Office of the Comptroller General (OCG) Horizontal Audit of Protection of Personal Information

Office of the Correctional Investigator Management Action Plan
AUDIT RECOMMENDATION MANAGEMENT ACTION AREA RESPONSIBLE EXPECTED COMPLETION DATE
Privacy notices    

A privacy notice is not included for information collected for the Ed McIsaac Human Rights in Corrections Award.

A privacy notice will be developed and provided to nominees at the time of collection of the information relating to their personal information.

Corporate Services

March 31, 2014

completed

The OCI’s website, with regards to the Award, details, in the Nomination Procedures section, the type of personal information to be provided in conjunction with the nomination for the reward, but also does not contain a privacy notice.

The privacy notice (above) will be posted on the OCI’s website providing the reader with assurances that personal information will be protected.

Corporate Services

March 31, 2014

completed

A privacy notice was included in both the Personal Information Request Form and the Direct Deposit Enrolment Form. The Privacy Notice is the same in both cases and, while InfoSource is referenced in the Personal Information Request Form, neither form refers to the PIBs to which information is aligned.

Response: The Direct Deposit Enrolment Form (PWGSC 8437) and the Personal Information Request forms used by the OCI are issued by the Government of Canada and for that reason are generic. Both forms state:

“The information provided is protected under the Privacy Act, The information may be accessed through your program department using the Personal Information Bank number PPU 040 listed in the Info Source Publication.”

Although a welcomed addition to this form, the OCI is unable to add any OCI-related information, such as a reference to PIBS on these forms.  
Corporate Services

March 31, 2014

completed

Privacy Impact Assessment (PIA)    

A PIA has not been required since 2009, when the Ed McIsaac Human Rights in Corrections Award was introduced. Given the historically low volume of PIAs in the organization, triggers and written guidance on when and how to conduct a PIA have not been developed. The decision to conduct a PIA would be informed with the use of TBS tools and guidance. The OCI’s RPP for FY 2012-13 shows no changes or major new initiatives planned for the year.

The OCI will determine if a PIA is required in relation to the Ed McIsaac Human Rights in Corrections Award. This will be done with the TBS Checklist to determine when a PIA is required.

The requirement to complete a Privacy Impact Assessment for future incremental programs or activities will be determined by OCI senior management. 
Corporate Services

March 31, 2014

completed