Internal Audit and Program Evaluation Directorate
Audit of Access to Information and Privacy
October 2016

1.0 Introduction

The Access to Information Act (ATIA) gives every Canadian citizen, permanent resident and individual or corporation present in Canada the right to access records—in any format—that are held under the control of a government institution subject to certain specific and limited exceptions. The Privacy Act (PA) protects the privacy of all Canadian citizens and permanent residents regarding personal information held by a government institution. However, it gives these individuals, including those in Canada who are not permanent residents or citizens, the right to access their own personal information. Both acts came into effect on July 1, 1983 and were last amended in 2016. The process of obtaining information under the control of a government institution is often referred to as Access to Information and Privacy (ATIP) and is the subject of this report.

The management of the CBSA’s ATIP requests is carried out by the ATIP Division under the Corporate Affairs Branch. One of the objectives of CBSA’s ATIP Division is to manage the Access to Information and Privacy requests within the allotted timeframe set out by the ATIA and the PA. The Division also manages other tasks that arise out of the operation of the two Acts, such as: updating Info Source [Footnote 1]; providing advice on Privacy Impact Assessments; applying redactions for reports related to Professional Standards and Human Resources employee conduct or disciplinary cases; and also by reviewing alleged privacy breaches.

The volumes of both ATIA and PA requests the Agency receives continue to increase year over year; each increased more than 300% since 2010–11 (see Table 1). The carry-over of requests also continues to increase.  

Table 1: Access to Information Act and Privacy Act requests received, closed and carried forward, by fiscal year

Fiscal Year | ATIA Received | ATIA Closed | ATIA Carried forward | PA Received | PA Closed | PA Carried forward
2010–11     | 1,607         | 1,580       | 226                  | 2,896       | 2,808     | 308
2011–12     | 1,866         | 1,757       | 320                  | 6,674       | 6,330     | 650
2012–13     | 3,147         | 2,891       | 590                  | 13,379      | 13,191    | 838
2013–14     | 4,671         | 4,079       | 1,180                | 11,890      | 11,420    | 1,307
2014–15     | 6,705         | 6,802       | 1,087                | 12,769      | 12,024    | 2,055
Source: Analysis of ATIP annual reports

The ATIP Division is located in the National Headquarters and comprises five units: an Administration section, two Case Management units, and two Policy units. The Administration section receives all incoming requests and consultations and supports both Case Management units in their day-to-day business related to ATIP requests. The Case Management units task all branches and regions with retrieval requests and provide daily operational guidance and support to CBSA employees. The ATIP Policy and Governance unit develops policies, tools, and procedures to support ATIP requirements within the CBSA and provides training to employees. The Information Sharing and Collaborative Arrangement Policy unit maintains the policy framework for the CBSA’s information sharing and domestic written collaborative arrangements.

During fiscal year 2014–15, approximately 53 full-time equivalents, four part-time and casual employees, and four consultants were employed in the ATIP Division. Functionally, the Division is further supported by 16 primary ATIP Liaison Officers (LOs) who are dispersed across the Agency’s regional offices and branches. These LOs provide administrative support to the ATIP Division in the retrieval of records and provision of disclosure recommendations.

2.0 Significance Of The Audit

The audit of ATIP is of interest to the CBSA management because of the increasing volumes of ATIP requests and the requirement for timely responses, as well as the need for effective controls surrounding the disclosure of information. Further, in his November 2015 mandate letter to the Minister of Public Safety and Emergency Preparedness, the Prime Minister called for a higher bar for openness and transparency in government [Footnote 2].

The audit objective was to assess the adequacy of the ATIP management control framework, including: the management of human resources; business processes; compliance with legislative timelines; and controls that mitigate the risk of disclosing exempted information.

The scope of this audit included training and tools in place to support Agency staff in processing ATIP requests; controls to manage ATIP requests; and continuous improvement activities related to the ATIP processes.

The audit scope excluded:

The audit criteria can be found in Appendix A.

3.0 Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The audit approach and methodology followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada, as required by the Treasury Board’s Policy on Internal Audit.

4.0 Audit Opinion

Overall, the Agency has an effective management control framework in place for the management of ATIP requests to support compliance with legislative, Treasury Board and departmental requirements. As volumes of ATIP requests continue to increase, the ATIP function will be required to continuously optimize the function to meet the legislated response timelines and respect internal process controls. In addition, human resources planning could be strengthened with formalized strategic plans that address the ATIP function’s future resource requirements.

5.0 Key findings

The audit confirmed that effective controls had been established throughout the ATIP process to ensure compliance with legislation and policy requirements, and to reduce the risk of unintentionally releasing exempted information.

From 2010–11 to 2014–15, ATIP requests received by the Agency have increased over 300%. Although the ATIP Division pursued additional resources to address this increased demand on their organization, a Human Resources (HR) plan for the function has not been prepared. Without an HR Plan, the ATIP Division may continue to be reactive to its operating environment, which in turn may lead to delays in processing requests and increases in the time to release information.

ATIP-related training and tools were available to all employees. An opportunity exists to define training requirements for those with functional responsibilities related to the administration of the relevant acts.

Monitoring of the ATIP process occurs at multiple levels throughout the Agency, and by external Commissioners. The Agency’s case management system contained relevant data to support timely decision making as well as the creation of the Agency’s two respective annual reports. The information used for regular reporting and decision making was found to be accurate. The ATIP Division generates multiple reports including a measurement of the timeliness of responses to ATIP requests. To allow for further analysis and decision making, an opportunity exists to report on different types of requests separately. Controls that limited access to the case management system were in place. However, user profiles should be further restricted to appropriately control access to ATIP information.

6.0 Summary of Recommendations

The audit makes two recommendations relating to:
- restricting user profiles within the AccessPro Case Management system to appropriately control access to ATIP information (Recommendation 1); and
- optimizing the ATIP function, including mandatory ATIP training for key functional positions, a human resources plan and reports that are sufficiently detailed to drive process improvement (Recommendation 2).

7.0 Management Response

The Corporate Affairs Branch agrees with the audit report and accepts the recommendations.

The recommendations include a review of access controls within the ATIP Division, the implementation of more comprehensive reporting, and the development of an HR strategy which includes resource planning and mandatory training.

By addressing the recommendations of this audit, we will strengthen the overall administration of the ATIP program at the CBSA.

8.0 Audit Findings

8.1 Control Environment

Audit Criteria:
1.1. Roles, responsibilities and authorities are defined for the management of ATIP requests.
1.2. A human resources plan is in place that provides a strategy to support ATIP Division in reaching its objectives.
1.3. ATIP Employees, ATIP Liaison Officers, and CBSA employees are provided with the necessary training and tools to discharge their responsibilities.

Roles, Responsibilities and Authorities

To achieve its objectives and address related risks, management establishes organizational structures, assigns responsibilities, and defines job descriptions that prescribe duties and expectations. This includes a clear definition of the reporting lines and the oversight of performance management [Footnote 3].

Roles and responsibilities of ATIP analysts were formally documented and communicated through job descriptions and were included in the ATIP reference manual. The reporting lines were clear: each ATIP analyst reported to a team leader and a manager. The managers reported directly to the Director of ATIP.

The management of the ATIP Division updated the work descriptions of a number of key ATIP positions, determined training needs and developed an inventory of ATIP-related courses. The Agency is awaiting generic work descriptions for the ATIP specialist community from the Treasury Board Secretariat.

ATIP Liaison Officers (LOs) are CBSA employees outside the ATIP Division who receive ATIP requests from the ATIP Division, task out the search for and location of all relevant records within their area, and send the response package to the ATIP office. These employees are typically program officers, administrative and clerical staff, and human resources staff. The ATIP Division is not involved in the selection of LOs. The LOs’ roles and responsibilities are summarized in the ATIP reference manual.

Depending on the region and Branch of the Agency, the LO’s required level of effort related to ATIP duties differs significantly. This is best illustrated by regions where the employee’s official title is ATIP Liaison Officer, although no formal work description exists for this position. Most LOs explained that their ATIP related duties were not considered as part of their performance management evaluation.

Including ATIP-related duties in LOs’ performance agreements, and involving the ATIP Division in the selection of LO personnel, could help improve the consistency with which LOs process ATIP requests.

Human Resources Planning

Human Resources (HR) planning is an essential and mandatory step that facilitates the identification of current and future HR needs in support of meeting the Agency’s mission, mandate and objectives [Footnote 4].

The ATIP Division engaged in HR planning at the operational level by determining the level of staff needed to deliver services in the short and medium term, and by filling vacant positions.

The 2015–18 Integrated Business Plan for the Corporate Affairs Branch called for ATIP to develop an HR Plan in Q1 2015–16. At the time of the audit, this Plan had not been developed. Over the five-year period (FY2010–11 to FY2014–15), the staff available [Footnote 5] to support the ATIP function increased from 39 to 61 (56%). Over the same period, the number of requests increased from 4,503 to 19,474 (332%). The level of staff available has not kept pace with the increase in the volume of requests. In the spring of 2016, the ATIP Division requested additional resources to help address the continued volume increases.

Establishing a human resources plan, aligned with the business plan, will allow for proactive alignment of priorities, development of strategies and availability of budgeted resources. The plan may also describe employee development and retention strategies. Without an HR Plan, the ATIP Division may continue to be reactive to its operating environment which in turn may lead to delays in processing requests and increases in the time to release information.

Training and Tools

To carry out their responsibilities, ATIP employees, ATIP LOs and CBSA employees require the necessary tools and training.

The ATIP intranet site contains information related to processing ATIP requests that all employees can access. It also includes the ATIP Reference Manual which provides important information and describes the key responsibilities of employees when administering privacy and access legislation. During the audit period, the ATIP Division also held regular conference calls with ATIP Liaison Officers to discuss relevant issues.

An inventory of courses is available to support ATIP staff through central agencies, including Treasury Board Secretariat and the Canada School of the Public Service and other professional organizations. Training needs of ATIP employees are assessed and identified during annual performance management assessments. While there is no formal training program in place for ATIP staff, employees indicated that “on the job training” was the most effective form of training.

The ATIP Division developed an online course, available Agency-wide but not mandatory, which outlines an employee’s roles and responsibilities related to management of ATIP requests. The course also included guidelines on managing and safeguarding the Agency’s information. Though there is no mandatory training for LOs, 9 out of 16 individuals successfully completed the online training. Across the Agency, 890 employees (6.5% of Agency staff) successfully completed this online ATIP training, which included 12 executives and 40 individuals one level below executive management [Footnote 6]. In 2014–15, there were also 13 ATIP awareness sessions held at various branches which were attended by 206 employees.

If key CBSA employees, including LOs and those in key management positions, are not aware of the functional requirements of the ATIP legislation and the CBSA-specific process, delays in responding to ATIP requests may result. Further, employees may not understand their legislated requirement to gather all related information, including the penalties for purposefully withholding information.

The findings noted in the above section are addressed through recommendation #2.

8.2 Control Activities

Audit Criteria:
3.1. Key controls are in place to achieve objectives and respond to ATIP risks.
3.2. ATIP requests are processed within legislated timelines and CBSA service standards.

System Access Controls

AccessPro Case Management (APCM) is a case tracking and reporting solution that automates many of the tasks associated with information disclosure processes.

Controls should be in place to prevent individuals responsible for programming the system from also having access to the production environment. The audit confirmed that access to the production environment was granted only to authorized employees. Access to the system is only given according to defined positions within the ATIP Division and user authorizations and restrictions are updated as needed by a system administrator. Controls around user identification and passwords were found to be sufficient, although it was noted that passwords do not expire. In cases where employees left the Division, their accounts were usually deactivated.

For each ATIP request logged into APCM, a record with a unique file number is generated. Only the system administrator can delete a record. Authority to make changes to information in APCM is linked to the hierarchy of the position: i.e. analyst, team leader, manager. Despite this hierarchy, most users had access to add, edit and delete information on individual records, including closed files. In addition, the system only tracks the last change made to the record. Unrestricted access and an incomplete history of the changes made to records may result in reduced data integrity essential for internal and external reporting.

Key Controls

Management is expected to have procedures and controls in place that identify, assess and manage the appropriate release of information.

To assess the operating effectiveness of the key controls in the ATIP process, a sample of 45 PA requests and 45 ATI requests was reviewed. Overall, the following strengths were identified:

Segregation of Duties

Segregation of duties is an internal control intended to reduce the risk of erroneous and inappropriate actions conducted by one person who has complete access to, and control over, a process [Footnote 7].

As part of an ATI request, the ATIP Division is also responsible for collecting fees. Requesters can choose to pay the fee online by credit card, or by mail via cheque, money order or cash payment. In 2014–15, the Division collected $620 in cash [Footnote 8]. We reviewed the cash handling process for funds collected for ATI requests. A clerk prepared the cash deposit, which was reviewed by a supervisor. The same supervisor also prepared the deposit package and sent it to a processing centre for deposit. These activities should be segregated, or an independent periodic verification should be conducted.

Timeliness of Responding to Requests

An ATIP request must be responded to within the legislated timeframe of 30 calendar days, unless an extension has been applied. ATIA requests can be extended for a “reasonable” amount of time, while PA requests can be extended by a maximum of 30 days unless additional time is required to translate or convert the records into an acceptable format. Service standards, aligned with the legislated requirements, were clearly established in the ATIP reference manual.

In FY2014–15, 60% of all ATIA requests and 82% of all PA requests received by the CBSA came from individuals seeking their Traveller History Report. In 2014–15, the Agency “on time” response rate for completed traveller history requests was 99%. This high rate and high volume has concealed the poorer performance of other ATIP requests. This is because the Agency’s reports only included the “on time” responses for all PA and ATIA requests, which are dominated by the traveller history volumes.

In our sample, the “on time” response rates for ATI and PA requests were 53% and 60%, respectively. It is important to note that traveller history requests were excluded from our sample. The low “on time” response rates can be attributed to the complexity of the files, the volume of requests the Agency received and the limited resources available. Table 2 presents the status of the requests in the audit sample.

By including the traveller history requests into our sample, the “on time” response rates for ATI and PA would increase to 74% and 91%, respectively—much higher than our results.

Table 2: Status of ATIP requests in the audit sample (traveller history requests excluded)

Status                          | ATI %  | ATI Requests | PA %   | PA Requests
On time                         | 53%    | 24           | 60%    | 27
Late                            | 42%    | 19           | 36%    | 16
Request still open but not late | 4%     | 2            | 4%     | 2
Sample Total                    | 100%   | 45           | 100%   | 45
Population                      | -      | 1,477        | -      | 1,159
Source: CBSA

The ATIP Division explained that one factor contributing to the decreasing on-time response rates for ATIP requests was the prioritization of late files. In April 2014, the Agency carried forward 547 late ATIP requests; by December 2015, this had almost tripled to 1,336 [Footnote 9]. As the volume increases, the current resourcing levels cannot keep pace with new requests and address the backlog.

The findings noted in the above section are addressed through recommendation #2.

Controls existed that limited access to the case management system. However, user profiles should be refined to limit the ability to modify existing information depending on the responsibilities of the position. The accuracy of this information collected in the APCM system is important as it is used for decision making and reporting. To respond to the increasing volume of ATIP requests and to meet legislative requirements, the ATIP Division will need to continue to find efficiencies in its processes. More granular reporting can help improve the analysis of the process as well as provide relevant information for decision making.

Recommendation 1:

The Vice-President of Corporate Affairs Branch should ensure the user profiles within the AccessPro Case Management system are restricted, where operationally feasible, to appropriately control access to ATIP information and identify access control requirements for future ATIP-related software releases.

Management Response: The Corporate Affairs Branch agrees with the audit recommendation. A feasibility assessment on the impact of more restrictive access controls in the current ATIP case management system will be undertaken. We will also work with Treasury Board of Canada Secretariat to propose enhanced access controls in future ATIP case management systems.

Completion Date: March 31, 2017

8.3 Risk Assessment

Audit Criteria:
2.1. The risks facing the ATIP Division are identified and addressed, with appropriate responses developed and actioned.
2.2. The potential for fraud is identified and fraud risks are analyzed and responded to.
2.3. Changes that could significantly impact the system of internal control are identified, assessed and responded to.

Risk Management

A process for identifying and analyzing risks and determining how they should be managed, together with consideration of possible changes in the external and internal environment, should be in place so that impediments to achieving objectives can be avoided [Footnote 10].

The FY 2010–12 Corporate Secretariat Risk Profile identified the following key risks related to the ATIP function:

The FY 2015–18 Corporate Secretariat Risk Profile was being finalized at the time of the audit but management explained that the key risks have remained the same.

Each of the 2010–12 risks had a risk sponsor (the Director of ATIP), and identified risk drivers, impacts, and controls. Management’s response to increasing ATIP volume was “accept and watch” while the other two risk responses related to sharing the risk information within the Agency. The rapid increase in volume of ATIP requests is a noteworthy risk for the Agency. To mitigate this risk, ATIP management has developed a strategy and requested additional funding for temporary and permanent resources to address the current and future workloads.

Change management

Management is expected to provide a method for considering and assessing the impact of significant change [Footnote 11].

The CBSA ATIP Division works directly with the Department of Justice and the Treasury Board of Canada Secretariat regarding key changes impacting the ATIP community. Depending on the nature and size of the change, information was communicated internally through electronic tools, regularly scheduled team meetings and conference calls with regional ATIP LOs.

The Agency is currently implementing Apollo, a centralized document management system, which will impact internal business processes related to searching and collecting documents in response to ATIP requests. Apollo is intended to consolidate unstructured information stored in multiple independent sources such as shared drives, emails, and filing cabinets. Although ATIP Division is not directly involved in the implementation of Apollo, the development of guidance related to the use of Apollo during an ATIP request would support employees and ATIP LOs during the search and collection of documents.

The continuous consideration of change in the internal and external environment would have allowed for early identification of risks and the development of strategies to address them. Internally, the ATIP Division has an opportunity to proactively address risks related to the Apollo implementation. The 2016 Audit of Information Management included a recommendation that addressed the need for full implementation of standard information management tools and guidance, which included Apollo.

8.4 Information and Communication

Audit Criteria:
4.1 Accurate performance information is gathered and communicated internally and externally.

The Agency’s information systems should contain data that is complete, accurate and up to date to make informed decisions [Footnote 12].

The Agency’s APCM system contained relevant data to support timely decision making as well as the creation of the Agency’s two respective annual reports on ATI and PA. The audit confirmed that the figures presented in these annual reports had been calculated accurately. These figures were validated using the same data extracts generated at the time of production of the FY 2014–15 annual reports. However, the audit team was not able to reproduce the same information from the data extracted from the system at a later time. The system cannot reproduce reports that were used for annual reporting due to changes within a request over time, which may be a result of the minimal access restrictions presented earlier in the report. A further opportunity for improvement exists to document the data extraction process.
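The two related findings above, that most APCM users could add, edit and delete information on individual records including closed files (section 8.2), and that the system keeps only the last change so that the annual-report figures could not be reproduced from a later extract, are illustrated by the following added example. It is not CBSA or AccessPro code; the positions, field names, users and sample file number are constructed. It enforces position-based edit rules (closed files are frozen for everyone but the system administrator, status fields are reserved to managers, analysts may only edit files assigned to them, only the system administrator may delete) and keeps an append-only change history, which lets a reporting figure be recomputed as of any earlier date even after records have changed.

```python
"""Added example (not CBSA or AccessPro code): position-based edit
restrictions on case records plus an append-only change history that
can rebuild any record as it stood at a past date.  Positions, field
names, users and the sample file number are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any

# Hypothetical positions, following the analyst / team leader / manager
# hierarchy and system administrator role described for APCM.
ANALYST, TEAM_LEADER, MANAGER, SYS_ADMIN = "analyst", "team_leader", "manager", "sys_admin"

# Fields that drive timeliness statistics; only managers and above may change them.
STATUS_FIELDS = {"status", "closed_on", "extension_days"}


class AccessDenied(Exception):
    pass


@dataclass
class ChangeEntry:            # one row of the append-only history
    when: datetime
    user: str
    position: str
    file_no: str
    fld: str
    old: Any
    new: Any


@dataclass
class CaseStore:
    records: dict = field(default_factory=dict)   # file_no -> current field values
    history: list = field(default_factory=list)   # every change ever made, never overwritten

    def create(self, user, position, file_no, when, **fields):
        if file_no in self.records:
            raise ValueError("file numbers are unique")
        self.records[file_no] = {}
        for k, v in {"status": "open", **fields}.items():
            self._apply(user, position, file_no, k, v, when)

    def _apply(self, user, position, file_no, fld, new, when):
        rec = self.records[file_no]
        self.history.append(ChangeEntry(when, user, position, file_no, fld, rec.get(fld), new))
        rec[fld] = new

    def update(self, user, position, file_no, fld, new, when):
        rec = self.records[file_no]
        if rec["status"] == "closed" and position != SYS_ADMIN:
            raise AccessDenied(f"{file_no} is closed; only {SYS_ADMIN} may modify it")
        if fld in STATUS_FIELDS and position not in (MANAGER, SYS_ADMIN):
            raise AccessDenied(f"{position} may not change {fld}")
        if position == ANALYST and rec.get("assigned_to") != user:
            raise AccessDenied(f"{user} is not assigned to {file_no}")
        self._apply(user, position, file_no, fld, new, when)

    def delete(self, user, position, file_no, when):
        if position != SYS_ADMIN:
            raise AccessDenied("only the system administrator may delete records")
        self.history.append(ChangeEntry(when, user, position, file_no, "*deleted*", self.records[file_no], None))
        del self.records[file_no]

    def as_of(self, when):
        """Rebuild every record as it stood at `when` by replaying the history."""
        snapshot = {}
        for e in sorted(self.history, key=lambda e: e.when):
            if e.when > when:
                break
            if e.fld == "*deleted*":
                snapshot.pop(e.file_no, None)
            else:
                snapshot.setdefault(e.file_no, {})[e.fld] = e.new
        return snapshot

    def closed_count_as_of(self, when):
        return sum(1 for r in self.as_of(when).values() if r.get("status") == "closed")


def demo():
    """Walk one constructed file through the controls and return the observations."""
    s = CaseStore()
    d = lambda day: datetime(2015, 3, day)
    f = "A-2014-0001"                                   # constructed file number
    s.create("alice", ANALYST, f, d(1), act="ATIA", assigned_to="alice")
    s.update("alice", ANALYST, f, "notes", "records received", d(2))
    denied = {}

    def attempt(name, fn):
        try:
            fn()
            denied[name] = False
        except AccessDenied:
            denied[name] = True

    attempt("analyst_sets_status", lambda: s.update("alice", ANALYST, f, "status", "closed", d(3)))
    attempt("unassigned_analyst", lambda: s.update("bob", ANALYST, f, "notes", "x", d(3)))
    attempt("analyst_deletes", lambda: s.delete("alice", ANALYST, f, d(3)))
    s.update("carol", MANAGER, f, "status", "closed", d(5))
    attempt("manager_edits_closed", lambda: s.update("carol", MANAGER, f, "notes", "x", d(6)))
    closed_at_report = s.closed_count_as_of(d(7))      # figure as used in an annual report
    s.update("dave", SYS_ADMIN, f, "status", "open", d(10))   # file reopened afterwards
    return {
        "denied": denied,
        "closed_at_report": closed_at_report,
        "closed_at_report_recomputed": s.closed_count_as_of(d(7)),  # still reproducible later
        "closed_now": s.closed_count_as_of(d(11)),
        "history_entries": len(s.history),
    }


if __name__ == "__main__":
    print(demo())
```

Because every change is appended rather than overwriting the previous value, the count of closed files as of the report date is the same whether it is computed at the time or after the file was reopened; a last-change-only store would return the current state and the report figure would not be reproducible.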

Overall, the information gathered in the system was accurate and communicated through both internal reports and formal publicly available documents.

8.5 Monitoring Activities

Audit Criteria:
5.1 Monitoring activities are undertaken and deficiencies are corrected on a timely basis to support continuous improvement.

Monitoring is a cornerstone of delivering any program. Government departments and agencies are expected to monitor management practices and operational controls so that remedial action can be taken when control deficiencies are identified or improvements are needed and performed in a timely manner.

Monitoring the legislative timeline

The year-over-year increases in the volume of ATIP requests and a renewed focus on requests that are already late impacted the ATIP Division’s capacity to respond within the legislated timelines. ATIP analysts monitor their own work against the 30-day timeline, while managers explained that they focus on managing both on-time and late files to minimize complaints.

Reports are created throughout the year to monitor the performance related to closing ATIP requests. These include reporting on an annual, quarterly, monthly and weekly basis. Additional ad hoc reports are provided to management as needed.

The Agency Performance Summary is a quarterly report that includes information related to timeliness of responses against the legislated 30 days as well as an internal measurement of time it takes to gather and refer information to the ATIP Division. Finally, a monthly ATIP Request Status Report provides trending data from the previous year and compares it with current data. It also provides an overview of requests where the response is late.

The annual reports consist of both the Annual Report to Parliament on the compliance with the Access to Information Act and the Annual Report to Parliament on the compliance with the Privacy Act. These reports are posted on the CBSA’s website and include statistics on the timeliness of the response to the requester and related complaints.

While monitoring of the ATIP process occurs at multiple levels throughout the Agency, and by external Commissioners, the continued increase in ATIP requests as well as the deteriorating timeliness of ATIP responses may require further optimization of the process.

Response to Complaints

Complaints related to ATIP requests are administered by either the Office of the Information Commissioner of Canada (OIC) or the Office of the Privacy Commissioner of Canada (OPC). The complaint process is defined in each of the acts and the ATIP Division includes this information in the ATIP reference manual. The description in the manual describes the process from the perspective of the requester, but could also include a description of how the ATIP Division manages the complaint.

In FY 2014–15, the Agency received 71 ATI complaints and 36 PA complaints. Considering the volume of requests, these rates are low: complaints were received against 1.1% of ATI requests and 0.3% of PA requests [Footnote 13]. Both the OIC and OPC oversee the complaint process and ultimately review and accept each of the Agency’s responses. In 2014–15, 54 ATIA complaints were resolved, 29 of which were determined to be founded. Similarly, for PA, 22 complaints were resolved and 13 were deemed to be founded. The CBSA responded to the complaints with a corrective action when required. In the 10 complaint files reviewed by the audit team where the complaint was deemed to be founded, only one complaint exceeded the OPC timeline.

The ATIP Director reviews each complaint. Depending on the results of the investigation and the nature of the complaint, the observations arising from the investigation may not apply to other case files. In cases where the complaint is deemed well founded and the lessons can be applied to other files, the information is communicated and shared with staff. Some information related to complaints is also presented in the Agency’s Annual Report for ATI and PA.

Given that the complaint process is driven from the OIC and OPC, the risk of not addressing complaints is limited. The rigour surrounding root cause analysis could be improved, if trends related to complaints begin to increase.

During the audit period, the ATIP Division provided regular reporting on its monitoring activities to different management levels of the Agency and had regular oversight by external oversight committees on each response to complaints from ATIP requestors.

Although the Agency has an effective management control framework in place for the ATIP function, as volumes of ATIP requests continue to increase, the ATIP function will be required to continuously optimize the function to meet the legislated response timelines and respect internal process controls.

Recommendation 2:

The Vice-President of the Corporate Affairs Branch should optimize the ATIP function, which could include: determining which key functional positions within the Agency require mandatory ATIP training; establishing a human resources plan; and providing reports that are sufficiently detailed to drive process improvement.

Management Response: The Corporate Affairs Branch agrees with the audit recommendation. Key positions within the Agency that require training will be identified and the ATIP Division’s human resource strategy will be aligned with its business plan. More detailed reports to support optimizing the ATIP function have already been created for internal use.

Completion Date: March 31, 2017

Appendix A – About The Audit

Audit Objectives and Scope

The objective of the audit was to assess the adequacy of the ATIP management control framework: including the management of human resources; business processes; compliance with legislative timelines; and controls that mitigate the risk of disclosing exempted information.

The audit examined: training and tools in place to support Agency staff in processing Access to Information and Privacy (ATIP) requests; controls to manage ATIP requests; and continuous improvement activities related to the ATIP processes.

The audit period covered April 1, 2013 to November 30, 2015 for the ATIP Management Control Framework. The audit period for testing a representative sample of both ATIA and PA requests [Footnote 14] was April 1, 2015 to September 30, 2015, which provides coverage of two fiscal quarters.

Exclusions:

Low risk areas identified in the planning phase are excluded from the audit. These include:

Risk Assessment

A preliminary risk assessment was conducted during the planning phase to identify potential areas of risk and audit priorities; it included interview findings and document reviews. It identified the following key risk areas:

Human resources

Business processes

Compliance

Approach and Methodology

The examination phase of this audit was performed using the following approach:

Audit Criteria

The Audit criteria are aligned with the management control principles from the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Given the preliminary findings from the planning phase, the following criteria were chosen:

Lines of Enquiry and Audit Criteria

1. Control Environment
   1.1. Roles, responsibilities and authorities are defined for the management of ATIP requests.
   1.2. A human resources plan is in place that provides a strategy to support ATIP Division in reaching its objectives.
   1.3. ATIP Employees, ATIP Liaison Officers, and CBSA employees are provided with the necessary training and tools to discharge their responsibilities.

2. Risk Assessment
   2.1. The risks facing the ATIP Division are identified and addressed, with appropriate responses developed and actioned.
   2.2. The potential for fraud is identified and fraud risks are analyzed and responded to.
   2.3. Changes that could significantly impact the system of internal control are identified, assessed and responded to.

3. Control Activities
   3.1. Key controls are in place to achieve objectives and respond to ATIP risks.
   3.2. ATIP requests are processed within legislated timelines and CBSA service standards.

4. Information and Communication
   4.1 Accurate performance information is gathered and communicated internally and externally.

5. Monitoring Activities
   5.1 Monitoring activities are undertaken and deficiencies are corrected on a timely basis to support continuous improvement.

Appendix B – List of Acronyms

APCM – AccessPro Case Management
ATIA – Access to Information Act
ATIP – Access to Information and Privacy
CBSA – Canada Border Services Agency
COSO – Committee of Sponsoring Organizations of the Treadway Commission
CSPS – Canada School of Public Service
FY – Fiscal Year
HR – Human Resources
IAD – Internal Audit Directorate
LOs – ATIP Liaison Officers
OPI – Office of Primary Interest
OIC – Office of the Information Commissioner of Canada
OPC – Office of the Privacy Commissioner of Canada
PA – Privacy Act
RFP – Request for Proposal