responsible for administering the security programs in their regions and are responsible for physical security, including safety and security of employees and premises, access and visitor control. The manual however, is not clear as to who is responsible for providing Statistics Canada RSO, programs, and project managers with guidance and direction on required security measures and standards, especially with regards to external sites such as the Census DOC, Research Data Centres (RDCs) and Data Centres in the regions. Clarity is therefore required with regards to external sites. As well, the manual, originally written in 1986, does not reflect the current organizational structure of Statistics Canada.

Process and Procedures

Considering that Statistics Canada conducts a Census every five years, review of the Security Practices Manual and the DS function revealed that they do not contain information on the processes and procedures to follow for the integration of physical security requirements in the selection of operational accommodations outside the Statistics Canada complex, such as the Census DOC site. As well, there is no standardized baseline security documentation for use as a reference tool and for providing a framework, guidance and direction on physical security measures and standards, e.g. information on the handling of 'suspicious packages' and the requirement of having a separate room with ventilation for handling and processing mail. Such documentation would improve the efficient and effective use of corporate resources by reducing duplication of efforts every time a new operational accommodation is acquired outside the Statistics Canada complex.

Nevertheless, in the absence of documenting this type of information, DS follows TBS' Policy on Government Security (PGS)^{Footnote 1}, RCMP guidelines and other Statistics Canada policies that mirror the PGS.

As well, the Census DOC project management identified and included the physical security requirements included in both the Census 2011 Baseline Requirements document, and in the Tenancy Requirement Plan (TRP), provided to PWGSC as a guide for identifying potential sites for a Census DOC facility in National Headquarters (NH). These requirements were based on the following:

• a Physical Security document prepared by FM that outlines the minimum security requirements for Statistics Canada operational area accommodations, outside the NH complex, and provides guidelines for security levels which impact fit-up costs;
• the Census 2006 Baseline Requirements;
• past experiences of employees gained in their respective positions over many years; and
• advice and recommendations received from DS.

Recommendation No. 1 & 2

It is recommended that the Assistant Chief Statistician of Census and Operations should ensure that:

• The Security Practices Manual is updated to reflect the current organizational structure; define roles and responsibilities for physical security at all Statistics Canada facilities, between FM, DS, and Census Operations; and include the processes and procedures to follow for the integration of physical security requirements at all Statistics Canada facilities.
• Departmental Security approve the implementation of physical security requirements carried out by Agency programs to ensure segregation of duties.

Management Response

Management agrees with recommendation #1. The Agency's Security Practices manual will be updated based on the direction that will be established by the Agency's Security Plan that is scheduled to be approved by Policy Committee in the spring of 2012. The revised manual will reflect the governance and provide clear guidance on required resources and standards for external sites. In addition, at the beginning of specific projects, the roles and responsibilities of Facilities Management and Departmental Security will be established as they relate to defining and implementing security requirements. These will be reviewed and approved by the Departmental Security Coordination Committee.

Deliverable

Updated Security Practices manual; and defined and approved roles and responsibilities for the implementation of security requirements.

Accountability

The Director, Corporate Support Services Directorate is responsible for ensuring that the Security Practices manual is updated as stipulated.

The Director General, Operations Branch is responsible for ensuring that defined roles and responsibilities for the implementation of security requirements are established at the beginning of each new project, and that they are reviewed and approved by the Departmental Security Coordination Committee.

Timeline

Immediately: Procedure of establishing defined roles and responsibilities for the implementation of security requirements at the beginning of new projects.

June 2012: Updated and Policy Committee approved Security Procedures manual.

Management agrees with recommendation #2. Physical Security will form an integral part of the project team and provide direction relative to the physical security requirements to ensure compliance with Departmental standards and requirements, as stated in the Security Practices manual. The Departmental Security Coordination Committee will approve the implementation of physical security requirements for each project. The approval will be reflected in the committee's minutes.

Deliverable

Physical Security will provide direction on projects relative to the physical security requirements to ensure compliance with Departmental standards and requirements.

Documented approval by the Departmental Security Committee of the implementation of physical security requirements for each project.

Accountability

The Director, Corporate Support Services Directorate will ensure that Physical Security provides direction on projects relative to the physical security requirements.

The Chair, Security Coordination Committee will ensure that the Departmental Security Committee approves the implementation of physical security requirements for each project.

Timeline

Immediately.

