Executive Summary

Prepared by:
Audit Services Canada from Public Works and Government Services Canada

The Access to Information Act gives Canadian citizens, permanent residents, or any person or corporation present in Canada a right to access information that is contained in government records. The Privacy Act provides them with the right to access their personal information held by the government, and protection of that information against unauthorized use and disclosure.

In October 2010, the Office of the Privacy Commissioner released a report in response to a complaint alleging Veterans Affairs Canada’s mishandling of a Veteran’s personal information. The Privacy Commissioner concluded that the Department was not compliant with federal privacy legislation and lacked the controls to protect sensitive information from being widely disseminated within the Department. In response to these findings, the Department prepared a 10-point action plan outlining the corrective measures that would be taken.

We were engaged to complete step nine of the action plan – an independent assessment of the Department’s compliance with the Access to Information Act and the Privacy Act. Our assessment criteria were drawn from the sections of the Acts for which the Department has responsibility. Management agreed with the suitability of these criteria. At the Department’s request, our scope was expanded to assess its progress in implementing the 10-point action plan.

This was an assessment, not an audit, and was therefore not designed or performed to provide a high level of assurance. Our assessment approach consisted of inquiry and review of documentation to gather evidence of the Department’s compliance with the Acts. Our findings apply to the period when we conducted our assessment, April 1 to May 31, 2011.

The Department has worked to reduce the risk of a future privacy breach by introducing policies and procedures to prevent and detect the misuse of clients’ personal information by its employees. Given the recent implementation of these changes, we could not assess the effectiveness of the policies and procedures in achieving compliance with the Acts. Employee education and training are now critical to successful implementation of the new policies and procedures.

The Acts require the Department to respond to requests for information within 30 days. We found that in 2010-11 the Department completed roughly 70 percent of requests within the legislated time frame. With respect to the disposal of personal information in accordance with established records retention periods, we found that the Department was not disposing of electronic records maintained in its Client Services Delivery Network system.

At May 31, 2011, the Department had substantively completed its 10-point action plan. Five of the 10 steps were completed and 5 were ongoing; employee training and monitoring are continuing. The Department plans to complete all actions prior to the Privacy Commissioner’s audit, anticipated in fall 2011.

This report contains four recommendations for improvement to which management has agreed.
