Audit of Access to Information at the Canadian Space Agency
Audit Report
Project # 17/18 01-04
Prepared by the
Audit and Evaluation Directorate
Table of contents
1.0 Summary
1.1 Audit objective
The purpose of the audit was to determine whether the access to information management framework in place allows the Canadian Space Agency (CSA) to meet the requirements of the Access to Information Act.
1.2 Audit opinion
In our opinion, the access to information management framework in place allows the CSA to meet the requirements of the Access to Information Act.
1.3 Statement of assurance
As Chief Audit Executive, I am of the opinion that sufficient and appropriate audit procedures have been followed and that evidence has been gathered to support the accuracy of the opinion provided in this report. The opinion is based on a comparison of the circumstances, as they existed at the time of the audit, against the pre-established audit criteria agreed on with management. The opinion is applicable only to the entity examined. Evidence was gathered in accordance with Treasury Board internal audit policy, directives and standards. The procedures followed comply with the professional standards of the Institute of Internal Auditors. Sufficient evidence was gathered to convince senior management of the validity of the opinion derived from the internal audit.
1.4 Summary of findings
During the audit of the practices in place to manage access to information requests, we found that an effective process is in place and that the CSA meets the requirements set out in the access to information Act, regulations and policy. Roles, responsibilities and procedures are well defined and applied for each type of access to information request. Requirements and time limits are respected, and the analyses conducted to process requests are documented and validated.
We also found that proper accountability reporting is done in the access to information process. Reports are communicated to CSA management levels in a timely manner and the information is reported to central agencies according to requirements.
We have identified an opportunity for improvement in relation to the production of the annual statistical report. A recommendation was made to this effect and a management action plan was created.
Original signed by Dominique Breden
Signature of the Chief Audit Executive
Members of the audit team
- Dany Fortin
- Johanna Gailer
- Fatima Raveen
2.0 Audit report
2.1 Background
The Government of Canada issued the Access to Information Act, which gives Canadian citizens and permanent residents the right to access government documents, subject to certain exemptions. Federal institutions must respond to access to information requests accurately and completely, in a timely manner and in the format requested. In addition, regulations issued by the Government of Canada and a Treasury Board policy clarify the application of the Act.
A coordinator position and an access to information and open data officer position were created, so the CSA has the resources needed to meet the Government of Canada's requirements in terms of access to information. These positions report to the Chief information Officer (CIO). The CSA receives three categories of access to information requests: access to information requests (i.e. requests for access to a record under the Access to Information Act); informal requests (i.e. requests for information that has already been disclosed under the Act); and consultation requests (i.e. access to information requests received by another department, but the information concerns the CSA.).
2.2 Audit rationale, scope and approach
Rationale
This audit project is part of the - Risk-Based Audit Plan that was approved by the CSA's Audit Committee.
The rationale for prioritizing this audit project is due to the fact that the last audit on this subject was conducted in .
Scope
The audit focused on the processes in place to manage access to information requests, consultation requests and informal requests, the ongoing monitoring of processes, and access to information accountability reporting. The period covered for the assessment of these processes was , to .
The accuracy or completeness of the responses to access to information requests, consultation requests and informal requests was not assessed, as the risk of omission or error was considered low. The minimal number of complaints made to the Office of the Information Commissioner of Canada was also a factor that influenced our decision in this regard. In fact, only one complaint has been made against the CSA since -.
Approach
The audit criteria were established in accordance with the requirements in the Act, regulations and policy. The criteria and sub-criteria are listed in Appendix A. It should be noted that the audit objective and criteria were discussed with the entity audited. The audit included various processes, including interviews and a review of documents.
A sampling of access to information requests was selected and reviewed.
We reviewed:
- 5 access to information requests (17 received in total in -)
- 2 informal requests (26 received in total in -)
- 2 consultation requests (37 received in total in -)
The following selection criteria were used for the access to information requests reviewed:
- the level of risk associated with each category of access to information request (the risk was higher for access to information and consultation requests, as the information was being disclosed for the first time, and lower for informal requests, as the information had already been disclosed previously)
- at least one request per source category
- the turnaround time for processing requests
- requests for which the information was fully disclosed, partially disclosed or for which there were no records
The following tables provide a breakdown of the 80 access to information requests received in - by source of the requests.
