3.1 Adequacy and effectiveness of policies, practices and management controls.
Adequate policies and procedures exist, but they were not readily available to all VAC staff at the time of this audit.
Policies define how things should be done and provide the limits of acceptable action. They should not be too detailed and should only contain relevant information. The need for specific policies and the extent to which they are documented depend on the size of the organization, the objectives to be achieved, the risks involved and the extent to which clear communication of the limits of acceptable action is requiredFootnote 2. Given that access to information and privacy are both highly regulated, the importance of open government and the risks of reputational loss if these types of requests are mishandled, documented policies which are shared throughout the organization should be available.
The audit team conducted a review of guidance associated with access to information and privacy and determined that adequate guidance has been developed for the major functions in the access to information and privacy request process. The guidance provides a clear description of roles and responsibilities, delegated authority, and the processing steps. These documents were last updated in 2012 and were in the process of being updated during the course of this audit. A number of minor changes not reflected in the policies and procedures were identified during the audit but these omissions were not critical to the internal controls and governance around ATIP (e.g. organizational changes affected the names of contacts and units, no longer required to pay a fee, etc.).
While the audit team was satisfied with the existence of adequate documentation, this documentation was removed from the Departmental intranet site for updating during the course of the audit. As of September 18, 2017, the materials had not been reposted and were not readily available to staff. If staff had questions, the ATIP Unit contact information was available on the intranet site. Guidance for access to information and privacy should be documented and made available to staff so that they are aware of and understand their responsibilities and the parameters within which they are allowed to act. Staff cannot be held accountable if they are not aware of their responsibilities.
Training has been provided; various sources/methods of training exist and a central repository would facilitate access.
Adequate training is an important internal control because it helps to ensure staff have the competencies to complete the work assigned to them. Training can also help maintain quality and improve efficiency.
In terms of training provided to the liaison officers (LOs), the majority of LOs indicated the training they received was through quarterly meetings and peer to peer training. Of the 16 LOs and their backups interviewed, three indicated they had no type of training in the role. Of those three LOs, two had less than two years’ experience.
A number of training courses are available to all staff on access to information and privacy. These courses are offered by the Canada School of Public Service and the Treasury Board Secretariat. In addition to these courses offered by external organizations, VAC has developed and delivers its own ATIP training which is well attended.
Not all of the training available to VAC staff was clearly identified for them. Normally, available courses and training would be described through the regular internal work sites (i.e. VAC at Work or GC Docs), but this was not the case for ATIP training. Staff would need to be aware of which government departments offer training and which sites to visit to access training. A central repository where VAC staff can obtain information on the training available to them would be beneficial.
Recommendation 1
It is recommended that the Director, Privacy and Information Management, improve accessibility of policies and procedures, and training. (Essential)
Management Response
Management agrees with this recommendation. The VAC ATIP Unit provides customized and general training throughout VAC to ensure that employees have the tools and training they need to properly handle personal information. The VAC ATIP Unit also has policies and procedures that are updated and added to as required. In December 2017, an improved ATIP page was posted on the VAC Intranet to enhance accessibility. Work is continuing to add updated policies, procedures and training to the improved space.
3.2 Areas to improve efficiency in the processing of access to information and privacy requests
While VAC has been increasing its ability to process requests and is processing more requests with fewer resources, the Department is not meeting the 30-day statutory requirement.
In order to determine where efficiencies could be gained in regards to access to information and privacy requests, it is important to understand how the environment has changed over the past five years. Since 2011-12, the volume of access to information requests has more than doubled, increasing from 164 requests in 2011-12 to 379 requests in 2016-17. During the same period, the number of resources within the ATIP Unit dedicated to processing access to information requests has been decreasing. Notwithstanding the increase in requests and decrease in resources available to complete them, the average pages reviewed per FTEFootnote 3 is increasing, an indication of more efficient processing. The average number of pages reviewed per FTE in 2011-12 was 4,154, increasing to 12,294 in 2016-17; i.e., a 196% increase in processing volume. Despite this more efficient processing of access to information requests, VAC is still not meeting the statutory 30 calendar-dayFootnote 4 turnaround time for 40% of them in 2016-17.
Similarly, the volume of privacy requests has more than doubled from 341 requests in 2011-12 to 737 requests in 2016-17. Unlike access to information, though, the number of FTEs dedicated to privacy requests has been fluctuating and is not showing a trend. The average number of pages per FTE reviewed in 2011-12 was 7,207, increasing by 26% to 9,108 in 2016-17. VAC is not meeting the statutory 30-day turnaround time in 32% of privacy requests in 2016-17.
The four main phases of processing access to information and privacy requests comprise the following:
Phase 1: The request is received and entered into the system. If additional clarification is required in order to process the requests, the request is put “on hold” while the ATIP Unit seeks clarification. Once the ATIP Unit is clear on the request, they send the request to the OPI. There are two days allotted to this phase.
Phase 2: The request is received by the OPI (normally an ATIP LO for ATI requests and specific OPIs for privacy requests), who then sends the request to subject matter experts to determine what information is available to meet the request. The requested ATI information is gathered by the LOs and then approved by the responsible ADM. For privacy requests, the specific OPI sends the requested information to the ATIP Unit. There are seven days allotted to this phase.
Phase 3: The retrievalFootnote 5 is received in the ATIP Unit, is scanned into the system, if applicable, and is processed by the ATIP Unit.
Phase 4: The retrieval goes through a quality review process and the information package is sent to the requestor. There are 21 days allotted for Phases 3 and 4.
Table 2 depicts the turnaround times associated with these four phases of the process and are based on the file review results. Due to the wide variation in turnaround times in the sample population ( where there were a few extreme values which affected the mean average), the more representative measure in this case is the medianFootnote 6 average.
| Phase | Responsibility | Days Allotted | ATI Actual days (median) |
Privacy Actual days (median) |
|---|---|---|---|---|
| Phase 1: Receipt of request | ATIP Unit | 2 | 4 | 5 |
| Phase 2: Document Retrieval | OPI | 7 | 11 | 5 |
| Phase 3: Request Processing Phase 4: Final Release |
ATIP Unit | 21 | 16 | 15 |
| Overall Median | All | 30 | 33Footnote 7 | 28 |
Table 2 shows the median days for Phase 1 for both privacy and access to information requests exceed the time allotted. The numbers presented exclude the time required to seek clarification from the requester and therefore the “hold” is not affecting the median times. Seventy percent (70%) of access to information requests and 69% of privacy requests in the sample exceeded the two days allotted.
For privacy requests, performance is better during Phase 2 of the process given that the median is five days and the seven-day turnaround time is met in 75% of the cases. This is not the case, however, for access to information requests where the median days taken to process the request exceed the allotted days. In fact, 72% of the ATI requests examined in the file review exceeded the allotted days. It is important to note that some OPIs are better able to meet the seven-day turnaround time than others. During interviews with a selection of OPIs responsible for this phase in the process, conflicting workloads was stated as the source of delays in meeting the turnaround times for 50% of interviewees (8/16). Clarifying the priority of ATI requests with OPIs, subject matter experts and their managers when conflicts occur would be one step in the right direction along with determining if seven days is realistic. Other areas indicated that having to mail the materials to ATIP takes up much of the seven days allotted and there may be mitigation opportunities in this regard.
Phases 3 and 4 were combined for the purposes of this reportFootnote 8. These phases on average fall well within the 21 allotted days. In fact, given that the median average is five to six days ahead of schedule, these phases assist in completing requests within the 30 calendar days when timelines during Phases 1 and/or 2 are not being met.
There is an opportunity to explore the use of extensions. Access to information and privacy requests are to be completed within 30 calendar days; however, when certain requirements are met, an extension may be applied. In terms of access to information requests, we noted that VAC applies extensions at a lesser rate than other government departments; e.g., in 2016-17, VAC applied extensions in 16% of requests, whereas the average percentage of extensions applied for a judgmentally selected sample of eight other government departments was 32%. VAC may wish to review the requirements for extension as it may be applying a more rigid interpretation than other departments.
Recommendation 2
A - It is recommended that the Director, Privacy and Information Management, implement strategies to address the issues identified in the report in order to improve performance against the statutory 30-day turnaround times. (Critical)
Management Response
Management agrees with this recommendation. Over the past two years, ATIP has made significant improvements related to completion of requests within the statutory 30 day turnaround time. We continue to analyze options to further improve our completion times. One option that has been implemented is a tool to better apply extensions under the ATI Act.
ATIP also continues to work with Senior Managers throughout the department to decrease the time it takes to obtain information required to complete requests within the legislated time frame.
B - It is recommended that each of the Department's Assistant Deputy Ministers place priority on access to information retrievals in their branch and provide the direction and supports necessary to staff to achieve this.
Management Response
All ADMs agree with the recommendation. In recognition of the varying types of information holdings in each branch, senior management has committed to a variety of measures to communicate to staff and management that a high level of priority is to be assigned to access to information retrievals. Other measures include training and awareness sessions and implementation of tracking systems.
While there is data available in the ATIP Unit’s tracking system, reporting on and analyzing the data often requires additional manual manipulation of the data fields or manual calculation of the data. Without an efficient means of reporting data on processing times, it is difficult for the ATIP Unit to determine where efficiencies can be gained and to determine the results, either positive or negative, of interventions put in place to address process deficiencies. Reporting is also beneficial for ongoing monitoring and active management of processing.
Recommendation 3
It is recommended that the Director, Information Management and Privacy, enhance ATIP processing data reporting capabilities. (Essential)
Management Response
Management agrees with this recommendation and is working to implement enhanced reporting capabilities. These additional reporting capabilities should assist with targeting specific issues identified in Recommendation 2.
3.3 Audit Opinion
The objectives of the audit were to assess the adequacy of policies and practices related to ATIP and to identify areas for efficiency. Overall, the audit team determined the results to be “ Generally Acceptable.” The audit team observed that the roles and responsibilities had been clearly established and staff were supported with clear policies and procedures. However, these policies were not readily available to staff. In terms of efficiency of operations, VAC is improving its ability to process requests but there is a need to improve performance reporting capabilities within the system so that VAC can further improve efficiency.