Audit of Access to Information and Privacy (AU1422)

TABLE OF CONTENTS

EXECUTIVE SUMMARY

INTRODUCTION

The Access to Information (ATI) Act came into force in July 1983. Based on principles of transparency, the ATI Act provides the legal framework for accessing the information in records under the control of government institutions. It ensures that government information is made available to the public and that necessary exceptions to the right of access for such information should be limited and specific. The ATI Act provides this right of access to government information to every Canadian citizen, permanent resident, and any other person or corporation present in Canada.

The Privacy Act, which also came into force in July 1983, governs the federal government’s collection, retention, use, protection, disclosure and disposition of personal information. The Privacy Act also provides individuals the right to access their own personal information.

Within the Department, the Access to Information and Privacy (ATIP) Secretariat is mandated to implement and administer the Access to Information Act and the Privacy Act and to ensure that legislative and central agency policies and procedures are met. As part of their responsibilities, the ATIP Secretariat provides advice to departmental officials on the operation of the Acts; promotes awareness of the Acts and the responsibilities of the Department, and provides other guidance and training, as required, to ensure ATIP requests are processed appropriately and within the legislated time frames. The Department’s Sectors also play an important role in the ATIP process by working closely with the ATIP Secretariat in a shared responsibility to retrieve the information required to respond to requests in accordance with the legislated requirements of the Acts as well as policies and procedures.

The Audit of Access to Information and Privacy was approved by the Deputy Minister as part of the Risk-Based Audit Plan for 2014-15.

The objective of this audit is to provide reasonable assurance on the effectiveness and efficiency of the management framework related to the ATIP function.

STRENGTHS

The ATIP Secretariat has a strong governance framework in place to support the ATIP function. A Director General Level committee exists to support the monitoring of access to information (ATI) requests, privacy matters^Footnote1 and complaints and to intervene as required to ensure on-time processing and release of requests. Senior management is provided with weekly briefings on the status of ATI requests through its Operations Committee which provides an effective oversight mechanism. In fiscal years 2012-13 and 2013-14 the ATIP Secretariat had a deemed refusal ^Footnote2 rate of 3.49% and 2.04%, respectively; considerably lower than the government wide average deemed refusal rate of 10.67% in 2012-13. In addition, the ATIP Secretariat effectively communicates with external stakeholders to provide information related to the ATIP process, as well as previously released requests on the Department’s internet site.

AREAS FOR IMPROVEMENT

The audit identified opportunities for improvement in the following areas:

• Providing additional training to departmental personnel with particular emphasis on communicating the importance of timeliness and completeness during the document retrieval process;
• Improving internal ATIP communication to Sector Liaison Officers and other department staff involved in the process; and
• Improving efficiency of business processes by leveraging the search and retrieval capabilities of the soon to be adopted IM system as well as exploring available technological solutions to eliminate the need to print large volumes of documents when processing certain requests.

INTERNAL AUDIT CONCLUSION AND OPINION

In my opinion, overall NRCan has an effective management control framework supporting the ATIP function. Opportunities for improvement were identified related to training and communication; as well as further improving the efficiency of business processes.

STATEMENT OF CONFORMANCE

In my professional judgement as Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive

ACKNOWLEDGEMENTS

The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.

INTRODUCTION

The Access to Information (ATI) Act came into force in July 1983. The ATI Act provides the legal framework for accessing the information in records under the control of government institutions in accordance with the principles of transparency that government information should be available to the public and that necessary exceptions to the right of access should be limited and specific. The ATI Act provides this right of access to every Canadian citizen, permanent resident, and any other person or corporation present in Canada.

The Privacy Act, which also came into force in July 1983, governs the federal government’s collection, retention, use, protection, disclosure and disposition of personal information. The Privacy Act also provides individuals the right to access their own personal information.

The Minister of Natural Resources, as the head under the Access to Information and Privacy Acts, is responsible for the administration of the Acts within the Department of Natural Resources Canada (the Department). Within this context, the ATIP Secretariat, within the Portfolio Management and Corporate Secretariat Branch, is mandated to implement and administer the Access to Information Act and the Privacy Act and to ensure that legislative and central agency policies and procedures are met. As part of the management structure, senior executives within the sectors have a shared responsibility of ensuring that requests are processed in accordance with the legislated requirements of the Acts as well as related policies and procedures.

The ATIP Secretariat has the responsibility to advise departmental officials on the operation of the Acts and to ensure that requests made under the Acts are processed within the legislated time frames. Also, the Secretariat is required to promote awareness of the Acts to ensure departmental responsiveness to the obligations imposed on government institutions as well as inform employees on the implications of the Acts and on departmental policies and procedures with respect to the Acts.

The Department receives hundreds of ATI requests on an annual basis. During the 2013-14 fiscal year, for example, the Department received 689 new requests under the Access to Information Act, in addition to carrying forward 190 requests from the previous fiscal year. The volume of requests received by NRCan over the past six years has nearly doubled. With that said, of the 685 requests closed during 2013-14, only 14 went past the statutory deadline, which represents a deemed refusal rate of 2.04%. This is an improvement from the previous fiscal year of 2012-13 when the department had a deemed refusal rate of 3.49%. In contrast, the overall deemed refusal rate for the Government of Canada in 2012-13 was 10.67%. During the same period the Department received 44 requests for access to personal information under the Privacy Act and carried forward one request from the previous fiscal year. Of the requests received 41 were completed in the same fiscal year and four requests were carried over to the next fiscal year. This represents an increase over the previous year 2012-13 in which the Department received 13 privacy requests, carried forward two requests from the prior year and completed 14 requests within the year.

For fiscal 2013-14 the ATIP secretariat had 11.5 full-time employees in support of ATI and one full-time employee to support Privacy. The ATIP secretariat also engages the services of consultants, students and casual employees, as needed, to ensure that its deliverables are met.

AUDIT PURPOSE AND OBJECTIVES

The objective of the audit was to provide assurance on the effectiveness and efficiency of the management framework related to the ATIP function. Specifically, the audit assessed the extent to which:

• The governance framework adequately supports the ATIP function;
• Information related to the ATIP process is effectively communicated; and
• Access requests are effectively processed within the department in a timely manner.

AUDIT CONSIDERATIONS

The 2013-2016 Risk-Based Audit Plan (RBAP) identified the management and administration of the Access to Information and Privacy process at NRCan as a “High Audit Priority.”

A risk-based approach was used in establishing the objectives, scope, approach and criteria for this audit engagement. A summary of the key underlying risks that were taken into consideration are as follows:

• NRCan’s governance, communications, risk management  and stewardship processes relating to the management and administration of the Access to Information and Privacy Acts including processing of access requests may not be adequate or effective;
• Key business processes for the management and administration of the ATIP function may not be in compliance with  Departmental and Treasury Board policies, standards and procedures; and
• Resources and capacity may not be effectively aligned to meet the deliverables of the ATIP process.

SCOPE

The scope of this audit covered major aspects of the ATIP Process’ management control framework.

The audit included activities under the Department’s responsibility that are related to access to information and privacy from April 1, 2013 to the end of April 2014.

The audit included a review of the governance and processes in place for the management of privacy requests; however, due to the limited number of requests received by NRCan the testing component of the audit focused exclusively on ATI requests.

Since oversight regarding compliance with the Acts is exercised by the Office of Information Commissioner and the Office of the Privacy Commissioner, the Audit focused primarily on the processes in place within the Department to respond to requests.

Since corporate information management is managed separately from the ATIP Secretariat and the ATIP process, the scope of audit was limited to IM practices that have a direct impact on the processing of ATIP requests.

APPROACH AND METHODOLOGY

The audit methodology was based on the Treasury Board Policy on Internal Audit and Government of Canada Internal Audit Standards and included:

• Conducting interviews with key personnel with respect to the management of ATIP and related activities.
• Reviewing applicable TB and departmental policy instruments and procedures for the management and administration of the ATIP function.
• Reviewing a judgemental sample of ATI requests to determine if they meet internal timelines, and identify efficiencies in the process wherever possible.
• Consultation with an ATIP knowledge expert on accepted best practices.

CRITERIA

Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.

