Audit of Responding to Inquiries

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Office of the Privacy Commissioner of Canada

March 2011


1. Executive Summary

1.1 Background and Context

The Office of the Privacy Commissioner of Canada (OPC) is an Agent of Parliament mandated to oversee compliance with both the Privacy Act (PA), which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As outlined in the OPC’s 2010-2011 Report on Plans and Priorities (RPP), OPC’s strategic outcome is to ensure that the privacy rights of individuals are protected. As an advocate for the privacy rights of Canadians, the Privacy Commissioner’s powers include:

  • Investigating complaints, conducting audits and pursuing court action under the two federal laws identified above;
  • Publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • Supporting, undertaking and publishing research into privacy issues; and,
  • Promoting public awareness and understanding of privacy issues.

The Investigations and Inquiries (I&I) Branch manages the inquiries process and investigates complaints received from individuals under Section 29 of the PA, primarily regarding allegations of mismanagement of personal information or problems with obtaining access to one’s own personal information. In addition, the Branch investigates incidents, which typically relate to the unauthorized disclosure of personal information.

The I&I Branch has been subject to several significant changes in the last two years, including a new organizational structure and changes to business processes. This includes a new Complaints Registrar position which supervises the inquiries function and reviews all complaints before they are sent to either a formal investigation or for the new early resolution (ER) process, which is intended to streamline the investigation process and assist the resolution of complaints at the inquiry stage. Although the I&I Branch remains responsible for all inquiries, investigations of complaints received from individuals under Section 11 of PIPEDA are now conducted by a separate PIPEDA unit. A new case management system (Ci2) has also been developed and implemented within the OPC and is used to manage inquiry and investigation files.

The OPC received over 10,000 inquiries for fiscal year 2009-10, with approximately three-quarters of these calls relevant to the mandate of the OPC (i.e., inquiries or complaints related to PIPEDA and the Privacy Act). The inquiry process begins when an inquirer contacts the OPC by letter, phone or in person. Inquiry Officers provide information on the law and the role of the OPC.

Considering the importance to the OPC of efficiently and effectively responding to inquiries from Canadians, an audit of responding to inquiries was identified in OPC’s risk-based audit plan. The purpose of this audit engagement is to provide assurance on the effectiveness of risk management, controls, and governance processes that support the I&I Branch in responding to inquiries from the public.

1.2 Summary of Observations

The key observations with regards to responding to inquiries are provided below.

Strengths

  • The I&I Branch has identified several planned activities through its Business Plan to improve the inquiries function, including the implementation of an “on-line” complaint form, working with Provinces to provide improved inquiries services, enhancing data collection and classification of inquiries to better identify emerging trends, implementing a Ci2 reporting module and other necessary changes to Ci2, and providing focused training to the Inquiry Officers.
  • The Complaints Registrar and Early Resolution processes have helped to achieve a more consistent treatment of inquiries that may become a formal investigation, as well as reduce the total number of formal investigations, given the ability to resolve complaints before they reach this stage.

Findings

  • While roles and responsibilities have changed, human resource capacity, capabilities and requirements for the inquiries process have not been formally assessed.
  • Although several policies, procedures, and manuals exist for the inquiries process, in several cases documented procedures do not reflect current roles and responsibilities or current inquiry practices. In addition, most inquiries are not well documented.
  • There are currently no formal mechanisms to capture the knowledge gained within the inquiries process or for the sharing of information or collaboration between the inquiries function and other OPC branches.
  • There is no formal quality assurance process for inquiries, including follow-up with inquirers to determine their satisfaction with the inquiries process.
  • The inquiries process has been primarily positioned as a complaint intake process, and the ability of the public to utilize the inquiries process to obtain information on current privacy topics and an individual’s privacy rights has not been made clear either internally within the organization or externally. In addition, service standards for the inquiries process have not been formally documented.

1.3 Conclusion

Based on the aforementioned observations and overall scope of the audit, the OPC has significant issues related to the effectiveness of its current risk management, controls, and governance processes that support the responding to inquiries function. The recommendations included in this report are intended to strengthen the risk management, controls, and governance processes that support the responding to inquiries function. Management responses are included at the end of each finding.

