Management Practice Review of Information Sharing and Tracking Practices (Executive Secretariat)

Prepared by Deloitte & Touche LLP and affiliated entities
for the Office of the Privacy Commissioner of Canada

April 2013

---

Executive Summary

Background and Context

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As an Officer of Parliament, the OPC is committed to achieving organizational excellence, applying sound business management practices, and continually improving its performance. With respect to information sharing and tracking processes to share information with the Executive Secretariat, the OPC continuously strives to operate in an effective and efficient fashion.

At the OPC, the Executive Secretariat is responsible for coordinating the sharing and tracking of information being provided to the Commissioner and the Assistant Commissioner (the Commissioners), their decisions, and subsequent follow-up actions required.

The purpose of this project was to perform a Management Practice Review of the effectiveness and efficiency of the OPC’s information sharing and tracking processes that support the Commissioners, and to identify opportunities for improvement, taking into consideration the size of the organization.

Summary of Findings

The key findings with regards to the review are provided below.

Strengths

1. The Executive Secretariat recently made efforts to clarify its information sharing and tracking processes by sending instructions and guidelines by e-mail to the OPC management team.
2. All interviewees indicated that they are committed to implementing the new processes being proposed.
3. The OPC is currently implementing new internal systems for information sharing and tracking (i.e. Correspondence Tracking System (CTS) and Officium) that are based on a common IT structure supporting other internal systems such as Ci2 (for investigations) and SharePoint (for sharing of internal documents).

Opportunities for Improvement

1. We recommend that training be provided to all OPC staff involved in the processes pertaining to briefing notes, meeting requests, event invitations, correspondence, and speeches.
2. We recommend that the OPC consider the implementation of process workflows in the Correspondence Tracking System (CTS) to ensure that the system enforces the mandatory reviews, recommendations, and approvals required within each process.
3. We recommend that all new paper docket folders be modified to provide a more complete history of the review/approval process followed.
4. We recommend that templates supporting the information sharing mechanisms for the Executive Secretariat (i.e. briefing notes, meeting requests, event invitations, correspondence, and speeches) be updated to properly reflect information required for tracking purposes (e.g. document date; prepared by; prepared for; based on consultations with; reviewed by; approved by; etc.).
5. We recommend progressively phasing out the utilization of paper dockets and focusing on the utilization of information systems (e.g. Officium and CTS) to share and track information. This approach will be in line with practices for investigation files (which are now completely integrated within the Ci2 system) and will reduce the need for archiving of physical paper dockets.
6. We recommend that the Executive Secretariat and the Information Management Group review the correspondence sharing and tracking process to streamline the review of incoming correspondence and the creation of dockets; and that the Executive Secretariat clarify the process to prepare and send acknowledgement messages.

Conclusion

Based on the aforementioned observations and overall scope of the review, the OPC has minor issues related to the effectiveness and efficiency of its information sharing and tracking processes that support the Commissioners. The recommendations included in this report are intended to provide opportunities for improvement, taking into consideration the size of the organization. Management responses are included at the end of each finding.

This report was prepared, and this review was conducted, for OPC management purposes. Use of this report for other purposes may not be appropriate.

Statement of Conformance

The review was conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Review Objective, Scope and Approach

1.1. Background

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

The Privacy Commissioner of Canada is an Officer of Parliament, who reports directly to the House of Commons and the Senate. The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.

The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

1. Investigating complaints, conducting audits and pursuing court action under federal laws;
2. Publicly reporting on the personal information-handling practices of public and private sector organizations;
3. Supporting, undertaking and publishing research into privacy issues; and,
4. Promoting public awareness and understanding of privacy issues.

At the OPC, the Executive Secretariat is responsible for coordinating the sharing and tracking of information being provided to the Commissioner and the Assistant Commissioners (the Commissioners), their decisions, and subsequent follow-up actions required.

1.2. Management Practice Review Area Overview

During recent years, the OPC has been involved in high profile investigations, studies, and court cases involving the privacy rights of Canadians. This has considerably increased the OPC’s credibility and visibility in Canada and abroad. With such a high profile, the OPC is increasingly being asked by Canadians to investigate cases that are more complex in nature, by media/companies/governments to provide point of views on arising issues, by external stakeholders to intervene in court cases, and by several organizations to participate in public forums.

This situation has further increased the need for thorough internal processes designed to help ensure the OPC provides its stakeholders with comprehensive, cohesive, consistent, and reliable information (e.g. point of views, legal opinions, investigation conclusions, etc.).

The Commissioners expressed concerns with regards to processes for information sharing and tracking into and within the Executive Secretariat. As identified in the planning phase, there are concerns with the effectiveness, consistency and efficiency of the internal consultation, review and approval processes in place to support the preparation of documents provided to the Commissioner and Assistant Commissioner (the Commissioners). It was noted that there are differences in processes followed by each Branch that interacts with the Executive Secretariat, which may be a key contributor to current issues identified.

Currently, the Commissioners assume that all documents they receive for information purposes or for review and approval have been properly reviewed and approved by internal subject matter experts and the Director General responsible for the Branch that prepared the document. Once ready to be sent to the Commissioners, documents are to be printed and sent to the Executive Secretariat. The Executive Secretariat is responsible for ensuring that documents are properly tracked, communicated to the Commissioners, and responses communicated back to internal stakeholders, as needed.

To help ensure documents (i.e. briefing notes, legal opinions, correspondence, invitations to events, speeches, emails) provided to the Executive Secretariat are properly recorded and tracked, they should be added to a paper docket and recorded in the Correspondence Tracking System (CTS).

As a small organization, the OPC continuously strives to improve internal processes for information sharing and tracking purposes, while balancing its capacity and needs for flexibility in dealing with urgent matters in an efficient manner.

1.3. Review Objective

The objective of this engagement was to perform a Management Practice Review of the effectiveness and efficiency of the OPC’s information sharing and tracking processes that support the Commissioners, and to identify opportunities for improvement, taking into consideration the size of the organization.

1.4. Review Scope

The scope of the engagement focused on the information sharing and information tracking into and within the Executive Secretariat. They included processes pertaining to:

• Briefing notes;
• Correspondence;
• Invitations to events;
• Meeting Requests;
• E-mails; and,
• Speeches.

The Criteria used for the review can be found in Appendix B.

1.5. Review Approach

The original objective of this management practice review was to review the OPC’s information sharing and tracking practices at the Executive Secretariat level to identify issues with current process and propose recommendations, based on best practices. At the same time, current processes were going to be documented.

As part of the planning phase of the management practice review, it was noted that the Executive Secretariat clarified some of its key information sharing and tracking processes in October 2012. As such, all interviewees indicated that they intended on complying with these updated processes and that they would most likely address the organization’s challenges with regards to information sharing and tracking at the Executive Secretariat level, as well as the risks identified in the planning phase.

Consequently, interviewees, Executive Secretariat staff, the Director General, Corporate Services Branch, and the Director Business Planning and Management Practices agreed to modify this engagement’s focus to increase its added value, and to better reflect the organization’s recent efforts to improve its processes. As such, this management practice review focused on the documentation of recently updated process workflows (i.e. narratives, flowcharts, and a matrix of authorities), and on assessing if risks identified as part of the planning process were being addressed by this updated information sharing and tracking process at the Executive Secretariat level.

To document this updated process, the review team:

• Performed a review of available documentation (e.g. internal emails, guidelines, processes, organizational chart, etc.);
• Conducted interviews with Executive Secretariat staff and with several Directors General;
• Documented a first draft of information sharing and tracking processes (i.e. workflow, narrative, authorities matrix). The processes documented include:
  • Briefing Notes (for invitations to events, documents provided for information only, legal opinions, etc.);
  • Meeting Requests;
  • Event invitations;
  • Correspondence; and
  • Speeches.
• Conducted follow-up and validation interviews with staff from each Branch (e.g. Administrative Assistants, Directors, Directors General, Executive Secretariat, etc.);
• Adjusted and finalized workflows, narratives, and authorities matrix;
• Determined the extent to which the new documented processes address the risks identified during the planning phase (refer to Section 2); and,
• Prepared a draft and final review report.

The review was conducted within the following timelines:

• Planning Phase : November 20, 2012 – January 25, 2013
• Examination Phase: January 28, 2013 – February 15, 2013
• Reporting Phase: February 18, 2013 – February 22, 2013
• Presentation to the OPC Audit Committee: March 4, 2013

Findings and Recommendations

2.1. Strengths Noted

The following strengths were noted with regards to the information sharing and tracking practices for information provided to the Executive Secretariat:

1. The Executive Secretariat recently made efforts to clarify its information sharing and tracking processes by sending instructions and guidelines by e-mail to the OPC management team.
2. All interviewees indicated that they are committed to implementing the new processes being proposed.
3. The OPC is currently implementing new internal systems for information sharing and tracking (i.e. Correspondence Tracking System (CTS) and Officium) that are based on a common IT structure supporting other internal systems such as Ci2 (for investigations) and SharePoint (for sharing of internal documents).

2.2. Review Findings and Recommendations

This section highlights risks that have been either raised by interviewees (refer to Appendix A for the list of interviewees) in relation to the scope of this engagement, or identified through the review of documentation provided during the planning phase of the review.

After reviewing the provided documents and conducting follow-up interviews (with individuals identified in Appendix A), we were able to document the OPC’s information sharing and tracking processes with regards to briefing notes, correspondence, invitations to events, meeting requests, e-mails, and speeches. As documented below, the OPC’s updated information sharing and tracking processes address most of the risks identified during the planning phase. Recommendations are provided for risks that are not addressed completely by the documented process flowcharts. A summary of recommendations is provided after this table.

Finding #1: Unclear delegation of authorities between the Commissioners

Identified Risk: There is a risk that requests for approvals / decisions, or briefing notes provided for information purposes, are not sent to the appropriate person (i.e. Commissioner or Assistant Commissioner) based on delegated authorities.

Review Observation: The process flowchart for briefing notes and other requests clearly identifies individuals responsible for approvals and decisions, based on delegated authorities. The flowchart also indicates how briefing notes should be shared within the organization and if they should be sent to the Commissioner or the Assistant Commissioner.

Review Conclusion: The process flowchart for briefing notes and other requests addresses this risk by clearly identifying delegated authorities and information sharing mechanisms and processes.

Recommendation #1: We recommend that a training session be provided to all OPC staff involved in the processes pertaining to briefing notes, meeting requests, event invitations, correspondence, and speeches.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation. Function specific training sessions to be scheduled for all staff involved in the process. (i.e. Training for: Administrative Assistants, Branch Heads, Analysts)	Executive Secretariat, March 31, 2014

Finding #2: Lack of internal consultation and lack of adequate review / approval of documents sent to the Commissioners

Identified Risk: As dockets are not always filled out adequately, there is a risk that documents sent to the Commissioners for review, approval, or information purposes are not supported by sufficient internal consultation and/or are not reviewed and approved by the appropriate individuals before being sent to the Executive Secretariat.

Review Observation: The process flowcharts (i.e. briefing notes, meeting requests, event invitations, correspondence, and speeches) clearly identify where and when consultation and review/approval are necessary. In addition, the approval matrix also defines specific review, approval, and recommendation authorities.

Review Conclusion: The process flowcharts and the matrix or authorities addresses this risk by clearly identifying delegated authorities and information sharing mechanisms and processes.

Recommendations #1 to 4:

1. We recommend that a training session be provided to all OPC staff involved in the processes pertaining to briefing notes, meeting requests, event invitations, correspondence, and speeches.
2. We recommend that the OPC consider the implementation of process workflows in CTS to ensure that the system enforces the mandatory reviews, recommendations, and approvals required within each process.
3. We recommend that all new paper docket folders be modified to provide a more complete history of the review/approval process followed.
4. We recommend that templates supporting the information sharing mechanisms for the Executive Secretariat (i.e. briefing notes, meeting requests, event invitations, correspondence, and speeches) be updated to properly reflect information required for tracking purposes (e.g. document date; prepared by; prepared for; based on consultations with; reviewed by; approved by; etc.).

Management Response and Action Plan

Responsibility / Deadlines

We agree with the recommendations. Function specific training sessions to be scheduled for all staff involved in the process. Process workflows will be set up appropriately in CTS to ensure mandatory reviews. A new front page will be added to the existing dockets to identify clearer directions. New dockets will be printed with the appropriate directions. Existing templates will be updated and supplemented with new templates as needed. Procedures currently posted on SharePoint will also be updated.

Executive Secretariat, March 31, 2014 Executive Secretariat in collaboration with Corporate Services Branch, March 31, 2014 Executive Secretariat, completed as of February 20th, 2013 Executive Secretariat, March 31, 2014

Finding #3: Lack of training and documented procedures

Identified Risk: There is a risk that the OPC’s staff members are not provided with sufficient training or formally documented guidelines/procedures with regards to the review and approval process for documents being sent to the Commissioners, which may have a negative impact on the effectiveness, consistency and efficiency of information sharing and tracking practices at the Executive Secretariat level.

Review Observation: The process flowcharts (i.e. briefing notes, meeting requests, event invitations, correspondence, and speeches) clearly define information sharing and tracking processes for all types of documents provided to the Commissioners for information or approval.

Review Conclusion: The process flowcharts will address the risk of not having documented procedures as it formally documents guidelines/procedures with regards to the review and approval process for documents being sent to the Commissioners. On their own, these flowcharts will not address the lack of training.

Recommendation #1: We recommend that a training session be provided to all OPC staff involved in the processes pertaining to briefing notes, meeting requests, event invitations, correspondence, and speeches.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation. Function specific training sessions to be scheduled for all staff involved in the process.	Executive Secretariat, March 31, 2014

Finding #4: Inefficient use of information technologies

Identified Risk: There is a risk that information technologies implemented to support information sharing and tracking process are not used efficiently and effectively. Staff members do not always understand the means to use (e.g. email, paper dockets) to get feedback from, or providing information to, the Commissioners.

Review Observation: The process flowcharts (i.e. briefing notes, meeting requests, event invitations, correspondence, and speeches) clearly indicate how information technologies should be used throughout the information sharing and tracking process. The documented process indicates that all pertinent information is to be recorded in systems such as Officium (RDIMS) and the Correspondence Tracking System (CTS – CRM Dynamics).

Review Conclusion: The process flowcharts for information sharing and tracking processes partly address this risk by clearly identifying how information technologies should be used.

Recommendations #1 and #5:

1. We recommend that a training session be provided to all OPC staff involved in the processes pertaining to briefing notes, meeting requests, event invitations, correspondence, and speeches.

5. We recommend progressively phasing out the utilization of paper dockets and focusing on the utilization of information systems (e.g. Officium and CTS) to share and track information. This approach will be in line with practices for investigation files (which are now completely integrated within the Ci2 system) and will reduce the need for archiving of physical paper dockets.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendations. 1. Function specific training sessions to be scheduled for all staff involved in the process. 5. Subject to successful implementation of Officium and CTS throughout the OPC, identify possible pilot project for one type of docket. Then the eventual phasing out of other dockets.	1. Executive Secretariat, March 31, 2014 5. Executive Secretariat in collaboration with Corporate Services Branch, 2013-14 and ongoing

Finding #5: Inefficient assignment of responsibilities

Identified Risk: There is a risk that efforts are being duplicated between the Records and Mail Clerk and the Correspondence Officer with regards to correspondence. In the correspondence process, it was noted that the Records and Mail Clerk saves all the received correspondence in Officium and creates a new record in CTS (except for correspondence pertaining to investigations that is scanned and recorded in Ci2). The Correspondence Officer then has to review the correspondence to determine if it is new correspondence of if it pertains to an ongoing file, in which case, the Correspondence Officer has to close the new CTS record and reassign it to the previous record, and transfer the paper documents to the appropriate docket that already exists. Consequently, each request is reviewed twice and many of them have to be closed and transferred to already existing dockets / CTS records.

It was also noted that the Correspondence Officer is responsible to send an acknowledgement message when receiving correspondence. This acknowledgement is typically sent without consultation with other Branches.

Review Observation: The process flowchart for correspondence does not address this risk directly.

Review Conclusion: The current process for correspondence creates a situation where the time of the Records and Mail Clerk and/or the Correspondence Officer is not being used efficiently. It also creates a situation where the Correspondence Officer might be sending acknowledgement messages that are not properly tailored to the recipient or the subject matter.

Recommendation #6: We recommend that the Executive Secretariat and the Information Management Group review the correspondence sharing and tracking process to streamline the review of incoming correspondence and the creation of dockets; and that the Executive Secretariat clarify the process to prepare and send acknowledgement messages.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation. 6. The Manager of the Executive Secretariat and the Manager of IM will work together to further streamline the review of incoming correspondence and the creation of dockets. The Manager of the Executive Secretariat will work internally to review existing procedures for preparing and sending out acknowledgement messages.	6. Executive Secretariat in collaboration with Corporate Services Branch, March 31, 2014 Executive Secretariat, March 31, 2014

As some of the recommendations address several risks identified above, here is a summary of recommendations:

Summary of Recommendations		Findings / Risks Addressed
		1	2	3	4	5
1	We recommend that a training session be provided to all OPC staff involved in the processes pertaining to briefing notes, meeting requests, event invitations, correspondence, and speeches.
2	We recommend that the OPC consider the implementation of process workflows in CTS to ensure that the system enforces the mandatory reviews, recommendations, and approvals required within each process.
3	We recommend that all new paper docket folders be modified to provide a more complete history of the review/approval process followed.
4	We recommend that templates supporting the information sharing mechanisms for the Executive Secretariat (i.e. briefing notes, meeting requests, event invitations, correspondence, and speeches) be updated to properly reflect information required for tracking purposes (e.g. document date; prepared by; prepared for; based on consultations with; reviewed by; approved by; etc.).
5	We recommend progressively phasing out the utilization of paper dockets and focusing on the utilization of information systems (e.g. Officium and CTS) to share and track information. This approach will be in line with practices for investigation files (which are now completely integrated within the Ci2 system) and will reduce the need for archiving of physical paper dockets.
6	We recommend that the Executive Secretariat and the Information Management Group review the correspondence sharing and tracking process to streamline the review of incoming correspondence and the creation of dockets; and that the Executive Secretariat clarify the process to prepare and send acknowledgement messages.

Appendix A - Interviewees

The following key individuals were interviewed as part of the review process:

• Paul Beauchamp – Director, Information Management and Information Technology
• Chantal Bernier – Assistant Privacy Commissioner
• Rachel Desjardins – Manager, Executive Secretariat
• Anne-Marie Hayden – Director General, Communication Branch
• Brent Homan – Director General, PIPEDA, Privacy Investigations Branch
• Patricia Kosseim – Senior General Counsel and Director General, Legal Services, Policy and Research Branch
• Sue Lajoie – Director General, Privacy Act, Privacy Investigations Branch
• Daniel Nadeau – Director General, Corporate Services Branch
• Sophie Paluck-Bastien – Special Advisor, Executive Secretariat
• Chantale Roussel – Director, Business Planning and Management Practices

Appendix B - Review Criteria

The following criteria were used for this review:

Review Criteria
Review and Approval Approval requirements between the Commissioner and the Assistant Commissioner are properly understood based on official delegation of authority. The review and approval requirements within Branches for documents sent to the Executive Secretariat are documented and properly understood. The process to document consultations between Branches is properly understood.
Processes and Procedures Processes and procedures for submitting documents to the Commissioners are appropriately documented. Employees are provided with the necessary tools (e.g. flowcharts, templates, dockets, etc.) and training to understand processes and procedures for submitting documents to the Commissioners.
Information Technology Information technology is leveraged to streamline the information sharing and tracking process when communicating with the Executive Secretariat (e.g. IT process workflows, electronic files/dockets, etc.).