| Source | Number of Requests | Percentage |
|---|---|---|
| Academic | 0 | 0% |
| Commercial | 4 | 24% |
| Organization | 0 | 0% |
| Public | 6 | 35% |
| Media | 6 | 35% |
| Decline to identify | 1 | 6% |
| Total | 17 | 100% |
| Source | Number of Requests | Percentage |
|---|---|---|
| Academic | 5 | 19% |
| Commercial | 3 | 12% |
| Organization | 0 | 0% |
| Public | 8 | 31% |
| Media | 7 | 27% |
| Decline to identify | 3 | 12% |
| Total | 26 | 100% |
| Source | Number of Requests | Percentage |
|---|---|---|
| Organization | 37 | 100% |
| Total | 37 | 100% |
2.3 Findings, recommendations and management response
Expected outcomes
Criteria 1, 2 and 3
To determine whether there is an effective process in place at the CSA to manage access to information requests, consultation requests and informal requests, we expected to find the following:
- an effective process for managing access to information requests
- ongoing monitoring
- accountability reporting
2.3.1 Process for managing access to information requests
Audit objective: The purpose of the audit was to determine whether the access to information management framework in place allows the CSA to meet the requirements of the Access to Information Act.
Findings
Criterion 1
An effective process is in place at the CSA to manage access to information requests.
Condition
Conclusion about the criterion:
Through our audit, we determined that there is an effective process in place at the CSA for managing access to information requests.
Roles, responsibilities and procedures
In our opinion, the roles, responsibilities and procedures related to processing access to information requests are clearly defined and applied.
An internal document entitled "Information Management – Access to Information and Privacy (ATIP) Office" describes the roles and responsibilities, as well as the steps for each stakeholder to follow when requests are processed. This document in available on the CSA's intranet. Other documents, such as the ATIP procedure, flow charts and templates, complete the information and facilitate the effectiveness of the process. These documents should be reviewed soon when the legislation is updated.
When reviewing the files, we determined that CSA employees apply the established roles, responsibilities and procedures as specified. Moreover, requests are sent to the CSA directors general and employees with the knowledge and skills to process the requests. When processing requests, access to information staff is available to answer questions and requests for clarification from the employees who have been asked to provide the information.
We also identified an element in the procedure that could be clarified. According to the CSA's Policy on Access to Information, the director general must review and approve response records to requests. However, in three of the nine records examined, we noted that the information discloser approval pocket was signed by a director in the branch in question. Therefore, it may be relevant to clarify the circumstances under which a delegate may approve a disclosure on behalf of a director general who is absent.
During our review, we also noted that the CSA gives its employees the opportunity to attend information sessions on how to process access to information requests. The Canada School of Public Service also provides training that is available to all CSA employees.
Meeting requirements
The examination of nine records on the processing of access to information requests, consultation requests and informal requests showed us that the CSA meets the requirements and the time limits set out in the access to information legislation, regulations and policy.
Request approval requirements were notably met. At the CSA, this authority is delegated to the Vice President (VP), the CIO and in part to the Access to Information and Privacy Coordinator. We also noted that the confidentiality of the identity of the applicants was respected in all of the requests we examined.
Protected information, that is, the exemptions, was not disclosed and the sections of the legislation supporting the non-disclosure of information were cited in the response letters. The analyses conducted and the justifications for the exemptions were properly documented in the computerized request processing system. We noted that, in each record, an approval document supported information disclosure decisions.
Moreover, in almost all cases, the time limit set out in the legislation for processing access to information requests was met. Of the 17 access to information requests that the CSA processed in -, only one missed the time limit by a few days. Also, when third parties are involved in the response process, a request to extend the time limit is sent to the applicant, as stipulated.
Recommendation
N/A
Responsibility identified
Organization
N/A
Function
N/A
Management response
N/A
Management action plan
Action plan details
N/A
Deadline
N/A
Audit objective: The purpose of the audit was to determine whether the access to information management framework in place allows the CSA to meet the requirements of the Access to Information Act.
Findings
Criterion 2
The access to information process in place is subject to ongoing monitoring.
Condition
Conclusion about the criterion:
Through our audit, we determined that the access to information process in place in subject to ongoing monitoring.
An ongoing monitoring process validates the analyses conducted as part of the process to respond to access to information requests
We noted that the access to information process in place is subject to ongoing monitoring. Responses to access to information requests are validated by the Access to Information and Privacy Coordinator, and approved by the CIO and the VP. The branch in question is also consulted.
In -, the Access to Information Officer processed 87% of the requests and the Access to Information and Privacy Coordinator processed 13% of the requests. Records processed by the officer are validated by the coordinator and all of the records are approved at higher levels, where decisions made regarding information disclosure can be questioned.
Although the final decision is signed by the Access to Information and Privacy Coordinator, the CIO, the director general and the VP, it is sometimes difficult for an outside observer to identify the validation work of the analyses conducted, as there are few traces in the record. To improve this, we suggest increasing the traceability of the monitoring conducted to demonstrate the quality control and scope of the work done. For example, revisers could initial every decision in the record to show that the information was reviewed.
Recommendation
N/A
Responsibility identified
Organization
N/A
Function
N/A
Management response
N/A.
Management action plan
Action plan details
N/A
Deadline
N/A
Audit objective: The purpose of the audit was to determine whether the access to information management framework in place allows the CSA to meet the requirements of the Access to Information Act.
Findings
Criterion 3
The access to information process in place is subject to accountability reporting.
Condition
Conclusion about the criterion:
Through our audit, we determined that the access to information process in place is subject to accountability reporting.
Management reports are communicated to the appropriate levels of management in a timely manner
We noted that reports are sent to the appropriate levels of management in a timely manner. A monthly report is produced to notify the President of access to information requests, consultation requests and informal requests. Weekly reports on all of the relevant information are also produced and sent to management. Moreover, the CSA meets the requirements of Innovation, Science and Economic Development Canada in terms of reports on certain specific requests.
Information is reported to central agencies according to requirements
We noted that the CSA reports the information requested to central agencies according to requirements. Notably, a report on the administration of the Access to Information Act is produced annually for Parliament. The CSA also produces an annual statistical report on the administration of the Access to Information Act that is sent to the Treasury Board Secretariat (TBS). It also updates the appropriate chapter in Info Source.Footnote 1
Moreover, we noted that it is difficult to reconcile the annual statistical report with the data in the internal management system for access to information requests, Laserfiche, as the data from the system does not correspond in all respects with the data required by central agencies. To this end, a manual compilation is done to identify the data required for the report. However, the traces of this manual compilation and the corrections made as required were not documented in the records.
A review of the process to produce the statistical report should be conducted to ensure that traces are kept of the compiling of information to prepare the report and therefore to be able to demonstrate the accuracy of the information in the report.
Recommendation
- Review the process followed to produce the annual statistical report in order to improve traceability and to be able to demonstrate the accuracy of the information in the report.
Responsibility identified
Organization
IM-IT Directorate
Function
Chief Information Officer
Management response
The statistical report is produced using data from the internal management system for access to information requests, Laserfiche, and data that has been manually compiled for each request. This process is easily followed because of the number of access to information requests received and processed, although it is not optimal. The obsolescence of the internal management system for access to information requests, Laserfiche, is the main reason.
New internal management systems for access to information requests are being developed by various suppliers in order to meet the new requirements related to amendments to the legislation. The TBS is responsible for this and provides regular updates on the work to allow departments to have access to more up-to-date solutions.
Management action plan
Action plan details
The Access to Information and Privacy Office will continue to produce the statistical report using data from the internal management system for access to information requests, Laserfiche, and data that has been manually compiled for each request.
Until a new internal management system for access to information requests is available, it will develop a traceability tool for the - report that will allow it to demonstrate the accuracy of the report.
Funding for the purchase of the new system will then be identified and the statistical reports required by central agencies can be automatically generated without the need for data to be collected manually.
Deadline
Appendix A – Terms of reference
Audit objective: The purpose of the audit was to determine whether the access to information management framework in place allows the CSA to meet the requirements of the Access to Information Act.
| Audit criteria | Audit sub-criteria |
|
|---|---|---|
| Criterion No. 1: An effective process is in place at the CSA to manage access to information requests. | Sub-criterion 1.1: The roles, responsibilities and procedures related to processing access to information requests are clearly defined and applied. | Sub-criterion met |
| Sub-criterion 1.2: The processing of responses to access to information requests meets the requirements and time limits set out in the Act, the regulations and the policy. | Sub-criterion met | |
| Criterion No. 2: The access to information process in place is subject to ongoing monitoring. | Sub-criterion 2.1: An ongoing monitoring process validates the analyses conducted as part of the process to respond to access to information requests. | Sub-criterion met |
| Criterion No. 3: The access to information process in place is subject to accountability reporting. | Sub-criterion 3.1: Reports are communicated to the appropriate levels of management in a timely manner. | Sub-criterion met |
| Sub-criterion 3.2: Information is reported to central agencies according to requirements. | Sub-criterion met |
- Date modified: