Audit of the Canada Revenue Agency - page 10

AUDIT REPORT OF THE PRIVACY COMMISSIONER OF CANADA,
2013
8
CANADA REVENUE AGENCY
8. The appointment of a CPO by a federal government
institution is not a requirement of the
Privacy
Act
, nor is the role defined by Treasury Board
policies
1
. Nevertheless, the appointment of such
a senior privacy official has become increasingly
a norm among many large organizations that
manage extensive holdings of sensitive personal
information. A CPO, appointed at the executive
level of the organization, is responsible for
overall strategic privacy direction and compli-
ance of an organization.
9. The CPO is also responsible for ensuring that
privacy impact assessments are conducted for
new programs involving personal information. To
fulfill these overlapping roles, the CPO is usually a
member of the organization’s senior management
committee, where the CPO can speak authorita-
tively to colleagues on privacy matters; ensure that
issues are understood; and solicit management
support for organization-wide measures to reduce
or mitigate privacy risks.
10. In 2009, the Agency committed to the naming
of a Chief Privacy Officer and defining their role.
Over the following three years, the Agency drafted
a framework for the appointment of a CPO.
However, the framework was not approved or
implemented so no CPO was named over that
period of time. Therefore, until quite recently
the Agency did not have a privacy champion at
its executive levels to promote the protection
of personal information across the organization.
Nevertheless, from 2009 to 2013, ATIP developed
a number of key privacy policies and procedures
and delivered diverse training initiatives.
11. On April 3, 2013, the CRA Commissioner notified
Agency staff that a CPO had been appointed at the
Assistant Commissioner level to ensure compli-
ance with the
Privacy Act
, and to carry out other
management, educational, risk assessment and
reporting roles. This appointment was an impor-
tant step in strengthening the Agency’s privacy
management regime. However, for the full benefit
of the appointment of the CPO to be felt across
the organization; the extent of the mandate, role
and core activities of the official appointed needs
to be formalized and defined more fully.
The Canada Revenue Agency should define
fully the role of the Chief Privacy Officer and
monitor the implementation of the CPO
mandate in terms of employee privacy
awareness, privacy risk reduction and overall
Agency compliance with the
Privacy Act
.
12. RECOMMENDATION
Agency’s response:
As noted in the report, the appointment of
a Chief Privacy Officer (CPO) by a federal
government institution is not a requirement
of the
Privacy Act
, and the role is not defined
by Treasury Board policies.
Nonetheless, the Canada Revenue Agency (CRA)
agrees with this recommendation, and appointed
a CPO to oversee privacy management in the
Agency in April 2013. The CPO is a member
of the Agency Management Committee (AMC)
and has a broad mandate for privacy oversight
in the Agency, including:
overseeing decisions related to privacy,
including privacy impact assessments;
championing personal privacy rights in
accordance with legislation and policy,
including management of internal privacy
breaches—a shared responsibility with
Security; and
overseeing privacy awareness within the
Agency through fulfillment of diverse
communications and training activities.
1
Our Office has issued guidance to organizations about how to define the role of a CPO to meet their particular needs
(
Getting Accountability Right with a Privacy Management Framework
2012). While this document was intended for
organizations subject to private sector privacy legislation, public sector institutions may also find it helpful.
1,2,3,4,5,6,7,8,9 11,12,13,14,15,16,17,18,19,20,...32
Powered by FlippingBook