2. Audit Objective, Scope and Approach

2.1 Background

The Office of the Privacy Commissioner of Canada (OPC) is an Agent of Parliament mandated to oversee compliance with both the Privacy Act (PA), which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As outlined in the OPC’s 2010-2011 Report on Plans and Priorities (RPP), OPC’s strategic outcome is to ensure that the privacy rights of individuals are protected. As an advocate for the privacy rights of Canadians, the Privacy Commissioner’s powers include:

  • Investigating complaints, conducting audits and pursuing court action under the two federal laws identified above;
  • Publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • Supporting, undertaking and publishing research into privacy issues; and,
  • Promoting public awareness and understanding of privacy issues.

To achieve this strategic outcome and fully utilize the powers at her disposal, the Commissioner structured OPC’s activities in four (4) areas as follows:

  • Compliance Activities;
  • Research and Policy Development;
  • Public Outreach; and,
  • Internal Services.

As well, the OPC has five strategic priorities which have been identified for 2010-2011. These priorities are updated annually. The five strategic priorities are:

  • Redefine service delivery through innovation to maximize results;
  • Provide leadership to advance four priority privacy issues (see below);
  • Strategically advance global privacy protection for Canadians;
  • Support Canadians, organizations and institutions to make informed privacy choices; and,
  • Enhance and sustain the organizational capacity.

The OPC also identified four top strategic policy priorities to focus its approach to emerging privacy issues over the coming few years. These four top strategic policy priorities are:

  • Information Technology;
  • National Security;
  • Identity Integrity and Protection / Identity Theft; and,
  • Genetic Information.

The I&I Branch manages the inquiries process and investigates complaints received from individuals under Section 29 of the PA, primarily regarding allegations of mismanagement of personal information or problems with obtaining access to one’s own personal information. In addition, the Branch investigates incidents, which typically relate to the unauthorized disclosure of personal information. They come to the attention of the OPC through the self-reporting of institutions, and on rare occasions, through the media and other sources. In the case of an incident, a formal complaint is usually not filed. The Branch examines these incidents in an effort to assist institutions in ensuring that such incidents do not recur and the personal information of the Canadian public is properly managed.

The I&I Branch is lead by a Director General (DG) that reports to the Assistant Commissioner. The I&I Branch has approximately 44 full-time equivalents (FTEs) that account for a salary budget of approximately $3.1M and a non-salary operating budget of $352,000. Of those FTEs, approximately nine FTEs are dedicated to responding to Inquiries (six Inquiries Officers, two Early Resolution Officers (EROs) and a Complaints Registrar).

The I&I Branch has been subject to several significant changes in the last two years, including a new organizational structure and changes to business processes. This includes a new Complaints Registrar position which supervises the inquiries function and reviews all complaints before they are sent to either a formal investigation or for early resolution (ER). The ER process is intended to streamline the investigation process and assist the resolution of complaints at the inquiry stage. The ER process is used for complaints that could potentially be resolved quickly, this may be because the OPC has previously made findings on the issues, because the organization that is the subject of the complaint has already dealt with the allegations to the OPC’s satisfaction, or because it appears possible that the allegations can be easily remedied. Although the I&I Branch remains responsible for all inquiries, investigations of complaints received from individuals under Section 11 of PIPEDA are now conducted by a separate PIPEDA unit, whose Director reports to the Assistant Commissioner and not the DG I&I Branch. A new case management system (Ci2) has also been developed and implemented within the OPC and is used to manage inquiry and investigation files.

The OPC received over 10,000 inquiries for fiscal year 2009-10, with approximately three-quarters of these inquiries relevant to the mandate of the OPC (i.e., inquiries or complaints related to PIPEDA or the Privacy Act). The inquiry process begins when an inquirer contacts the OPC by letter, phone or in person. Inquiry Officers provide information on the law and the role of the OPC. If an inquiry appears to be a complaint, Inquiry Officers are instructed to ask the inquirer to clarify the complaint. The Complaints Registrar reviews each complaint to make sure it is appropriate for the OPC to investigate, and classify and prioritize the complaint. The result of this review is a decision either to not investigate, to launch a formal investigation, or to send the complaint to an ERO within the I&I Branch for those complaints that may be solved quickly.

