Audit of the Canada Revenue Agency - page 9

Observations and Recommendations
1. Our audit observations and recommendations
are organized in four categories:
• privacy management and accountability;
• information technology security
and governance;
• employee access and monitoring; and
• privacy breaches.
2. To meet the obligations of the
Privacy Act
, an
organization must establish accountability for
its compliance with the law. Our past audits of
government institutions have shown that when
accountability is not clearly defined, gaps exist in
the coordination and implementation of privacy
related responsibilities. Those accountability
gaps can place personal information at risk.
3. The Minister of National Revenue is accountable
for the CRA’s administration of the
Privacy Act
and its compliance with Treasury Board’s (TB)
policy instruments. As the CRA’s chief executive
officer, the Commissioner is responsible for the
day-to-day administration of the program legisla-
tion that falls under the Minister’s delegated
authority and for overall compliance with the
Privacy Act
4. The Access to Information and Privacy (ATIP)
Director is responsible for much of the delivery
of the Agency’s multifaceted privacy program.
The ATIP directorate responds to privacy
requests and complaints; develops policies,
procedures and training materials; reviews and
provides advice on privacy impact assessments;
and analyzes privacy breaches. The Director also
chairs the ATIP Oversight Review Committee,
which is a forum for branch directors to discuss
and resolve privacy and access to information
issues. The Director reports to the Assistant
Commissioner Public Affairs who sits on the
Agency Management Committee.
5. In recent years, the CRA has developed a
comprehensive suite of privacy policies and
related documents, including its Privacy Policy,
Privacy Practices Directive, Procedures for
Privacy Assessments, Privacy Breach Protocol,
and Discipline Policy among others. Overall, the
Agency’s privacy management and accountability
framework has a number of good features to ensure
the protection of taxpayers’ personal information.
Privacy Accountability needs to be defined
6. Considering the large volume and high sensitivity
of taxpayer information held by the Agency, we
expected to find that the CRA would have estab-
lished strong privacy leadership under the position
of a CPO to advance and monitor the CRA’s
privacy program and ensure compliance with the
Privacy Act
7. Many organizations in the public and private
sectors have come to realize that strong privacy
leadership at the top for the protection of clients’
personal information is essential to maintaining
their trust and goodwill. Client confidence is also
a prerequisite for an organization to carry out its
mandate and deliver its programs and services in
an effective and efficient manner.
Observations and Recommendations
1,2,3,4,5,6,7,8 10,11,12,13,14,15,16,17,18,19,...32
Powered by FlippingBook