Audit of the Data-sharing Agreement with the New Brunswick Department of Health

Background

The Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information about the health of Canadians. The HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision-makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. The HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and the regional level (health regions).

To achieve its mandate, the HSD enters into statistical data-sharing agreements (DSAs) with other organizations under the authority of sections 11 and 12 of the Statistics Act. These agreements cover nearly all of the business surveys and a majority of household surveys, and include certain exceptions regarding the release of confidential respondent information either with or without the respondent's consent, provided the legal requirements for the provision of data-sharing information, consent rights and confidentiality protection are respected by all parties. In general, data-sharing for statistical purposes occurs when a statistical and information inquiry is initiated by joint survey partners, or where a common data resource is equally and jointly owned by two or more partners. Data-sharing is exercised when there are significant reductions in response burden and compliance costs for data-sharing partners, as well as improvements in statistical data accuracy, coverage, relevance and timeliness.

DSAs are a key business process and ensuring the confidentiality and protection of data can pose challenges. Currently, Statistics Canada has an omnibus data-sharing agreement with the New Brunswick Department of Health (NBDH) covering health surveys, under the authority of section 12 of the Statistics Act. Health surveys for the Canadian Community Health Survey (CCHS), National Population Health Survey (NPHS) and Survey on Living with Chronic Diseases in Canada (SLCDC) are included in the agreement.

Through its mandate, the CCHS program collects information related to health status, health care utilization and health determinants for the Canadian population. The first component of the CCHS program is an annual survey (CCHS – annual), which relies on a large sample of respondents and is designed to provide reliable estimates at the health-region level. The second component focuses on a specific health-related topic such as nutrition, mental health or healthy aging, and is conducted approximately every three years. The uniqueness of the annual survey arises from the regional nature of both content and survey implementation.

The NPHS is a longitudinal survey providing unique information about the health of Canadians. The final cycle of this survey covered the period from 2010 to 2011. This survey, which was performed every two years, consisted of the same individuals providing current and in‑depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. It collected information related to the health of the Canadian population and related socio-demographic information. The last release will provide researchers with access to nine cycles of Canadian longitudinal health data to examine the dynamics of population health from 1994 to 1995 and from 2010 to 2011.

The SLCDC is a cross-sectional survey sponsored by the Public Health Agency of Canada that collects information related to the experiences of Canadians with chronic health conditions. The SLCDC takes place every two to three years, with two chronic diseases covered in each survey cycle. The objectives of the survey are to assess the impact of chronic health conditions on quality of life; provide more information on how people manage their chronic health conditions; identify health behaviours that influence disease outcomes; and identify barriers to the self-management of chronic health conditions. The last survey was performed in 2014.

The data are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies, and other types of government agencies use the information collected from the respondents to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.

Audit objectives

The objective of the audit was to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

• the terms and conditions of the Data Sharing Agreement between Statistics Canada and New Brunswick Department of Health were met.

Scope

The scope included an examination of compliance with the terms and conditions prescribed in the DSA to ensure that confidentiality of information and the sensitive nature of the information collected were protected. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage and information copying, and retention and record management) safeguards at the NBDH to ensure that data were protected and confidentiality was maintained.

Approach and methodology

The audit work consisted of an examination of documents, interviews with key senior management and personnel, and a review of compliance with relevant policies and guidelines (see Appendix A: Audit Criteria for details).

The field work included the following:

• a review and assessment of the processes and procedures outlined in the T&Cs of the DSA with the NBDH, with emphasis on whether or not the security requirements were in place and complied with, and that confidentiality of data was maintained
• testing of system application controls and authentication and access procedures
• a review of the third-party data-sharing agreement template.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2015/2016 to 2019/2020.

Control Environment for the Management of the Data-sharing Agreement

Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels to support effective management of the T&Cs of the omnibus DSA. Monitoring of practices as outlined in the T&Cs of the omnibus DSA should be in place to prevent unwanted disclosure of Statistics Canada data.

Authorities are defined

Statistics Canada exercises its mandate to enter into statistical data-sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. The Directive on Data Sharing under sections 11 and 12 sets out the roles and responsibilities for the development, implementation and monitoring requirements of DSAs. The directive notes that the Information Management Division (IMD), in consultation with Legal Services, is responsible for drafting DSAs when requested from directors of statistical programs. IMD is also required to support managers during the development of new or modified DSAs with receiving parties pursuant to section 12 of the Statistics Act. Subject‑matter divisions are responsible for communication with recipient organizations during the negotiations and drafting of the agreements.

Processes and procedures for the management of DSA have been established at the NBDH

Statistics Canada confidential information is managed by two branches within the NBDH: the Analytics Branch has responsibility for the life-cycle of the Statistics Canada data; and the Health Business and Technology Solutions Branch provides technical services related to the Statistics Canada data, such as IT access privileges, IT storage, maintenance and security, as well as the electronic file transmission (e-FT) process used for the receipt of Statistics Canada data. Both groups report to the Assistant Deputy Minister (ADM) of Corporate Services, who has ultimate responsibility for the Statistics Canada health survey information.

Statistics Canada data are managed by long-term employees who understand their roles and responsibilities as they relate to the receiving, storing and sharing of Statistics Canada data. The same person has been the Data Custodian for the past 11 years. However, he has recently been assigned to another project with another department, and will be transferring his data custodian-related responsibilities to the Director of Analytics Branch upon his departure. However, the processes and responsibilities of the Data Custodian to fulfil the requirements of the DSA have not been documented. Although this is not a prescribed requirement in the DSA, the NBDH agreed that, as a good business practice, they will document them.

Practices for the administration and use of Statistics Canada confidential information need to be strengthened at the NBDH

At the NBDH, six users have access to Statistics Canada data—two program analysts and four statistical analysts from the Analytics Branch with responsibility for analyzing the data and providing aggregate data to the programs within the NBDH and to external organizations.

For the past 11 years, the Data Custodian has performed the duties associated with data handling, storage, and approving access to Statistics Canada data. Requests from users are received either by email or phone by the Data Custodian and, in turn, he contacts the IT group by email or phone to allow access privileges for the approved user. This is an informal practice that lacks evidence of a documented approval process as required by the T&Cs of the DSA.

Section 5 of the DSA has strict guidelines regarding the "Use of the Information." At the NBDH, the statistical analysts normally have access to the data for purposes of analyzing and providing aggregate data internally for statistical research purposes or as part of the NBDH's mandate to perform Community Health Assessments. The Data Stewardship Committee has developed a protocol to review their data against a list of identifiers before releasing or distributing aggregate data. Interviews revealed that there may be informal reviews performed on the aggregate reports prior to distribution, but this is not supported by a documented review and approval process. This is not in compliance with the DSA.

A monitoring clause is included in the omnibus DSA and in the NBDH DSA template for third-party sharing

Clauses with respect to monitoring are prescribed by Statistics Canada in the omnibus DSA with the NBDH. The DSA prescribes that third-party agreements entered into by the NBDH "shall contain a clause stipulating the right of Statistics Canada or the Receiving Party to review compliance with the terms of this Agreement."

The NBDH requires external organizations with which Statistics Canada data will be shared to sign a DSA. A review of the NBDH DSA template revealed that it includes an audit clause that states the "Contractor shall provide NBDH or its representatives with reasonable access to the Contractor and its facilities for the purpose of reviewing security measures and other records or information in order to perform audits and security reviews deemed necessary by DH and to ensure the Contractor's compliance with the terms and conditions of this Agreement."

The Data Custodian approves all requests for third-party sharing. Currently, the NBDH is not sharing Statistics Canada health survey information with any regional health authority, researcher under contract, provincial/territorial or university research institute, or any other organization.

Data Stewardship

Internal protocols and controls for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full lifecycle of the information.

Processes are in place and monitored to fulfill the requirements stipulated in the DSA

Data files are sent by Statistics Canada via e-FT directly to the Data Custodian at the NBDH. The files are password-protected and encrypted during transfer. Once a data file is received from Statistics Canada, the Data Custodian is notified that a file is in the e-FT vault and requests a password from Statistics Canada to access and decrypt the file. Afterwards, the Data Custodian sends Statistics Canada an acknowledgement of file receipt.

The data file is downloaded by the Data Custodian onto his secure personal network drive and then saved in a restricted folder within a Microsoft SharePoint folder where all the Statistics Canada data are stored and maintained. Once the file is saved in SharePoint, the Data Custodian deletes the file from his personal network drive. Testing revealed that the 'share files' received from Statistics Canada are stored in a SharePoint folder that is accessible by the employees who have been granted access to the data, and the 'link files' are saved in a SharePoint private folder accessible only by the Data Custodian. The Data Custodian is the only one who can approve access to the SharePoint document folder.

The Data Custodian is not fulfilling all the responsibilities prescribed in the DSA

As per Appendix C of the DSA, the Data Custodian is responsible for the following three key requirements: 1) prepare a confidentiality document and ensure that all individuals who access the Statistics Canada data sign this document; 2) maintain the Register of Data Files received from Statistics Canada; and 3) maintain the Register of Access to Data Files of all individuals granted access to Statistics Canada data files.

Confidentiality Document

Appendix C stipulates that the Data Custodian will "prepare a document for the use of the Receiving Party's employees and contractors, outlining the T&Cs governing the use of the information, as well as the procedures to send, receive, handle and store the information (hereinafter the "Confidentiality Document")." Prior to granting access to Statistics Canada data, the Data Custodian must ensure that every employee and contractor who will have access to the data has agreed in writing to comply with the terms of the DSA by signing and acknowledging that they have read, understood and agree to comply with the T&Cs of the DSA as highlighted in the Confidentiality Document.

The audit revealed that the confidentiality document used at the NBDH is outdated and has not been updated to reflect all of the requirements in Appendix C of the omnibus agreement signed on March 10, 2014, specifically related to sections 4, 5, 6 and 10, and Appendix A and Appendix B of the DSA. As a result, employees are not familiar with the requirements of these sections. All approved users with the exception of the Data Custodian have signed the outdated confidentiality agreement.

Register of Data Files

The audit revealed that the Register of Data Files received from Statistics Canada has not been maintained, as required. The NBDH had incorrectly assumed that all information required to be maintained was recorded in the SharePoint document folder. However, a review of the SharePoint site revealed that it was missing some of the required information such as the name of employee who received the file from Statistics Canada, the name of individual at Statistics Canada who sent the file, and the name of the employee responsible for safekeeping of the file.

Register of Access to Data Files

The Register of Access to Data Files has not been maintained either, as required. The NBDH provided a listing of all employees who had access to the Statistics Canada data on SharePoint, but the listing did not include all the required information such as the file name and reference period, name of employee or contractor to whom access is given, justification for access, name of person who authorized access, date of authorization, and start and end dates of the period for which access is authorized.

The NBDH has established a risk-management process to identify and monitor risks

The audit revealed that risks to the New Brunswick Department of Health (NBDH) are managed through its core policy framework (Corporate Privacy Policy; Privacy and Security Guide; and Information Security Framework Policy), which are based on the Right to Information and Protection of Privacy Act (RTIPPA) and the Personal Health Information Privacy and Access Act (PHIPAA) legislation, as well as the New Brunswick Government Information Technology Systems Security Policy (GISSP) Standards and Directives.

The Chief Privacy Officer (CPO) oversees the NBDH's privacy management program, which is a corporate-wide oversight and management component of the NBDH's privacy risks and responsibilities. A data stewardship committee chaired by the CPO deals with changes to policy and large data requests, and a working group assesses corporate gaps and ensures that gap recommendations are being addressed.

Employees are required to complete the General PHIPAA Training within six weeks of employment and annually thereafter; they are also asked to acknowledge and sign that they have reviewed and understood privacy and access, conflict of interest and Internet policies as part of their annual performance evaluations.

Processes for reporting privacy breaches are in place and governed by the Corporate Privacy Policy administered by the CPO, who records and investigates all privacy incidents. Interviews and a review of the NBDH 2014 Incident Report did not reveal any privacy incidents involving Statistics Canada data.

Physical and Information Technology Security

Control and protection of information, either physical or electronic, should be executed in a manner that protects against loss, theft, compromise or improper disclosure. Access to the data should only be granted to employees or contractors as necessary to produce a survey-related product or service for the sole benefit and mandate of the NBDH.

Physical access and storage is secure

The NBDH offices are located in downtown Fredericton, and its data centre (where the Statistics Canada data server resides) is located off-site at a New Brunswick Government-owned facility managed by the New Brunswick Information Services Agency (NBISA). Stringent physical access controls exist at both locations, including the use of locked doors and a physical access card system, which is used for both the elevator and the rest of the premises. No guest-pass-card access is permitted, and visitors must be escorted by an NBDH-authorized person at all times. Interviews revealed that access cards are regularly updated to reflect employee departures.

A visit to the data centre revealed that the entrances to the building are equipped with security cameras. Pre-authorization is required to visit the data centre and, upon sign-in at reception, visitors must also sign a non-disclosure document. An annual audit of the sign-in log is conducted and reconciled against the access tickets issued to visitors. All servers and equipment are locked in cabinets and security cameras are located along certain server rows. The server room is equipped with a fire suppression system, cooling systems, and a backup power generator. The physical area housing the servers is protected by concrete walls, ceilings and floors.

Clauses for termination and return or destruction of the shared data no longer needed are included in the DSA. Prior to the implementation of the e-FT data transmission process, the Statistics Canada files were sent to the NBDH via encrypted CD ROMs. While all of the Statistics Canada data received by either CD ROM or e-FT are still in use and saved on the NBDH network, the Data Custodian indicated that the CD ROMs have now been destroyed.

Effective security measures are in place for identification and authentication safeguards, IT storage and data transmission

Testing of logical access controls with the Data Custodian and other employees of the Analytics group revealed that only employees who had been granted access to the Statistics Canada data could access the related SharePoint folder where the Statistics Canada data are maintained; and that only the Data Custodian had access to his personal folder on SharePoint where the Statistics Canada link files are maintained. A password was required to access the NBDH network, which automatically provides access to the SharePoint document folder. Access to the Statistics Canada data on SharePoint is restricted to employees approved by the Data Custodian. Only the Data Custodian and the Director of Analytics have read/write access to the data on SharePoint. The other six users have been granted read‑only access. Analysts download a copy of the file onto their secure private drive to work with the data as needed for their research/statistical purposes and they indicated that, once their analysis has been completed, they delete the file from their private drive.

Network access to Statistics Canada data files is not compliant with the T&Cs of the DSA

The T&Cs of the DSA stipulate that access to Statistics Canada confidential information at the NBDH is to be granted to employees as necessary to produce a survey-related product or service for the sole benefit and mandate of the NBDH. The audit tested this requirement by reviewing who has access privileges to the directory where the Statistics Canada data files are stored, along with the purpose and frequency of such access. The audit revealed that once employees have been granted access to the data, their access privileges are only removed when they move to a new position or leave the NBDH. Access privileges are not periodically reviewed.

Section 1 in Appendix A of the DSA states that "information must be accessed within a secure location that allows unescorted access, only to Authorized Persons." Interviews revealed that one approved user of Statistics Canada data can access data remotely from his home. The Data Custodian informed the audit team that the user has been verbally directed not to access Statistics Canada information remotely. The employee stated that he has not worked on or accessed Statistics Canada data in the last three to four years, but that he is still able to access the data from his residence. This is not compliant with the requirements of the DSA and could result in unauthorized access and use of the data, and confidential information being compromised.

Sound security measures exist for information copying, retention and records management

Information stored on the database servers is backed-up daily on encrypted tapes, which are stored off‑site in a secure building. A review of the NBDH's Security Policy Framework revealed that their security policies prohibit the transmission of data through fax or emails and data cannot be stored on transportable media devices (i.e., CD-ROMs, USB sticks, hard drives or laptops). Data are not to be removed from the premises or reproduced. Employees are required to ensure that confidential information is placed in locked shredding bins, the contents of which are to be removed by a private shredding company.

Appendix A: Audit Criteria

Appendix B: Acronyms and initialisms