FINDINGS AND RECOMMENDATIONS

GOVERNANCE AND GUIDANCE

Summary Finding

Overall the audit identified that the ATIP Secretariat has a strong governance framework in place. Oversight of the ATIP function is conducted through the weekly status reviews of ongoing files exercised by a Director General Level Committee and the Senior Management Operations Committee. In addition, various training and resources are made available to all Department staff; however, the audit noted an opportunity to provide additional training, with particular emphasis on communicating the importance of timeliness and completeness during the document retrieval process.

Supporting Observations

Delegated Authority

The Minister of Natural Resources, as the head under the Access to Information and Privacy Acts, is responsible for the administration of the Acts within the Department. The Director, Access to Information and Privacy (ATIP) Secretariat, has been delegated the authority by the Minister to exercise, within the Department of Natural Resources, powers, duties and functions conferred upon the head of the institution under the Acts and has overall operational responsibility for the administration of the Acts. This delegation structure was identified by the Treasury Board Secretariat as a best practice in contributing to a sound governance framework for ATIP functions.^Footnote3

Training, Tools and Resources Available for the Department

In 2013-14 the ATIP Secretariat provided 11 ATIP awareness sessions across the department. The ATIP Secretariat also collaborated with the Information Management Branch to make ATIP virtual classroom sessions available to the Department. Department employees could sign up for one of the monthly sessions through the Department’s intranet site.

Furthermore, each of the Department’s Sectors has formally appointed a Sector Liaison Officer (SLO) to address ATIP requests related to their respective Sectors. The SLO’s role is to act as a liaison between the ATIP Secretariat and their Sector in responding to ATIP requests and the main point of contact to address questions and/or follow-up with the ATIP Secretariat, as required. The SLO coordinate responses from their Sector to the ATIP Secretariat. These functions are often conducted at the working level and may be added to an employee’s existing roles and responsibilities, depending on the ATIP needs of their Sector.

The audit identified a need for additional training for Sector staff that are tasked with responding to ATIP requests and therefore directly involved in the process. It was generally noted through interviews that these individuals may not have a strong understanding of the ATIP process, which can sometimes result in delays in responding to requests. Some Sector Liaison Officers had taken the initiative to either request training from the ATIP Secretariat and/or directly provide training to staff in their respective Sectors.

The audit also noted that in some instances Sector staff had indicated to the ATIP Secretariat that they had provided a complete package of the requested information, only to identify later in the process the existence of additional information relevant to the request. These circumstances led to challenges in preparing the final response package for the requestor within the legislated timelines for these specific files.

Regarding the Sector Liaison Officers themselves, the audit found that many had been in their roles for extended periods (5 years or more). Through interviews, the audit team was advised that, in general, officers believed they had a sufficient knowledge of the process and common exemptions. This point of view was corroborated by interviews with ATIP Secretariat staff. The audit also found; however, that there is no formal training program for Sector Liaison officers and most indicated that they would welcome the opportunity to receive additional training since they had not received any formal training within the past five years.

Training, Tools and Resources Available to the ATIP Secretariat

All ATIP processes and documents are available to officers within the ATIP Secretariat on a shared network drive entitled ‘Procedures and Tools’. ATIP officers are also supported in their roles through weekly meetings to discuss the files processed during the week, as well as incoming files. Officers are also supported in their work through redaction software; key decisions and communication/documents are all tracked in the redaction software.

There is currently no ATIP professional development program in place; however, plans are underway to create one. ATIP officers are encouraged to pursue learning and development opportunities available externally such as university programs, TBS ATIP training and Canada School of Public Service courses.

Risk-based Planning and Monitoring Tools

As part of the management structure, senior executives within the sectors are held accountable for ensuring that requests are processed in accordance with the legislated requirements. A Director General Committee, with representatives from all of the Department’s Sectors, meets weekly to review the status of requests and complaints. The committee reviews all new and active ATI requests and privacy matters^Footnote4 to ensure effective oversight and frequent communication is in place so that sensitive files are highlighted, as required, for senior management’s attention. Within this context, issues relating to specific files may be raised by any of the members of the committee, and subsequently resolved and/or actioned, as necessary. The results of the Director General Committee meetings are included as a regular standing item for the weekly ADM level Operations Committee meetings, which is chaired by the Deputy Minister.

In addition, responsibilities of executives related to responding to ATIP requests in a timely manner have been incorporated in the Department’s performance agreement guidance, which the audit notes as a good practice. Specifically, executives are required to ensure that a minimum of 95% of retrievals are returned to the ATIP unit within 5 working days, with a signed “Statement of Completeness”.

RISK AND IMPACT

The ATIP Secretariat is highly dependent on Department staff to provide requested documentation and recommendations. General training and awareness of these responsibilities will support complete and timely responses to ATIP requests in order to meet legislated timelines. As such, if sufficient training is not made readily available for staff, it potentially exposes the Department to risks that may reduce its ability to respond to ATIP requests in a timely and effective manner.

RECOMMENDATIONS

1. Director General–Portfolio Management and Corporate Secretariat Branch should ensure that appropriate information related to Access to Information and Privacy (ATIP) is communicated to department staff by:

1. offering more in-depth training opportunities to Sector Liaison Officers, as well as staff regularly involved in the retrieval process with particular attention to timeliness and completeness of the document retrieval process; and
2. exploring opportunities to leverage existing departmental training sessions to further provide general ATIP training to the Department.

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees.

In response to recommendation 1a., the ATIP Secretariat is taking additional steps to support both ATIP Liaisons as well as staff that are involved in the ATIP retrieval process. During the current fiscal year, the Secretariat will ensure all ATIP Liaisons will receive appropriate training as required. Since June 2014, the ATIP Coordinator has held regular bi-weekly meetings with ATIP Liaisons to discuss various questions and issues of concern with respect the ATIP process. The ATIP Deputy Director has also held regular weekly meetings with key sector officials to better communicate and update them on key files and processes. The ATIP Secretariat will continue to work with its ATIP Liaisons to identify staff and divisions that could most benefit from in-depth ATIP training, and deliver targeted training and awareness material to program officials.

In response to recommendation 1b., the ATIP Secretariat will continue to work with the Information Management Division to identify opportunities to include ATIP training. The ATIP Secretariat will also branch out to other related areas in the department that deliver mandatory training (i.e. security) to discuss opportunities to include ATIP awareness. In addition, the ATIP Secretariat will develop and expand existing training materials (i.e. decks, manuals, etc.) as well as continue to improve its Wiki space to provide relevant reference material and guides to promote a better understanding of the Acts and facilitate the NRCan ATIP process.

Position responsible: Coordinator, Access to Information and Privacy Secretariat

Timing: ATIP will re-launch awareness sessions over the Fall of 2014 through to March 2015 and will continue to review and enhance its training program over 2015-16, including providing more in-depth guidance through its wiki page.

INTERNAL AND EXTERNAL COMMUNICATION

Summary Finding

The audit identified that information related to the ATIP process and results are effectively communicated to external stakeholders such as requestors, the Offices of the Information Commissioner and Privacy Commissioner, and Parliamentarians. There is an opportunity to improve the internal communication to Sector Liaison officers, and other department staff involved in the process.

Supporting Observations

Roles and Responsibilities

Clear roles and responsibilities of those involved in the ATIP process is essential towards ensuring that ATIP requests are responded to in an effective and timely manner. In meeting its need to document the roles and responsibilities, a summary is posted on the Department’s intranet. Two key roles within this process are the Sector Liaison Officers and the ATIP Secretariat staff, respectively.

Within this context, each sector is assigned a Sector Liaison Officer (SLO) that acts as a liaison between the ATIP Secretariat and the Sector in responding to ATIP requests. The SLO’s role is to act as a liaison between the ATIP Secretariat and their Sector in responding to ATIP requests and acts as the main point of contact with the ATIP Secretariat’s analysts to address any questions and/or follow-up, as required. The SLO coordinates the responses from the Sector to the ATIP Secretariat. This is a key function within the ATIP process which supports the retrieval of information for ATIP requests within the Sectors.

ATIP Secretariat staff is responsible for applying exemptions and exclusions specified in the Acts, for assisting sectors in formulating recommendations on the disclosure of information, advising on the collection, use and disclosure of personal information, responding to the requestor, and determining the need to consult internally or externally. In order to meet the need to clearly document and identify the roles and responsibilities of all Department staff regarding the ATIP process, a summary is provided on the Department’s intranet website. Regarding the roles and responsibilities of ATIP Secretariat staff, they are defined in their job descriptions. It should also be noted that NRCan is currently taking part in a government-wide project to develop generic job descriptions for ATIP officers, whose roles are generally similar across all departments.

Requestor Relations

In April 2014 NRCan joined other federal departments in the implementation of the pan-government pilot for ATIP Buy On-Line. Requestors can now use the ATIP Online Request Portal for a faster, easier and more convenient way to submit access to information or privacy requests.

There are essentially two types of requests that can be made under the Access to Information Act and the Privacy Act respectively: 1) Access to Information Requests for requesting information that is not of a personal nature and, 2) Personal Information Requests for requesting information of a personal nature. Access to Information requests may be made either formally or informally. A formal request is a request made under the Act in writing to the government institution that controls the record. An informal request is a request for records which does not invoke the right of access provided by the Act; specifically there are no formal time constraints, fees or opportunities for independent review of decisions for these types of requests.

Requestors may file a complaint with the Office of the Information Commissioner of Canada (OIC) or the Office of the Privacy Commissioner of Canada (OPC) if they are not satisfied with the Department’s processing of a formal request under the Access to Information Act or the Privacy Act respectively. The process for filing a complaint is posted on the Department’s website. 

There were 35 new complaints received by NRCan during 2013-14 under the ATI versus 21 in fiscal 2012-13. The majority of these complaints were administrative in nature with regards to delays in responding to requests and time extensions taken. NRCan received one complaint under the Privacy Act in 2013-14 versus nil in fiscal 2012-13. File reviews indicated that the ATIP office is generally prompt in its responses to both requestors and OIC and OPC investigations of complaints. In all files reviewed it was noted that ATIP Secretariat demonstrated its “duty to assist”^Footnote5.

Communication to External Stakeholders

In addition to requestors, other ‘external stakeholders’ include the Office of the Information Commissioner, the Office of the Privacy Commissioner and the Treasury Board Secretariat. The Department reports to all three of these organizations on a regular basis. The audit found that the ATIP Division complied with annual reporting requirements to Parliament and reporting requirements to the Treasury Board of Canada Secretariat. For example, as required by TBS, summaries of completed ATI requests are posted on the Department’s Internet site on a monthly basis, and reports to Parliament on the administration of both acts are prepared and submitted annually.

Communication to Internal Stakeholders

The Department’s intranet site provides staff with general information about the ATIP process, guidelines and procedures. However, at the time of the audit some information on the ATIP web page was incomplete and some of the content had not been updated. For instance the link to the ATIP Handbook which describes the procedures to be followed for the processing of requests was not available on the ATIP wiki page and awareness of its existence among staff was limited. There was also no information about the ATIP virtual classroom training sessions offered by the ATIP Secretariat.

Interviews with Sector Liaison officers indicated that communication and collaboration with the ATIP Secretariat was generally satisfactory however there is room for this to be strengthened. Sector Liaison officers indicated that they were not always notified of the status of requests, such as when files were put on or taken off of “hold”. Sectors indicated that they were previously provided with more detailed information on regular status of requests and new developments and also through periodic meetings with the ATIP Secretariat. Part of the challenge in generating more detailed updates for Sectors is to produce the reports in such a way as to minimize the level of effort required. The ATIP Secretariat informed the audit team that they are currently exploring the feasibility of a solution that will allow for communicating more detailed information on status updates to Sectors with minimal impact on time and resources required.

Reporting to Oversight Bodies

Weekly reports are prepared and provided to the DG Committee, as previously mentioned in the report.  In addition, NRCan, along with all departments, is required to submit its Annual Report on Access to Information Act (ATIA) to Parliament which includes detailed statistical information on the activities of NRCan’s ATIP function. The report also serves to inform the senior departmental officials, including personnel within the Minister’s office of the administration, of the ATIA within NRCan.

MANAGEMENT INITIATIVE

Management is currently exploring various software solutions that would allow them to develop customized reports that would provide more detailed information without increasing the administrative burden on ATIP Secretariat staff.

RISK AND IMPACT

The ATIP Secretariat and department staff working on ATIP requests are highly dependent on each other to process requests. Internal communication is important to ensuring that all involved parties are aware of the internal processes and timelines to be followed in order to meet legislated timelines and focus efforts more efficiently.

RECOMMENDATIONS

2. Director General-Portfolio Management and Corporate Secretariat Branch should review current processes for sharing of information between the Access to Information and Privacy (ATIP) Secretariat and Department staff in order to:

1. ensure relevant information such as changes in the status of requests (i.e. requests placed on hold or extended) or changes in ability to meet established timelines for collection of information are regularly communicated between Sector Liaison Officers and ATIP Secretariat to allow both groups to more effectively carry-out their collective responsibilities in responding to requests; and
2. Restore availability of information on the Departmental intranet site for ATIP, including processes, guidelines and procedures.

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees.

In response to recommendation 2a., the ATIP Secretariat now provides weekly written reports indicating the status of all closed, pending and active access to information requests. In order to enhance its communications with sectors, the ATIP Secretariat has acquired access to a technical solution that will facilitate the timely production of detailed and customized reports and to communicate relevant information in a timely manner, including sector performance information. The ATIP Secretariat has also streamlined the retrieval process to allow ATIP Liaisons to more effectively carry-out their responsibilities when responding to requests at the retrieval stage.  

In response to recommendation 2b., the ATIP Secretariat has been actively working on its intranet and wiki site as part of the broader Intranet Renewal Project. For example, the ATIP Secretariat has been archiving and taking down old content as part of the departmental Removal of Content (ROT) exercise. It will also develop and post practical tools and guides to promote a better understanding of the Acts and facilitate the NRCan ATIP process.

Position responsible: Coordinator, Access to Information and Privacy Secretariat

Timing: Fall 2014 through to March 31, 2015

BUSINESS PROCESSES

Summary Finding

The audit determined that access requests are effectively processed within the department in a timely manner, following a prescribed set of procedures that are generally understood. The DG Tracker was noted as a useful tool for monitoring new and active requests at the senior level. There is an opportunity to further improve efficiency by leveraging the search and retrieval capabilities of the soon to be adopted GCDOCS IM system as well as exploring available technological solutions to eliminate the need to print large volumes of documents when processing certain requests.

Supporting Observations

Guidelines and Procedures

The ATIP Secretariat has developed a set of procedures and guidelines that are maintained on a shared drive available to ATIP Secretariat staff. An ATIP Handbook used to be accessible to all staff on the Department’s intranet site which outlined the process for responding to ATI and Privacy requests. During the course of this audit the handbook was removed from the intranet site and we were advised that this document is in process of being updated. (Refer to Recommendation #2b.)

Inherent to the Access to Information process is the risk that information retrieved may be incomplete or inaccurate. Several best practices have been implemented at NRCan to attempt to mitigate this risk. One of these best practices is the establishment of a Director General Committee that meets weekly to review the status of requests and complaints. Director Generals also sign off on the ‘Statement of Completeness’ document that Sectors return to the ATIP Secretariat with retrieved documents. However, the audit noted that the Department does not currently have a comprehensive Information Management System. This has resulted in a search and retrieval process that is heavily reliant on corporate knowledge of staff, as well as time consuming searches of numerous personal and shared network drives where documents are stored. It should be noted that the Department is currently in the process of implementing GCDOCS as a comprehensive IM solution, which may improve the efficiency of the search and retrieval process for ATIP requests.

During review of sampled retrieval request files the audit also observed that current processes require the printing of large volumes of digitally generated documents that are then scanned into case management software. Staff involved in the process expressed concern about the limitations of the current case management software that requires the printing of digital documents that are subsequently scanned back into a digital format.

Monitoring Mechanisms

As previously mentioned, given that senior executives within the sectors have a shared responsibility of ensuring that compliance with the legislation is met, a Director General Committee, with representatives from all of the Department’s Sectors, meets weekly to review the status of requests and complaints. The Director General Committee meetings provide an opportunity to engage Director Generals early in the process and to identify whether other sectors should be involved in new requests. The DG tracker is a critical monitoring mechanism to track outstanding ATI requests. This weekly report provides relevant information such as request status and legislated dates to respond, enabling management to track and monitor progress. In addition, the audit found that some Sector Liaison Officers have also developed their own monitoring systems to address specific needs within their sectors, enabling them to track the status of requests within their respective Sector.

Protection of Sensitive Information

The ATIP Secretariat has implemented appropriate controls and mechanisms to safeguard sensitive information. Documents received by the ATIP Secretariat can include information that is subject to exemptions and exclusions under the ATI and Privacy Acts which must be safeguarded. Standard departmental policies as well as ATIP specific handling processes are formally documented. The redaction software used to record ATIP requests is also segregated on a standalone network and the office is physically separated from the rest of the floor by a monitored access door.

RISK AND IMPACT

The creation of large volumes of redundant paper files, as well as printing and scanning of documents increases the administrative burden on ATIP Secretariat staff, resulting in inefficiency and further increasing existing pressure to meet legislated deadlines. Lack of a comprehensive IM system may also result in inefficiencies related to the search and retrieval of documents to fulfil ATIP requests.

RECOMMENDATIONS

3. Director General-Portfolio Management and Corporate Secretariat Branch, should explore the feasibility of technological solutions to enhance the business processes related to the Access to Information and Privacy (ATIP) function by:

1. Identifying the full potential of leveraging the search capabilities of GCDOCS to achieve efficiencies; and
2. Implementing a technological solution to reduce the redundancy of paper files and related administrative burden on staff.

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees.

In response to recommendation 3a., NRCan ATIP has been examining the process and challenges related to moving toward an electronic ATIP process. It has already consulted with another department who has adopted an electronic process and will reach out to other departments who have already transitioned to GCDOCS for additional lessons learned. The ATIP Secretariat will also continue to work with the GCDOCS Implementation Team to ensure that we take full advantage of examining efficiencies.

In response to recommendation 3b., the ATIP Secretariat has had a representative actively participating in the GCDOCS IM Working Group since its inception in October 2012 to ensure that the requirements related to the ATIP process are being met in the basic structure and implementation of GCDOCS. The ATIP Secretariat will continue to work with the IM Division on developing business processes that can be integrated with GCDOCS. The focus will be on identifying efficiencies to leverage the capabilities of GCDOCS to streamline the process at the retrieval stage. The ATIP Secretariat is also piloting a technical solution that will assist in importing electronic documents directly to its case management system. It is expected that this will reduce paper-based processes.

Position responsible: Coordinator, Access to Information and Privacy Secretariat

Timing: March 2015

APPENDIX A – AUDIT CRITERIA

The audit criteria were derived from widely recognized control models (e.g. Management Accountability Framework, CICA Criteria of Control – CoCo) and relevant policies, acts and legislation. Actual performance was assessed against the audit criteria resulting in either a positive finding or the identification of an area of improvement.

The objective of the audit was to provide reasonable assurance on the effectiveness and efficiency of the management framework related to the ATIP function.

The following audit criteria were used to conduct the audit:

Audit Sub-Objectives	Audit Criteria
Sub-Objective 1: The governance framework adequately supports the ATIP function.	1.1 Proper authority has been delegated and applied during the Access to Information and Privacy process to support a sound governance framework.
	1.2 ATIP Division provides departmental personnel with the necessary training, tools, resources and information to support their role in the application of the Acts.
	1.3 ATIP Division personnel have access to appropriate tools and training on the Acts.
	1.4 ATIP Division has in place risk-based planning tools, operational plans and procedures to assist in achieving its strategic objectives.
Sub-Objective 2: Information related to ATIP is effectively communicated.	2.1 Roles and responsibilities involved in the ATIP process have been clearly communicated to all Departmental personnel.
	2.2 Requestor complaints or concerns are addressed and changes to the Access to Information and Privacy processes are accurately and adequately communicated to Departmental personnel and external stakeholders.
	2.3 Information in regards to the Access to Information and Privacy Processes are accurately and adequately communicated to Departmental personnel and external stakeholders.
	2.4 Reports prepared for management and oversight bodies such as the Office of the Information Commissioner, Office of the Privacy Commissioner, Annual Report to Parliament, TBS are appropriate.
Sub-Objective 3: Access requests are appropriately processed.	3.1 ATIP Division has appropriate guidelines and procedures in place and implemented for the processing of access to information and privacy requests.
	3.2 ATIP Division has in place a mechanism to monitor requests ensuring internal processing in a timely manner.
	3.3 ATIP Division has in place appropriate controls and mechanisms to safeguard sensitive information.