Appendix C — Ten-Point Action Plan Assessment

Prepared by:
Audit Services Canada from Public Works and Government Services Canada

Ten-Point Action Plan Assessment
| Action Step | Description | Target Date | Status |
|---|---|---|---|
| 1. Review system access in detail | Detailed review of 2,800 CSDN user accounts | March 31, 2011 | Ongoing. Initial assessment of CSDN access matrix in November 2010 resulted in 400 user accounts removed; Matrix Review Committee created. Survey of access requirements to be completed September 2011. Plan to implement regional access control. |
| 2. Communicate discipline policy | A strengthened discipline policy and guidelines with clear sanctions developed and communicated to staff | October 31, 2010 | Completed. Discipline guidelines posted on Department’s intranet with email notification to employees, May 2011. |
| 3. Introduce a privacy lens for briefing note process | New procedures on the appropriate use of client information when preparing briefing notes and other documents for use within the Department | October 31, 2010 | Completed. New briefing notes guideline provided to level-3 managers. Also new guidelines for disclosure of information to Members of Parliament. |
| 4. Appoint external systems expert | External experts in electronic information systems management to review and recommend changes to departmental systems | October 31, 2010 to March 31, 2011 | Completed. Expert reviewed IM/IT systems in November 2010 and made 16 recommendations for improvement. |
| 5. Appoint external privacy expert | A team of experts in government information management and privacy to review and recommend changes to departmental processes to ensure information is protected and access is controlled | October 19, 2010 to March 31, 2011 | Completed. Three experts engaged to review ATIP policies and procedures; provide ATIP oversight and guidance; and provide training for managers. |
| 6. Enhance monitoring of electronic systems | A team to proactively monitor, review, and investigate who is accessing client information. Where access is inappropriate, disciplinary measures to be taken | October 18, 2010 | Ongoing. CSDN access monitored by IT Security since January 2011; daily reports prepared. Employees receive an email asking for an explanation of why the account was accessed. |
| 7. Provide mandatory privacy training | A mandatory privacy awareness program for all staff launched October 19, 2010. This program covers ‘need to know’, client consent when sharing information, and the range of disciplinary measures that will be taken if privacy is breached. Ste. Anne’s Hospital has its own programs related to privacy and confidentiality of client information | October 19, 2010 to November 19, 2010 | Ongoing. 82% of staff trained on need-to-know requirements of Privacy Policy in October-November, 2010. This training is now included in VAC’s information management course and the MOP/SOP sessions to begin in June 2011. Need-to-know training is also offered to students and new employees of the Department. |
| 8. Provide in-depth training on Government privacy policies and procedures | In-depth training for all staff on new policies, guidelines, and procedures | January – March 31, 2011 | Ongoing. All managers trained in March 2011. Sessions also held for regional offices. Training covered Privacy Management Framework, policies, and guidelines. Commitment to train all staff by July 2011. |
| 9. Conduct independent annual assessment | An annual independent assessment of VAC’s compliance with the Privacy Act and Access to Information Act | Annually, starting June 2011 | Completed. Audit Services Canada engaged to conduct annual assessment; report in June 2011. |
| 10. Prepare for Privacy Commissioner’s audit | The Department has started preparations for a comprehensive audit by the Privacy Commissioner | Immediately | Ongoing. All steps above are in preparation for the Privacy Commissioner’s audit. |