2.2 Audit Objective

The purpose of this audit engagement is to provide assurance on the effectiveness of risk management, controls, and governance processes that support the I&I Branch in responding to inquiries from the public. Detailed audit criteria can be found in Appendix B.

2.3 Audit Scope

For the purposes of this audit, responding to inquiries is defined as all processes and controls related to the inquiries process within the I&I Branch, and excludes the procedures and controls related to the formal investigation process that may result from an inquiry. The utilization of information collected by the OPC through the inquiries process for decision making is within the scope of a separate audit occurring in parallel to this audit.

2.4 Audit Approach

The approach and methodology used for this audit is consistent with the Internal Audit standards as outlined by the Institute of Internal Auditors (IIA), and is aligned with the Internal Audit Policy for the Government of Canada (GoC).

As an Agent of Parliament, OPC works independently from the GoC and is therefore not obligated to follow the management improvement initiatives put forward in the Federal Public Service. Nevertheless, the OPC strives to maintain a control framework that is reflective of industry leading practices. Consequently, the framework of Core Management Controls and Audit Criteria (CMC) established by the Office of the Comptroller General of Canada (OCG), and the Management Accountability Framework (MAF VII) were leveraged to develop the audit criteria detailed in Appendix B. Other criteria were also included to ensure appropriate coverage of the aforementioned audit scope.

Based on risks identified throughout the planning phase of the audit, a risk-based audit program was developed to provide more details on how the various audit criteria and risks were addressed. The audit program includes the following audit procedures:

  • Review of I&I Branch Business Plan and relevant committee and working group documents;
  • Review of policies and procedures and numerous other documents related to responding to inquiries;
  • Review of a sample of inquiries;
  • Interviews with individuals from across the OPC.

The list of interviewees can be found in Appendix A.

The audit was conducted within the following timelines:

  • Planning Phase : September 2010 – October 2010
  • Examination Phase: October 2010 - December 2010
  • Reporting Phase: December 2010 – March 2011
  • Presentation to the OPC Audit Committee: March 2011

3. Findings and Recommendations

3.1 Strengths Noted

The following strengths were noted with regards to the current approach to responding to inquiries:

  • The I&I Branch has identified several planned activities through its Business Plan to improve the inquiries function, including the implementation of an “on-line” complaint form, working with Provinces to provide improved inquiries services, enhance data collection and classification of inquiries to better identify emerging trends, implement a Ci2 reporting module and other necessary changes to Ci2, and provide focused training to the Inquiry Officers.
  • The Complaints Registrar and Early Resolution processes have helped to achieve a more consistent treatment of inquiries that may become a formal investigation, as well as reduce the total number of formal investigations, given the ability to resolve complaints before they reach this stage, in a more timely manner that satisfies both the complainant and organization subject to the complaint.

3.2 Audit Findings

3.2.1 Human resource capabilities and requirements have not been formally assessed

While roles and responsibilities have changed, human resource capacity, capabilities and requirements for the inquiries process have not been formally assessed.

With the introduction of the early resolution process, the implementation of Ci2 and other changes, roles and responsibilities related to the inquiries process has significantly changed in recent years. In addition, there are currently diverging views on the appropriate staffing levels for the inquiry process. Despite these factors, a formal assessment of the human resource capabilities and requirements of the inquiries process has not been conducted, including appropriate staffing levels and staff competencies. The organizational structure and the reporting relationships within the structure have also not been formally reviewed. For example, the Complaints Registrar role is a relatively new and complex position involving both operational and more strategic responsibilities, which include: supervising the inquiry and early resolution process and personnel, registering and reviewing complaints to be sent to the investigations unit, acting as a liaison between inquiries and other OPC branches, and acting as a liaison with the privacy regulators in other jurisdictions.

Impact and Risk Level

Without a formal assessment of human resources requirements, the inquiries process may not able to meet its objectives, especially given its expanded role and potential further expansion in the future (anti-spam reporting, online complaints). Furthermore, without a formal assessment, human resources may not be employed in an optimal fashion within the I&I Branch.

Recommendation #1

Review the current human resource capabilities and requirements for the inquiries process, to determine appropriate staffing levels, staff competencies, and organizational structure.

Management Response

General Comments that may impact on the Management Response and Action Plan.

On February 7, 2011, the Commissioner announced an organizational change that impacts OPC’s approach to responding to inquiries. The responsibility for responding to inquiries is being transferred to the Communications Branch. In reviewing the “responding to inquiries” work processes within I&I, it is apparent that the intake activity and the early resolution activity have been blended into the responding to inquiries activity. In implementing the re-organization decision, OPC management will decompose this blending of activities and only the “responding to inquiries” activity will be transferred to Communications. The intake and early resolution activities will form part of the PA Investigations Branch and the PIPEDA Investigations Branch, respectively.

Although this audit was to focus on just “responding to inquiries”, given the blending of activities as stated above, it is clear that the Auditors felt the need to comment on other activities. OPC management will respond to all aspects of the audit recommendation, while reflecting the response in the context of the revised division of responsibilities.

Note below that the key individual responsible for managing the “action” is identified in the last column. It is understood that there is also shared responsibility for certain activities (e.g., Director of Human Resources plays a role in supporting the implementation of actions related to organizational structure, staffing, etc. and the DG of Corporate Services plays a role in supporting the implementation of actions relating to Ci2, the system created to record and report on investigations and inquiries activities).

Management Response and Action Plan Responsibility / Deadlines
1. The OPC is conducting a study of best practices of inquiries functions in similar organizations, as well as reviewing inquiries statistics available. This work will support the development and proposal of a new structure for the inquiries function within Communications. 1. Director, Communications
April 30, 2011

3.2.2 Lack of defined and documented procedures, roles and responsibilities

Although several policies, procedures, and manuals exist for the inquiries process, in several cases documented procedures do not reflect current roles and responsibilities, or current inquiry practices. In addition, most inquiries are not well documented.

Process documents and manuals were largely created during the initial implementation of Ci2 (the case management system used for both the inquiry and investigation process), and have not been updated to reflect changes made to system functionality and processes since the implementation of Ci2. For example, both the Case Management Intake Manual (last updated December 2008) and the Ci2 Intake Training Manual (last updated September 2008) refer to a triage process that was required given the functionality of Ci2 when it was first implemented; however, these processes are no longer required. Although several new practices, such as the completion of an inquiry summary for each inquiry, were noted by those interviewed, these new practices are not reflected in any formal procedures, manuals or training material. Through testing, it was observed that these communicated standard inquiry practices are not being consistently applied to each inquiry.

Most inquiries are not well documented, and the events log may not be completed even for inquiries that may not have been immediately resolved, making it difficult to understand the progression of the inquiry or if it was resolved in an efficient manner. There is also a lack of documentation in summarizing the inquiry as well as the response provided by the Inquiry Officer. There are open text fields in Ci2 that allow the Inquiry Officer to capture this information, but they are not required to be completed. The Inquiry Officer is required to ‘classify’ the inquiry through drop down menus for Act (Privacy Act or PIPEDA), sector, and subject. The current taxonomy for sector and subject is very granular, and not useful for classification or reporting purposes, although a new and more useful taxonomy has been developed and will soon be implemented. The Inquiry Officer is also required to indicate how an inquiry was resolved utilizing high-level options from a drop down menu (e.g., provided information, referred to privacy officer of a specific organization).

Of note, despite some fields in Ci2 being indicated as mandatory, during testing it was observed that 16% of the closed cases reviewed did not have mandatory fields completed, including Province of inquiry and response to inquiry. Further related to Ci2 functionality, the ability to generate useful reports is limited, and most users rely on the ‘advanced search’ functionality, which can search for text within the inquiries summary text box; however, given that most inquiries do not have this summary completed, and there are no consistent practices related to how to complete the summary, generating useful or accurate information from this search is not always possible. In general, given current inquiry processes and the functionality of Ci2, obtaining timely, accurate and useful information related to inquiries is difficult.

Inquiries-related documentation does not outline the specific responsibilities in relation to the documentation of an inquiry by an Inquiry Officer. The responsibilities and supporting processes of the Inquiry Officer position have significantly changed in recent years, and these changes have not been formally documented. Formal procedures outlining when an inquiry should be considered a complaint and moved to early resolution or investigations (via the Complaint Registrar) have not been documented, nor has the early resolution process been formally documented and defined, including a job description for the Early Resolution Officer (ERO) position.. Of note, the classification of the early resolution of complaints is not transparent in Ci2, and complaints that are resolved via early resolution processes most often remain classified as inquiries.

Given the current state of manuals and procedures, the degree to which they are not up to date or comprehensive, and the lack of formally documented roles and responsibilities, training of new inquiries staff is more difficult.

Impact and Risk Level

A lack of clearly defined roles and responsibilities, in addition to the lack of up to date and comprehensive procedures, especially during large organizational and process changes, can lead to role confusion and a lack of understanding or the fulfillment of responsibilities. This can also lead to a duplication of efforts and/or diminished service to the public as an inquiry/complaint progresses through the intake and inquiry process to either early resolution or an investigation. The current state of manuals and procedures, and the degree to which they are not up to date or comprehensive, also reduces the efficiency and effectiveness of new Inquiry Officer training.

Complaints resolved via early resolution processes being classified as inquiries does not accurately reflect the activities of the Branch, making it difficult to accurately assess workload or resource requirements.

Recommendation #2

Ensure current policies, procedures, and manuals describing the inquiry and early resolution process be modified to reflect current roles and responsibilities for inquiry staff and current inquiry processes, and these are updated regularly as the inquiry process is further defined to reflect the more thorough documenting of an inquiry, and other considerations outlined in additional findings within this report. Ensure individuals are trained according to these defined processes.

Management Response and Action Plan Responsibility / Deadlines
As part of the OPC reorganization, the Inquiries Unit will move to Communications, and this unit will handle requests for information from the public and organizations. The unit will no longer handle formal intake of complaints. The reorganization also involves creating two distinctive branches – one for the Privacy Act and one for PIPEDA, each with their own Complaints Registrar and early resolution function. This will require ensuring enhanced coordination between the Communications Branch, and the two Investigations Branches, in relation to “intake.”  
1. Review all policies, procedures and manuals relating to the inquiries function. 1. Director, Communications
April 30, 2011
2. Identify the information that should be captured for all inquiries and implement procedures to ensure that that information is recorded. 2. Director, Communications
April 30, 2011 (and ongoing)
3. Update policies, procedures and manuals to reflect the changes in organizational structure, and any change in responsibilities of the function. 3. Director, Communications
June 30, 2011
4. Ensure training is provided on #2 and #3 as required. 4. Director, Communications / DG CSB
June 30, 2011
5. Identify the Investigations Branch structures, the interface points between Communications, Records, and investigations, the processes for complaints, and implement those changes. 5. Investigations Branches Heads
May 30, 2011
6. Develop and implement early resolution procedures and documentation. 6. Investigations Branches Heads
June 30, 2011

Recommendation #3

Proceed with improving systems functionality to support the capture and reporting of more useful information, as well as implementing the newly developed taxonomy for inquiries.

Management Response and Action Plan Responsibility / Deadlines
The Investigations Branch is currently revising its “taxonomy,” a list of privacy-related terminology in order to improve its information capturing and reporting of investigations issues. This taxonomy may or may not be the appropriate tool for easily and effectively reporting on inquiries trends.  
1. Review the taxonomy project in relation to Ci2 to determine whether any adjustments are required. The best practices study may also yield useful information for these purposes. 1. Director, Communications
April 30, 2011
2. Work with IMIT to make any adjustments to the system, if necessary. 2. Director, Communications
June 30, 2011
3. Ensure all inquiries staff are trained on the system and that all inquiries information is being entered into the system for reporting purposes. 3. Director, Communications
June 30, 2011

Recommendation #4

Implement a new taxonomy for inquiries and investigations to facilitate the searching and reporting of related information, and ensure it can support the generation of useful information to management for decision making.

Management Response and Action Plan Responsibility / Deadlines
1. Define the role and responsibilities of the early resolution officer. 1. Investigations Branches Heads
March 31, 2011
2. Update and/or write work descriptions, and have the position(s) classified. 2. Investigations Branches Heads
May 31, 2011
3. Complete staffing process(es). 3. Investigations Branches Heads
August 1, 2011

Recommendation #5

Complaints that are resolved via early resolution processes should be differentiated from inquiries within Ci2 to allow for accurate reporting related to the early resolution process.

