Observations and Recommendations
The CPO, who is responsible for liaison with the Office of the Privacy Commissioner, will monitor and report on overall Agency compliance with the Privacy Act by reporting to the Agency's senior management on the state of privacy management in the CRA at least twice each fiscal year.
Employees understand their duty to protect taxpayer information
13. Compliance with the requirements and spirit of the Privacy Act depends largely on how well its requirements are understood by officials handling personal information in their employment duties. Employees must be educated on departmental privacy policies, procedures and guidelines, and should possess a clear understanding of their roles and responsibilities to protect clients' personal information.
14. We therefore expected to find that the CRA would have training and awareness measures in place to ensure that its employees fully understand their responsibilities to properly manage and protect taxpayers' information. We reviewed privacy, security and values and ethics training materials and other information resources available to employees on the Agency's intranet site. We also interviewed employees, and received briefings from officials responsible for coordinating privacy and security awareness training initiatives.
15. With close to 26,000 employees accessing taxpayer information on a daily basis, delivering ongoing privacy and information security training is a major task, and it is for that reason that the CRA makes use of both formal and informal means to reach its employees.
16. We found that the CRA has invested considerable time and resources to develop comprehensive privacy and information security training plans. Privacy training involves face-to-face sessions and other awareness activities delivered through the Agency intranet, e-mail or meetings with employees. More than 5,600 CRA employees and managers have received direct privacy training since 2010. The Agency continues to make significant efforts to maintain and enhance privacy awareness.
17. Our interviews with CRA managers and supervisors confirmed that they had received privacy and security awareness training. These middle managers supervise large numbers of front-line employees. We also found that these officials had a sound understanding of their responsibility to ensure that they and their employees respect and safeguard personal information at all times.
Tools have been developed to assess privacy risks
18. Under the Treasury Board Policy Framework for Management Risks, Deputy Heads are responsible for managing their organization's risks by leading the implementation of effective risk management practices—both formal and informal.
19. Organizations use a range of tools to evaluate and manage privacy risks, including corporate risk assessments, internal audits, threat and risk assessments and privacy impact assessments. We expected that the Agency—depending on the circumstances—would use one or more of these tools to assess, limit and mitigate risks related to the management and protection of taxpayer information.
