Canadian Police Information Centre (CPIC) Quality Assurance Review (QAR) Process FAQs for CACP

Size: px

Start display at page:

Download "Canadian Police Information Centre (CPIC) Quality Assurance Review (QAR) Process FAQs for CACP"

Mervin Watkins
5 years ago
Views:

1 Page 1 of 7 Canadian Police Information Centre (CPIC) Quality Assurance Review (QAR) Process FAQs for CACP August 12, What is the Canadian Police Information Centre (CPIC) Quality Assurance Review (QAR) process? The CPIC QAR process is a national risk assessment that starts with the automated review and validation of all records stemming from all 2,300 CPIC data entry and access points. The risk assessment will involve validating all records attributed to a given agency, followed by subjectively assessing pertinent risk factors, such as whether an agency has two factor authentication (2FA) or whether the agency s dissemination of information policy is in line with CPIC s dissemination policy. This comprehensive review process will help individual CPIC agencies identify their greatest risks. Each agency will be asked to take appropriate action to address these risks as each agency is ultimately responsible for the quality of its own CPIC records. 2. When will the new CPIC QAR process be implemented? It is anticipated that the national QAR process will be implemented during the Spring, As we transition to the QAR process over the coming year, the CPI Centre will be in close contact with its partner agencies both nationally and regionally to discuss these changes, assess each agency s interim needs and provide assistance to ensure those needs are met. A test of the QAR process is currently being conducted on a sample of agencies across Canada. This will be followed by a pilot project to confirm its validity. 3. Why was the QAR process developed? It was developed to improve the accuracy of CPIC data. Discussions about developing a riskbased assessment model began more than a decade ago and were brought to the attention of the CPIC Advisory Committee. These discussions surfaced again in 2010 following an RCMP internal audit. KPMG consultants later confirmed that moving to a risk-based assessment model would be more efficient than continuing with the traditional CPIC audit process. Technological advances have also helped to make the QAR process possible. In recent years, computing capacity has increased to the point where it is now possible to evaluate all CPIC records electronically.

2 Page 2 of 7 4. How is the QAR process different from the traditional audit function? The traditional audit process only allowed for the periodic assessment of a random sample of each partner agency s CPIC records. The QAR process will be far more thorough because it will enable the CPI Centre to review all records held by all agencies and/or their queries. This will help to ensure that the data uploaded to CPIC is timely, accurate and secure. The QAR process will help each partner agency identify inaccurate CPIC data and assess the risk they assume and place on other partners when inaccurate data is entered into the system. 5. Will auditing of CPIC information continue until the QAR process begins? All agencies are encouraged to continue to audit their CPIC information as required to ensure the data they are uploading to CPIC is accurate and timely and that they are following proper and established procedures. The CPI Centre, both nationally and regionally, will be in close contact with partner agencies over the coming year to communicate about the QAR changes, assess each agency s interim CPIC needs and provide suitable assistance to ensure those needs are met as we transition to the QAR process. 6. How exactly will the QAR process work? The QAR process will use automated data analysis and report capabilities to identify risks associated with the quality and security of each partner agency's data and access. The CPI Centre and its Field Service Teams will help partner agencies interpret their data quality and risk reports. The QAR process will work well in conjunction with Phase 3 CPIC, which is being regularly updated with new functions to improve data validation and accuracy. 7. How was the QAR process developed? A number of risk factors and potential data anomalies were identified by a team of CPIC subject matter experts. These risk factors will be used to assess each partner agency s CPIC data management and query practices. A risk matrix was developed that allows for the objective and subjective assessment of all 2,300 CPIC data entry and access points. These assessments are based on three overreaching objectives: a. Public safety b. Officer safety c. Organizational liability

3 Page 3 of 7 8. Are all risks related to CPIC data entry weighted evenly? No. Some factors are considered less risky than others. A few factors, such as whether a given agency has maintenance capability, or whether they have and follow a Dissemination of Information Policy which is consistent with CPIC s dissemination policy, are considered to be higher risk. 9. Why is Dissemination of Information Policy deemed to be so important? When an agency becomes a CPIC agency and begins uploading private and sensitive information about police investigations, it does so with the understanding that the system is secure and that only CPIC agencies will be accessing their records. CPIC s integrity has stood up to critical analysis and many reviews and court challenges. CPIC s integrity is based on protecting the system s sensitive information from people and agencies that are not privy to such information or have no legislated mandate to access it. CPIC partner agencies trust their information to the stringent security policies and practices that CPIC has established and upheld since its inception. Without these policies and practices, CPIC information would not be trusted by the police officers who depend on it for their personal safety and for the integrity of their investigations, nor could it be trusted by the courts. 10. How often will the CPIC QAR process occur? The CPI Centre will use a system of continuous monitoring to evaluate and reassess the risk associated with each agency s data and queries. Each CPIC partner agency will be responsible for working closely with CPIC staff and contributing to the subjective data associated with this risk analysis. A system of self-audit will complement these efforts and will allow each agency to ensure that CPIC policies and procedures are being adhered to. 11. What is the responsibility of partner agencies in the CPIC QAR process? The current responsibility of partner agencies is to enter, disseminate or query CPIC records as per usual. Over the coming year, the CPI Centre will contact each agency to explain new roles and responsibilities under the QAR process. Specifically, partner agency s responsibilities will evolve according to the need to continuously self-audit and self-report on the data uploaded to CPIC. Specific tasks will involve developing and following policies to support the QAR process, analyzing the risk to CPIC through Unit Level and Agency Level Quality Assurance cycles, and responding to requests from CPIC.

4 Page 4 of How will the CPIC QAR process affect partner agency CPIC personnel? We hope the CPIC QAR process will help partner agencies to sharpen their awareness of CPIC data. CPIC personnel will continue to be highly aware of the records they enter into CPIC, ensuring that each record is current, complete and accurate. When working on a file, CPIC personnel must remain aware of the quality controls that are in place and must monitor for any record deficiencies that could pose risks. CPIC personnel should review each file as a whole and help to identify other employees working in the various partner agencies who are also responsible for the quality of CPIC records. CPIC personnel are encouraged to communicate with CPIC s Field Services staff on a regular basis to ask questions, confirm information and share best practices. 13. How will agencies handle this additional work on top of the other responsibilities? That will be a matter for each CPIC agency to decide. The Commissioner of the RCMP is the ultimate authority for CPIC, while the National Police Information Services Advisory Board monitors the integrity of the CPIC system. This can t be done properly if the risks that jeopardize CPIC are not identified. The CPI Centre strives to identify factors that can cause medium to high levels of risk and follow through with steps to help agencies minimize those risks. How this fits into each agency s priorities is a matter for individual agencies to determine. 14. Will the CPI Centre be providing tools to help agencies with the QAR process? Yes. Validation reports will be provided to help agencies assess their CPIC records with the goal of identifying invalid data and/or anomalies. A review guide will help agencies conduct local quality assurance reviews, determine best practices, identify user groups, conduct training, produce annual reports and more. As we progress through the implementation of the QAR process, we expect to develop and provide additional electronic tools to help agencies fine-tune their reviews and assessments. 15. Will training be available to help partner agencies with the QAR process? Yes. We are currently working with several police training institutions to ensure that instruction on the new CPIC QAR process will be available for CPIC operators and users.

5 Page 5 of How will the QAR process improve the quality of CPIC records? It will help by ensuring that CPIC data is as accurate as possible. If each agency uploading data to CPIC is continually reviewing its records, CPIC can more quickly identify and fix potential problems. Clearly, this will improve the quality and reliability of CPIC records for all partner agencies. 17. Will there still be CPIC Field Operations in partner agency regions? Yes, local CPIC Field Operations Officers will remain key contacts in the QAR process. Their understanding of each agency s local needs is essential. 18. How can partner agencies obtain more information about the QAR Process? They can contact their local CPIC Field Operations staff to ask questions, confirm information and share best practices.

6 Page 6 of 7 Vintage CPIC 19. What s meant by the term Vintage CPIC? Vintage CPIC refers to outdated interfaces with agency s record management systems (RMS) that are not compliant with Phase 3 CPIC. In November 2006, CPIC transitioned to the Phase 3 platform, a software upgrade. Phase 3 provides CPIC users with improved functions that are important to police investigations and public safety. It was expected that all CPIC agencies would migrate to the Phase 3 platform in a timely fashion but that hasn t happened. The NPIS AB endorsed a final sunset date of December 31, 2014 for Vintage CPIC. To date, only 10 interfaces of partner agencies remain to be upgraded and these agencies are on target to meet this sunset date. 20. How is the CPI Centre dealing with the issue of Vintage CPIC? The CPI Centre maintains two different versions of CPIC: Phase 3 and Vintage. Twice each year, new functions are added to Phase 3. The Vintage CPIC system has not had any new functions added since 2006, but programmers still have to assess the impact that changes to Phase 3 will have on Vintage CPIC. As of December 31, 2014, Vintage CPIC interfaces will no longer be maintained and supported by either the CPI Centre or the CIO sector. 21. Why is it so important to eliminate Vintage CPIC now? The Vintage CPIC needs to be eliminated because the new QAR process won t be able to properly assess Vintage CPIC records. The QAR will rely heavily on technology to inform CPIC agencies of their data errors. Agencies that use Vintage CPIC will not be able to take full advantage of the QAR process and will therefore be much more susceptible to data errors, which will compromise the integrity of the entire CPIC system. 22. How is Vintage CPIC limiting the agencies that use it? Agencies using Vintage CPIC are limited in many ways. Here are just a few examples: - They cannot access information from the INTERPOL database or Transport Canada's pleasure-craft licensing database. - They require substantially more space to enter information about release conditions imposed by court orders. - They cannot query logs to determine whether a subject or vehicle has been queried in the past 120 hours. - They cannot access many enhancements made to the MISS and BODY categories. 23. Will the Vintage CPIC system continue to be supported with the implementation of the new QAR process? No. With the unanimous endorsement of the NPIS AB, a final date for the use of Vintage CPIC has been set for December 31, After that date, the CPI Centre will no longer support

7 Page 7 of 7 Vintage CPIC. CPIC system changes made after December 31, 2014 will not take the impact on Vintage CPIC users into consideration. This could mean that previously valid Vintage CPIC transactions may then be rejected. Partner agencies using Vintage CPIC would be required to update their own RMS and /or their computer-aided dispatch systems to accommodate the new version of CPIC.

Auditor General of Canada to the House of Commons

2010 Report of the Auditor General of Canada to the House of Commons SPRING Chapter 1 Aging Information Technology Systems Office of the Auditor General of Canada The Spring 2010 Report of the Auditor