Management Response and Action Plan Responsibility / Deadlines
1. Define and implement redefined processes to better capture ER activity. 1. Investigations Branches Heads
April 30, 2011

3.2.3 Lack of formalized knowledge sharing

There are currently no formal mechanisms to capture the knowledge gained within the inquiries process or for the sharing of information or collaboration between the inquiries function and other OPC branches.

There are currently no formal mechanisms to capture the knowledge gained within the inquiries process, including previous inquiries and how they were resolved, to ensure Inquiry Officers have access to the information they need to resolve inquiries in an efficient, consistent and timely manner.

Inquiry Officers have access to MS Word response and knowledge guides within Ci2 that provide guidance on responding to specific situations or inquiries on specific issues; however, these guides are static and have not been updated since Ci2 was implemented. Inquiry Officers do have access to other inquiries and investigations within Ci2 to determine if a past inquiry, complaint or investigation can help resolve a current inquiry; however, given the lack of documentation recorded for each inquiry and the functional constraints of Ci2 reporting, this is often not feasible. A weekly meeting, led by the Complaints Registrar, of all the Inquiry Officers has recently been implemented, and is intended to promote the sharing of concerns and information between Inquiry Officers; however, information is not formally captured during these meetings.

There are no formally established mechanisms to capture the information required by the inquiries process from other OPC branches (i.e., information used to resolve inquiries), and the information required from the inquiries process by other OPC branches (i.e., information on inquiries, such as trends and hot topics). In addition, formal mechanisms have not been established for the sharing and use of this information between the inquiries process and other OPC branches.

Impact and Risk Level

The lack of formalized mechanisms and/or process for knowledge sharing can lead to the inefficient, inconsistent, inappropriate or non timely resolution of inquiries. The lack of formal knowledge sharing mechanisms and/or processes with other OPC branches may also diminish the opportunity for these other branches to proactively address inquiry trends and hot topics.

Recommendation #6

Develop a process to ensure inquiry response guides are reviewed and updated on a periodic basis, and new response guides are developed when required.

Management Response and Action Plan Responsibility / Deadlines
1. Conduct review of response guides and other available information to identify gaps and develop missing tools for inquiry officers. 1. Director, Communications
June 30, 2011
2. Implement a program for regular identification of information required for inquiry officers. This question will be raised at each bi-monthly branch meeting. 2. Director, Communications
April 30, 2011
3. Update the existing guides if they are out of date. 3. Director, Communications
June 30, 2011
4. Begin developing new guides to satisfy the need for additional information required (see #2). This must be done on an ongoing basis. 4. Director, Communications
May 30, 2011

Recommendation #7

Consider implementing and actively using ‘knowledge centre’ functionality that allows for the collaboration and sharing of information for Inquiry Officers; for example, a wiki that allows OPC staff to discuss and provide information on relevant or topical inquiries and provide links to resource material, such as updated fact sheets, news releases, research, policy advice, PIA reviews and audit reports.

Management Response and Action Plan Responsibility / Deadlines
The OPC is implementing SharePoint, an online collaboration and project management tool, across the organization. Over the next couple of years, SharePoint is expected to replace the OPC’s current information management system.

The OPC has many opportunities for horizontal collaboration, including the four priorities working groups.
 
1. Ensure that Inquiries Officers have access to information about fact sheets, news releases, policy advice, PIA reviews and audit reports through bi-monthly Communications Branch meetings, where these issues are discussed and relevant information is shared. 1. Director, Communications
March 31, 2011
2. Ensure that Inquiries Officers have access to the SharePoint sites of branches across the OPC. 2. Director, Communications
April 30, 2011
3. Ensure that Inquiries Officers actively review and contribute to the Communications Branch SharePoint sites. 3. Director, Communications
April 30, 2011 (and ongoing)
4. Encourage Inquiries Officers to actively participate in the development and sharing of response guides and/or responses to public inquiries with the rest of their team. 4. Director, Communications
May 30, 2011 (and ongoing)
5. Explore whether a SharePoint site for Inquiries Officers may be of benefit to the group and, if so, implement. 5. Director, Communications
May 30, 2011
6. Ensure that Inquiries Officers are active participants in the four priorities working groups. 6. Director, Communications
May 30, 2011

3.2.4 Lack of a quality assurance process for Inquiries

There is no formal quality assurance process for inquiries, including follow-up with inquirers to determine their satisfaction with the inquiries process.

A quality assurance process was defined for inquiries, but has not been implemented. Quality assurance of the inquiries process is not currently being performed either through the review of inquiry files in Ci2, through quality assurance calls or monitoring, or through other mechanisms. A comprehensive quality assurance process would currently be difficult to implement given the lack of formally documented inquiries procedures and the lack of documentation in Ci2 for each inquiry.

There is currently no mechanism to solicit feedback from inquirers on their satisfaction with the inquiries process. Furthermore, when an inquirer is provided with additional information and/or redirected to the individual responsible for privacy at a specific organization, follow up is not conducted to determine if the information provided to an inquirer has been useful or if their issues has been satisfactorily addressed.

Impact and Risk Level

The lack of a quality assurance process may result in ineffective, inconsistent or inappropriate inquiry practices not being brought to the attention of management, and the potential reduction in trust or satisfaction from the public in the OPC’s inquiry process.

Recommendation #8

Implement a quality assurance process to assess both the effectiveness of inquiry processes and the satisfaction of inquirers with the inquiry process. Implement a process to solicit feedback from inquirers on their satisfaction with the inquiries process and if the information provided to an inquirer has been useful and their issues have been satisfactorily addressed. The effectiveness of the quality assurance process will be limited if an appropriate level of information is not documented for each inquiry.

Management Response and Action Plan Responsibility / Deadlines
1. Develop and implement a “user satisfaction” feedback mechanism for inquiries, to gauge individuals’ and organizations’ satisfaction with the process and to identify further improvements. 1. Director, Communications
September 30, 2011
2. Conduct an internal review of the inquiries process to gauge whether the action plan tactics have been effective in meeting the audit recommendations. Update and/or fine-tune process as required. 2. Director, Communications
December 31, 2011
3. Define and implement a Senior Management Committee (SMC) approved quality assurance program for Inquiries that will ensure service standards are upheld and inquiries are conducted appropriately. 3. Director, Communications
December 31, 2011

3.2.5 Lack of outreach to the public and defined service standards

The inquiries process has been primarily positioned as a complaint intake process, and the ability of the public to utilize the inquiries process to obtain information on current privacy topics and an individual’s privacy rights, has not been made clear either internally within the organization or externally. In addition, service standards for the inquiries process have not been formally documented.

Documentation relating to the inquiry process tends to frame it as a complaint intake function, or the first stage of a formal privacy investigation, rather than an actual inquiry function that is intended to provide information to the public, and depending on the inquiry could potentially lead to the registering of an official privacy complaint. Terminology related to an inquiry function is not provided in public communications, as the OPC website only refers to submitting a complaint (complaint forms are available on the OPC website for written complaints). Of note, there is a significant amount of resource material available to the public on the OPC website. Individuals that do not wish to provide a written complaint by mail can contact the OPC by phone. There is not a specific inquiries number; individuals can call the OPC’s toll free number and are redirected to an Inquiry Officer by the receptionist. If the Inquiry Officer on duty for which the call was directed does not answer, the caller is asked to leave a message. There is a specific number and contact name on the website for the DG of Communications and many members of the public contact Communications directly. Currently, individuals cannot send an inquiry to the OPC via email.

In addition, formally defined service standards for the inquiries process have not been developed. On an informal basis, service standards have been developed for resolving inquiries (7 days), and for the early resolution process (45 days); however, these service standards are not formally communicated to inquiries staff, and tracking performance against these informal standards is not possible / or not performed regularly. Although an overdue inquiries report can be generated, it is not regularly reviewed, and furthermore, would have reduced validity as Ci2 automatically sets the due date to 7 days after an inquiry is opened, but an Inquiry Officer can reset the due date to any date he/she wishes. Standards on length of time an Inquiry Officer should set for responding to an inquirer’s follow up questions or submission of documentation, or how long to leave an inquiry open while waiting for further information from an inquirer, has not been formally defined.

Impact and Risk Level

Current methods for accessing Inquiry Officers, and publicly available documentation on the inquiries process (or lack thereof), may leave the public unsure of the role of the OPC inquiries process, which may not align with the OPC’s objective of “promoting public awareness and understanding of privacy issues” as well as its corporate priority to “Redefine service delivery through innovation to maximize results”, and may reduce the trust or satisfaction from the public in the OPC’s inquiry process.

The lack of formal service standards and monitoring performance against service standards may cause management to not be aware of inquiries and early resolution complaints that may not be resolved in a timely or efficient manner, which may also reduce the trust or satisfaction from the public in the OPC’s inquiry process.

Recommendation #9

Develop formal service standards and implement formal mechanisms to track performance against these standards for both inquiries and the early resolution process. Ensure the functionality of Ci2 can support the tracking and reporting on those standards.

Management Response and Action Plan Responsibility / Deadlines
1. The best practices study will help the OPC identify, establish and communicate service standards for inquiries. Once confirmed, these will be reviewed on a monthly basis, at a minimum, in conjunction with other statistical information (eg, inquiries information captured in the scorecard). This information will be considered for inclusion in the monthly scorecard. The ability to track and report on those standards is dependent on the use and functionality of the supporting Ci2 system. 1. Director Communications
May 30, 2011
1. DG Corporate Services
May 30, 2011
2. The OPC will initiate a discussion on standards for investigations with provincial counterparts in order to confirm its own service standards. Once confirmed, these will be reviewed on a monthly basis, at a minimum, in conjunction with other statistical information (e.g, information from the scorecard). The ability to track and report on those standards is dependent on the use and functionality of the supporting CI2 system. 2. DG, PA Investigations; and Director, PIPEDA Investigations.
June 30, 2011 (See Recommendation 2 from MAP
3. The functionality of Ci2 will be reviewed to ensure OPC can track and report on service standards for inquiries. 3. DG, Corporate Services
September 30, 2011

Recommendation #10

Review and document the objectives of the inquiries process, and if required, proceed with the development and implementation of the process to allow the public to email the OPC with inquiries and otherwise make the inquiries process easier to use by the public.

Management Response and Action Plan Responsibility / Deadlines
1. Implement the actions identified which respond to Recommendations #2 and #3 of the audit. 1. See Recommendations #2 and #3
2. The best practices study will help the OPC determine whether or not other similar organizations accept email inquiries, and whether the OPC should consider accepting email inquiries as well. The Director of Communications will make a recommendation to the Commissioner and Assistant Commissioner. 2. Director, Communications
April 30, 2011
3. If the recommendation is to accept email inquiries, proceed with implementation. 3. Director, Communications
June 30, 2011

Appendix A – Interviewees

The following key individuals were interviewed as part of the audit process:

  • Privacy Commissioner
  • Assistant Commissioner
  • Director, Communications
  • Director General, Corporate Services
  • Director, IM/IT, Corporate Services
  • Systems Manager, Information Technology, Corporate Services
  • Manager, IM Programs and Services, Corporate Services Branch
  • Senior Security and Technology Advisor, Research, Education and Outreach
  • Director, Financial and Administrative Services
  • General Counsel, Legal Services, Policy and Parliamentary Affairs
  • Director, Research, Education and Outreach
  • Director, Human Resources
  • Director General, Audit and Review
  • Director, PIPEDA
  • Director General, I&I Branch
  • Complaint Registrar, I&I Branch
  • Early Resolution Investigator, I&I Branch
  • Inquiries Officer, I&I Branch
  • Manager, Investigations, I&I Branch
  • Manager, Planning and Performance, I&I Branch
  • Program Coordinator, I&I Branch

Appendix B – Audit Criteria

  Criteria
1.1 Operational plans and objectives have been established and communicated, related to the inquiries process and are linked to the mandate and identified priorities of the OPC.
1.2 Roles and responsibilities for the inquiries process have been defined and communicated.
1.3 The organizational structure for the inquiries process is appropriate and conducive to the achievement of OPC objectives.
2.1 A comprehensive policy framework has been established for the inquiries process, and is supported by appropriate tools and a training and awareness program.
2.2 Inquiries are resolved in an efficient and effective manner, addressed consistently and according to policy and procedures, across intake channels and between inquiry staff.
2.3 The OPC has made the inquiry process well known to the public and easy to navigate and understand.
3.1 Performance standards are defined and there is an overall quality assurance and continuous improvement process related to responding to inquiries.
Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: