Employment and Social Development Canada’s Old Age Security Program

Section 37 of the Privacy Act

September 2016


Main Points

What we examined

Employment and Social Development Canada (ESDC) is responsible for delivering more than 70 social programs, including the Old Age Security (OAS) program. Administering this program requires the collection, use and disclosure of senior citizens’ personal information. We examined how ESDC manages and protects this information and also reviewed how Shared Services Canada (SSC) safeguards OAS information stored on its information technology (IT) infrastructure.

Our audit examination was conducted from February 18, 2015 to March 31, 2016. During the audit we examined the personal information management practices of ESDC for the OAS program, including agreements with partners, risk assessments, audit reports, corporate and security plans, breach files and retention and disposal schedules. We also examined IT security including the management of identity and access monitoring. Finally, we interviewed numerous officials at the Department’s headquarters and in its four regions – Atlantic, Quebec, Ontario and; Western and Territories. The audit did not include an examination of OAS client files.

Why this issue is important

There are approximately 5.6 million OAS clients. This clientele is comprised of senior citizens, which is considered to be a group vulnerable to identity theft and fraud. In 2015, nearly six million Canadians were aged 65 or older, representing over 16 percent of Canada’s population. This population is expected to increase to over 9.5 million and make up 23 percent of Canadians by 2030.

To receive OAS benefits, applicants must provide ESDC with sensitive personal information, including their social insurance number, financial information, and other data. Given the large number of clients and the sensitivity of the information, any incident involving the unauthorized disclosure of this information could have a significant impact on the persons affected. OAS clients therefore expect ESDC and its officials to ensure that all necessary steps are taken to protect their personal information from inappropriate access, use or disclosure.

What we found

ESDC has many elements of an effective privacy management regime. Privacy was identified and recognized as one of its major corporate risks and privacy protection is a key management priority.

The Department has taken significant steps in the last few years to reinforce the protection of client information, including combining pre-existing privacy codes governing the protection, use and disclosure of personal information within the Employment and Social Development Act to improve accountability for the protection of personal information; establishing a new Policy on Privacy Management; strengthening privacy training for employees; developing privacy action plans for each major program including one for OAS; preparing annual work plans integrating privacy and security; and improving the role of its senior level Privacy and Information Security Committee to oversee key privacy commitments.

In addition, ESDC’s internal audit group has done extensive work related to security and privacy in support of ESDC’s privacy management. However, gaps and weaknesses identified in this audit report may hinder ESDC’s ability to ensure that OAS client information is secure from internal and external threats. Most notably,

  • While ESDC and SSC share IT responsibilities relating to OAS client information, there is no agreement that defines their respective IT roles and responsibilities or that includes privacy or security clauses;
  • The IT systems supporting the OAS program have not been certified and accredited, as required;
  • Employee access rights to OAS systems are not always removed on a timely or consistent basis and their rights are not limited to the minimum required to perform their duties;
  • Audit trails on employee access to, and use of, OAS systems are available but they are not proactively reviewed;
  • To date, ESDC has not disposed of any electronic files and there is a backlog of paper files waiting to be destroyed;
  • Key privacy and security clauses were lacking in some provincial and federal information sharing agreements; and
  • The assessment of physical security risks needs strengthening.

We made recommendations to ESDC aimed at addressing each of the above gaps. ESDC has responded to our audit findings and its management responses follow each report recommendation.

While the focus of this audit was on ESDC’s personal information management practices, during the audit, we also reviewed the gaps identified that relate to SSC.

Introduction

About Employment and Social Development Canada

  1. Employment and Social Development Canada (ESDC) is the department of the Government of Canada responsible for developing, managing and delivering social programs and services. The Old Age Security program is the Government of Canada’s largest pension program and is funded out of the general revenues of the Government of Canada.
  2. ESDC is one of the largest and most regionally present departments in the Government of Canada, with over 65 percent of its more than 20,000 employees working in the regions. The Service Canada network is comprised of more than 500 locations and is the primary means that ESDC uses to deliver its programs directly to Canadians.
  3. To respond to increasing workload demands, the need for cost efficiencies and the requirement to renew aging IT infrastructure, ESDC has initiated a project to migrate its OAS Legacy system to a newer IT platform. At the same time, significant Shared Service Canada (SSC) initiatives related to the migration of a new e-mail system, the consolidation of data centres and the transformation of telecommunications are underway.
  4. ESDC is subject to the Privacy Act and associated Treasury Board of Canada Secretariat (TBS) policies and directives for the management and protection of Canadians’ personal information. In addition, Part 4 of the Department’s enabling legislation, the Department of Employment and Social Development Act, establishes rules that apply to the protection, use and disclosure of personal information under its control.
  5. Additional information about ESDC is available online.

The Old Age Security Program

  1. The Old Age Security (OAS) program is the largest ESDC program in terms of budget and number of clients, and it is also the federal government’s largest program. It represents nearly 40 percent of ESDC’s program expenditures for 2016-2017 and in 2013-2014 managed more than 7.1 million OAS benefits.
  2. OAS was introduced in 1952 and is the first pillar of Canada’s retirement income system. Today, theOAS program has three components that together provide a guaranteed annual income for most of Canada’s seniors that contribute towards reducing the incidence of low income for these individuals:
    • The Old Age Security basic pension provides a monthly payment to all Canadians aged 65 or older who meet the age, residence and legal status requirements;
    • The Guaranteed Income Supplement (GIS) is an additional benefit to low-income seniors living in Canada; and
    • Allowance payments provide benefits to low-income individuals aged 60 to 64 who are the spouses or common-law partners of GIS recipients, or who are widows or widowers.
  3. In April 2013, ESDC introduced an automatic enrolment process for new OAS applicants. By March 2015, approximately 44 percent of new OAS clients did not have to apply using traditional paper forms to receive benefits.
  4. Additional information about the OAS program is available online.

Shared Services Canada’s link to the OAS Program

  1. Shared Services Canada (SSC) was created on August 4, 2011 to manage the information technology (IT) infrastructure of 42 Government of Canada partner organizations, including ESDC. SSC’s general mandate is to provide services related to email, data centres and networks to support delivery of government programs and services.
  2. Both ESDC and SSC have IT related responsibilities for OAS client information. Pursuant to the Shared Services Canada Act (SSCA), SSC is responsible for providing the IT infrastructure used by ESDC. ESDC is responsible for managing the personal information which it collects in support of the OAS program. The SSCA provides that personal information that is collected by other government institutions and that is contained in or carried on SSC’s IT systems on behalf of such institutions, is not under the control of SSC for the purposes of the Privacy Act. Therefore, as ESDC clients’ personal information remains under its control, accountability for the protection of personal information rests with ESDC.

Focus of the Audit

  1. The audit focused on the protection of personal information used, disclosed and retained by ESDC to administer the OAS program. The audit included a review of SSC’s role in safeguarding OAS information residing on its IT infrastructure.
  2. The audit objective was to assess whether ESDC has appropriate controls for the OAS program - including policies, practices and procedures - to comply with its obligations under the Privacy Act to ensure appropriate use, disclosure and retention of personal information.
  3. Given SSC’s role in providing the IT infrastructure used by ESDC for the OAS program, we also reviewed SSC’s IT safeguards including its policies, practices and procedures.
  4. The audit did not include an examination of client inquiries, appeals or files. The audit also excluded web-based applications and information services for clients.
  5. Information on the audit objective, criteria, scope and approach can be found in the About the Audit section of this report.

Observations and Recommendations

  1. Our audit observations and recommendations are organized into six categories:
    • Roles and responsibilities of ESDC and SSC for the protection of client information;
    • IT security;
    • Identity and access management and monitoring;
    • Retention and disposal of personal information;
    • Information sharing agreements; and
    • Physical security.

Roles and responsibilities of ESDC and SSC for the protection of OAS client information are not defined

  1. Subsection 29.2(2) of the Financial Administration Act requires that when a department provides internal support services to another department, they must enter into a written agreement. Such an agreement can support clear governance and accountability by defining respective roles, responsibilities and mechanisms to meet legal requirements, regulations, policies, standards and public expectations.
  2. Additionally, agreements should include clauses for the protection of personal information as set out in the Privacy Act and relevant Treasury Board of Canada Secretariat (TBS) policies, such as the TBS Guideline on Service Agreements: Essential Elements. This TBS guideline provides guidance regarding service agreements, including those between two federal government departments. While agreements can vary depending on the nature of the relationship between the parties involved, this guideline recommends a list of essential elements that can be included in agreements, such as scope, governance and privacy and security, among others.
  3. Employment and Social Development Canada’s (ESDC’s) Policy on Privacy Management requires that when the Department enters into agreements with any governmental or non-governmental entity, such agreements must include appropriate privacy and security safeguards.
  4. Based on the above requirements, and considering the shared IT responsibilities between ESDC and SSC, we expected that the roles and responsibilities of ESDC and SSC for the protection of personal information for the OAS program to be clearly defined in an agreement. We reviewed a Memorandum of Understanding (MOU), a business arrangement, an operating protocol, interdepartmental committee minutes and conducted interviews with selected ESDC and SSC staff in this regard.
  5. We found that while a written business arrangement exists between ESDC and SSC to describe, in general terms, their ongoing business relationship, this document does not specify the roles and responsibilities of each department for the protection of OAS client information. It also does not include privacy or security clauses, such as the requirements for privacy and security risk assessments, management of access rights and monitoring, control and custody of personal information, nor how to deal with privacy breaches.
  6. We reviewed ESDC’s IT Security Program Action Plan 2014-2015 and noted that the Department is aware of the need for an agreement with SSC to provide more clarity concerning their respective roles. While attempts have been made to put in place such an agreement, none currently exists.
  7. Absent an agreement between ESDC and SSC that contains privacy and security clauses, roles and responsibilities for the protection of OAS information remain undefined, which could result in this information being inappropriately accessed, used or disclosed.
  8. Recommendation: In accordance with the Financial Administration Act and the TBS Guideline on Service Agreements: Essential Elements, ESDC should work with SSC to put in place an agreement where IT security roles and responsibilities and relevant privacy and security clauses for the protection of OAS client information are clearly defined.

    ESDC’s response: ESDC agrees that the establishment and ever greening of formal agreements with SSC with respect to roles, responsibilities, and expectations for both parties with respect to the safeguarding of personal information is important. As outlined by the OPC, a written business relationship already exists with SSC as well as an established interdepartmental committee to manage this relationship.

    ESDC agrees that it needs to continue to leverage its existing business relationship to clearly define IT security roles and responsibilities and relevant privacy and security clauses for the protection of OAS client information. The Department will engage with SSC to address this recommendation by March 2017.

Privacy and IT security risks have not been fully assessed

  1. Information Technology Security (ITS) includes technical, physical and administrative safeguards that organizations use to protect its electronic information holdings. Sound ITS practices are an essential component for meeting the requirements of the Privacy Act to protect Canadians’ personal information.
  2. The TBS Operational Security Standard: Management of Information Technology Security (MITS) defines baseline security requirements that federal departments must fulfill to ensure the security of information and information technology (IT) under their control. This includes ensuring that IT systems and infrastructure are certified and accredited through a Security Assessment & Authorization (SA&A) process before approving them for operation. SA&A is used to assess and mitigate risks to an acceptable level. The process includes conducting Threat and Risk Assessments (TRAs) to determine security requirements, Statements of Sensitivity (SOS) to assess the sensitivity of information or assets and Privacy Impact Assessments (PIAs) to assess and mitigate potential privacy risks, among other activities.
  3. Since the creation of SSC in 2011, the IT infrastructure on which OAS client information resides is managed by SSC; however ESDC continues to be responsible for managing the OAS systems used to administer the OAS program. The personal information collected by ESDC for the OAS program is primarily stored in two IT systems: the OAS Legacy system and the Information Technology Renewal Delivery System (ITRDS). These systems contain social insurance numbers, biographical information, and financial information, among other sensitive personal information. We expected to find that ESDC and SSC have appropriate IT safeguards for OAS-related systems and the infrastructure.
  4. We reviewed ESDC’s and SSC’s IT policies and procedures and IT-related risk assessments and their associated action plans for addressing identified risks. We also interviewed selected IT security personnel concerning SA&A activities and the limits and vulnerabilities of aging IT systems.
  5. We found that the OAS Legacy system has not been certified and accredited as required. ESDC has identified this system as an aging IT system and plans to replace it with ITRDS in 2019 as part of its OAS Service Improvement Strategy (OAS SIS). Until then, the OAS Legacy system will continue to be used. We have been informed by ESDC that the required security assessments were performed when this system was implemented over fifty years ago, with the most recent TRA completed in 2002; however TRA, PIA, SOS and other risk assessments have not been recently completed on the entire OAS Legacy system.
  6. We expected ESDC to include an assessment of privacy and security risks in its plans to replace the aging OAS Legacy system by identifying the specific SA&A activities to be undertaken before the implementation of the replacement system. Not doing so could lead to costly system redesigns or a situation where needed improvements cannot be implemented later.
  7. We found that a PIA of ITRDS for the OAS program has not been conducted and, according to the OAS SIS project charter, is not scheduled to be conducted until the final phase of the project. With respect to the conduct of TRAs, the project charter indicated that TRAs would be undertaken at each design phase of the project, but no TRAs have been completed so far even though ITRDS is being used.
  8. The OAS Legacy and ITRDS systems have not been certified or accredited, as required by ESDC. The IT infrastructure where the OAS-related systems reside has never been certified or accredited. Therefore the IT infrastructure has never been formally approved for operation. As a result, potential privacy and IT security risks have not been fully assessed and mitigated. These gaps were also identified by ESDC in 2012.
  9. Lacking an assessment of risks via the SA&A process, there may be privacy and security risks to the personal information of OAS clients that have not been identified and mitigated.

The purpose of certification is to verify that the security requirements established for a particular system or service are met and that the controls and safeguards work as intended. The purpose of accreditation is to signify that management has authorized the system or service to operate and has accepted the residual risk.

Departments must have their systems or services certified and accredited before approving them for operation.

Treasury Board of Canada Secretariat:
Operational Security Standard: Management of Information Technology Security (MITS)

  1. Recommendations:

    As required by the TBS Operational Security Standard: Management of Information Technology Security (MITS), ESDC should certify and accredit its OAS Legacy and ITRDS systems through the Security Assessment and Authorization process.

    ESDC should work with SSC to ensure the infrastructure on which the OAS Legacy and ITRDS systems reside is also certified and accredited via the Security Assessment and Authorization process, as required.

    ESDC’s response: ESDC agrees that the OAS Legacy and ITRDS systems should be properly certified and accredited through the Security Assessment and Authorization (SA&A) process and will re-engage SSC by September 2016 to request that the infrastructure on which these systems reside is also certified and accredited. ESDC plans to complete a full SA&A for ITRDS by July 2016, for OAS Auto Enrollment Category 2 by November 2016, and for the entire OAS legacy solution by March 2017.

Identity and access management and monitoring requires strengthening

  1. Identity and Access Management (IAM) processes manage "who has access to what" in electronic information systems. IAM processes are used to initiate, record, and manage user identities and related access permissions to a department’s electronic information. Monitoring employees’ activity on IT systems provides a means of determining whether data is only being accessed and used by staff that has a legitimate need to know. Weaknesses in IAM and monitoring can lead to unauthorized access to and disclosure of sensitive personal information.
  2. We expected ESDC to have appropriate access and monitoring controls to manage employee access to OAS client information. The TBS Directive on Privacy Practices requires that federal government institutions identify which job functions have a valid reason to access personal information and that employee access is limited and monitored through appropriate administrative, technical and physical controls. We reviewed ESDC’s access management and monitoring policies and procedures and audits related to IAM. We also interviewed selected managers and IT security personnel at headquarters and in the regions concerning those policies and procedures.

Identity and access management

  1. ESDC has a process for modifying and deleting access rights of employees within the OAS Legacy and ITRDS systems. Since 2013, the Department has also implemented a quarterly review process to ensure access rights in both systems are accurate and up-to-date. The Department also sends reminders to staff about their responsibilities for managing access rights on a quarterly basis. We found that even though there are controls to manage and review access rights, when an employee leaves the Department or changes job functions internally, access rights are not modified or deleted according to ESDC’s internal process and therefore they are not updated consistently and on a timely basis as required.
  2. We also found that user profiles in the OAS Legacy system are not directly tied to job functions and as such, are difficult to assign to the right users. Some regions have created reference documents to assist staff in determining which user profile to assign to staff within the OAS Legacy system. These reference documents vary from one region to the next and were not approved by headquarters. This results in some employees being granted broader access than others when performing the same tasks.

Monitoring of employee access

  1. Both the OAS Legacy and ITRDS systems produce audit trails to record users’ activities in these systems; however what is recorded varies. If a user views client information in the OAS Legacy system, but does not update it, no audit trail will be produced. For ITRDS, audit trails are produced when a user either updates or views information in the system. ESDC is aware of audit trail limitations for the OAS Legacy system.
  2. While audit trails can be produced for both systems, they are not proactively reviewed to ensure the timely identification of inappropriate or unauthorized access to OAS client information, unless there is an investigation involving potential inappropriate access to the systems. Monitoring is particularly important when employees have broad access to personal information.
  3. Recommendations:

    ESDC should modify and delete access rights within the OAS Legacy and ITRDS systems in accordance with its internal process to ensure access rights are updated consistently and on a timely basis.

    In line with the TBS Directive on Privacy Practices, ESDC should ensure employees’ electronic access within the OAS Legacy system is limited to the minimum required to perform their duties.

    As per the TBS Directive on Privacy Practices, ESDC should conduct reviews of audit trails of users’ activities within the OAS-related systems to ensure the timely identification of inappropriate or unauthorized access to OAS client information.

    ESDC’s response: As noted by the OPC, the Department has established a process for maintaining employee access right accuracy, which includes staff reminders as well as a quarterly access review. In addition a mandatory training program reinforces the necessity for employee to appropriately protect personal information. ESDC views these controls allow the Department to adequately manage employee’s system access.

    ESDC agrees that employee’s electronic access should be limited to the minimum requirements to perform their duties. The Department establishes access based on user profiles which are aligned with position responsibilities and allows the program to manage its processing workload nationally. In addition, the Department will review employee user profiles to ensure alignment with job requirements by December 2016.

    ESDC is currently developing an approach that will leverage existing audit trails, assess any existing data gaps, and define roles and responsibilities to detect inappropriate or unauthorized access to client information. A plan to actively analyze and monitor existing OAS audit and log files will be developed by March 2017.

Files are kept longer than necessary

  1. In accordance with section 6 of the Privacy Act and the TBS Directive on Privacy Practices, federal institutions must develop retention and disposal schedules to manage their records. These schedules establish how long records will be kept before they are destroyed or transferred to the control of Library and Archives Canada.
  2. We expected ESDC to ensure that OAS information in paper and electronic formats is retained and disposed of in accordance with established retention and disposal schedules. We reviewed ESDC’s retention and disposal schedule and interviewed selected officials in headquarters and in the regions to inquire about their retention and disposal practices.
  3. OAS client files are kept in both paper and electronic formats. According to the retention and disposal schedule, once an OAS file is closed, the paper file should be retained for six years and then disposed of. Electronic files are not currently being disposed of as they are not covered by a retention and disposal schedule.
  4. We found that in some regions paper-based records were retained after the prescribed six year period. We also found that while efforts are underway to deal with the disposal of paper files, there is a backlog of these files that require destruction. During the audit, we requested that ESDC confirm how many files were awaiting destruction. The Department was unable to determine the number of files that have reached the end of their retention period and therefore could not provide the number of files that should be destroyed. Retaining personal information beyond what is necessary increases the risk of inappropriate use, disclosure or loss of this information.
  5. ESDC is in the process of updating its retention and disposition schedule for OAS files. This new schedule will maintain the previous six year retention period and will now include electronic records. We have been informed by ESDC that the new retention schedule will take effect in the Spring of 2016.
  6. Recommendation: Once new retention and disposal schedules are implemented, ESDC should develop a plan to dispose of files that are required to be destroyed.

    ESDC’s response: ESDC agrees with the recommendation will develop a plan to dispose of the OAS files in accordance with the new retention and disposal schedule by November 2016. As the audit report points out, efforts are already underway to dispose paper-based client files and the retention and disposition schedules are currently being updated for OAS files. This new schedule now includes the disposition of electronic files within its approach.

Information sharing agreements are missing key privacy and security provisions

  1. ESDC has a large number of information sharing agreements (ISAs) with provincial, federal and international governments for the collection, use and disclosure of personal information related to the OAS program.
  2. The 2010 TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information recommends a number of privacy and security provisions that should be considered for inclusion in ISAs. These include the purpose of the agreement, the legal authorities permitting the exchange of personal information, limitations on the subsequent use and disclosure, safeguards, use and disclosure, processes for addressing privacy or security breaches and maximum retention periods and disposition methods, among others.
  3. We expected that ESDC’s ISAs with its partners would contain adequate privacy and security clauses to protect OAS information. We reviewed a sample of 23 provincial, federal and international agreements and the tools used at headquarters and in the regions pertaining to ISAs. We also interviewed employees who disclose OAS information about the privacy and security clauses contained in the agreements.
  4. We found that many of the recommended privacy and security provisions in the TBS guidance document for ISAs were missing. The ISAs with federal and provincial partners that we reviewed generally do not:
    • specify who has legal control over the shared personal information, and thus who is responsible for making corrections for possible errors or omissions;
    • define baseline security requirements to protect personal information;
    • specify how long each party is to retain the personal information;
    • include clauses related to privacy breaches; nor
    • contain provisions allowing audits of personal information management practices.
  5. ESDC is aware of the privacy issues associated with its ISAs for the OAS program, and since 2012, has been taking steps to correct them. The Department has developed a template for the creation and evaluation of ISAs that is consistent with TBS guidance and has begun using this template for new agreements. This template contains the clauses that would address the privacy and security provisions that were not included in the ISAs we reviewed.
  6. Recommendation: ESDC should develop a plan for updating federal and provincial Information Sharing Agreements related to the OAS program using their new template, to ensure these agreements contain adequate privacy and security clauses.

    ESDC’s response: ESDC agrees with the recommendation. As outlined by the OPC, the Department has already been taking several steps to address privacy issues with its ISAs for the OAS program. Since 2008, ESDC has been undertaking risk-based assessments of its OAS ISAs and has developed associated risk-based work plans, which prioritize the re-negotiation of existing ISAs. ESDC will continue to use its template that the OPC recognized as containing adequate privacy and security protection clauses for all new and updated ISAs while also respecting the positions and legislation of other jurisdictions. The Department will finalize its 2016-2019 ISA risk-based plan by October 2016.

The assessment of physical security risks need strengthening

  1. Physical security requirements for the protection of personal information are included in various TBS and RCMP policies and guidelines, including the Policy on Government Security, the Directive on Departmental Security Management and the Operational Security Standard on Physical Security. One such requirement is that departments review risks related to their facilities, including how information is secured, by conducting Threat and Risk Assessments (TRAs).
  2. We expected ESDC to have adequate physical security controls to protect paper documents containing OAS client information held at its many facilities. We conducted on-site visits at selected OAS locations in three regions, reviewed a sample of TRA reports, interviewed selected staff at ESDC headquarters and in the regions and reviewed departmental policies related to physical security.

Storage of OAS client information

  1. Our examination of 22 ESDC facilities included four large processing centres and twelve Service Canada Centres across the country. We noted that physical security controls were adequate for the storage of paper documents containing OAS client information. This information was protected in accordance with ESDC’s Information Classification Guide, which sets out the minimum safeguards for the storage of this information within an approved security area.

Threat and Risk Assessments

  1. ESDC’s Departmental Security Policy and Procedures Manual include a checklist of key physical security risks that should be assessed when conducting a TRA. We reviewed a sample of 31 TRA reports and found that some provided more detail than others regarding the risks that could affect the protection of OAS client information. For example, some reports provided details related to security clearances, security training and security incident reports, while many others did not. Consequently, it was difficult to compare which risks were assessed from one region to the next.
  2. ESDC’s manual also requires that a TRA be conducted for each location; however we found some instances where TRAs have not been completed. While the Manual provides some information regarding the Department’s TRA process, it does not specify how often TRAs should be conducted, nor indicate who is responsible within the Department for following-up on the TRA recommendations to ensure identified risks are mitigated.
  3. ESDC has introduced a national tool to track when TRAs are completed and to record the associated recommendations; however, there is no centralized oversight function in the Department to ensure that risks to OAS client information are consistently assessed and mitigated across the country.
  4. Gaps in assessing and mitigating physical security risks may increase the threat of inappropriate internal and external access to, and disclosure of, OAS client information.
  5. Recommendations:

    ESDC should update its Departmental Security and Procedures Manual to ensure it includes requirements for how often Threat and Risk Assessments (TRAs) should be conducted and to clarify the responsibility for follow up to the TRA recommendations.

    ESDC should develop a centralized oversight function for the review of TRAs across the department.

    ESDC’s response: ESDC agrees with the recommendation and recognizes the need to update the Departmental Security and Procedures Manual. The Department views TRAs as one element of a comprehensive approach to physical security. As recognized by the OPC audit team, ESDC’s physical security controls were adequate for the storage of paper documents containing OAS client information.

    ESDC will update the Security and Procedures Manual by March 2017 to specify the frequency that TRAs should be conducted, identify the responsibilities for a centralized oversight function, and clarify the responsibilities for following up on the implementation of TRA recommendations.

Conclusion

  1. The Privacy Act imposes obligations on federal government institutions to protect the privacy rights of Canadians.
  2. ESDC has many elements of an effective privacy management regime. Privacy is recognized as one of its major corporate risks and significant steps have been taken within the Department in the last few years to reinforce the protection of client information. However there are gaps and weaknesses in the implementation of some of its privacy and security policies, practices and procedures. Most notably,
    • While ESDC and SSC share IT responsibilities for OAS client information, there is no agreement that defines their respective IT roles and responsibilities or that includes privacy or security clauses;
    • The IT systems supporting the OAS program have not been certified and accredited, as required;
    • Employee access rights to the OAS Legacy system is not always removed on a timely or consistent basis and their rights are not limited to the minimum required to perform their duties;
    • Audit trails on employee access to, and use of, OAS systems are available but they are not proactively reviewed;
    • To date, ESDC has not disposed of any electronic files and there is a backlog of paper files waiting to be destroyed;
    • Key privacy and security clauses were lacking in some information sharing agreements with partners; and
    • The assessment of physical security risks needs strengthening.
  3. The observations and recommendations in this report are intended to enhance ESDC’s privacy and security controls to reduce the risk of unauthorized access, use or disclosure of OAS client information.

About the Audit

Authority

Section 37 of the Privacy Act empowers the Privacy Commissioner to examine the personal information handling practices of federal government organizations.

Objectives

The audit objective was to assess whether ESDC has appropriate controls for the OAS program – including policies, practices and procedures – to comply with its obligations under the Privacy Act to ensure appropriate retention, use and disclosure of personal information.

Given SSC’s role in providing the IT infrastructure used by ESDC for the OAS program, we also reviewed SSC’s IT safeguards including its policies, practices and procedures.

Criteria

Audit criteria were derived from the Privacy Act and Treasury Board of Canada Secretariat policies, directives and standards related to the management of personal information.

  • the IT roles and responsibilities of ESDC and SSC for the protection of OAS information are clearly defined;
  • appropriate IT safeguards exist for OAS-related information, systems and infrastructure;
  • appropriate access and monitoring controls exist for OAS information;
  • OAS information is disposed of when no longer required;
  • information sharing agreements exist with adequate privacy and security provisions; and
  • physical safeguards for OAS information are adequate.

Scope and approach

The audit focussed on the protection of personal information collected, used and disclosed by ESDC to administer the OAS program. The audit also included inquiries regarding SSC’s role in safeguarding OAS information that resides on its information technology infrastructure.

The audit examined ESDC’s practices and procedures to manage and protect OAS client personal information. During the audit, evidence was obtained from the examination of records, interviews with officials, demonstrations of systems and other audit tests. Examination activities were conducted at ESDCs headquarters and during site visits to selected regional processing centres, Service Canada locations and call centres located in the regions. These sites were chosen because they represent the majority of OAS and GIS processing transactions across Canada.

The audit commenced on February 18, 2015 and was substantially completed on March 31, 2016.

Standards

The audit was conducted in accordance with the legislative mandate, policies and practices of the Office of the Privacy Commissioner of Canada, and followed the spirit of the audit standards recommended by Chartered Professional Accountants of Canada.

Audit team

Director General: Steven Morgan
Tom Fitzpatrick
Marjorie Platero
Ivan Villafan
Matt Williams

Appendix A: List of Recommendations

Recommendation Departmental response
Roles and responsibilities of ESDC and SSC for the protection of OAS client information are not defined
In accordance with the Financial Administration Act and the TBS Guideline on Service Agreements: Essential Elements, ESDC should work with SSC to put in place an agreement where IT security roles and responsibilities and relevant privacy and security clauses for the protection of OAS client information are clearly defined. ESDC agrees that the establishment and ever greening of formal agreements with SSC with respect to roles, responsibilities, and expectations for both parties with respect to the safeguarding of personal information is important. As outlined by the OPC, a written business relationship already exists with SSC as well as an established interdepartmental committee to manage this relationship. ESDC agrees that it needs to continue to leverage its existing business relationship to clearly define IT security roles and responsibilities and relevant privacy and security clauses for the protection of OAS client information. The Department will engage with-SSC to address this recommendation by March 2017.
Privacy and IT security risks have not been fully assessed
As required by the TBS Operational Security Standard: Management of Information Technology Security (MITS), ESDC should certify and accredit its OAS Legacy and ITRDS systems through the Security Assessment and Authorization process.

ESDC should work with SSC to ensure the infrastructure on which the OAS Legacy and ITRDS systems reside is also certified and accredited via the Security Assessment and Authorization process, as required.
ESDC agrees that the OAS Legacy and ITRDS systems should be properly certified and accredited through the Security Assessment and Authorization (SA&A) process and will re-engage SSC by September 2016 to request that the infrastructure on which these systems reside is also certified and accredited. ESDC plans to complete a full SA&A for ITRDS by July 2016, for OAS Auto Enrollment Category 2 by November 2016, and for the entire OAS legacy solution by March 2017.
Identity and access management and monitoring requires strengthening
ESDC should modify and delete access rights within the OAS Legacy and ITRDS systems in accordance with its internal process to ensure access rights are updated consistently and on a timely basis. As noted by the OPC, the Department has established a process for maintaining employee access right accuracy, which includes staff reminders as well as a quarterly access review. In addition a mandatory training program reinforces the necessity for employee to appropriately protect personal information. ESDC views these controls allow the Department to adequately manage employee’s system access.
In line with the TBS Directive on Privacy Practices, ESDC should ensure employees’ electronic access within the OAS Legacy system is limited to the minimum required to perform their duties. ESDC agrees that employee’s electronic access should be limited to the minimum requirements to perform their duties. The Department establishes access based on user profiles which are aligned with position responsibilities and allows the program to manage its processing workload nationally. In addition, the Department will review employee user profiles to ensure alignment with job requirements by December 2016.
As per the TBS Directive on Privacy Practices, ESDC should conduct reviews of audit trails of users’ activities within the OAS-related systems to ensure timely identification of inappropriate or unauthorized access to OAS client information. ESDC is currently developing an approach that will leverage existing audit trails, assess any existing data gaps, and define roles and responsibilities to detect inappropriate or unauthorized access to client information. A plan to actively analyze and monitor existing OAS audit and log files will be developed by March 2017.
Files are kept longer than necessary
Once new retention and disposal schedules are implemented, ESDC should develop a plan to dispose of files that are required to be destroyed. ESDC agrees with the recommendation will develop a plan to dispose of the OAS files in accordance with the new retention and disposal schedule by November 2016. As the audit report points out, efforts are already underway to dispose paper-based client files and the retention and disposition schedules are currently being updated for OAS files. This new schedule now includes the disposition of electronic files within its approach.
Information sharing agreements are missing key privacy and security provisions
ESDC should develop a plan for updating federal and provincial Information Sharing Agreements related to the OAS program using their new template, to ensure these agreements contain adequate privacy and security clauses. ESDC agrees with the recommendation. As outlined by the OPC, the Department has already been taking several steps to address privacy issues with its ISAs for the OAS program.

Since 2008, ESDC has been undertaking risk-based assessments of its OAS ISAs and has developed associated risk-based work plans, which prioritize the re-negotiation of existing ISAs. ESDC will continue to use its template that the OPC recognized as containing adequate privacy and security protection clauses for all new and updated ISAs while also respecting the positions and legislation of other jurisdictions. The Department will finalize its 2016-2019 ISA risk-based plan by October 2016.
The assessment of physical security risks need strengthening
ESDC should update its Departmental Security and Procedures Manual to ensure it includes requirements for how often Threat and Risk Assessments (TRAs) should be conducted and to clarify the responsibility for follow up to the TRA recommendations. ESDC agrees with the recommendation and recognizes the need to update the Departmental Security and Procedures Manual. The Department views TRAs as one element of a comprehensive approach to physical security. As recognized by the OPC audit team, ESDC’s physical security controls were adequate for the storage of paper documents containing OAS client information.
ESDC should develop a centralized oversight function for the review of TRAs across the department. ESDC will update the Security and Procedures Manual by March 2017 to specify the frequency that TRAs should be conducted, identify the responsibilities for a centralized oversight function, and clarify the responsibilities for following up on the implementation of TRA recommendations.

Appendix B: Glossary

Identity and Access Management (IAM):
Refers to processes used to manage “who has access to what” in electronic information systems. IAM processes are used to initiate, record, and manage user identities and related access permissions to electronic information.
Information Technology (IT) infrastructure:
The IT infrastructure within the scope of this audit is limited to the IBM Mainframe on which the OAS Legacy system runs and the Windows and Unix servers on which ITRDS runs; both are managed by Shared Services Canada.
Information Technology Renewal Delivery System (ITRDS):
An ESDC system used to record client data for the Old Age Security program. By 2019, ESDC anticipates replacing the OAS Legacy system with ITRDS, therefore ITRDS will become the primary system used to record client data.
Information Technology Security (ITS):
ITS includes technical, physical and administrative safeguards that organizations use to protect their electronic information holdings.
Old Age Security (OAS) Legacy system:
The main system currently used to record client data for the Old Age Security program. ESDC is in the process of replacing the OAS Legacy system with ITRDS.
Old Age Security Service Improvement Strategy (OAS SIS):
The OAS SIS project is part of ESDC’s ongoing efforts to improve the service delivery of the Old Age Security program while reducing operational costs. The OAS SIS project proposes to transform existing business processes, many of which are manual and paper-based, to more streamlined and automated processes. The project also involves replacing the existing OAS Legacy system with ITRDS by 2019.
Privacy Impact Assessment (PIA):
A PIA is a component of risk management that focuses on ensuring compliance with the Privacy Act requirements and assessing the privacy implications of new or substantially modified programs and activities involving personal information.
Security Assessment and Authorization (SA&A):
SA&A is a two-step process that ensures security of information systems. The first step, security assessment, involves evaluating, testing, and examining security controls in an information system to identify weaknesses and to put in place mitigating measures for those weaknesses. The second step, authorization, is the process of accepting the risks that remain after the implementation of mitigation measures and granting a given system approval to operate for a specified period of time. SA&A was formerly referred to as Certification and Accreditation (C&A).
Statement of Sensitivity (SOS):
A SOS is usually performed as part of a Threat and Risk Assessment. A SOS is used to identify relevant assets and assigning values for confidentiality, integrity and availability based upon the injuries that might reasonably be expected, in the event of a compromise to any of the identified assets.
Threat and Risk Assessment (TRA):
A TRA is a tool used to evaluate and understand the various threats to IT systems, facilities, employees and other assets at a fixed point in time. TRAs assist in determining the level of risks and recommending an appropriate mitigation measure to address identified risks. TRAs are performed as part of a Security Assessment and Authorization process.
Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: