Audit of the Utilization of Inquiries & Investigations Branch Information for Management Decision-Making

Office of the Privacy Commissioner of Canada

March 2011


1. Executive Summary

1.1 Background and Context

The Office of the Privacy Commissioner of Canada (OPC) is an Agent of Parliament mandated to oversee compliance with both the Privacy Act (PA), which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As outlined in the OPC’s 2010-2011 Report on Plans and Priorities (RPP), OPC’s strategic outcome is to ensure that the privacy rights of individuals are protected. As an advocate for the privacy rights of Canadians, the Privacy Commissioner’s powers include:

  • Investigating complaints, conducting audits and pursuing court action under the two federal laws identified above;
  • Publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • Supporting, undertaking and publishing research into privacy issues; and,
  • Promoting public awareness and understanding of privacy issues.

The Investigations and Inquiries (I&I) Branch manages the inquiries process and investigates complaints received from individuals under Section 29 of the PA, primarily regarding allegations of mismanagement of personal information or problems with obtaining access to one’s own personal information. In addition, the Branch investigates incidents, which typically relate to the unauthorized disclosure of personal information.

The I&I Branch has been subject to several significant changes in the last two years, including a new organizational structure and changes to business processes. This includes a new Complaints Registrar position which supervises the inquiries function and reviews all complaints before they are sent to either a formal investigation or to the new early resolution (ER) process, which is intended to streamline the investigation process and assist the resolution of complaints at the inquiry stage. Although the I&I Branch remains responsible for all inquiries, investigations of complaints received from individuals under Section 11 of PIPEDA are now conducted by a separate PIPEDA unit. The unit is also responsible for the new case management system (Ci2) that has been developed and implemented within the OPC and used to manage inquiry and investigation files.

The OPC received over 10,000 inquiries for fiscal year 2009-10, with approximately three-quarters of these calls relevant to the mandate of the OPC (i.e., inquiries or complaints related to PIPEDA and the Privacy Act). For the same fiscal year, the I&I Branch received 665 Privacy Act complaints and closed 1,154 Privacy Act complaints. The large discrepancy between the number of complaints received and the number closed is due to the focus the OPC placed on eliminating the backlog of investigations through the hiring of resources and streamlining of processes.

I&I Branch information is generally used to make decisions that are related to a specific file (i.e. an inquiry or an investigation), or to make decisions related to the performance of the Branch (e.g. the timeliness of responses to inquiries and complaints) or other administrative matters (e.g. budget and human resources). I&I information is also useful for other Branches to better understand trends and emerging issues.

Considering the importance to the OPC of efficiently and effectively leveraging information from inquiries and investigations, an audit of the utilization of Inquiries and Investigations (I&I) Branch information for management decision-making was identified in OPC’s risk-based audit plan. The purpose of this audit engagement is to provide assurance on the effectiveness of risk management, controls, and governance processes supporting the utilization of I&I Branch information for management decision-making.

1.2 Summary of Observations

The key observations with regards to the utilization of I&I Branch information for management decision-making are provided below.

Strengths

  • The I&I Branch has identified several planned activities through its Business Plan to improve the efficiency and effectiveness of the use of information, including enhancing the taxonomy for inquiries and investigations, addressing design deficiencies in the Ci2 system, implementing a Ci2 reporting module, and working closely with the Communications Branch and the Audit and Review Branch to help ensure appropriate information is exchanged.
  • Significant effort has been invested in defining system requirements for Ci2.

Findings

  • Performance targets have not been defined related to the timeliness of investigations, and the quality of investigations and responses to inquiries is not being measured. The OPC Monthly Scorecard does not report back on targets or on trends.
  • The requirements for the sharing of information between the I&I Branch and other OPC branches have not been formally defined. Roles and responsibilities related to the sharing of information have also not been defined.
  • Inquiries and investigations are difficult to classify and report on given current OPC taxonomy, most inquiries are not well documented, and a quality assurance program has not been implemented within the I&I Branch.
  • The current functionality and reporting capability of the case management system utilized by the I&I Branch (i.e., Ci2) does not sufficiently meet the information sharing and reporting requirements of the I&I Branch and the OPC.

1.3 Conclusion

Based on the aforementioned observations and overall scope of the audit, the OPC has significant issues related to the effectiveness of its current risk management, controls, and governance processes that support the utilization of information for management decision-making within the I&I Branch. The recommendations included in this report are intended to strengthen the risk management, controls, and governance processes that support the responding to inquiries function. Management responses are included at the end of each finding.

Based on our professional judgment as auditors, sufficient and appropriate audit procedures have been conducted in accordance with the Treasury Board (TB) Policy on Internal Audit, and evidence gathered supports the accuracy of the conclusions contained in this report. The conclusion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed to with management. The evidence has been gathered to provide senior management with reasonable assurance of the accuracy of the conclusions drawn from this audit. This report and audit were conducted for OPC management purposes. Use of this report for other purposes may not be appropriate.

2. Audit Objective, Scope and Approach

2.1 Background

The Office of the Privacy Commissioner of Canada (OPC) is an Agent of Parliament mandated to oversee compliance with both the Privacy Act (PA), which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As outlined in the OPC’s 2010-2011 Report on Plans and Priorities (RPP), OPC’s strategic outcome is to ensure that the privacy rights of individuals are protected. As an advocate for the privacy rights of Canadians, the Privacy Commissioner’s powers include:

  • Investigating complaints, conducting audits and pursuing court action under the two federal laws identified above;
  • Publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • Supporting, undertaking and publishing research into privacy issues; and,
  • Promoting public awareness and understanding of privacy issues.

To achieve this strategic outcome and fully utilize the powers at her disposal, the Commissioner structured OPC’s activities in four (4) areas as follows:

  • Compliance Activities;
  • Research and Policy Development;
  • Public Outreach; and,
  • Internal Services.

As well, the OPC has five strategic priorities which have been identified for 2010-2011. These priorities are updated annually. The five strategic priorities are:

  • Redefine service delivery through innovation to maximize results;
  • Provide leadership to advance four priority privacy issues (see below);
  • Strategically advance global privacy protection for Canadians;
  • Support Canadians, organizations and institutions to make informed privacy choices; and,
  • Enhance and sustain the organizational capacity.

The OPC also identified four top strategic policy priorities to focus its approach to emerging privacy issues over the coming few years. These four top strategic policy priorities are:

  • Information Technology;
  • National Security;
  • Identity Integrity and Protection / Identity Theft; and,
  • Genetic Information.

The I&I Branch manages the inquiries process and investigates complaints received from individuals under Section 29 of the PA, primarily regarding allegations of mismanagement of personal information or problems with obtaining access to one’s own personal information. In addition, the Branch investigates incidents, which typically relate to the unauthorized disclosure of personal information. They come to the attention of the OPC through the self-reporting of institutions, and on rare occasions, through the media and other sources. In the case of an incident, a formal complaint is usually not filed. The Branch examines these incidents in an effort to assist institutions in ensuring that such incidents do not recur and the personal information of the Canadian public is properly managed.

The I&I Branch is led by a Director General (DG) who reports to the Assistant Commissioner. The I&I Branch has approximately 44 full-time equivalents (FTEs) that account for a salary budget of approximately $3.1M and a non-salary operating budget of $352,000. In addition to Inquiries Officers and Investigators, the I&I Branch has a Planning and Performance Unit staffed with two (2) individuals who are responsible for quality assurance, planning, and performance reporting within the Branch. The unit is also responsible for the new case management system (Ci2) that has been developed and implemented within the OPC and used to manage inquiry and investigation files.

The I&I Branch has been subject to several significant changes in the last two years, including a new organizational structure and changes to business processes. This includes a new Complaints Registrar position which supervises the inquiries function and reviews all complaints before they are sent to either a formal investigation or for early resolution (ER). The ER process is intended to streamline the investigation process and assist the resolution of complaints at the inquiry stage. The ER process is used for complaints that could potentially be resolved quickly; this may be because the OPC has previously made findings on the issues, because the organization that is the subject of the complaint has already dealt with the allegations to the OPC’s satisfaction, or because it appears possible that the allegations can be easily remedied. Although the I&I Branch remains responsible for all inquiries, investigations of complaints received from individuals under Section 11 of PIPEDA are now conducted by a separate PIPEDA unit, whose Director reports to the Assistant Commissioner and not the DG I&I Branch.

The OPC received over 10,000 inquiries for fiscal year 2009-10, with approximately three-quarters of these calls relevant to the mandate of the OPC (i.e., inquiries or complaints related to PIPEDA or the Privacy Act). For the same fiscal year, the I&I Branch received 665 Privacy Act complaints and closed 1,154 Privacy Act complaints. The large discrepancy between the number of complaints received and the number closed is due to the focus the OPC placed on eliminating the backlog of investigations through the hiring of resources and streamlining of processes.

2.2 Audit Objective

The purpose of this audit engagement was to provide assurance on the effectiveness of risk management, controls, and governance processes supporting the utilization of I&I Branch information for management decision-making. Detailed audit criteria can be found in Appendix B.

2.3 Audit Scope

For the purposes of this audit, the utilization of information for management decision-making includes activities within the I&I Branch that pertain to information collection, categorization, dissemination, and use of information in the decision-making processes. For the purposes of this audit, activities directly related to responding to inquiries are within the scope of a separate audit occurring in parallel to this audit.

2.4 Audit Approach

The approach and methodology used for this audit is consistent with the Internal Audit standards as outlined by the Institute of Internal Auditors (IIA), and is aligned with the Internal Audit Policy for the Government of Canada (GoC).

As an Agent of Parliament, OPC works independently from the GoC and is therefore not obligated to follow the management improvement initiatives put forward in the Federal Public Service. Nevertheless, the OPC strives to maintain a control framework that is reflective of industry leading practices. Consequently, the framework of Core Management Controls and Audit Criteria (CMC) established by the Office of the Comptroller General of Canada (OCG), and the Management Accountability Framework (MAF VII) were leveraged to develop the audit criteria detailed in Appendix B. Other criteria were also included to ensure appropriate coverage of the aforementioned audit scope.

Based on risks identified throughout the planning phase of the audit, a risk-based audit program was developed to provide more details on how the various audit criteria and risks were addressed. The audit program includes the following audit procedures:

  • Review of I&I Branch Business Plan and relevant committee and working group documents;
  • Review of monitoring and performance reports (e.g., monthly internal scorecard);
  • Review of several other relevant documents related to the utilization of information by I&I; and,
  • Interviews with individuals from across the OPC.

The list of interviewees can be found in Appendix A.

The audit was conducted within the following timelines:

  • Planning Phase: September 2010 – October 2010
  • Examination Phase: October 2010 – December 2010
  • Reporting Phase: December 2010 – March 2011
  • Presentation to the OPC Audit Committee: March 2011

3. Findings and Recommendations

3.1 Strengths Noted

The following strengths were noted with regards to the current approach to the utilization of I&I Branch information for management decision-making:

  • The I&I Branch has identified several planned activities through its Business Plan to improve the efficiency and effectiveness of the utilization of information for management decision-making, including an enhanced taxonomy for inquiries and investigations, addressing design deficiencies in the Ci2 system and implementing a Ci2 reporting module, and working closely with the Communications Branch and Audit and Review Branch to ensure that information is being shared between Branches in an appropriate manner.
  • The IM governance structure and policies developed by the IM group for the OPC provide a good starting point for the management of information within the I&I Branch.

3.2 Audit Findings

  • Performance targets have not been defined related to the timeliness of investigations, and the quality of investigations and responses to inquiries is not being measured. The OPC Monthly Scorecard does not report back on targets or on trends.
  • The requirements for the sharing of information between the I&I Branch and other OPC branches have not been formally defined. Roles and responsibilities related to the sharing of information have also not been defined.
  • Inquiries and investigations are difficult to classify given current OPC taxonomy, inquiries may not always be well documented or consistently documented, and a quality assurance program has not been implemented for I&I.
  • The current utilization, functionality, and reporting capability of the case management system utilized by the I&I Branch (i.e., Ci2) does not sufficiently meet the information sharing and reporting requirements of the I&I Branch and the OPC.

3.2.1 Performance measurement and monitoring not conducive to effective management decision making

Performance targets have not been defined related to the timeliness of investigations, and the quality of investigations and responses to inquiries is not being measured. The OPC Monthly Scorecard does not report back on targets or on trends.

I&I Branch performance is being measured mainly through three performance indicators in the Performance Measurement Framework (PMF) related to the: 1) extent of acceptance and implementation of investigation recommendations; 2) timeliness of responses to inquiries and complaints; and, 3) quality of investigations. The PMF, however, has not been fully implemented as targets related to the timeliness of investigations have not been set, and a means of assessing the quality of investigations (i.e. through a quality assurance program) has not been implemented. In addition, there is no performance indicator related to the quality of responses to inquiries.

Similarly, I&I Branch performance is monitored mainly through the review of the OPC Monthly Scorecard, which provides measures related to the timeliness of responses to inquiries and complaints (e.g. percentage of investigations closed within service standard timelines). The Scorecard, however, does not report against any of the three targets set for I&I performance indicators (e.g. 95% of public inquiries should be responded to within 30 calendar days). The Scorecard also focuses on monthly data and does not report on trends, for example, if the volume of activity has increased or decreased in recent months.

Impact and Risk Level

The incomplete implementation of the PMF and the shortcomings in the OPC Monthly Scorecard limit the effectiveness of the decisions that management can make based on available performance measures, such as decisions related to the improvement of I&I processes or the reallocation of resources when needed.

Recommendation #1

Update the Performance Measurement Framework (PMF) by including targets for all I&I performance indicators and by measuring the quality of both investigations and responses to inquiries.

Management Response

General Comments that may impact on the Management Response and Action Plan.

On February 7, 2011, the Commissioner announced an organizational change that impacts OPC’s approach to responding to inquiries. The responsibility for responding to inquiries is being transferred to the Communications Branch. In reviewing the “responding to inquiries” work processes within I&I, it is apparent that the intake activity and the early resolution activity have been blended into the responding to inquiries activity. In implementing the re-organization decision, OPC management will decompose this blending of activities and only the “responding to inquiries” activity will be transferred to Communications.

The intake and early resolution activities will form part of the PA Investigations Branch and the PIPEDA Investigations Branch, respectively.

The responsibility for the management (design, development and support) of the Case Management System was transferred to Corporate Services Branch.

Management Response and Action Plan

Note: OPC is currently reviewing the PMF as part of its 3-year cyclical review. Initiative led by DG Corporate Services.

1. As the OPC is currently reviewing the complete PMF and scorecard, performance targets will be identified, established and communicated. The ability to track and report on those targets is dependent on the use and functionality of the supporting Ci2 system. These performance targets should also complement the service standards identified in the Action Plan – Internal Audit of Responding to Inquiries.
   Responsibility: Director Communications
   Deadline: May 30, 2011

2. As the OPC is currently reviewing the complete PMF and scorecard, performance targets will be identified, established and communicated. The ability to track and report on those targets is dependent on the use and functionality of the supporting Ci2 system.
   Responsibility: Branch Head Investigations
   Deadline: June 30, 2011

Recommendation #2

Update the OPC Monthly Scorecard to report on I&I performance targets, and consider also reporting on trends.

Management Response and Action Plan

Note: OPC is currently reviewing the monthly scorecard for all Branches. Initiative led by DG Corporate Services.

Note: Develop and implement a trend reporting tool. Options include: as part of the monthly scorecard, as a separate quarterly scorecard, or as part of an anytime dashboard.

1. Specifically, the OPC will review the current Ci2 taxonomy project to determine whether any adjustments are required to capture and report on inquiries trends.
   Responsibility: Director Communications and Investigation Branch Heads
   Deadline: April 30, 2011

2. IMIT will then be engaged to adjust the system if required. Inquiries, PIPEDA & PA staff will need to be fully trained on the system.
   Responsibility: Director Communications
   Deadline: May 31, 2011

3. Inquiries staff will be required to enter all inquiries information (as defined as relevant in the taxonomy) into the system for reporting purposes, so that the system can produce the information required, so that the Director Communications may report on inquiries trends in Privacy Working Group.
   Responsibility: Director Communications
   Deadline: June 30, 2011

4. Investigations staff will be required to enter all investigation information (as defined as relevant in the taxonomy) into the system for reporting purposes, so that the system can produce the information required, so that the Investigation Branch Heads may report on investigations trends in Privacy Working Group.
   Responsibility: Investigations Branch Heads
   Deadline: June 30, 2011

3.2.2 The ongoing sharing of information between I&I and other OPC Branches has not been formally defined

The requirements for the sharing of information between the I&I Branch and other OPC branches have not been formally defined. Roles and responsibilities related to the sharing of information have also not been defined.

Some sharing of information related to inquiries and investigations is done at the most senior management level through the Privacy Working Group (represented by the Director General (DG)-level and above). The DG I&I Branch presents investigations of interest and, beginning in October 2010, an Inquiries Report, which provides a high level summary of the number and types of inquiries. Joint meetings with DGs from different branches have also begun.

For investigations, the development of an investigation plan ensures that representations from other branches are included in the investigation if required. There are few other formal processes within the I&I Branch or between the I&I Branch and other OPC branches to collaborate or share information on an ongoing basis at lower level management or staff positions. Within the I&I Branch, there are mechanisms for communication between staff in a group setting; for example, there is a weekly I&I Branch management meeting. These meetings do not have formal agendas and information is not formally captured during these meetings through meeting minutes or otherwise. Formal mechanisms for regular meetings or the sharing of information between I&I Branch staff and other areas of the OPC (e.g., Communications Branch, Research, Educational and Outreach (REO) Branch, Audit and Review Branch) have not been defined, and sharing of information is done informally. The four working groups that focus on OPC’s key priority areas (IT, Public Safety, Identity Protection, and Genetics), although they have I&I representatives, have not been structured as a forum for the sharing of information between the I&I Branch and other areas of OPC.

Roles and responsibilities related to the provision of I&I information to other OPC groups, for example the PIPEDA Investigations Unit, have not been defined.

Impact and Risk Level

The lack of appropriate I&I Branch information sharing can lead to the inefficient or inconsistent resolution of inquiries and, to a lesser extent, investigations. The lack of formal knowledge sharing with other OPC branches may diminish the opportunity for these other branches to proactively address inquiry and investigation trends and emerging topics.

Recommendation #3

Develop and document the requirements and mechanisms (including roles and responsibilities) to share I&I information within the I&I Branch and with other OPC branches. These mechanisms may include implementing/utilizing Ci2 collaboration functionality, formalizing meetings within the I&I Branch (e.g. Terms of Reference for weekly meetings, meeting minutes), and identifying opportunities to formalize the role of other branches within these meetings; for instance, on a rotating basis have other branches present and discuss relevant issues with Inquiries Officers and Investigators.

Management Response and Action Plan

1. PA & PIPEDA Investigation Branches to define what information is required from other areas of OPC.
   Responsibility: Director Communications and Investigation Branch Heads
   Deadline: April 30, 2011

2. Conversely OPC to define what information they require from the Investigation Units. (Available information is contained in the Ci2 case management system).
   Responsibility: DG, Corporate Services
   Deadline: September 30, 2011

3. Review system access controls to Ci2 and legal databases to provide information while respecting privacy and client-solicitor privilege.
   Responsibility: DG, Corporate Services
   Deadline: September 30, 2011

4. Define and implement the tools and/or system modifications required to share this information.
   Responsibility: DG, Corporate Services
   Deadline: September 30, 2011

Note: Regular meetings of the PA and PIPEDA teams are in effect. ROD for PA meetings posted on SharePoint. Other Branches are frequently invited/requested to attend. PIPEDA introduced some meetings beginning August 2011. These team meetings invite representatives of PA, Legal, Policy and REO to discuss relevant topics.

Publish meeting “Record of Decisions” (not minutes) in a Branch SharePoint site.
   Responsibility: DG, PA Investigations; Director PIPEDA Investigations
   Deadline: September 30, 2011

3.2.3 Data related to inquiries and investigations and used for decision making may not be accurate or complete

Inquiries and investigations are difficult to classify given current OPC taxonomy, inquiries may not always be well documented or consistently documented in Ci2, and a quality assurance program has not been implemented for inquiries and investigations.

Inquiries and investigations are not always well documented or consistently documented in Ci2. A quality assurance program was developed, but was not implemented, for I&I related to the quality of the information for inquiries and investigations, and subsequently used for management reporting. Furthermore, the taxonomy used to classify inquiries and investigations is very granular, especially in relation to PIPEDA, and not useful for classification and subsequent reporting purposes.

In addition, OPC has moved towards a ‘paperless office’ and the official case file is now the electronic file within Ci2. It is the responsibility of investigators to scan any hardcopy documents they obtain during an investigation into the system, and then destroy the hardcopy. Accountability for records and processes now relate to the electronic information, although investigators still receive and handle many hardcopy documents, and many continue to have hardcopy ‘shadow’ or ‘unofficial’ files, given the difficulty in using Ci2, the large size of the files, and/or the comfort level of the investigator in the use of electronic files. There is concern that not all documents are being included in the official electronic file.

The tracking and classification of complaints settled in early resolution is not transparent, and complaints that are resolved via early resolution processes most often remain classified as inquiries.

Impact and Risk Level

Inconsistent documentation of inquiries and investigations diminishes data integrity and the value of Ci2 management reports. The current taxonomy makes it difficult to mine the data within Ci2 to identify trends and commonalities. Complaints resolved via early resolution processes being classified as inquiries does not accurately reflect the activities of the Branch, making it difficult to accurately assess workload or resource requirements.

Based on interviews, there is concern that given current IM processes within the I&I Branch, there is the potential for the official electronic file to not include all the records related to an investigation.

Recommendation #4

Implement a new taxonomy for inquiries and investigations to facilitate the searching and reporting of related information, and ensure it can support the generation of useful information to management for decision making.

Management Response and Action Plan

Note: The need to understand classification and better classify Inquiries is addressed under the Management Action Plan for the Responding to Inquiries Internal Audit.

Note: With respect to the taxonomy for inquiries, see Recommendation 2 of this report and Recommendation 3 of the Internal Audit of Responding to Inquiries, in relation to the review of the taxonomy for the purpose of recording and reporting on inquiries.

1. Together PA & PIPEDA are finalizing a taxonomy project for Ci2 and will work with CSB and IMIT to implement so that the information about investigations can be captured, reported and used for management decision making.
   Responsibility: Investigations Branch Heads
   Deadline: September 30, 2011

2. Together PA & PIPEDA are currently undertaking a project to review closed investigations to add additional information (more complete summary, taxonomy, etc.) to significant cases enabling individuals to retrieve better data.
   Responsibility: Investigations Branch Heads
   Deadline: July 30, 2011

Recommendation #5

Provide training on the use of Ci2, and on the use of hardcopy files to ensure the official file captures all information related to that case.

Management Response and Action Plan

Training

Note: Regular ongoing formal and ad hoc training is provided to the users of Ci2. The issue respecting training is more related to keeping users current with the many changes made to the system since implementation in Oct 2009 (currently 140).

1. Develop a training framework, to ensure all staff are trained on their program needs and the Case Management System.
   Responsibility: DG Corporate Services
   Deadline: September 30, 2011

2. Deliver regular refresher training for all users of Ci2.
   Responsibility: DG, Corporate Services
   Deadline: September 30, 2011

Electronic Records

Note: Ci2 users understand and support the principle that the electronic record is the official record for OPC. Challenges arise when working on voluminous files of several thousand pages and when conducting file reviews with stakeholders. The electronic environment does not support user requirements.

3. Fully understand the issues around difficulty of exclusively using electronic records.
   Responsibility: DG Corporate Services
   Deadline: September 30, 2011

4. Develop strategies and solutions to deal with the issues identified.
   Responsibility: DG Corporate Services
   Deadline: September 30, 2011

5. Deliver training on the solutions.
   Responsibility: DG Corporate Services
   Deadline: September 30, 2011

Recommendation #6

Implement a quality assurance program to improve the integrity of I&I Branch information in Ci2.

Management Response and Action Plan Responsibility / Deadlines
1. Define and implement a Senior Management Committee (SMC) approved quality assurance program for Investigation that will ensure service standards are upheld and investigations are conducted appropriately. 1. Branch Heads of Investigations

December 31, 2011
2. With respect to the Inquiries function, see Recommendation 8 of the Internal Audit of Responding to Inquiries. 2. Director Communications

September 30, 2011

Recommendation #7

Complaints that are resolved via early resolution processes should be differentiated from inquiries within Ci2 to allow for accurate reporting related to the early resolution process.

Management Response and Action Plan Responsibility / Deadlines
Comment:

See the Management Action Plan in the Responding to Inquiries Internal Audit report. The functions of inquiries and pre-complaint registration will be de-coupled.
 

3.2.4 Ci2 system functionality does not support effective management decision making

The current use, functionality and reporting capability of the case management system utilized by the I&I Branch (i.e., Ci2) does not sufficiently meet the information sharing and reporting requirements of the I&I Branch and the OPC.

Although user and functional requirements were defined prior to the development and implementation of Ci2 in September 2009, for those requirements related to information sharing and reporting, some requirements were not developed, some were developed within Ci2 but not utilized, while others were not well defined. For instance, requirements related to ‘information sharing and collaboration’ included the ability for the system to allow individuals or groups to work together effectively by providing intuitive, flexible and secure mechanisms for sharing information, as well as the ability for users to set up and receive customized notifications and alerts on a variety of conditions. Current Ci2 functionality does not allow the easy sharing of individual case-level or summary level information between staff within the I&I Branch and other OPC branches, and the functionality that is available within Ci2 has not been utilized. With the exception of automated incident notification, there are no automated feeds of information from Ci2 to other Branches (or from other branches to Ci2) related to trends or other information of interest, and no ability to provide context on trends or to provide analysis within the system.

Requirements related to reporting included both pre-built and ad hoc reports (through the system’s ‘advanced search’ functionality). Although pre-built and ad hoc reporting functionality is available in the system, given the lack of useful pre-built reports, the majority of reporting is done through the ‘advanced search’ functionality, and given the complexity and time required for this functionality, management relies on the I&I Planning and Performance Unit (PPU) to generate these reports. I&I PPU have identified over 50 common requests for reporting that they currently conduct on behalf of management through the ‘advanced search’ functionality.

A reporting ‘data cube’ was initially created at the time of Ci2 implementation, but is not currently in use, as it has been described as highly ‘technical’, with complex requirements to generate reports, and not easy to use.

The need for improvements to Ci2 was recognized by management, and five separate committees were created to address functionality deficiencies in the system. These committees have been inactive since they were originally set up, as the position overseeing the committees was vacant (i.e., I&I Manager of Planning & Performance). Now that the position has been filled, it is expected the committees will be re-activated in the New Year (January 2011). During the several months that the position was vacant, requested changes to Ci2 as documented in the Ci2 change request log have not been addressed, and new change requests are generally not being documented. Small changes may be performed that are not documented. Changes were previously reviewed, accepted, and prioritized by the I&I Manager of Planning & Performance. A total of 114 modifications have been made to Ci2 since its implementation, and there is currently a list of 39 outstanding changes to be made, with 13 of these changes classified by the PPU unit as a ‘high priority’.

Impact and Risk Level

Management is not able to generate useful reports in a timely fashion from Ci2 to support decision making in an efficient and effective manner. The lack of functionality or easily automated reporting has caused resource constraints; for example, the I&I Program Coordinator spends approximately 80% of their time preparing reports, many of these being recurring requests for similar reports and information. Ultimately, the lack of useful Ci2 reports, and the extensive requirement for manual intervention and manipulation, diminishes the ability of management to conduct effective ongoing monitoring of performance indicators and other trends, and has led to issues with the accuracy of the data. Furthermore, the lack of Ci2 functionality limits the sharing of useful information between the I&I Branch and other OPC branches and the opportunity for these other branches to proactively address inquiry and investigation trends and significant cases.

Recommendation #8

Develop functionality within Ci2 for the automation of the most useful and requested reports, such as the scorecard or other ‘dashboard views’ of the most relevant information, to allow management to conduct effective and efficient ongoing monitoring and decision making.

Management Response and Action Plan Responsibility / Deadlines
1. Develop automated scorecard based on revised scorecard (and PMF) reporting elements. 1. DG, Corporate Services

September 30, 2011
2. Implement a dashboard reporting tool, an effective suite of standard reports and an ad-hoc reporting capability to meet management needs. 2. DG, Corporate Services

September 30, 2011

Recommendation #9

Ensure a formal change management process is implemented to appropriately identify, prioritize, approve and implement changes in Ci2. All significant changes should be clearly tied to strategic objectives, user requirements and expected benefits, and the level of approval for significant changes should be commensurate with the level of effort required to implement the change, and the impact the change will have on Ci2 functionality.

Management Response and Action Plan Responsibility / Deadlines
1. Develop a governance framework for the management, support and for approving system changes to Ci2. 1. DG, Corporate Services

April 30, 2011
2. Develop a detailed system change management process. 2. DG, Corporate Services

June 30, 2011

Recommendation #10

Consider the active use of tools such as EDRMS, wikis or SharePoint for the collaboration and sharing of information between I&I Branch staff and between the I&I Branch and other OPC branches.

Management Response and Action Plan Responsibility / Deadlines
1. PA & PIPEDA Investigation Branches to define what information is required from other areas of OPC. 1. Director Communications and Investigation Branch Heads

April 30, 2011
2. Conversely OPC to define what information they require from the Investigation Units. (Available information is contained in the Ci2 case management system). 2. DG, Corporate Services

September 30, 2011
3. Review system access controls to Ci2 and legal databases to provide information while respecting privacy and client-solicitor privilege. 3. DG, Corporate Services

September 30, 2011
4. Define and implement the tools and/or system modifications required to share this information. 4. DG, Corporate Services

September 30, 2011
Note: Regular meetings of the PA and PIPEDA teams are in effect. Records of Decisions for PA meetings are posted on SharePoint. Other Branches are frequently invited/requested to attend. PIPEDA introduced some meetings beginning August 2011. These team meetings invite representatives from PA, Legal, Policy and REO to discuss relevant topics.

Publish meeting “Record of Decisions” (not minutes) in a Branch SharePoint site.
DG, PA Investigations

Director PIPEDA Investigations

September 30, 2011

Appendix A – Interviewees

The following key individuals were interviewed as part of the audit process:

  • Privacy Commissioner
  • Assistant Commissioner
  • Director, Communications
  • Director General, Corporate Services
  • Director, IM/IT, Corporate Services
  • Systems Manager, Information Technology, Corporate Services
  • Manager, IM Programs and Services, Corporate Services Branch
  • Senior Security and Technology Advisor, Research, Education and Outreach
  • Director, Financial and Administrative Services
  • General Counsel, Legal Services, Policy and Parliamentary Affairs
  • Director, Research, Education and Outreach
  • Director, Human Resources
  • Director General, Audit and Review
  • Director, PIPEDA
  • Director General, I&I Branch
  • Complaint Registrar, I&I Branch
  • Early Resolution Investigator, I&I Branch
  • Inquiries Officer, I&I Branch
  • Manager, Investigations, I&I Branch
  • Manager, Planning and Performance, I&I Branch
  • Program Coordinator, I&I Branch

Appendix B – Audit Criteria

  Criteria
1.1 Operational plans and objectives have been established for the I&I Branch, and include IM requirement considerations linked to the mandate and identified priorities of the OPC.
1.2 Roles and responsibilities related to the management and sharing of information within I&I and between Branches have been defined and communicated.
1.3 The organisational structure is appropriate and conducive to the appropriate utilization of information for management decision making.
2.1 A comprehensive policy framework has been established for IM, and is supported by appropriate tools and a training and awareness program.
2.2 Information is classified in accordance with a structured set of business rules and information technology requirements, including designated repositories to maintain information to ensure its long term availability, understandability and usability.
2.3 Effective use and dissemination of information yields timely, accurate and available information that is accessible by management, when they need it, and in a form that they can use.
3.1 Performance standards are defined and there is an overall quality assurance and continuous improvement process related to IM.