Recent Audits by the Privacy Commissioner and Auditor-General
In February 2009, the Privacy Commissioner of Canada and the Auditor-General of Canada published their concurrent audits of three federal institutions: Elections Canada, Human Resources and Development Canada/Service Canada, and the Canada Revenue Agency. The Auditor General also audited Passport Canada (which the Privacy Commissioner had separately audited in 2008).
The audits were limited to looking at the management of one large database in each institution:
- at Elections Canada, the National Register of Electors was reviewed, containing the personal information of 23 million Canadians;
- at HRSDC, the Social Insurance Register was reviewed, with nearly 31 million active records;
- at the Canada Revenue Agency, the IDENT database was reviewed, containing personal information about approximately 33 million taxpayers; and
- at Passport Canada, the Auditor General looked at the Passport Index, which contains information about over 17 million passports.
Both audits called for stronger leadership from the Treasury Board Secretariat to avoid the development of independent solutions to common challenges in identity authentication, information management and policy development.
The Privacy Commissioner recommended that the Treasury Board implement new and comprehensive policies and guidance on privacy impact assessments, identification and authentication and information sharing. She also recommended developing and promoting better privacy training across government institutions.
The concurrent audits revealed that information sharing is not new and the growth of interoperable systems is inevitable. They also showed that there are risks that privacy will be considered an afterthought or an “add-on,” secondary to the main goals of efficiency and cost-containment. If this happens, citizens will be the losers.
Auditor-General Recommends Interoperability
Probably the most important single issue to emerge from the audit by the Auditor-General is the perceived need for an integrated federal approach for managing identity information across the federal public service. The Auditor-General argues that improving the management of identity information could increase efficiency, reduce duplication, streamline processes, reduce errors, help prevent fraud and improve the delivery of programs to citizens.
The Audit Report recommends that the Treasury Board continue to lead its work on establishing a government-wide framework, policies and governance arrangements for identity management. Specifically, the Auditor-General recommended that identity management practices be standardized and interoperability be increased within the Canadian government.
The Treasury Board agreed with the Auditor-General’s recommendations and indicated that new policies to address and support identity management are expected to be introduced in 2010, with full implementation within three years.
Privacy Commissioner Silent on Interoperability, Emphasizes Privacy Policies and Practices
Although integrated identity management was at the core of the Auditor-General’s audit, the Privacy Commissioner did not mention the subject in her report. Given the privacy risks – as well as the potential benefits – posed by interoperability, this is somewhat surprising, as the views and concerns of the Privacy Commissioner could have been helpful to the process of developing a privacy-protective integrated identity management system. As it stands, there is no critique or response in either report about the promised benefits of interoperability, nor is there any suggestion of the risks posed by such systems.
Instead, the Commissioner focused on the manner in which the institutions handled information generally, and specifically in the three databases examined. For the most part, she was reasonably satisfied with the information handling practices of the institutions (with the exception of Passport Canada), or with their willingness to improve, and most of her recommendations were accepted by the institutions that were audited.