Review of procurement practices and supplier complaints: Privacy impact assessment summary

Introduction

The program activities, which operates at arm's length of the government:

• reviews procurement practices across federal departments and agencies
• investigates complaints from potential suppliers with respect to award of contracts for goods and services below certain thresholds, and complaints concerning the administration of contracts
• ensures the provision of an alternative dispute resolution program for contracts

This activity helps to promote fairness, openness and transparency of the procurement process.

Office mandate overview

As set out in the Department of Public Works and Government Services Act, the mandate of the Office of the Procurement Ombudsman is to:

• review the practices of departments for acquiring materiel and services to assess their fairness, openness and transparency and make any appropriate recommendations to the relevant department for the improvement of those practices
• review any complaint respecting the award of a contract for the acquisition of goods below the value of $25,000 and services below the value of $100,000 where the criteria of Canada's Agreement on Internal Trade applies
• review any complaint respecting the administration of a contract for the acquisition of materiel or services by a department, regardless of dollar value
• ensure that an alternative dispute resolution process is provided, if both parties agree to participate

The Office of the Procurement Ombudsman can also perform any other duty or function respecting the practices of departments for acquiring materiel and services that may be assigned to the Office of the Procurement Ombudsman by order of the Governor in Council or the Minister.

Data analysis

The Case Management System is the system used as a data collection and analysis tool for the Office of the Procurement Ombudsman. Each business line also keeps hard copy files and electronic files which are saved on a shared drive. Hard copy files containing personal or sensitive information are properly identified at the Protected B level and are stored in an approved locked cabinet. Files considered personal or sensitive are encrypted prior to being saved on the shared drive. The system holds a variety of information and is designed to: capture, store, analyse and report information needed for effective decision making and reporting. The main functions include:

• establishing a file
• tracking any file (inquiries, investigations, reviews, alternate dispute resolution, assigned files and correspondence) activity from inception to closure
• tracking files while ensuring compliance with timelines established in legislative regulations
• coordinating and facilitating integration of specialized activities of the different areas of the Office of the Procurement Ombudsman
• providing compliance capabilities under the access to information and privacy legislation
• linking information about complainants, issues, authorities and reviews
• providing easy access to information for managers to support sound decision-making and obtain feedback for input towards the annual report
• supporting advanced searching capabilities
• linking soft files to cases
• collecting, storing, and managing information to ensure compliance with Government of Canada information management (IM) and information technology (IT) policies
• promoting transparency through information being accessible by those authorized to see it, including individual exercising their rights under the Access to Information Act and the Privacy Act
• producing detailed reporting
• conducting trend analyses for environmental scanning purposes

The system will provide information on the past, present and planned activities of the Office of the Procurement Ombudsman. It can be defined as an integrated system for maintaining data, converting and aggregating it into the right information, supplying the same to appropriate users and reporting on Office of the Procurement Ombudsman activities. Staff using the system will only retrieve needed information without receiving extraneous information at the same time, reducing information overload and avoiding confusion. The main purpose of the system is to provide the right information to the right people at the right time and to report on it accordingly. The system is a key enabler for the Office of the Procurement Ombudsman to achieve well-managed information in support of legislative requirements.

Investment in the system and effective implementation will ensure that the Office of the Procurement Ombudsman deals with information appropriately and is able to carry out its legislative mandate in a manner that gives stakeholders confidence in the information generated by the Office of the Procurement Ombudsman.

The system collects information provided by Canadian suppliers and government officials through an official complaint form, letters, email, fax or telephone conversation and informal inquiries. The system also collects information on practices reviews undertaken and the recommendations provided to departments from the Office of the Procurement Ombudsman. Outgoing and incoming correspondence related to review of procurement practices and supplier complaints and all other business related correspondence is also captured in the system. The information collected can sometimes be considered personal information due to the sensitivity of the issue. The information collected is provided directly from the Canadian supplier or government official. The office requests specific information in order to resolve or investigate a complaint or issue. It is possible that the complainant or government official provide further detail not originally requested.

Information considered as "personal information" is classified at the Protected B level and is marked and stored in a Protected B environment, with regard to the document's sensitivity. The information considered to be "personal information" is also stored in an approved locked container.

Data flow table for the Case Management System

• Description of personal information cluster
• Collected by
• Format
• Used by
• Purpose of collection
• Disclosed to
• Storage or retention

Registration data cluster

• Name, position, organization, address, telephone number; email address and details of the complaint
• Case Management System
• Paper, telephone and electronic
• Office of the Procurement Ombudsman personnel
• To reply to correspondence
• The investigators, review analysts and potentially the deputy minister of the department assigned to the file
• Two years until the record deposition authority has been established for the Office of the Procurement Ombudsman (currently under development)

Privacy risk management

The following section identifies a number of privacy risks in relation to Case Management System procedures, storing and handling of hard copy and electronic files. This information is outlined in the privacy impact assessment. The risks, which are summarized below, also describe the security and privacy measures taken to be mitigated.

• Accountability for personal information
• Consent to disclose personal information
• Collection of personal information
• Use, disclosure and retention of personal information
• Safeguarding personal information and training
• Security of the Case Management System

Accountability for personal information

Risk 1

Since the office is still establishing itself, directives still need to be developed to identify what constitutes "personal information" and how the information should be entered in the Case Management System. It will also address the proper handling and storing of "personal information" of the Office of the Procurement Ombudsman for the hard copy filing system and electronic shared drive.

Risk 1: Risk mitigation measures

In order to minimize privacy-related risks in the management of information in the Case Management System, hard copy and electronic shared drive, the Office of the Procurement Ombudsman intends to develop security and privacy directives to ensure the secure handling of sensitive personal information at each stage of its life cycle.

These formal business rules establish standard security procedures that address the handling of personal information in the system, hard copy and electronic shared drive.

Risk 2

Specific responsibility for privacy issues has not been addressed. The accountability of information shared between departments and agencies, which fall under Schedule I.1 of the Financial Administration Act, has not as of yet been established, and could lead to mismanagement of information and lack of trust.

Risk 2: Risk mitigation measures

Accountability issues will be addressed in the security and privacy directives. The Office of the Procurement Ombudsman is the functional authority responsible for the information received and entered in the Case Management System, hard copy filing and electronic shared drive. As for the departments, rules have not yet been established to indicate to which extent they are responsible for the information received from the Office of the Procurement Ombudsman with respect to a complaint or alternative dispute resolution (specifically for the production, marking, saving and transmission of the information).

Consent to disclose personal information

Risk 3

When information is collected by the complainant or government official, the complainant has been approached to confirm if the information they have provided to the Office of the Procurement Ombudsman can be shared with the department in question. However, the Office of the Procurement Ombudsman has not yet addressed the issue of how departments should handle the disclosed information once they receive it, which may flag a risk that it may subsequently be shared with other parties or used without consent. The issue of consent arises when "personal information" of correspondents must be disclosed to another institution (department).

Risk 3: Risk mitigation measures

By providing required information to address their complaint, Canadian suppliers give their implicit consent to personal information collection but not specifically for disclosure. As per the Office of the Procurement Ombudsman's mandate, it is inferred that "personal" information is not disclosed beyond its main purpose, which is to respond to a complaint. The information is collected in accordance with Procurement Ombudsman Regulations made under the Archived – Federal Accountability Act for a complaint to be filed and considered for review. Consequently, the Office of the Procurement Ombudsman is often required to share "personal" information in accordance with paragraph 8(2)(a) of the Privacy Act, for the purpose of which it was obtained or compiled, or for a use consistent with that purpose, that is, to respond to the complaint.

The Office of the Procurement Ombudsman is diligent in monitoring to ensure that information considered to be "personal" is not being shared for any other purpose.

In fact, a notice was added to the information on privacy currently on the complaint form and on the Office of the Procurement Ombudsman website, in both official languages, stating that "personal" information will only be used to respond to the complainants' request. It also indicates that the information may be shared with another department when the inquiry relates to that department.

In the event that there is a need to disclose information to another department (such as in the case of a referral), the complainant is made aware prior to disclosing the information to and is advised that Office of the Procurement Ombudsman may forward a copy of the complaint to another department to answer the inquiry. This procedure is also indicated in section 8 of the Procurement Ombudsman Regulations.

Collection of personal information

Risk 4

Retaining information which is considered "personal" increases the harm that would result from unauthorized access or from those who do not have a need-to-know.

Risk 4: Risk mitigation measures

The Case Management System is designed to hold Protected B information and Public Works and Government Services' information technology team ensured that the system is on a Protected B platform. However, guidelines and directives are being established for the security and privacy, which will provide detailed procedures that define the type of sensitive information included and how those accessing the data should handle the information. For example, ensuring that printing of "personal" information is only done through the secure printer.

Information collected and stored on the shared drive or hard copy filing system will respect the Policy on Government Security and information which is considered as "personal" information shall be encrypted before it is saved on the shared drive. All documents which contain "personal" information will be properly identified with the accurate level of security marking and stored in an approved container.

Documents marked as Protected C, Secret and Top Secret are never scanned into system nor stored on the shared drive. The hard copy file shall identify the correct security marking and stored in an approved container.

Use, disclosure and retention of personal information

Risk 5

Employees having unauthorized access to "personal" information through the Case Management System, hard copy and electronic shared drive

Risk 5: Risk mitigation measures

There are no secondary uses of information received by the Case Management System and, as far as it can be determined, no unauthorized use of the information is anticipated.

A role-based access control for the system is already in use. Access rights are established in accordance with a need-to-know basis. The information is currently only stored on designated personal computers and are password controlled. This ensures who has access to the system. User accounts are kept current by sending an email requesting access to the system that is verified and approved by the Director of the Case Management System. Unauthorized access is therefore not possible. There are currently only a handful of users using the system and the anticipated number is not expected to surpass 15 users. This makes it easier to manage and control. Access to the shared drive is only limited to Office of the Procurement Ombudsman staff and "personal" information stored on the electronic shared drive should be encrypted and allow only those with a need-to-know basis access to review the file. The hard copy files which contain "personal" information are stored in an approved locked container which only those with a need-to-know basis have access to.

The Office of the Procurement Ombudsman will undertake periodic cleanups of the system, which will revise the list of users, to ensure access rights are up to date.

A warning banner has been created to advise users that information in the system should only be used, disclosed and destroyed in accordance with the Policy on Government Security and subsection 8(2) of the Privacy Act. In addition to this banner, a general security notice appears regularly on each workstation requiring the user to acknowledge his or her responsibilities with regard to the proper use of the applications available in the system. Moreover, the system provides the possibility, upon request, of generating a historic of all users, accessions, and records accessed.

Risk 6

There is a risk that sensitive "personal" information that is no longer required for an identifiable purpose may still be in the Case Management System, shared drive or hard files and employees that do not have a need-to-know may have access to it.

Risk 6: Risk mitigation measures

With regard to retention, information will be destroyed when it is no longer required for an identifiable purpose or its maximum retention period when it has been reached. A file cleanup will also be executed and logs will be kept which identify the file number and subject of file destroyed.

• Case Management System and paper copy: The review of procurement practices and supplier complaints programs currently have a records disposition of two years, however the Office of the Procurement Ombudsman is currently working with Library and Archives Canada in order to obtain the appropriate time frame for its records disposition period. Once this has been established proper procedures will be put in place to handle the disposition of records
• Shared drive: Information pertaining to the Supplier Complaints Program, if saved on the shared drive, shall be encrypted as most of the information pertaining to complaints received is at the Protected B level. Employees of the Office of the Procurement Ombudsman handling Protected B data have all been provided with a public key infrastructure (PKI) key which enables them to transfer Protected B information via email by encrypting the document and sharing only with those who have a PKI key. As for the review of procurement practices, documents are identified as Protected A and can be stored on the shared drive. Documents are however properly identified and stored an approved storage container.

Safeguarding personal information and training

Risk 7

Although information stored in the Case Management System meets the security requirements required for safeguarding of personal information at the Protected B level, there is currently no guidelines or procedures which addresses the mishandling or compromise of information entered. Procedures and guidelines also need to be addressed when saving Protected B information on the shared drive as the shared drive is only at the Protected A level.

Risk 7: Risk mitigation measures

The Office of the Procurement Ombudsman does and will continue to send information and reminders with respect to handling, storing and disposing of personal information as part of their awareness initiative. The Office of the Procurement Ombudsman will continue to remind its personnel of the procedures to follow through routine meetings and provide new employees with briefing sessions and material pertaining to the handling, storing and disposing of personal information. Information which is considered "personal" is properly marked and stored in an approved container. A user training manual is under development, which will address the safeguarding, security or privacy issues when handling information stored on the shared drive and the Case Management System.

Security of the Case Management System

Risk 8

The security of the Case Management System

Risk 8: Risk mitigation measures

The certification and accreditation process was initiated by Information and Technology Services Branch's security, and confirms that the actual level of risk matches the acceptable level.

Conclusion

In conclusion, the Office of the Procurement Ombudsman will be implementing these measures to address the potential privacy risks during all the file life cycle. The Office of the Procurement Ombudsman will lower the risk of access to sensitive information with proper security measures as defined within the privacy impact assessment.