Auditor General of Canada to the House of Commons

Transcription

1 2009 Report of the Auditor General of Canada to the House of Commons Managing Identity Information Office of the Auditor General of Canada

2 The Report is available on our website at For copies of the Report or other Office of the Auditor General publications, contact Office of the Auditor General of Canada 240 Sparks Street, Stop 10-1 Ottawa, Ontario K1A 0G6 Telephone: , ext. 5000, or Fax: Hearing impaired only TTY: Ce document est également publié en français. Minister of Public Works and Government Services Canada 2008 Cat. No. FA3-48/2008E ISBN

3 Auditor General of Canada Vérificatrice générale du Canada To the Honourable Speaker of the House of Commons: I have the honour to transmit herewith this report to the House of Commons, which is to be laid before the House in accordance with the provisions of subsection 7(5) of the Auditor General Act. Sheila Fraser, FCA Auditor General of Canada OTTAWA, 5 November 2008

4

5 Managing Identity Information

6 All of the audit work in this chapter was conducted in accordance with the standards for assurance engagements set by The Canadian Institute of Chartered Accountants. While the Office adopts these standards as the minimum requirement for our audits, we also draw upon the standards and practices of other disciplines.

7 Table of Contents Foreword 1 Main Points 5 Introduction 7 Identity information is essential to delivering federal services 7 Focus of the audit 9 Observations and Recommendations 9 Identity information holdings 9 Three of the four institutions collect only identity information they are authorized to collect 9 Management of information quality 11 Elections Canada and Service Canada have adequate quality management systems 11 Canada Revenue Agency can further improve quality management of identity information 12 Passport Canada lacks some key elements of a quality management system for identity information 13 A whole-of-government approach 15 An integrated approach to managing identity information does not exist 16 Many potential benefits of common solutions have not been realized 18 Duplication exists in practices to obtain vital events data 20 Legislative and privacy considerations need not be barriers 23 Effective structures for governance and funding of a common approach do not exist 25 There has been little policy direction on managing identity information 25 Treasury Board of Canada Secretariat has done some recent work on policy guidance but more is needed 28 Conclusion 29 About the Audit 31 Appendix List of recommendations 35 Report of the Auditor General of Canada iii

8

9 Managing Identity Information Foreword Canadians and residents of Canada come in contact with the federal government in several ways. They receive services and benefits such as income security and Canada Pension Plan payments; they exercise their rights the right to vote, for example, and to move freely in and out of the country; and they fulfill obligations such as the requirement to pay taxes. The various federal institutions that deliver these services and benefits, and support the exercise of these rights, have to confirm that their clients are the people they claim to be. Confirming a person s identity every time they deal with government is a complex business challenge. Many people use slight variations of their names or record their dates of birth in different ways. Each year, enormous numbers of Canadians move to new addresses. And people forget or misplace the identifying numbers assigned to them and the passwords that they have created. To meet this challenge, federal institutions collect information from the same people for different purposes information that is similar, though not always exactly the same from one organization to another. Several recent audits by the Office of the Auditor General found that organizations managing this similar information faced similar challenges. In the spring of 2007, the Office decided to look more closely at how federal institutions manage the information that they use to identify their clients their identity information. The Office was particularly interested in how they ensure the quality of the information and to what extent they collaborate to ensure the efficient use of the government s information holdings. The Office of the Privacy Commissioner has also conducted several audits of how federal institutions are managing the personal information they hold, which includes identity information. It found that institutions need a robust privacy management framework if they are to achieve their program objectives and observe best privacy practices. The Commissioner s Office decided to look more closely at the privacy management frameworks of certain federal institutions how they organize themselves through structures, policies, systems, and Report of the Auditor General of Canada 1

10 procedures to distribute privacy responsibilities, coordinate privacy work, manage privacy risks, and ensure compliance with the Privacy Act. Our two offices therefore agreed to work collaboratively on concurrent audits, consistent with our respective mandates. This collaboration represents a historic first audits of selected federal institutions, conducted and reported on concurrently by two officers of Parliament. The two audit teams participated jointly in audit-related processes and shared information on a regular basis. Both offices report on the systems and practices of four federal institutions, each of which manages at least one large database of personal information that includes identity information. Elections Canada, for example, manages the National Register of Electors, which contains the personal information of about 23 million eligible Canadian voters. Service Canada manages the Social Insurance Register, with the personal information of everyone who has applied for a social insurance number; the Register held nearly 31 million active records in The Canada Revenue Agency manages the IDENT database containing the personal information of about 33 million individual taxpayers, and Passport Canada s Central Index contains records of more than 17 million active passports. The Office of the Auditor General found that, with one exception, the organizations collected only the identity information they are authorized to collect. The quality of the collected information is managed well in two of the federal institutions, while there are opportunities to improve in the two others. However, federal institutions have not integrated their approaches to managing identity information. Many similar frameworks, strategies, and initiatives have been pursued over the past 10 years, but the result has been some duplication of process, frequent reconsideration of the same problems, and incomplete solutions to the underlying needs. The Office of the Privacy Commissioner found that the privacy management frameworks of two of the four federal institutions are reasonably robust, but require improvement, while there are significant gaps with respect to the way personal information is managed by the two other institutions. It found instances where personal information is being collected and used without legislative authority, where personal information is at risk of unauthorized disclosure or loss, or where privacy risks were not appropriately assessed. Weaknesses in an institution s privacy management framework can have a variety of real 2 Report of the Auditor General of Canada

11 consequences for Canadians, including the risk that personal information will be used for illegal activities such as identity theft. Both officers of Parliament call for stronger leadership from the centre of government specifically, the Treasury Board of Canada Secretariat. The Secretariat has a critical role to play in setting standards and issuing policy, directives, and guidance on managing identity information and developing model frameworks for privacy management. Without stronger leadership, federal institutions will likely continue independently to develop incomplete solutions to their common challenges: how to authenticate the identity of the Canadian citizens and residents they serve; and how to ensure the privacy of the personal information they collect and use, including its integrity, security, and confidentiality. The full picture of the opportunities and the risks of inaction emerges in reading the two reports as a whole. Federal institutions can do a better job of managing the personal information assets of government. Failure to do so will be costly and inefficient and could erode the privacy of Canadians. Sheila Fraser Auditor General of Canada Jennifer Stoddart Privacy Commissioner of Canada Report of the Auditor General of Canada 3

12

13 Managing Identity Information Main Points What we examined The government s ability to deliver some of its largest and most significant programs to Canadians relies on information that allows federal institutions to identify the individuals applying for services. This identity information includes, for example, an individual s name, date of birth, and address. Our audit examined identity information databases of the Canada Revenue Agency, Elections Canada, Passport Canada, and Service Canada. The four databases we reviewed contain similar identity information about the majority of adults in Canada. We looked at whether the four institutions manage identity information as a valuable asset, collecting only what is relevant to their programs or activities and using practices that are adequate to ensure the quality of the information. We also looked at the extent to which they have worked together to address common problems and to share solutions, in order to manage identity information efficiently while respecting privacy and other legal requirements. Our audit also included the Treasury Board of Canada Secretariat in its role of providing central guidance on information and identity management in the federal government. We did not audit data security, that is, controls on access and security of data transmissions. Why it s important People requesting government services today expect federal institutions to meet their needs seamlessly and efficiently. To do this, federal institutions increasingly use the identity information in their databases to identify the individuals applying for services. Those institutions need to ensure that the information they use is valid and accurate. It is difficult to determine the costs of managing identity information. Based on information provided to us, however, estimated development costs of each of the four databases we examined ranged from $12 million to $31 million. Each database also costs from around $3 million to over $20 million a year to operate. Improving the management of identity information could increase efficiency and reduce duplication. It could also improve service to Canadians by Report of the Auditor General of Canada 5

14 reducing the need to repeat processes, streamlining access to services, and improving communication with government. What we found There is no integrated federal approach to managing identity information; many similar frameworks and strategies have been developed but not formally adopted by the government. Policy guidance has undergone several iterations, all with similar elements. Initiatives pursued by federal institutions over the past 10 years to jointly use and manage identity information have resulted in duplication, frequent reconsideration of the same problems, and incomplete solutions to the underlying needs. The inability to arrive at solutions has been due to two main barriers: difficulty in establishing governance structures to manage interdepartmental or inter-jurisdictional initiatives including an equitable means of paying for the solutions; and a lack of policy direction on managing identity information. Federal institutions have pursued many initiatives jointly and separately, many of them overlapping to establish electronic routing of vital events information (on births and deaths, for example) from provincial vital statistics organizations. However, almost 10 years after the first electronic links to provincial systems were established, only some information is being obtained electronically and only by some federal institutions; and some of the information is duplicated. The institutions we examined collect and manage selected identity information as a valuable asset, with a few exceptions. For the most part, they collect only identity information that is relevant to their programs. The four institutions have a variety of systems and practices to ensure the quality of their identity information. However, Passport Canada has not implemented a comprehensive quality management system to provide adequate assurance that its identity information database contains accurate and complete information. The federal institutions have responded. The federal institutions agree with our recommendations. Their responses follow each recommendation throughout the report. 6 Report of the Auditor General of Canada

15 Introduction Identity information is essential to delivering federal services 1. The federal government s Policy on Information Management states that government information is essential to effective management. Further, it says that information should be managed as a valuable asset to support all aspects of government business. Identity information The personal information commonly used alone or in combination with other information to identify individuals for example, name, date of birth, gender, citizenship, address, or assigned identifying number (such as a social insurance number, birth certificate registration number, or passport number). Identification and authentication The process of validating and verifying a claimed identity based on assessing the reliability of the information provided. 2. Identity information is central to the government s ability to deliver some of its largest and most significant programs. It helps federal institutions provide services to only those entitled to receive them. 3. People requesting government services today expect federal institutions to meet their needs seamlessly and efficiently. As federal institutions provide more services electronically, they are using the information contained in identity information databases to identify and authenticate Canadians. They need to ensure that they do this efficiently and that the information they use is valid and accurate. 4. Acting on opportunities to improve the management of identity information has several potential benefits. For federal institutions, it could increase efficiency and reduce duplication. For clients, it could reduce the need to repeat processes, streamline their access to services, and make it easier for them to communicate with government. Furthermore, ensuring that the information is accurate could reduce errors, help prevent fraud, and improve program delivery. Personal information Under the Privacy Act, personal information is information about an identifiable individual that is recorded in any form and includes, but is not limited to, name, national or ethnic origin, colour, religion, age, marital status, education, financial transactions, address, fingerprints, blood type, and medical, criminal, or employment history. 5. As a type of personal information, identity information is subject to the Privacy Act and the associated privacy policies that govern the collection, use, and disclosure of personal information. The collection and management of identity information by particular federal institutions is also governed by program legislation such as the Canada Elections Act, the Employment Insurance Act, and the Income Tax Act. How the information is managed must also be consistent with the Government Security Policy. 6. We estimate that there are at least nine large databases in the federal government that include establishing identity as an important aspect of delivering services to clients and in which most adults in Canada can expect to be included at some point in their lives. Four federal institutions manage these nine databases. Report of the Auditor General of Canada 7

16 7. We examined one database (Exhibit 1) in each of the following four federal institutions: Canada Revenue Agency s Individual Identification Master File (known as IDENT); Elections Canada s National Register of Electors (NRE); Passport Canada s database for issuing passports (known as the Central Index); and Service Canada s Social Insurance Register (SIR). 8. Costs of managing identity information are difficult to estimate because the information is usually considered a subset of the personal information managed by an institution and is often managed as part of a larger set of program information. Nevertheless, based on information provided by federal institutions, estimated development costs of each of the four databases ranged from around $12 million to $31 million. The estimated annual cost to operate each database ranges from around $3 million to over $20 million, but not all relevant costs are included in these figures. Some federal institutions did not include costs of data collection, overhead, or quality assurance activities in their operating costs; and none was able to provide its costs for the archiving and disposal of information. Exhibit 1 The identity information databases examined in the audit Database Federal institution Contents Created Number of active records Individual Identification Master File (IDENT) Canada Revenue Agency Identification information from tax returns and applications for benefit payments million* National Register of Electors (NRE) Elections Canada Identification information on Canadians qualified to vote million Central Index Passport Canada Completed passport applications and supporting documentation for issued passports and travel documents million Social Insurance Register (SIR) Service Canada Personal information on applicants for social insurance numbers million * IDENT includes some records marked as deceased for which there is ongoing tax activity. Sources: Canada Revenue Agency, Elections Canada, Passport Canada, and Service Canada. 8 Report of the Auditor General of Canada

17 Focus of the audit 9. The audit focused on how the Canada Revenue Agency, Elections Canada, Passport Canada, and Service Canada manage the identity information included in the four databases we examined. (Several of these institutions have undergone name changes in recent years due to government reorganizations; this report uses their current names.) 10. The objective of the audit was to determine whether the four institutions manage identity information as a valuable asset, collecting only identity information that is relevant to their program needs and using practices that are adequate to ensure the quality of the information. We also looked at the extent to which they have worked together to address common problems and share solutions in order to manage identity information efficiently while respecting privacy and other legal requirements. 11. Our audit included the Treasury Board of Canada Secretariat in its role of providing central guidance on information and identity management in the federal government. We also looked at Statistics Canada since, at the time of the audit, it was the lead federal department responsible for the National Routing System (a specific project we examined). 12. More details on the audit s objective, scope, approach, and criteria are in About the Audit at the end of this report. Observations and Recommendations Identity information holdings 13. Under the Privacy Act, a federal institution cannot collect identity information unless it is directly related to its programs or activities. Managing identity information that is not relevant to its programs may also be an inefficient use of its resources. 14. We looked at what kinds of identity information the selected databases contain and why the Canada Revenue Agency, Elections Canada, Passport Canada, and Service Canada collect and manage the information. Three of the four institutions collect only identity information they are authorized to collect 15. Canada Revenue Agency, Passport Canada, and Service Canada. In the databases we examined, we found that the use made of each identity element by the Canada Revenue Agency, Passport Report of the Auditor General of Canada 9

18 Canada, and Service Canada is directly related to the programs they provide. We also found that they have the authority set out in the Acts, regulations, and policies governing their respective programs to collect the identity information in their databases. 16. Elections Canada. Elections Canada lacks authority for some identity information it collects and keeps. Section 44 of the Canada Elections Act establishes the National Register of Electors and specifies several identity data elements that should be maintained in it. The Act also permits Elections Canada to collect and retain information it considers reliable and needed to update the register. 17. Elections Canada collects information from provincial and territorial drivers licence registries (in some cases through provincial electoral agencies) mainly to obtain changes of address. Some provinces and territories send identity information on all drivers, including those under the age of 18 information that Elections Canada does not have the authority to collect, since these individuals are known not to be electors. Officials at Elections Canada told us that this information allows it to invite individuals to register as electors as they turn 18. Elections Canada estimates that it currently holds identity information on about 104,000 individuals under the age of Recommendation. Elections Canada should ensure that it collects only the identity information permitted by the Canada Elections Act. Elections Canada s response. Elections Canada agrees with the recommendation and will take the following steps to comply by 31 March 2009: Elections Canada will purge from its database all information on individuals under 18 years of age. Elections Canada will contact its suppliers to request that they provide information only for individuals 18 years of age or older. Until they have implemented this change, Elections Canada will filter the files received from its suppliers and will remove the records of individuals under 18 years of age before processing the files. However, pursuant to subsection 540(2) of the Canada Elections Act, Elections Canada is required to keep, for at least two years, documents that relate to the updating of the National Register of Electors. After that period and subject to the consent of the Librarian and Archivist of Canada, Elections Canada will destroy CD-ROMs, diskettes, or other physical media on which the data was provided. 10 Report of the Auditor General of Canada

19 Elections Canada notes that information on these individuals under 18 years of age has not been included in the National Register of Electors or on lists of electors. Management of information quality 19. Managing identity information that is poor in quality or is not usable is inconsistent with the Privacy Act and the Treasury Board s policy guidance on managing information. Both require that federal institutions take reasonable steps to ensure that their personal information holdings are accurate, up-to-date, and complete. If federal institutions do not appropriately manage the quality of identity information, they risk having to do work over again to fix errors and being unable to provide good customer service. Furthermore, having identity data that is of good quality helps in detecting and preventing abuse and fraud. 20. Quality management systems provide assurance that individual quality controls are working as intended. They are essential to providing management with independent information on performance and early warning of risks that could affect program delivery. In database management, they also provide a means to ensure that information already in the system does not become corrupted and unusable. 21. We looked at what steps the Canada Revenue Agency, Elections Canada, Passport Canada, and Service Canada take to ensure that the identity information going into their databases is accurate, complete, and valid, and that it is kept up-to-date and not corrupted over time. Elections Canada and Service Canada have adequate quality management systems Coverage The percentage of the estimated total number of eligible voters who are included in the National Register of Electors. Currency The percentage of the estimated total number of eligible voters who are included in the National Register of Electors at the correct address. 22. Elections Canada. In November 2005, we reported that Elections Canada had in place the core elements of a quality management system, including two targets for the coverage and currency of the information in the National Register of Electors (NRE) (November 2005 Report, Chapter 6, Administering the Federal Electoral Process Elections Canada). We also reported that Elections Canada had controls and means in place to ensure that it met these targets. 23. Our current audit found that Elections Canada still measures and reports on the two targets for quality of information in the NRE and has taken steps for further improvement. 24. Service Canada. In February 2007 we reported that while Service Canada was heading in the right direction to improve data quality in the Social Insurance Register (SIR), much still remained to be done (February 2007 Status Report, Chapter 6, The Management Report of the Auditor General of Canada 11

20 of the Social Insurance Number Human Resources and Social Development Canada). Legitimate SINs accuracy rate The estimated proportion of active SINs that are not multiples or based on fabricated identities and stolen identities of deceased individuals. Vital events accuracy rate An estimate of the percentage of birth and death dates contained in the SIR that are accurate. 25. Our current audit found that Service Canada has taken significant steps to implement a quality measurement and reporting system for the data in the SIR, as well as a quality management strategy for new data as it is entered into the SIR when someone applies for a social insurance number (SIN). Since February 2007, Service Canada has developed two goals for the quality of identity information in the SIR legitimate SINs accuracy rate and vital events accuracy rate and has established targets for these goals. Service Canada officials informed us that they plan to measure and report on these accuracy rates in the Departmental Performance Report of Human Resources and Social Development Canada (of which Service Canada is a part). 26. In October 2007, Service Canada implemented a national quality control process for SIN applications. Randomly selected cases are reviewed independently to verify that new information entering the SIR at the time of a SIN application is complete, accurate, and valid. Canada Revenue Agency can further improve quality management of identity information 27. We found that the Canada Revenue Agency has processes in place designed to identify and act on potential quality problems in its identity information database (IDENT). Some of these processes are undertaken by the managers of IDENT annual testing of the database before the new tax season begins, for example, and monthly error reports that identify inconsistencies in information and identify when system validity rules are bypassed. We found that the Agency acts promptly to investigate and correct errors. 28. Other quality processes are managed by the business functions that use the identity information in various activities such as processing tax returns. For example, the Agency annually updates identity information based on tax returns filed by individuals and also evaluates how accurately tax returns are processed. The Agency is currently developing a strategy to standardize and better monitor the quality review process in its operational centres, which could further ensure that information on tax returns, for example, is reflected accurately in IDENT. 29. However, we found that in some cases not all the available processes and reports that provide information on the quality of data 12 Report of the Auditor General of Canada

21 in IDENT are being fully used. Using them would enable managers to monitor the information in IDENT and act on problems as necessary. 30. We also found that the Agency formally measures and reports against a quality target for only one element of the identity information in IDENT namely, addresses (for the Agency to receive preferential mail rates from Canada Post, 95 percent of the addresses on its mailings must be accurate). 31. In 2006, the Canada Revenue Agency began a multi-year project to renew the IDENT database. The project includes validating information and processes for many data fields; establishing a data stewardship function that identifies business owners of the data; and redefining authorities and rules that govern how the information is entered and extracted from the database. We observed that the validation activities to date have not identified significant data quality problems. Passport Canada lacks some key elements of a quality management system for identity information 32. Passport Canada has controls in place that are designed to identify and resolve potential data quality problems when a passport application is processed. However, it does not have a comprehensive quality management system that would monitor the effectiveness of the application-processing controls and, over time, the quality of the information in the Central Index (the database for issuing passports). 33. The simplified passport renewal process introduced in August 2007 relies on the identity information submitted with the previous passport application around five years earlier and entered in the Central Index at that time; the passport holder is not required to submit the same identity documents again. After 2011, when a 10-year passport is to be introduced, renewals will rely on data entered in the database up to 10 years earlier. These two changes make it critical not only that the quality of data on passport applications be assured before it is entered in the system but also that the quality of the data be maintained over time. 34. Passport Canada does not have explicit quality goals but rather works to ensure that identity information on the passport application is correctly reflected on the printed passport. We examined the controls designed to achieve this objective at one of Passport Canada s two application-processing sites. We found manual and automated controls in place to help ensure that identity information on passport applications is entered accurately into the system. Passport agents were Report of the Auditor General of Canada 13