Audit of the Data-sharing Agreements with British Columbia's Ministry of Energy and Mines and Ministry of Natural Gas Development

February 2017
Project Number: 80590-99

Table of Contents

Executive Summary

Data sharing is a key component of Statistics Canada's mandate. Data are shared to reduce respondent burden and allow shared partners, such as provincial, territorial and education institutions, to conduct research for statistical purposes. Data-sharing agreements (DSAs) outline the key controls that must be in place to ensure that shared data are kept confidential and information related to identifiable respondents is protected from unauthorized disclosure.

In 2008, Statistics Canada first entered into a DSA with the British Columbia (B.C.) Ministry of Energy, Mines and Petroleum to share data from nine energy surveys. In 2013, the B.C. Ministry reorganized into two separate ministries: the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development. As a result of this reorganization, Statistics Canada renegotiated the DSA in 2015. The new DSAs cover data from 20 energy surveys.

The objectives of this audit were to assess whether an effective management control framework is in place to govern the sharing of information between Statistics Canada and the B.C. ministries and to determine if the terms and conditions of the DSAs are being met.

Why is this important?

Section 12 in the Statistics Act stipulates legal requirements to ensure confidentiality and protection of the respondent information, to notify respondents of the planned data sharing, and, in a case of voluntary data sharing, to inform respondents about their right to object to data sharing. As the data collection is carried out under the authority of the Statistics Act, all of the provisions of the Act apply.

When survey responses of those who agreed to share are provided to the data-sharing partner, the partner must abide by the same strict rules of confidentiality and must ensure that security measures are in place to protect the shared file. Monitoring compliance with the requirements of the DSAs is a key priority for Statistics Canada to ensure that other organizations protect confidential information in an equivalent manner to that of the agency.

Any real or perceived breaches of Statistics Canada's confidential information pose the risk of respondents losing trust and refusing to participate, which results in a lack of credible information for policy development and damage to the reputation of Statistics Canada.

Key Findings

Authorities are defined and the Statistics Canada policy framework sets out clear roles, responsibilities and practices for the management and implementation of the DSAs.

Most roles and responsibilities for the management of the DSAs are in place. Opportunities were identified to clarify monitoring responsibilities for compliance with the terms and conditions of the DSAs and to review data use prior to the renegotiation of agreements.

Data were sent to the B.C. ministries using a secure process that met the requirements of the DSAs. Respondents were notified and did not object to the sharing of their data.

Data received by the B.C. ministries were stored and shared in a secure manner and kept confidential. Data sharing was limited to only those who required access. There was no sharing of the data with third parties and no publication of statistical aggregates.

Some of the data custodian responsibilities are not being carried out at the B.C. ministries and the data custodian role is not segregated from data users. Confidentiality documents and file registers are not being completed as required.

Physical access to B.C. ministries' offices is secured using an access card system that is regularly updated. Access to Statistics Canada's data is restricted to only employees required to use data through the use of restricted folders. The B.C. Government information-security policies are in place and are understood by employees involved in the handling of Statistics Canada data.

Overall Conclusion

Overall, there is an effective management control framework in place to govern the sharing of information with the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development. Monitoring responsibilities at Statistics Canada need to be strengthened.

Most of the terms and conditions of the DSAs are being met. Opportunities were identified to ensure that the data custodian role is being effectively carried out.

Audit observations did not reveal any evidence that Statistics Canada's confidential information was compromised.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined, and for the scope and time period covered by the audit.

Steven McRoberts
Chief Audit and Evaluation Executive

Introduction

Background

Statistics Canada shares information with federal, provincial, municipal, research, and educational organizations. Information sharing occurs where Statistics Canada and an organization have similar data requirements and leads to reductions in response burden and collection costs for data-sharing partners, as well as improvements in statistical data accuracy, coverage, relevance and timeliness.

Section 11 and 12 of the Statistics Act allows Statistics Canada to enter into an agreement to share information subject to certain provisions. These agreements are commonly known as data-sharing agreements (DSAs). DSAs govern how data will be shared, used, recorded, stored, secured, and retained. Direction on setting up DSAs is defined in Statistics Canada's Directive on Data Sharing, which includes expected roles, responsibilities and accountabilities.

Statistics Canada first entered into a DSA with the B.C. Ministry of Energy, Mines and Petroleum in 2008 to share data from nine energy surveys. In 2013, this B.C. Ministry reorganized into two separate ministries: the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development. As a result of this reorganization, in 2015, Statistics Canada renegotiated the DSA with each ministry. The new DSAs cover data from 20 energy surveys.

The statistical program responsible for the majority of energy surveys covered by these DSAs is the Environment, Energy and Transportation Statistics Division (EETSD). Its mandate is to collect, compile, analyze, abstract and publish statistical information on Canadian business activity in the energy sector. The subject-matter units of the energy statistics program provide information on industries that produce and distribute energy, the consumption of specific forms of energy, and operating and technical information.

The B.C. ministries may use the information shared, pursuant to the DSAs, that relates to an identifiable respondent, for statistical and research purposes only.

Audit Objectives

The objectives of the audit were to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

  • There is an effective management control framework in place to govern the sharing of information between Statistics Canada and the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development.
  • The terms and conditions of the data-sharing agreements between Statistics Canada and the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development are met.

Scope

The scope included an examination of the roles, responsibilities, accountabilities and monitoring practices at Statistics Canada with respect to managing the terms and conditions of the DSAs. The scope also included a review of compliance with the terms and conditions prescribed in the DSAs, for both Statistics Canada and the ministries, to ensure that data are protected and confidentiality maintained.

This included physical security access, IT storage and transmission, physical storage and information copying, and records-management safeguards at the ministries to ensure that data are protected and confidentiality maintained.

The audit did not include the Annual Survey of Manufactures and Logging and the Cement Monthly since no data have been shared for these surveys.

Approach and Methodology

The audit work consisted of an examination of documents, interviews with key senior management and personnel, and a review of compliance with relevant policies and guidelines (see Appendix A: Audit Criteria for details) at Statistics Canada and the ministries.

The field work included the following:

  • Examination of documents;
  • Interviews with key senior management and other personnel;
  • Review and assessment of the processes and procedures outlined in the terms and conditions of the DSAs with the ministries, with emphasis on determining whether the security requirements are in place and complied with, and whether confidentiality of data are maintained; and,
  • Testing of a sample of selected contracts with third parties (if any).

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada Integrated Risk-Based Audit and Evaluation Plan 2016/2017 to 2020/2021.

Findings, Recommendations and Management Response

Control Environment for the Management of the Data-sharing Agreements

Authorities are defined and the Statistics Canada policy framework sets out clear roles, responsibilities and practices for the management and implementation of the DSAs.

Most roles and responsibilities for the management of the DSAs are in place. Opportunities were identified to clarify monitoring responsibilities for compliance with the terms and conditions of the DSAs and to review data use prior to the renegotiation of agreements.

Authorities, roles and responsibilities should be clearly defined and understood at all levels to support the effective management of DSAs.

Authorities are defined

Statistics Canada exercises its mandate to enter into statistical data-sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. Roles and responsibilities related to the development, implementation and monitoring requirements of DSAs are set out in the Directive on Data Sharing. The directive notes that subject-matter divisions (SMDs) are responsible for communication with recipient organizations during both the negotiations and the drafting of the agreements. The Information Management Division (IMD) is responsible for drafting data-sharing agreements when requested by directors of statistical programs and for providing support to managers during the development of new or modified data-sharing agreements with receiving parties. Justice Canada Legal Services are consulted on changes to the standard agreement, which is reviewed and updated at regular intervals.

Most roles and responsibilities for the management of the DSAs are in place; there are opportunities to clarify monitoring responsibilities

Statistics Canada first entered into a DSA with the B.C. Ministry of Energy, Mines and Petroleum, in 2008, to share data from nine energy surveys. Under the 2008 agreement, two sections of the B.C. ministry received data: the Monthly Oil Pipeline Survey data were sent to the natural gas section and the Coal Survey data to the energy and mines section.

In 2013, the B.C. Ministry of Energy, Mines and Petroleum reorganized into two separate ministries: the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development. This reorganization led Statistics Canada, in 2015, to renegotiate the DSA with each ministry. The new DSAs cover data from 20 energy surveys.

The Statistics Canada division responsible for managing both DSAs with the B.C. ministries is the EETSD. The subject-matter units of the energy statistics program provide information on energy-producing and distributing industries, on the consumption of specific forms of energy, and on operating and technical information.

Since 2014, EETSD assigned responsibilities for the management and implementation of the DSAs to two different areas. The implementation of the agreements is assigned to the Energy Statistics Unit, which prepares the shared file for distribution and ensures its accuracy. The unit also maintains a list of respondents who object to sharing their data with the B.C. ministries. The secure transmission of the file, the maintenance of transmission logs of information shared, and the renegotiation of agreements and communication with the B.C. ministries have been assigned to the Centre for Special Business Projects Division (CSBP).

Specific responsibility for monitoring of the DSAs has not been assigned and has not been carried out. Interviews indicated that neither the Energy Statistics program nor CSBP were aware of who was responsible for carrying out monitoring.

The Directive on Data Sharing (Appendix C) outlines the responsibilities related to the monitoring of compliance with DSAs to ensure that due diligence and legal requirements are met, particularly with respect to the protection of confidentiality and respondent information. Section 7.1 in the DSA template requires that “within 10 business days of a request made by Statistics Canada, the ministries shall submit confidentiality documents, a register of all data files and data-access registers as outlined in Appendix C.”

Testing during the conduct of the audit revealed that the Natural Gas Section never used the data it received under the first DSA, signed in 2008, and, there was no monitoring or review of the data used prior to renegotiating the agreements in 2015.

Recommendation:

It is recommended that the Assistant Chief Statistician, Economic Statistics ensure that:

  • Responsibilities for the management and implementation of DSAs within the SMDs of the Agriculture, Energy, Environment and Transportation Statistics Branch are clarified, communicated, and effectively carried out.

Management Response:

Management agrees with the recommendation.

The Director General Agriculture, Energy, Environment and Transportation Statistics Branch will ensure that the SMDs involved with the management of the DSAs will map out their specific roles and responsibilities, including monitoring requirements. A checklist will be developed to ensure that agreements are being managed in a comprehensive and consistent manner.

Deliverables and Timeline: Documented mapping of roles, responsibilities and checklist will be completed by March 31, 2017.

Data Stewardship

Data were sent to the B.C. ministries using a secure process and met the requirements of the DSAs. Respondents were notified and did not object to the sharing of their data.

Data received by the B.C. ministries were stored and shared in a secure manner and kept confidential. Data sharing was limited to only those who required access. There was no sharing of the data with third parties and no publication of statistical aggregates.

Some of the data custodian responsibilities are not being carried out at the B.C. ministries, and the data custodian role is not segregated from data users. Confidentiality documents and file registers are not being completed as required.

The DSAs outline the controls that should be in place to ensure Statistics Canada's data are kept confidential and protected against unauthorized use. Specific controls must be in place for the secure and accurate transmission of data files. In addition, once received, the data should be secured, tracked, and monitored.

Processes and procedures are in place for the secure and accurate transmission of data files

A sample of eight data files sent was tested to assess whether the established framework to manage the DSA requirements for the preparation of the data files and the secure transmission of the shared files was followed at Statistics Canada.

As of April 2012, the Electronic File Transfer (e-FT) Service is the corporate system used by Statistics Canada for the secure transmission of protected information to recipient partners. The files are password-protected and encrypted during transfer. Once a data file is transmitted from Statistics Canada, the data custodian is notified that a file is in the e-FT vault. The data custodian is then required to request a password from Statistics Canada to decrypt and access the file. Prior to the implementation of the e-FT data-transmission process, Statistics Canada data files were sent to the ministry via encrypted compact disc (CD).

The sharing of Statistics Canada microdata under section 12 of the Statistics Act requires giving respondents prior notification of the proposed sharing, and giving them the right to refuse to allow their information to be shared. Documentation review revealed that this requirement is reflected in the DSAs and, the survey prescription forms for respondents identified the B.C. ministries as potential users of the data.

Review of the data files prepared and sent to the ministries confirmed that they were for the reference periods covered in the DSAs and contained survey responses from only respondents in B.C. A register of the “list of refusals” from survey respondents, for the surveys, revealed that no respondents objected to sharing their information.

There are effective controls for the receipt, storage and sharing of Statistics Canada's data at the B.C. ministries

A walkthrough of the processes and procedures for data receipt, storage and transmission of Statistics Canada data files was conducted. Data are stored on both encrypted CDs and, saved in an electronic directory. Data that was held on encrypted CDs were observed to be stored in a locked cabinet in the director's office. A review of the directory where Statistics Canada's data files are stored found that the data custodian received and decrypted data in a folder on the ministry's departmental network drive, and that access is further secured using Microsoft security groups. Testing confirmed that the security group was limited to the individuals provided access by the data custodian.

The B.C. ministries can share Statistics Canada confidential information with third parties and can publish statistical aggregates, as long as the information does not directly or indirectly identify a person, business, organization or an identifiable product and they consult with Statistics Canada prior to doing so. Interviews revealed that the ministries have not shared any of the data received from Statistics Canada with researchers, provincial/territorial or university research institutes/organizations, and statistical aggregates are released internally, but only at a very high level and never using Statistics Canada data. Therefore, there has been no need to consult with Statistics Canada prior to releasing any statistical aggregates.

The data custodian is not fulfilling all of the responsibilities prescribed in the DSAs and, the data custodian role is not segregated from data users

Appendix C of the DSAs specifies that the data custodian is responsible for three key requirements:

  • Preparing a confidentiality document and ensuring that all individuals who access the Statistics Canada data sign this document;
  • Maintaining a register of data files received from Statistics Canada; and,
  • Maintaining a register of access to data files for all individuals granted access to Statistics Canada data files.

In February 2016, Statistics Canada provided an information session to both ministries about the recently signed DSAs, which included an explanation of the data custodian responsibilities.

The audit found that employees who have access privileges to Statistics Canada files at the B.C. ministries had not signed the confidentiality document. In addition, the ministries had not maintained a register of data files received from Statistics Canada and a register of access to data files. Finally, the role of the data custodian is assigned to functional team members who access and use the data.

Standard templates for confidentiality documents or data file registers are not provided to the receiving parties, and guidance on ensuring the segregation of the data custodian role is not included in the DSA.

Recommendations:

It is recommended that the Assistant Chief Statistician, Economic Statistics:

  • Communicate with the B.C. ministries and ensure that data custodians at the B.C. ministries are effectively carrying out their assigned responsibilities.

It is recommended that the Assistant Chief Statistician, Analytical Studies, Methodology and Statistical Infrastructure ensure:

  • A standard approach to inform and support receiving parties in fulfilling the data custodian responsibilities is implemented; and,
  • Guidance on the segregation of the data custodian role from the users of the data is made available to receiving parties.

Management Response:

Management agrees with the recommendations.

The Director General Agriculture, Energy, Environment and Transportation Statistics Branch will prepare a letter to the B.C. ministries requesting that data custodian responsibilities for data stewardship are effectively carried out, and will request confirmation in writing when this has been done.

Deliverables and Timeline: Telephone conversation followed by written correspondence by the Director General Agriculture, Energy, Environment and Transportation Statistics Branch to be completed by March 31, 2017.

The IMD will implement a uniform approach to inform and support data custodians, and provide consistent guidance on their roles and responsibilities by way of a business portal for receiving organizations. This portal will:

  • allow the receiving organizations to have current information about their obligations when receiving confidential information;
  • be used as a communication tool between Statistics Canada and the receiving organizations; and,
  • be used as a repository of information, such as the register of data files received from Statistics Canada, the register of access to data files of all users, and confidentiality documents.

Deliverables and Timeline: The implementation will be completed by September 30, 2018.

Physical and Information Technology Security Controls

Physical access to B.C. ministries' offices is secured through an access card system that is regularly updated.

Access to Statistics Canada's data is restricted to employees required to use data through the use of restricted folders. B.C. Government information-security policies are in place and are understood by employees involved in the handling of Statistics Canada data.

Control and protection of information, either physical or electronic, should be executed in a manner that guards against loss, theft, compromise or improper disclosure. Access to the data should be granted to only employees or contractors, as necessary, to produce a survey-related product or service for the sole benefit and mandate of the ministries.

Physical access to the B.C. ministries' offices is restricted

The ministries' offices are located in downtown Victoria and are co-located with other B.C. government departments that occupy the same building complex. A physical inspection of the site found that the offices are secured and use an access card system. Employees are required to swipe their access cards to enter secure floors. Access cards of departing employees are deactivated. Visitors are required to check in with security, sign a logbook, and must be escorted by an authorized person at all times. No access cards or passes are issued to visitors.

Access to Statistics Canada's data is restricted, and information security policies are in place

Interviews, review of documentation, and testing confirmed that logical access controls exist at the ministries in accordance with the security requirements in the DSAs. A password is required to access computers on the network, and access permissions are captured under each employee's user profile. Only the data custodian and another user have read/write access to the data.

Only employees who had been granted access to the Statistics Canada data could access the restricted folder where the Statistics Canada data are stored. Access to Statistics Canada data is updated every time an employee is hired, transferred to another section, leaves the organization or retires. However, as mentioned earlier, while data access is secured, there is no log kept of who has been granted access.

There are several corporate security policy instruments to which the employees should adhere or can refer, including the B.C. Government Information Security Policy, the Working Outside the Workplace Policy, the IM-IT Security Standards Policy, and Security 101 Guidebook on the Basics of Information Security in the Government of British Columbia.

Documentation review found that their security policies prohibit the transmission of data through fax or emails, and data cannot be stored on transportable media devices (i.e., CDs, Universal Serial Bus (USB) sticks, hard drives or laptops). Data are not to be removed from the premises or reproduced. Employees are required to ensure that confidential information is placed in locked shredding bins, the contents of which are to be removed by a private shredding company. Interview evidence confirmed that employees involved in the handling of Statistics Canada data understood these information security requirements.

Appendices

Appendix A: Audit Criteria

Audit Criteria
Table summary
This table displays the results of Audit Criteria. The information is grouped by Control Objective / Core Controls / Criteria (appearing as row headers), Sub-Criteria and Policy instruments / Sources (appearing as column headers).
Control Objective / Core Controls / Criteria Sub-Criteria Policy instruments / Sources
Objective 1: There is an effective management control framework in place to govern the sharing of information between Statistics Canada and the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development.
1.1 Authorities, responsibilities and accountabilities are defined and communicated, and the segregation of duties is appropriately established.

(AC-1 & 4)
1.1.1 Responsibilities are formally defined and clearly communicated.

1.1.2 Authority is formally delegated, and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined.
Relevant TB legislative and regulatory requirements, Statistics Canada policies and procedures, such as:
  • Statistics Act
  • Policy on Official Release
  • Security Practices Manual
  • Policy on the Security of Sensitive Statistical Information
  • Policy on Privacy Impact Assessments (PIA)
  • Policy on Informing Survey Respondents
  • Policy on Micro-Data Release
  • Policy on Discretionary Disclosure and associated guidelines
  • TB Policy on Government Security
  • TB Operational Security Standard on Physical Security
  • TB Directive on Departmental Security Management
  • All levels of management/ staff for the Energy program at EETSD; Dissemination section at CSBP; and IMD
  • Internal documents related to the management of DSAs
  • Data-sharing agreements
1.2 Statistics Canada and B.C. Ministry of Energy and Mines and B.C. Ministry of Natural Gas Development have established an appropriate framework to manage the requirements stipulated in the DSAs.

(G-1 & 2)
1.2.1 Processes are in place to fulfill the requirements stipulated in the DSAs

1.2.2 Processes are understood and are complied with.

1.2.3 Compliance with processes is monitored.
1.3 Management at B.C. Ministry of Energy and Mines and B.C. Ministry of Natural Gas Development identifies, assesses the appropriateness of existing controls to effectively manage its risks and ability to meet the requirements of the DSAs.

(RM-2, 3 & 4)
1.3.1 Risks are identified

1.3.2 Formal processes and guidelines exist to assess the effectiveness of controls in place to manage identified risks.

1.3.3 Management formally responds to and monitors its risk exposure
1.4 Management at B.C. Ministry of Energy and Mines and B.C. Ministry of Natural Gas Development monitors actual performance against planned results, and adjusts course, as needed, to better address the requirements stipulated in the DSAs.

(RP-3)
1.4.2 Responsibility for monitoring is clear and communicated, and results are reported to required authority levels.

1.4.3 Active monitoring is demonstrated.
Objective 2: The terms and conditions of the data-sharing agreements between Statistics Canada and the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development are met.
2.1 Processes are in place to ensure that the data shared under the DSAs are protected at the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development.

(ST-9)
2.1.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with the DSAs.

2.1.2 Access is physically restricted.

2.1.3 Procedures exist to safeguard the shared data upon termination of an agreement.

2.1.4 Procedures exist to protect the use of data from abuse or fraud.
  • TB Policy on Government Security
  • TB Operational Security Standards: Management of IT Security (MITS)
  • Statistics Canada's Security Practice Manual
  • Statistics Canada's Policy on Security of Sensitive Statistical Information
2.2 Appropriate system application controls exist at the B.C. Ministry of Energy and Mines and the B.C. Ministry of Natural Gas Development.

(ST-11)
2.2.1 Logical access controls exist to ensure access to systems and, data is restricted to authorized users; e.g., systems require users to log on using unique user name and password.

2.2.2 Authentication and access procedures and mechanisms exist for and are applied to keeping authentication and access mechanisms effective.

Appendix B: Acronyms

Acronyms
Acronym Description
B.C. British Columbia
CSBP Centre for Special Business Projects Division
CD compact disc
DSAs Data-sharing Agreements
EETSD Environment, Energy and Transportation Statistics Division
e-FT Electronic File Transfer Service
IIA Institute of Internal Auditors
IMD Information Management Division
IT Information Technology
SMDs Subject-matter Divisions
TB Treasury Board
USB Universal Serial Bus
Date modified: