
May 2015 Audit and Compliance Program Charter

TABLE OF CONTENTS (PAGE)

1.0 BACKGROUND .......... 2
2.0 AUDIT AND COMPLIANCE ASSESSMENT .......... 2
3.0 KEY LEGISLATIVE AUTHORITY AND POWERS .......... 4
4.0 VALUES .......... 5
5.0 STEPS IN THE ASSESSMENT PROCESS .......... 6
    5.1 Step One: Planning
    5.2 Step Two: Background Research
    5.3 Step Three: Fieldwork
    5.4 Step Four: Analysis and Reporting
6.0 LIMITATIONS OF ASSESSMENTS .......... 13
7.0 APPENDIX 1: LEGISLATIVE AUTHORITIES AND POWERS .......... 14

1.0 BACKGROUND

The Office of the Information and Privacy Commissioner for BC ("OIPC") has established an Audit and Compliance Program to assess the extent to which public bodies and private sector organizations are protecting personal information and complying with access provisions under the Freedom of Information and Protection of Privacy Act ("FIPPA") and the Personal Information Protection Act ("PIPA"). This document provides the framework for the Audit and Compliance Program and is designed to assist public bodies and organizations to understand the authority and function of the OIPC in conducting assessments as well as the basic steps leading up to and during an assessment.

2.0 AUDIT AND COMPLIANCE ASSESSMENTS

The OIPC's Audit and Compliance Program draws from a combination of compliance assessment; operational audit; information management and information technology audit; program evaluation; and process improvement methodologies. The purpose of the Audit and Compliance Program is to provide a mechanism to:
- enhance oversight regarding the management of personal information across BC;
- measure the level of compliance employed by public bodies and organizations with provincial privacy and access legislation, relevant policies and guidelines, and privacy principles; and
- make recommendations, where needed, to improve privacy and access practices, policies, guidelines, and legislation.

The Audit and Compliance Program will comprise fair and objective assessments of public bodies or private sector organizations to determine:
- how well entities comply with obligations under FIPPA or PIPA, relevant policies and procedures, guidelines, and privacy principles;
- whether entities maintain adequate administrative, physical and technological safeguards to protect personal information from unauthorized access, collection, use, disclosure, disposal or similar risks;
- the extent to which an entity has established and maintains adequate procedures for managing requests for information; and
- the extent to which an entity has established and maintains an effective and accountable privacy management program.

Assessments will identify both the areas where an entity may excel with regard to compliance, safeguards, and overall access or privacy management; as well as areas where improvements are needed in order to comply with legislation and guidelines. There are many aspects within access or privacy management programs that can be assessed to determine the extent to which public bodies and private sector organizations are protecting personal information and complying with access provisions. Some of these include, for example:

Management, Policies and Procedures: Reviewing an entity's management of access to information and protection of privacy programs; access to information and privacy policies and procedures; and information and data sharing agreements.

Collection, Use, Disclosure and Retention: Assessing the collection, use, disclosure and retention of personal information by the entity; whether appropriate notice and consent has been obtained; and whether the entity limits collection, use, disclosure and retention of personal information to only what they need to administer a program or business.

Protections and Safeguards: Examining an entity's access, disclosure or protection provisions; their administrative, technical and physical safeguards; staff knowledge and training related to privacy and the protection of personal information; and whether and how an entity protects personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Access Processes: Reviewing an entity's access to information processes; how it handles access-related requests or complaints; timelines for responding to access requests; and compliance with other access-related obligations under FIPPA or PIPA.

Accountability and Compliance Monitoring: Evaluating how the entity monitors compliance with its privacy policies and procedures; accountability practices; how it handles privacy-related complaints; whether they conduct internal or external audits of safeguards; and whether they analyze breaches that may have occurred.

In order to objectively identify locations and topics for assessment, OIPC staff will interview stakeholders; conduct analysis of internal files (complaints, requests for review and breaches); review information collected from other entities; and consider other investigations and policy projects recently completed, currently underway or about to be initiated.

3.0 KEY LEGISLATIVE AUTHORITY AND POWERS

Public bodies or organizations being reviewed under the Audit and Compliance Program may be assessed on any aspect of their FIPPA or PIPA obligations with regard to access, collection, use, disclosure, protection, retention, or disposal of personal information. The Commissioner has the following powers with regard to such assessments:
- monitoring and compliance (FIPPA s. 42 and PIPA s. 36): investigate or audit to ensure compliance with any provision of these Acts or regulations, make orders resulting from investigations or audits, receive comments from the public, and engage in or commission research into anything affecting the achievement of the purposes of the Acts;
- compel records and answers to questions (FIPPA s. 44 and PIPA s. 38);
- entry and inspection (PIPA s. 38);
- inform the public about the Acts or make comment (FIPPA s. 42 and PIPA s. 36); and
- delegate her duties, powers and functions to any person (FIPPA s. 49 and PIPA s. 43).

Assessments may comprise investigation, audit, research or any combination of the monitoring and compliance functions. There are also several sections in both FIPPA and PIPA that provide certain protections to individuals who have made statements or answered questions during an assessment by the OIPC, including:
- general restriction on disclosure by Commissioner and staff (FIPPA s. 47 and PIPA s. 41);
- the Commissioner or staff cannot be compelled to give evidence in court respecting information collected while performing their duties (FIPPA s. 45 and PIPA s. 39);
- protection against libel or slander actions (FIPPA s. 46 and PIPA s. 40); and
- whistleblower protections (FIPPA s. 30.3 and PIPA s. 54).

Please see Appendix 1 for more detail regarding the legislative authority and powers of the Commissioner.

4.0 VALUES

All activities related to the planning and implementation of an assessment will be conducted in accordance with a set of values promoted by the OIPC. OIPC staff members conducting assessments will endeavour to act at all times with: independence; confidentiality; due care; integrity; objectivity; competence; a systematic and structured approach; secure handling of information; and appropriate supervision.

5.0 STEPS IN THE ASSESSMENT PROCESS

5.1 Step One: Planning

5.1.1 Identifying Scope and Objectives: the What and Why

The scope of an OIPC assessment will often comprise an evaluation of compliance with any aspect of FIPPA, PIPA, OIPC guidelines, entity policies, and/or safeguards for protecting personal information. The objectives may include measuring compliance; contributing to a body of knowledge on a particular topic; updating OIPC guidance documents; recommendations for amendments to policy or legislation; or other purposes.

5.1.2 Assessment Targets: the Who

The OIPC will select topics or entities to assess based on a variety of factors and resources, including:
- complaints received by the OIPC;
- media reports relating to privacy practices within a particular entity, sector or topic;
- follow-up with previously assessed entities;
- other assessments that point to further need to explore a similar entity, topic, or geographical region;
- comments from consultation with FOI, privacy and security experts;
- information that an entity collects or uses a substantial amount of personal information, or very sensitive personal information; and/or
- a need to explore a particular topic or entity for input into policy or legislative amendments.

5.1.3 Notifying the Entity: the When and Where

The OIPC will notify involved entities in advance of an assessment. We will send a letter to the head(s) of the entity(ies) involved outlining the intention to conduct an assessment as well as a general outline of the scope, objectives, methodology and anticipated timelines. The OIPC will also share a draft of a comprehensive Assessment Plan with entity representatives in advance.

The Assessment Plan will provide high level information on:
- the reasons why an entity was selected for assessment;
- the scope, objectives and basic methodology for the assessment;
- the topics, programs, technology or initiatives that will be assessed;
- the job functions of entity staff who will be interviewed;
- background materials to be made available prior to the onsite visit;
- materials that will be reviewed throughout the course of the assessment;
- OIPC assessment team members and their role for the assessment; and
- estimated timelines for key assessment activities.

The success of any assessment depends primarily on the cooperation from entity staff; access to the systems and information needed for the assessment; and the availability of evidence for inclusion in the assessment. As such, key staff from the entity(ies) involved will be invited to comment on any challenges or issues they feel may interfere with successful completion of the assessment. In addition, advance consultation allows the assessment team to gain a better understanding of the topics intended for assessment; the types of materials available; and the structure of the entity.

5.1.4 Choosing the Methodology: the How

Each assessment will have unique requirements and objectives and, as such, the assessment team will select methodology for specific assessments based on the particular circumstances of the topics and entities involved. The assessment team will often use a combination of the following methodologies:
- interviews with senior entity staff;
- interviews or focus groups with key program area staff;
- inspection of the premises, with attention to programs that collect personal information and safeguards employed by the entity (for example: inspection of electronic programs or databases, reviews of security procedures, or examination of physical security measures);
- file reviews based on the nature of the business (for example, inspection of client files, access logs, communications, etc.); and
- questionnaires to assess knowledge and awareness of, satisfaction with, or attitudes toward privacy policies and processes.

5.1.5 Deliverables: Letter of Intent, Assessment Plan

As discussed above, the OIPC assessment team will draft the following deliverables during the planning phase of an assessment:
- letter of intent provided to the head of the entity; and
- the Assessment Plan.

5.2 Step Two: Background Research

5.2.1 Understanding the Lay of the Land

As noted above, the OIPC will provide advance notice to entities involved in an assessment. The comprehensive Assessment Plan will outline the background materials that will be requested for review prior to an onsite visit. Examples of background materials include:
- relevant written policies or procedures;
- organizational charts;
- contact information for key staff;
- descriptions of safeguards employed to protect personal information;
- copies of privacy management assessments and risk assessments conducted by the entity involved in the assessment or by other organizations;
- internal reports relating to programs under review or personal information management;
- data sharing agreements;
- privacy impact assessments;
- copies of contracts related to service providers or others who may collect, use, disclose or retain personal information on behalf of the entity involved in the assessment;
- a small sample of the types of files that may be included in a file review;
- copies of training materials and/or details regarding training programs;
- copies of communication materials regarding a program or service, and memos or directives to staff; or
- additional materials requested by the OIPC assessment team or materials that the entity involved in the assessment may identify.

The OIPC assessment team will review the background materials in order to build understanding of the context for the specific topic and entity. Most often, the team will review these materials at OIPC offices; however, if materials are required to remain onsite at the entity, the team may review documents on location.

5.2.2 Building Assessment Criteria

Assessment criteria are standards against which compliance can be evaluated and assessed. The OIPC assessment team will select criteria for assessments based on appropriateness for the topic and entity for each specific assessment. Criteria are to be relevant, unbiased, fulsome, understandable and reliable.

Common sources the team will use to develop assessment criteria include:
- FIPPA;
- PIPA;
- OIPC guidance documents: Accountable Privacy Management in BC's Public Sector; Getting Accountability Right with a Privacy Management Program (private sector); A Guide to PIPA for Businesses and Organizations; Privacy Breaches: Tools and Resources; and other relevant guidance documents;
- policies, standards, directives and guidelines developed by other Privacy Commissioners or relevant oversight entities;
- privacy principles: Canadian Standards Association: Model Code for the Protection of Personal Information; and Canadian Institute of Chartered Accountants and American Institute of Certified Public Accountants: Generally Accepted Privacy Principles;
- relevant entity policies, agreements and contract terms relating to how personal information is managed;
- standards relating to information security and information management developed by international standards bodies: International Organization for Standardization ("ISO") and Information Systems Audit and Control Association ("ISACA");
- other relevant legislation, regulations, directives or enactments;
- recommendations from previous assessments or audits (internal or external);
- criteria developed by the OIPC assessment team; and
- other criteria relevant to specific assessment objectives.

Once several assessments have been completed, the OIPC will have a standard set of criteria that can be considered in future assessments. The OIPC assessment team would still review specific criteria to determine their relevance or adaptability to the particular assessment.

5.2.3 Drafting the Tools

Assessment tools are instruments on which to record the findings of any particular data collection during an assessment. The assessment team will either: (1) build these tools in advance of an assessment and review or amend them prior to the onsite visit, or (2) build them after the review of background materials. The types and content of assessment tools will depend on the objectives of the specific assessment and will be developed from the assessment criteria outlined above. Examples of tools that the assessment team may use include:
- guides for use during interviews or focus groups;
- questionnaires for conducting surveys;
- inspection checklists for use during physical examination of personal information safeguards or review of electronic programs or databases; and
- spreadsheets to be used during inspection of program files.

5.2.4 Deliverables: Context Description, Assessment Tools

During the background research phase of an assessment, the assessment team will create these deliverables:
- a summary of the background of a particular program or service and the entity involved in the assessment (for inclusion in the final report);
- a description of the personal information collected and the policies and processes used to manage that information (for inclusion in the final report); and
- copies of assessment tools to be used during the fieldwork phase of the assessment.

5.3 Step Three: Fieldwork

5.3.1 Gathering Evidence: Multiple Methods

Evidence can include any information gleaned during the course of an assessment that assists evaluators in determining whether individual assessment criteria have been met. Evidence can come from interviews; physical inspections and observations; system or file reviews; or questionnaires, depending on the nature of the assessment and its objectives. Evidence may also be derived from analysis of such information. In each of these methods of evidence gathering, evidence will be documented on checklists, spreadsheets, survey forms or by other means.

Most often, the OIPC assessment team will be gathering evidence by conducting one-on-one interviews with key entity or program area staff. Where possible, the team may provide in advance a basic interview guide containing some of the questions to be asked or points the interview is intending to cover. These interviews help the assessment team to gain knowledge about the entity and its relevant programs or processes, determine staff awareness and learn from staff about the topic being assessed, and collect and corroborate evidence to answer assessment questions. OIPC team members will take notes and may digitally record during the interviews in order to ensure evidence is available for later analysis and to substantiate conclusions drawn. These notes are used for the OIPC staff to review and analyze for the purposes of the assessment and will not be shared with anyone outside of the OIPC. See Appendix 1 for further information on protections for those who provide statements to the OIPC or answer questions during an assessment.

The OIPC assessment teams will seek to gather sufficient volume and completeness of evidence to be able to develop conclusions that are valid and sound enough that a reasonable person may reach the same conclusions when reviewing evidence included in the assessment. There may be occasions where the assessment team requests additional evidence (for example: additional records for review, follow-up interviews with staff to clarify points or ask additional questions, or documents that may not have been requested from the entity earlier).

5.3.2 Documenting Evidence: Substantiation Binders

The assessment team will maintain substantiation binders that detail the evidence used to support the findings documented in assessment reports. Substantiation binders may contain, for example:
- copies of relevant communications and background materials;
- initial assessment planning documents;
- interview or focus group notes;
- completed inspection or observation checklists; and
- aggregate findings from questionnaires or statistical analysis.

Substantiation binders will be used for internal peer review of assessment reports in order to provide a secondary check to ensure that all findings and statements made within the report are supported by available and corroborating evidence.

5.3.3 Sharing Initial Findings: Providing Entity Feedback

The OIPC assessment team will endeavour to provide entities involved in the assessment with feedback throughout the process. The assessment team will raise gaps or challenges found during the collection and initial analysis of evidence with the management or executive of the entity being assessed. Open communication and continuous feedback are beneficial in allowing entities the chance to implement quality improvement measures as soon as possible. The ultimate goal of the OIPC Audit and Compliance Program is to improve privacy or access practices and support the information rights of British Columbians.

5.3.4 Deliverables: Evidence Collected, Substantiation Binders

The OIPC assessment team will create two key deliverables during the fieldwork phase of an assessment:
- documented evidence from each method used to gather evidence during the assessment; and
- substantiation binders containing key evidence.

5.4 Step Four: Analysis and Reporting

5.4.1 Analyzing Results

The OIPC assessment team will analyze the evidence collected during the fieldwork stage in order to answer the questions raised through the assessment plan (step one) and detailed by the assessment criteria (step two). Analysis may be qualitative or quantitative. Qualitative analysis is often used to explore descriptions or observations that may contain deeper meaning, for example, to determine recurring themes across interviews or focus groups. Quantitative analysis focuses on numbers and may be used, for example, to examine a bulk of questionnaires or to count the prevalence of a particular error or issue in a sample of files. The assessment team uses both qualitative and quantitative analytical methods to interpret whether the information collected during fieldwork shows that the entity has met the assessment criteria. Analysis will reveal whether there is sufficient evidence to support an assessment finding.

5.4.2 Drafting the Report and OIPC Internal Review

The assessment team will summarize findings discovered through fieldwork and analysis, along with potential recommendations, in a preliminary report. The preliminary and all subsequent reports will usually include, at minimum:
- a description of the entity and topic being assessed;
- an outline of the objectives, scope and criteria for the assessment;
- a description of the methodology used to conduct the assessment;
- an overall assessment opinion or summary statement;
- key findings and a summary of related evidence;
- a summary of the gaps or challenges found and why these are important to address; and
- recommendations to address the gaps or challenges found.

The assessment team will share this preliminary report with other OIPC internal reviewers and the Deputy Registrar/Assistant Commissioner. The assessment team will incorporate the feedback and then submit a draft report to the Commissioner for review.

5.4.3 Entity Review and Comment

Once the draft report has been approved by the Commissioner, entities that are involved with the assessments will receive a copy of the draft report. Entities will be able to provide feedback relating to any errors, omissions or misinterpretations in the report(s). If entity reviewers have concerns regarding report findings, they can discuss them with the OIPC assessment team. The assessment team will then review the feedback and determine what changes to incorporate in the final report. Entities will also be asked to provide an official response to the report findings and whether or not they accept the OIPC's recommendations. If entities have already implemented or initiated some of the recommendations, the assessment team will consider updating the report to include a description of the changes that have been undertaken. The team may also include the official response letter from the entity in its entirety in an appendix to the report.

5.4.4 Final Report and Public Release

The assessment team will provide the final report to the Deputy Registrar/Assistant Commissioner and the Commissioner for review and approval. Communications will be prepared for public release of the report. If instead the Commissioner decides that the report will not be made public in its entirety, then the assessment team will prepare a smaller version or an executive summary of the report for public distribution. Prior to public release, the Commissioner will send a final copy of the full report (and, if applicable, the smaller version or executive summary for public distribution) to the entities involved in the examination. In most cases, the Commissioner will provide a news release relating to the assessment and the final report. Media outlets may also request the Commissioner to participate in radio, print or television interviews regarding the assessment report, its findings, the recommendations, or related topics.

5.4.5 Follow-up on Recommendations

The OIPC may ask entities involved in the assessment to provide an action plan detailing how the recommendations will be implemented, along with the timelines for implementation. The OIPC assessment team will follow up with the entities as necessary to determine the level of implementation. It is possible that a follow-up assessment will also be conducted to determine the level of compliance with the recommendations and/or to determine whether the implemented changes now meet the original assessment criteria.

5.4.6 Deliverables: Draft Report, Final Report

The assessment team will prepare the following deliverables during the analysis and reporting step of an OIPC assessment:
- documented analyses in summary documents, Excel spreadsheets, and highlighting or comments on interview notes;
- preliminary report and comments from internal reviewers;
- draft report and a summary of the feedback provided by the entities involved in the assessment;
- the final report; and
- communications materials.

Deliverables from any follow-up conducted will depend on the extent of the follow-up.

6.0 LIMITATIONS OF ASSESSMENTS

It is important to keep in mind that any assessment will be limited in its applicability by its scope and objectives; the period of time captured in fieldwork; the specific areas of the entity that were assessed; the availability of applicable information; and the margin of error. Such details may limit the generalizability of assessment findings across the wider entity, other time periods, and other like entities. As such, the final report should not be seen as a definitive account of an entity's total personal information handling practices; nor should the report be seen as an endorsement of the entity's compliance with its obligations under FIPPA or PIPA.

7.0 APPENDIX 1: LEGISLATIVE AUTHORITIES AND POWERS

Monitoring and Compliance (FIPPA s. 42 and PIPA s. 36)

With regard to the public sector, s. 42(1) outlines the Commissioner's responsibilities for monitoring how FIPPA is administered and states that the Commissioner may:
- investigate or audit to ensure compliance with any provision of this Act or regulation;
- make orders resulting from investigations or audits;
- receive comments from the public; and
- engage in or commission research into anything affecting the achievement of the purposes of the Act.

The corresponding section for private sector organizations is s. 36(1) of PIPA. This section is similar to the above with the exception that the Commissioner may investigate or audit if there are reasonable grounds to believe that an organization is not complying. The Commissioner may also exchange information with other privacy Commissioners across Canada for the purpose of coordinating activities. Assessments may comprise investigation, audit, research or any combination of the monitoring and compliance functions.

Inspection and Collection of Evidence (FIPPA s. 44 and PIPA s. 38)

Compel Records and Answers to Questions (FIPPA s. 44 and PIPA s. 38)

For the purposes of conducting an assessment, s. 44 of FIPPA and s. 38 of PIPA authorize the Commissioner to make an order requiring a person to answer questions or to produce a record, including a record containing personal information. The Commissioner may also apply to the Supreme Court for an order directing a person to comply with the Commissioner's order. These provisions also apply in situations where a record is subject to solicitor-client privilege (such privilege is not affected by disclosing the record to the OIPC).

Entry and Inspection (PIPA s. 38)

Section 38(2) of PIPA also permits the Commissioner to enter any premises at any reasonable time (other than a personal residence) occupied by an organization after satisfying security requirements of the organization relating to the premises.

Protections (FIPPA ss. 30.3, 45-47 and PIPA ss. 39-41, 54-55)

People may have concerns about liability with regard to statements made to the OIPC during an assessment. There are sections in both FIPPA and PIPA that provide certain protections to individuals who have made statements or responded to questions asked by the OIPC.

Restrictions on Disclosure by Commissioner (FIPPA s. 47 and PIPA s. 41)

Sections 47(3) of FIPPA and 41 of PIPA contain a general prohibition against disclosure by the Commissioner and her staff related to any information obtained in performing their duties, powers and functions under the Acts. In addition, FIPPA s. 3 notes that FIPPA does not apply to records created by or for, in the custody or control of, or that relate to the exercise of the Commissioner's functions. This means that the OIPC's operational records are not subject to access for information requests.

Evidence in Proceedings (FIPPA s. 47(2.1) and PIPA s. 39)

Section 47(2.1) of FIPPA and s. 39 of PIPA state that the Commissioner or her staff must not give or be compelled to give evidence in a court or other proceedings in respect of information collected while performing their duties (again, except with regard to perjury, prosecution for an offence under the Acts, or in an application for judicial review or an appeal).

Protection Against Libel or Slander Actions (FIPPA s. 46 and PIPA s. 40)

Similarly, s. 46 of FIPPA and s. 40 of PIPA state that anything said, any information supplied or any record produced by a person during an investigation by the Commissioner is privileged in the same manner as if the investigation were a proceeding in a court.

Whistleblower Protection (FIPPA s. 30.3 and PIPA s. 54)

FIPPA s. 30.3 and PIPA s. 54 state that employers must not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny that employee a benefit, because the employee has:
- disclosed to the Commissioner that any other person has contravened or is about to contravene this Act;
- done or has the intention of doing anything required in order to avoid a contravention of this Act; or
- refused to do anything in contravention of this Act.

Reporting (FIPPA s. 42 and PIPA s. 36)

Sections 42 of FIPPA and 36 of PIPA allow the Commissioner to inform the public about the Act and comment on:
- implications for access or protection of privacy of legislative schemes, programs, and activities of public bodies;
- protection of personal information in programs proposed by organizations; and
- automated systems or data-linking initiatives by public bodies or private sector organizations.

This includes public posting of reports or other materials that result from an OIPC assessment. Determinations of whether to inform the public about the results of an assessment, along with the type of information that may be shared, will be made on a case-by-case basis.
Delegatin (FIPPA s. 49 and PIPA s. 43) FIPPA s. 49 and PIPA s. 43 allws the Cmmissiner t delegate her duties, pwers and functins t any persn. One exceptin t the ability t delegate under FIPPA is that the Cmmissiner may nt delegate the pwer t examine infrmatin referred t in s. 15 (disclsure harmful t law enfrcement) if the head f a plice frce r the Attrney General has refused t disclse that infrmatin and has requested the Cmmissiner nt t delegate the pwer t examine that infrmatin. Respnsibility fr planning, cnducting, reprting and fllwing-up n Audit and Cmpliance Prgram assessments sits with the OIPC s Senir Investigatr f Audit and Cmpliance and may als include ther investigatrs, plicy analysts, intake fficers r assistant Cmmissiners. Interactins with Other Legislatin There are n legislative prvisins in ther Acts that prevent the OIPC frm accessing recrds and cnducting assessments f public bdies r private sectr rganizatins.