DOC Physical Security Oversight, Objectives, Procedures and Plans

Independent oversight should exist to monitor and ensure compliance with the Census DOC physical security objectives, priorities, procedures and all applicable government policies and standards. Plans should be in place to respond to emergency situations, and for the continuity of critical business operations.

Oversight

The audit determined that independent oversight exists at both the operational level and departmental level. At the operational level the, Census Steering Committee, Census Project Team, and Integrated Project Team (IPT) provide oversight. The IPT convened, as required, to discuss all operational requirements related to the Census DOC. The Census Manager, as the accountable authority, was debriefed on these discussions and provided regular status updates. At the departmental level, the Security Coordination Committee (SCC), which ultimately reports to the Policy Committee, was found to have formal processes in place.

Objectives, Procedures and Plans

Manuals and handbooks have been prepared by the Census DOC project management team and address, in detail, the physical security procedures to protect sensitive information, assets and employees. The 2011Census Processing Operations Management Process – Data Operations Centre covers the operational goals, objectives, roles, responsibilities, processes, tools, and governance, as well as the policies and procedures for managing Census DOC operations.

The 2011 Census DOC Physical Security Procedures document covers the requirements for physical security, health and safety procedures for the pre-operational phase, the operational phase and the closing out and defit phase. As well, section 2.8 of the 2011 Census Employee Handbook has been dedicated to 'Security' in all its aspects, as it pertains to the employees of the 2011 Census.

The audit determined that the Census project management team has developed a draft Business Continuity Plan (BCP) for the Census DOC, and they intend to finalize it and present it to the Policy Committee for approval before operations commence in April, 2011. Furthermore, the audit confirmed, by reviewing the departmental BCP document, that the Census DOC which is set to be a permanent leasehold for both the 2011 and 2016 Census is included in the BCP. Detailed procedures for the continuity of critical business operations of the Census DOC site are in the process of being developed for inclusion.

Review of the TBS' Operational Security Standard – Business Continuity Planning Program policy and discussions with management at Corporate Support Services Division (CSSD) revealed that the responsibilities assigned to the BCP coordinator's position do not reflect those identified in TBS' Operational Security Standard – Business Continuity Planning Program required by the policy.

A walk-through of the Census DOC facility by the audit team in November 2010 revealed that the Government of Canada (GoC) approved Emergency Plans, i.e. evacuation procedures and fire drills were not ready. This is a requirement and has to be provided to Statistics Canada by the Department of Public Works and Government Services Canada (PWGSC), as the leasing agent for the Census DOC facility. Currently, some emergency procedures, such as evacuation procedures, have been provided by the landlord and posted around the building. As of January 2011, the audit team was advised by the Census DOC project management team, that Emergency Plans have been submitted by PWGSC for approval to the City of Gatineau.

Recommendation No. 3

It is recommended that the Assistant Chief Statistician of Census and Operations should ensure that:

• The responsibilities of the BCP coordinator reflect those in the TBS' Operational Security Standard – Business Continuity Planning (BCP) Program policy.

Management Response

Management agrees with recommendation # 3. The Departmental Security Coordination Committee will ensure that the Agency's BCP coordinator's role and responsibilities align with the TBS' Operational Security Standard – Business Continuity Planning (BCP) Program policy, in the Departmental Security Plan. A BCP coordinator will be nominated.

Deliverable

An approved Agency Security Plan which defines the role and responsibilities of the BCP coordinator, in alignment with the TBS' Operational Security Standard – Business Continuity Planning (BCP) Program policy.

The nomination of an Agency BCP coordinator.

Accountability

The Chair, Security Coordination Committee is responsible for ensuring that the Agency has an approved Agency Security Plan which defines the role and responsibilities of the BCP coordinator, in alignment with the TBS' Operational Security Standard – Business Continuity Planning (BCP) Program policy. The Chair is also responsible for ensuring that an Agency BCP coordinator is nominated.

Timeline

Summer 2011: Agency BCP coordinator is nominated.

November 2011: An approved Agency Security Plan which defines the role and responsibilities of the BCP coordinator, in alignment with the TBS' Operational Security Standard – Business Continuity Planning (BCP) Program policy.

Monitoring and Assessment

Changes and risks related to the physical security requirements of the Census DOC should be proactively monitored and reviewed, and the information gathered should be used for making informed decisions and taking corrective actions.

Monitoring

The audit revealed that documentation developed by the Census operations management i.e. the 2011 Census Processing Operations Management Process – Data Operations Centre provides sufficient guidance and direction on risk identification for monitoring actual performance against planned results.

Three different but interrelated Statistics Canada systems were utilized for recording risks and issues. One of these applications is the Outstanding Issues System (OIS), which is separate but linked to the second and third systems, known as the Risk Management System (RMS) and the Change Management System (CMS), respectively. When a risk was identified, it was posted in the RMS, and categorized with regards to its probability, impact and time frame. A report with the risk identification number, name of the Census project manager affected, description and status of the risk could be generated at either the Census program level or the Census project level for review and monitoring by the Census program management. Decision statements on each risk or issue were also posted in the OIS for continuous monitoring by the Census program management. A review of randomly selected issues revealed that the applicable Census project team addressed them for resolution.

Assessment

As a governance mechanism, a Threat Risk Assessment (TRA) performed by a third party consultant in September 2010, was used as a formal process to validate physical security requirements. As part of the assessment, the consultant performed a physical inspection, reviewed the specified safeguards, and completed a risk analysis of the physical security of the Census DOC. A follow-up or Supplementary Physical Security review was performed in December 2010, to ensure that recommendations made in the initial TRA were accepted and implemented. Following this, the TRA report was finalized in December 2010.

The audit assessed that for the 2011 Census project, select activities, such as the responsibility for monitoring and updating security measures by the Census project team were clear and communicated. Corrective actions were taken on security issues and these were appropriately documented, reported and acted upon by the required authority levels.

Physical Security

Stewardship

The second objective of this audit was to assess whether the Census DOC facility, complied with the relevant physical security policies and guidelines. To determine this, the audit examined the following:

• Physical security zoning requirements for the Census DOC were established, and maintained with appropriate access control mechanisms, to protect sensitive information and assets as per TBS' Policy on Government Security (PGS);
• Security requirements were considered throughout the contracting process, and were described in documents provided to contractors;
• The security screening process of individuals was in accordance with relevant personnel security policies and procedures. Procedures existed to safeguard Statistics Canada's assets, upon the change of duties of an employee working for the Census DOC project; and
• The final version of the TRA to ensure that the Physical Security and Security Management practices were conducted as per the relevant physical security policies and guidelines.

Zoning Requirements

Along with a review of the TRA, a walk-thru of the Census DOC site determined that physical security zones – public access, reception, operations, security and high security zones were well established and maintained as per TBS' PGS, to protect sensitive Statistics Canada's information and assets.

Contracting Process

Statistics Canada took possession of the Census DOC site in October, 2010. Until then, PWGSC as the leasing agent was responsible for all aspects of the contracting process. The audit determined that contract files and supporting documentation, as of October 2010, included security requirements and were considered in the contracting process. Security information of employees working for contractors with access to the Census DOC was examined. The security level of each employee, along with their effective and expiry clearance dates respectively were listed and confirmed to be valid.

Personnel Security Screening and Safeguarding of Assets

To assess whether the security screening process of individuals was in accordance with relevant personnel security policies and procedures, the personnel files of 15 of the total 25 (60%) Statistics Canada personnel, and all 5 (100%) of the cleaning staff working at the Census DOC were tested. Six of the 15 files belonged to corporate services employees involved in the Census DOC project, and were deemed by the audit team to be critical to the project's overall operations. The remaining files were chosen randomly. Test results and follow-up interviews found that, Statistics Canada took the necessary steps to ensure that security clearances were valid for all employees and workers affiliated with contractors. Review of documentation provided by Human Resources (HR) revealed that necessary guidance and procedures exist to safeguard Statistics Canada's assets, upon the change of duties of an employee working at the Census DOC.

Threat Risk Assessment

The final TRA determined that all of the physical security deficiencies and concerns identified in the initial TRA were appropriately addressed to mitigate the associated risk and concluded "that the Statistics Canada DOC is suitably secured for the business needs of Census 2011^{Footnote 2}"

It should be noted that two risks and related recommendations remain, as Census Operations management assessed the likelihood of these events occurring to be low.

The first is the risk of unauthorized access to the Census DOC. The TRA recommended that a video camera be installed on the building to monitor unauthorized access to the roof. FM advised us that Census project management has decided to accept this risk due to other compensating mitigation means.

The second risk is related to the unleased part of the facility. There is no assurance that the other tenant will be a GoC Department or Agency, given that the Census DOC is a commercial lease facility. FM and Census DOC project management advised us that a tenant committee will be set-up as required by TBS policy to address security issues and concerns, if and when a new tenant is identified.

Based on the evidence gathered and our findings for the DOC physical security line of enquiry; no recommendations are necessary.

Appendices

Appendix A: Audit Criteria

Appendix A: Audit Criteria

MAF Element	Criteria
Lines of Enquiry #1: Census DOC governance related to security is adequate and effective
Governance:	Effective oversight bodies are established. The Census DOC has in place operational plans and objectives aimed at achieving its strategic objectives. Management has developed plans to protect sensitive information, assets, and employees during all types of emergencies and increased threat situations. Plans are developed to provide for the continuity of critical business operations, services, and assets following an unplanned interruption.
Accountability:	Authority, responsibility and accountability are clear and communicated. A clear and effective organizational structure is established and documented
Risk Management:	Management identifies and responds to the risks that may preclude the achievement of its objectives.
Results and Performance:	Management monitors actual performance against planned results and responds to risks as it relates to Census DOC physical security.
Lines of Enquiry #2: DOC complies with the relevant physical security requirements prescribed by Treasury Board Secretariat (TBS)
Stewardship:	Management has established processes to identify and manage contracts. Assets are protected. The procedures for personnel security at the Census DOC are adequate.

Appendix B: Policies, Standards and Guidelines

To support the physical security assessment section within the TRA report, the following GoC standards, policies, and guidelines were found to be used –

• Government of Canada Policy on Government Security (PGS);
• GC Operational Standard for Physical Security;
• GC Harmonized Threat and Risk Assessment Methodology (HTRA);
• RCMP G1-001 - Security Equipment Guide;
• RCMP G1-004 - Construction of a Special Discussion Area;
• RCMP G1-005 - Preparation of Physical Security Briefs;
• RCMP G1-006 - Identification Cards / Access Badges;
• RCMP G1-009 – Transport and Transmittal of Protected and Classified Information;
• RCMP G1-013 - Security Control Room Space Requirements;
• RCMP G1-024 - Control of Access;
• RCMP G1-025 - Protection, Detection and Response; and
• RCMP G1-026 - Application of Physical Security Zones.

Notes:

Independent Validator Statement

Reference Number: IA-Con-2011 ( Document (PDF, 124.96 KB) )

Validators were engaged to conduct an independent validation of Statistics Canada's Internal Audit Services self-assessment. The primary objectives of the validation were to verify the assertions made in the self-assessment report concerning:

• Statistics Canada and the Internal Audit Services' conformity to the requirements of the Treasury Board Policy on Internal Audit Suite, as well as the Internal Auditing Standards for the Government of Canada, as stated in the Treasury Board of Canada Secretariat's Internal Audit Practice Inspection Guidebook (June 2010); and
• The Internal Audit Services' conformance with the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing (Standards) and the Code of Ethics.

In acting as Validators, we are fully independent of the organization and have the necessary knowledge and skills to undertake this engagement. The validation, conducted during September to November 2011, consisted primarily of a review and testing of the procedures and results of the self-assessment.

In addition, interviews were conducted with the Chief Statistician, the acting Chair and external member of the Departmental Audit Committee, selected senior management, the CFO, CAE, and several members of the internal audit staff.

We concur with Statistics Canada Professional Practices Management's conclusions that:

• Statistics Canada's Chief Statistician, Departmental Audit Committee and the Internal Audit Services are in general conformance with the requirements of the Treasury Board Policy on Internal Audit Suite, as well as the Internal Auditing Standards for the Government of Canada; and
• The Internal Audit Services is in general conformance with the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing (Standards) and the Code of Ethics.

Our observations and recommendations were integrated in the Professional Practice Inspection Report dated December 1st, 2011. Independent validation suggestions for improvement against best practices, intended to build upon the strong foundation already in place, were provided to the CAE for consideration.

The geographic classifications include the Standard Geographical Classification (SGC) as well as other classifications of Canada. Also included are the classifications of countries and areas of interest for the world.

Canada

Standard Geographical Classification (SGC)

• SGC 2021 - Volume I, The Classification
• SGC 2021 - Volume II, Reference Maps
• SGC 2016 - Volume I, The Classification
• SGC 2016 - Volume II, Reference Maps
• SGC 2011 - Volume I, The Classification
• SGC 2011 - Volume II, Reference Maps
• SGC 2006 - Volume I (Final) The ClassificationArchived
• SGC 2006 - Volume II, Reference MapsArchived
• SGC 2006 - Volume I, (Preliminary) The Classification (PDF, 333kb)Archived
• SGC 2001Archived
• SGC 1996Archived

Population Centre and Rural Area Classification

• Population Centre and Rural Area Classification 2016

Health Regions (HR)

• Health Regions (HR)

Classification of the Economic Territory of Canada (CETC)

• CETC 2011

Standard Classification of Countries and Areas of Interest (SCCAI)

• SCCAI 2022
• SCCAI 2019
• SCCAI 2018
• SCCAI 2017
• SCCAI 2016
• SCCAI 2011
• SCCAI 2010
• SCCAI 2009
• List of Countries, Dependencies and Other Areas of Interest (2006)

Standard Drainage Area Classification (SDAC)

• SDAC 2003

Ecological Land Classification (ELC) 2017

• ELC 2017

Other

• American National Standards Institute (ANSI) – States codes
• List of Countries - European Union (EU) 2020
• List of Countries – European Union (EU) 2013
• List of Countries – European Union (EU) 2007
• Statistical Division of the United Nations - Standard country or area codes for statistical use (M49)

Introduction

Statistics Canada is preparing to launch an interactive consultation tool on its website for the purpose of engaging and seeking further input from Canadians by inviting them to discuss, comment and vote in a one-question online poll, titled "Question of the month," about one of the Agency's products, services or website features.

Objective

A privacy impact assessment for the Interactive Online Consultation Tool was conducted to determine if there were any privacy, confidentiality and security issues associated with the tool, and if so, to make recommendations for their resolution or mitigation.

Description

The Interactive Online Consultation Tool will be made available in the Consulting Canadians module (http://www.statcan.gc.ca/interaction/consultation/).

Participants are asked to provide a user name (alias) and their email address, which may be used to correspond with them if required, and indicate by checking a box whether they wish to participate in Statistics Canada's future consultations (excluding the online "Question of the month" poll).
The online poll comment sections will be moderated. Users will be informed that their comments will be held until they are vetted by the moderator.

Unregistered visitors may also indicate their wish to take part in consultations by filling out an electronic form available from the left-hand menu of the Consulting Canadians module.  Participants who indicated a wish to participate in consultations may be invited via email by Statistics Canada's Consultation Services in Communications Division to participate in a consultation.

Conclusion

This assessment of the Interactive Online Consultation Tool did not identify any privacy risks that cannot be managed using existing safeguards.

Reliable economic and social statistical information is necessary for evidence-based policy, for efficient decision-making and for better measurement of development results. For that reason, it is crucial to increase the statistical capacity of emerging countries.

Statistics Canada signed an international co-operation agreement with the Canadian International Development Agency to help improve the management capabilities of the national statistical offices of some countries in Africa, Latin America and the Caribbean. One of the components of the agreement, signed by International Cooperation Division, is the International Statistical Fellowship Program which began in 2011 and ended in March 2016.

The program addressed identified gaps in the leadership and management of national statistical offices and systems in more than 40 participating countries in Africa, Latin America and the Caribbean. This entailed both acquisition of management knowledge and continued local development and ownership. After two weeks of training in Ottawa, attendees and their statistical office engaged with Statistics Canada by developing organizational action plans to apply what was learned in the training period. Statistics Canada monitored how these country-specific action plans were implemented over a two-year period.

For more information, contact statcan.international-international.statcan@statcan.gc.ca.

Statistics Canada has co-operated with China’s National Bureau of Statistics (NBS) for many years through the Statistical Information Management Program (SIMP). The program supported statistical capacity-building in China, with special emphasis on the sustainability aspect of the activities. This ensured that the NBS would have both the knowledge and the intention to implement the results of the projects.

The first phase of SIMP (SIMP I), from 1996 to 2004, covered national accounts, household surveys, a survey skills development course, and resource management.

SIMP II, from 2005 to February 2013, was also supported with cost-recovery funds from the Canadian International Development Agency and the Chinese Ministry of Commerce. SIMP II had four main components: a social statistics project to integrate rural and urban household surveys; an economic statistics project to create an economic survey structure enable better gross domestic product estimates; an environment statistics project to enhance environmental statistics, in order to create environmental accounts; and an overarching management component.

Statistics Canada and the NBS decided to continue their co-operation: the two nations signed a memorandum of understanding (MOU) in March 2013.

The MOU identifies two main co-operative projects: corporate business architecture and quality assurance for household surveys. The MOU also states that Statistics Canada, from time to time, will participate in workshops organized by the China International Statistical Training Center of the NBS.

For more information, please contact statcan.international-international.statcan@statcan.gc.ca.

Statistics Canada's provides technical assistance to international organizations and statistical offices and systems in other countries through two main types of activities:

• on-site technical assistance in other countries, either as single missions or as part of broader projects
• in-house technical assistance, either through formal training or brief study visits.

Statistics Canada's technical assistance activities are designed to help other countries develop their national statistical systems, providing them with information they need to monitor their social and economic programs. This, in turn, helps to improve the quality of international statistical system which is important for the global community and helps ensure better international comparability across statistical domains.

The provision of technical assistance also helps Statistics Canada to better understand the statistical needs of developing countries, which helps the agency carry out its global responsibilities.

For more information, please contact International Co-operation

Multilateral relations are activities done under the auspices of a multilateral organization. Most multilateral organizations have their own statistical programs and corresponding secretariat staff; Canada is a member of most of these organizations, and Statistics Canada is widely involved in multilateral statistical activities.

The centre of multilateral statistical activities is the United Nations and its family of institutions. The United Nations Statistical Commission meets once a year. Supported by the United Nations Statistics Division, the commission's meetings cover topics related to economic, social and environmental statistics, classifications, reviews of statistical programs, development indicators and other topics of current and emerging importance.

The Organisation for Economic Co-operation and Development (OECD) is also very active in the statistical field. Many of its expert groups regularly produce relevant work for Statistics Canada in the areas of national accounts, classification, environment statistics and social statistics. Statistics Canada is involved in many of these expert groups.

For more information, please contact Multilateral Relations

Introduction

Beginning in spring 2007, Statistics Canada will conduct the Canadian Health Measures Survey (CHMS). This new survey will collect information through self-reported data on health and through direct physical measures. It is anticipated that approximately 5,000 respondents will complete the entire survey, with one or two persons between the ages of 6 and 79 selected per household.

Objectives

A privacy impact assessment for the CHMS was conducted to determine if there were any privacy, confidentiality and security issues associated with the survey, and if so, to make recommendations for their resolution or mitigation.

Description

The CHMS will collect information that will help evaluate the extent of health problems among Canadians in such areas as chronic diseases (e.g., diabetes and cardiovascular disease), infectious diseases, lifestyle characteristics (e.g., physical activity and nutritional status) and environmental exposures. The survey will also provide a means to explore emerging public health issues and new measurement technologies.

The CHMS will collect data both through a questionnaire administered in the household and physical measure tests administered in a mobile health clinic. As part of the data collection, respondents will undergo a series of physical tests and will be asked to provide tissue samples (blood and urine) that will be subsequently sent to various government laboratories under contract to Statistics Canada to perform tests.

Because of the highly personal nature of the information being collected, tested and processed, the privacy impact assessment identified a number of potential privacy issues and risks. They include:

• Transmission of information/samples between mobile clinics and Statistics Canada Headquarters and the laboratories
• Reporting back survey and laboratory results to respondents
• Storage of physical specimens (blood, urine and DNA)
• Retention of personal identifiers
• Permission of respondents for future tests
• Age of consent regarding children in the survey

Measures put in place to address these issues include providing comprehensive information in order to obtain written informed consent from respondents, anonymous ID numbers on stored samples and other security procedures to ensure the confidentiality and integrity of respondents’ information.

Consultations and Review Boards

Privacy issues were discussed with, and input obtained from, the Office of the Privacy Commissioner of Canada. Similarly meetings to discuss the survey have been held with the offices of provincial privacy commissioners in all provinces.

As well, numerous other committees were used to direct the development of the survey and to address privacy and research ethics questions related to the survey. These include the CHMS Expert Advisory Committee, the Physician Advisory Committee and the Laboratory Advisory Committee. The CHMS also engaged in detailed discussions with the Health Canada Research Ethics Board and received their approval to proceed.

Conclusion

The conclusion is that with the enhanced and existing Statistics Canada safeguards and procedures and those to be in place at the mobile clinics and the laboratories, any remaining risks will be either negligible or are such that Statistics Canada is prepared to accept and manage these risks.