Review of Procurement Practices and Supplier Complaints

Public Summary

1. Introduction
2. Office Mandate Overview
3. Data Analysis
4. Privacy Risk Management
5. Conclusion

1. Introduction

The program activities, which operates at arms length of the government, reviews procurement practices across federal departments and agencies, investigates complaints from potential suppliers with respect to award of contracts for goods and services below certain thresholds, and complaints concerning the administration of contracts; and ensures the provision of an alternative dispute resolution program for contracts. This activity helps to promote fairness, openness and transparency of the procurement process.

2. Office Mandate Overview

As set out in the Department of Public Works and Government Services Act, the mandate of the Procurement Ombudsman is to:

• Review the practices of departments for acquiring materiel and services to assess their fairness, openness and transparency and make any appropriate recommendations to the relevant department for the improvement of those practices;
• Review any complaint respecting the award of a contract for the acquisition of goods below the value of $25,000 and services below the value of $100,000 where the criteria of Canada's Agreement on Internal Trade applies;
• Review any complaint respecting the administration of a contract for the acquisition of materiel or services by a department, regardless of dollar value;
• Ensure that an alternative dispute resolution process is provided, if both parties agree to participate. The Procurement Ombudsman can also perform any other duty or function respecting the practices of departments for acquiring materiel and services that may be assigned to the Procurement Ombudsman by order of the Governor in Council or the Minister.

The Procurement Ombudsman can also perform any other duty or function respecting the practices of departments for acquiring materiel and services that may be assigned to the Procurement Ombudsman by order of the Governor in Council or the Minister.

3. Data Analysis

The Case Management System (CMS) is the system used as a data collection and analysis tool for OPO. Each business line also keeps hard copy files and electronic files which are saved on a shared drive. Hard copy files containing personal or sensitive information are properly identified at the protected B level and are stored in an approved locked cabinet. Files considered personal or sensitive are encrypted prior to being saved on the shared drive. The system holds a variety of information and is designed to: capture, store, analyse and report information needed for effective decision making and reporting. The main functions include:

• establishing a file;
• tracking any file (inquiries, investigations, reviews, alternate dispute resolution (ADR), assigned files and correspondence) activity from inception to closure;
• tracking files while ensuring compliance with timelines established in legislative regulations;
• coordinating and facilitating integration of specialized activities of the different areas of OPO;
• providing compliance capabilities under ATIP legislation;
• linking information about complainants, issues, authorities and reviews;
• providing easy access to information for managers to support sound decision-making and obtain feedback for input towards the annual report
• supporting advanced searching capabilities;
• linking soft files to cases;
• collecting, storing, and managing information to ensure compliance with Government of Canada (GoC) IM/IT policies;
• promoting transparency through information being accessible by those authorized to see it, including individual exercising their rights under the Access to Information and Privacy Act;
• producing detailed reporting; and
• conducting trend analyses for environmental scanning purposes.

The CMS will provide information on the past, present and planned activities of OPO. It can be defined as an integrated system for maintaining data, converting and aggregating it into the right information, supplying the same to appropriate users and reporting on OPO activities. Staff using the system, will only retrieve needed information without receiving extraneous information at the same time, reducing information overload and avoiding confusion. The main purpose of the CMS is to provide the right information to the right people at the right time and to report on it accordingly. The CMS is a key enabler for OPO to achieve well-managed information in support of legislative requirements.

Investment in the CMS and effective implementation will ensure that OPO deals with information appropriately and is able to carry out its legislative mandate in a manner that gives stakeholders confidence in the information generated by OPO.

The system collects information provided by Canadian suppliers and Government officials through an official complaint form, letters, e-mail, fax or telephone conversation and informal inquiries. The system also collects information on Practices Reviews undertaken and the recommendations provided to departments from the OPO. Outgoing and Incoming Correspondence related to Review of Procurement Practices and Supplier Complaints and all other business related correspondence is also captured in the system. The information collected can sometimes be considered personal information due to the sensitivity of the issue. The information collected is provided directly from the Canadian Supplier or government official. The office requests specific information in order to resolve or investigate a complaint/issue. It is possible that the complainant or government official provide further detail not originally requested.

Information considered as "personal information", is classified at the Protected B level and is marked and stored in a protected B environment, with regard to the document's sensitivity. The information considered to be "personal information" is also stored in an approved locked container.

Data Flow Table for CMS

• Description of personal information cluster
• Collected by
• Format
• Used by
• Purpose of collection
• Disclosed to
• Storage or retention

Registration Data Cluster

• Name, position; organization; address; phone number; e-mail address; and details of the complaint.
• CMS
• Paper, telephone and/or electronic
• The OPO personnel
• To reply to correspondence
• The Investigators, Review analysts and potentially the DM of the department assigned to the file
• Two years until the RDA has been established for OPO (currently under development)

4. Privacy Risk Management

The following section identifies a number of privacy risks in relation to CMS procedures, storing and handling of hard copy and electronic files. This information is outlined in the Privacy Impact Assessment. The risks, which are summarized below, also describe the security and privacy measures taken to be mitigated:

• Accountability for personal information;
• Consent to disclose personal information;
• Collection of personal information;
• Use, disclosure and retention of personal information;
• Safeguarding personal information/training; and
• Security of the CMS.

4.1 Accountability for Personal Information

Risk 1

Since the office is still establishing itself, directives still need to be developed to identify what constitutes "personal information" and how the information should be entered in the system. It will also address the proper handling and storing of OPO "personal information" for the hard copy filing system and electronic shared drive.

Risk 1 - Risk Mitigation Measures

In order to minimize privacy-related risks in the management of information in the CMS, hard copy and electronic shared drive, OPO intends to develop Security and Privacy Directives to ensure the secure handling of sensitive personal information at each stage of its life cycle.

These formal business rules establish standard security procedures that address the handling of personal information in the CMS, hard copy and electronic shared drive.

Risk 2

Specific responsibility for privacy issues has not been addressed. The accountability of information shared between Departments and Agencies which fall under Schedule 1.1 of the FedAA, has not as of yet been established and could lead to mismanagement of information and lack of trust.

Risk 2 - Risk Mitigation Measures

Accountability issues will be addressed in the Security and Privacy Directives. OPO is the functional authority responsible for the information received and entered in CMS, hard copy filing and electronic shared drive. As for the departments, rules have not yet been established to indicate to which extent they are responsible for the information received from OPO with respect to a complaint or alternative dispute resolution.(specifically for the production, marking, saving and transmission of the information).

4.2 Consent to Disclose Personal Information

Risk 3

When information is collected by the complainant or government official, the complainant has been approached to confirm if the information they have provided to OPO can be shared with the department in question. However, OPO has not yet addressed the issue of how departments should handle the disclosed information once they receive it, which may flag a risk that it may subsequently be shared with other parties or used without consent. The issue of consent arises when "personal information" of correspondents must be disclosed to another institution (department).

Risk 3 - Risk Mitigation Measures

By providing required information to address their complaint, Canadian suppliers give their implicit consent to personal information collection but not specifically for disclosure. As per OPO’s mandate, it is inferred that "personal" information is not disclosed beyond its main purpose, which is to respond to a complaint. The information is collected in accordance with Procurement Ombudsman Regulations made under the Federal Accountability Act for a complaint to be filed and considered for review. Consequently, OPO is often required to share "personal" information in accordance with paragraph 8(2)(a) of the Privacy Act, for the purpose of which it was obtained or compiled, or for a use consistent with that purpose, i.e. to respond to the complaint.

OPO is diligent in monitoring to ensure that information considered to be "personal" is not being shared for any other purpose.

In fact, a notice was added to the information on privacy currently on the complaint form and on the OPO website, in both official languages, stating that "personal" information will only be used to respond to the complainants' request. It also indicates that the information maybe shared with another department when the inquiry relates to that department.

In the event that there is a need to disclose information to another department (such as in the case of a referral), the complainant is made aware prior to disclosing the information to and is advised that OPO may forward a copy of the complaint to another department to answer the inquiry. This procedure is also indicated in section 8 of the OPO Regulations.

4.3 Collection of Personal Information

Risk 4

Retaining information which is considered "personal" increases the harm that would result from unauthorized access or from those who do not have a need-to-know.

Risk 4 - Risk Mitigation Measures

The CMS is designed to hold Protected B information and PWGSC IT ensured that the CMS is on a Protected B platform. However, guidelines/directives are being established for the Security and Privacy, which will provide detailed procedures that define the type of sensitive information included and how those accessing the data should handle the information. For example, ensuring that printing of "personal" information is only done through the secure printer.

Information collected and stored on the shared drive or hard copy filing system will respect the Government Security Policy and information which is considered as "personal" information shall be encrypted before it is saved on the shared drive. All documents which contain "personal" information will be properly identified with the accurate level of security marking and stored in an approved container.

Documents marked as Protected C, Secret and Top Secret are never scanned into CMS nor stored on the shared drive. The hard copy file shall identify the correct security marking and stored in an approved container.

4.4 Use, Disclosure and Retention of Personal Information

Risk 5

Employees having unauthorized access to "personal" information through the CMS, hard copy and electronic shared drive.

Risk 5 - Risk Mitigation Measures

There are no secondary uses of information received by CMS and, as far as it can be determined, no unauthorized use of the information is anticipated.

A role-based access control for CMS is already in use. Access rights are established in accordance with a need-to-know basis. The information is currently only stored on designated Personal computers and are password controlled. This ensures who has access to the CMS. User accounts are kept current by sending an e-mail requesting access to the system that is verified and approved by the Director of CMS. Unauthorized access is therefore not possible. There are currently only a handful of users using the CMS and the anticipated number is not expected to surpass 15 users. This makes it easier to manage and control. Access to the shared drive is only limited to OPO staff and "personal" information stored on the electronic shared drive should be encrypted and allow only those with a need-to-know basis access to review the file. The hard copy files which contain "personal" information are stored in an approved locked container which only those with a need-to-know basis have access to.

OPO will undertake periodic cleanups of CMS, which will revise the list of users, to ensure access rights are up to date.

A warning banner has been created to advise users that information in the system should only be used, disclosed and destroyed in accordance with the Government Security Policy and subsection 8(2) of the Privacy Act. In addition to this banner, a general security notice appears regularly on each workstation requiring the user to acknowledge his/her responsibilities with regard to the proper use of the applications available in the system. Moreover, the CMS provides the possibility, upon request, of generating a historic of all users, accessions, and records accessed.

Risk 6

There is a risk that sensitive "personal" information that is no longer required for an identifiable purpose may still be in the CMS, shared drive or hard files and employees that do not have a need-to-know may have access to it.

Risk 6 - Risk Mitigation Measures

With regard to retention, information will be destroyed when it is no longer required for an identifiable purpose or its maximum retention period when it has been reached. A file cleanup will also be executed and logs will be kept which identify the file number and subject of file destroyed.

• CMS and paper copy: the Review of Procurement Practices and Supplier Complaints programs currently have a records disposition of two years, however OPO is currently working with LAC in order to obtain the appropriate time frame for its records disposition period. Once this has been established proper procedures will be put in place to handle the disposition of records.
• Shared drive: Information pertaining to the Supplier Complaints program if saved on the shared drive shall be encrypted as most of the information pertaining to complaints received is at the Protected B level. Employees of OPO handling Protected B data have all been provided with a PKI key which enables them to transfer Protected B information via e-mail by encrypting the document and sharing only with those who have a PKI key. As for the Review of Procurement Practices, documents are identified as Protected A and can be stored on the shared drive. Documents are however properly identified and stored an approved storage container.

4.5 Safeguarding Personal Information

Risk 7

Although information stored in the CMS meets the security requirements required for safeguarding of personal information at the Protected B level, there is currently no guidelines or procedures which addresses the mishandling or compromise of information entered. Procedures and guidelines also need to be addressed when saving protected B information on the shared drive as the shared drive is only at the Protected A level.

Risk 7 - Risk Mitigation Measures

OPO does and will continue to send information and reminders with respect to handling, storing and disposing of personal information as part of their awareness initiative. OPO will continue to remind its personnel of the procedures to follow through routine meetings and provide new employees with briefing sessions and material pertaining to the handling, storing and disposing of personal information. Information which is considered "personal" is properly marked and stored in an approved container. A user training manual is under development, which will address the safeguarding, security or privacy issues when handling information stored on the shared drive and the CMS.

4.6 Security of the CMS

Risk 8

The security of the Case Management System.

Risk 8 - Risk Mitigation Measures

The certification and accreditation process was initiated by Information and Technology Services Branch Security, and confirms that the actual level of risk matches the acceptable level.

Conclusion

In conclusion, OPO will be implementing these measures to address the potential privacy risks during all the file life cycle. OPO will lower the risk of access to sensitive information with proper security measures as defined within the Privacy Impact Assessment.