The program activity, which operates at arm's length from the government, reviews procurement practices across federal departments and agencies; investigates complaints from potential suppliers with respect to the award of contracts for goods and services below certain thresholds, and complaints concerning the administration of contracts; and ensures the provision of an alternative dispute resolution program for contracts. This activity helps to promote fairness, openness and transparency of the procurement process.
As set out in the Department of Public Works and Government Services Act, the mandate of the Procurement Ombudsman is to:
The Procurement Ombudsman can also perform any other duty or function respecting the practices of departments for acquiring materiel and services that may be assigned to the Procurement Ombudsman by order of the Governor in Council or the Minister.
The Case Management System (CMS) is the system used as a data collection and analysis tool for OPO. Each business line also keeps hard copy files and electronic files, which are saved on a shared drive. Hard copy files containing personal or sensitive information are properly identified at the Protected B level and are stored in an approved locked cabinet. Files considered personal or sensitive are encrypted prior to being saved on the shared drive. The system holds a variety of information and is designed to capture, store, analyse and report information needed for effective decision making and reporting. The main functions include:
The CMS will provide information on the past, present and planned activities of OPO. It can be defined as an integrated system for maintaining data, converting and aggregating it into the right information, supplying the same to appropriate users and reporting on OPO activities. Staff using the system will retrieve only the information they need, without receiving extraneous information at the same time, reducing information overload and avoiding confusion. The main purpose of the CMS is to provide the right information to the right people at the right time and to report on it accordingly. The CMS is a key enabler for OPO to achieve well-managed information in support of legislative requirements.
Investment in the CMS and effective implementation will ensure that OPO deals with information appropriately and is able to carry out its legislative mandate in a manner that gives stakeholders confidence in the information generated by OPO.
The system collects information provided by Canadian suppliers and Government officials through an official complaint form, letters, e-mail, fax or telephone conversation and informal inquiries. The system also collects information on Practices Reviews undertaken and the recommendations provided to departments by the OPO. Outgoing and incoming correspondence related to Review of Procurement Practices and Supplier Complaints, and all other business-related correspondence, is also captured in the system. The information collected can sometimes be considered personal information due to the sensitivity of the issue. The information collected is provided directly by the Canadian supplier or government official. The office requests specific information in order to resolve or investigate a complaint/issue. It is possible that the complainant or government official provides further detail not originally requested.
Information considered "personal information" is classified at the Protected B level and is marked and stored in a Protected B environment, with regard to the document's sensitivity. The information considered to be "personal information" is also stored in an approved locked container.
The following section identifies a number of privacy risks in relation to CMS procedures and the storing and handling of hard copy and electronic files. This information is outlined in the Privacy Impact Assessment. The risks are summarized below, together with the security and privacy measures taken to mitigate them:
Since the office is still establishing itself, directives still need to be developed to identify what constitutes "personal information" and how the information should be entered in the system. They will also address the proper handling and storing of OPO "personal information" for the hard copy filing system and electronic shared drive.
In order to minimize privacy-related risks in the management of information in the CMS, hard copy and electronic shared drive, OPO intends to develop Security and Privacy Directives to ensure the secure handling of sensitive personal information at each stage of its life cycle.
These formal business rules establish standard security procedures that address the handling of personal information in the CMS, hard copy and electronic shared drive.
Specific responsibility for privacy issues has not been addressed. The accountability for information shared between Departments and Agencies which fall under Schedule 1.1 of the FedAA has not yet been established and could lead to mismanagement of information and lack of trust.
Accountability issues will be addressed in the Security and Privacy Directives. OPO is the functional authority responsible for the information received and entered in CMS, hard copy filing and electronic shared drive. As for the departments, rules have not yet been established to indicate to what extent they are responsible for the information received from OPO with respect to a complaint or alternative dispute resolution (specifically for the production, marking, saving and transmission of the information).
When information is collected from the complainant or government official, the complainant has been approached to confirm whether the information they have provided to OPO can be shared with the department in question. However, OPO has not yet addressed the issue of how departments should handle the disclosed information once they receive it, which raises a risk that it may subsequently be shared with other parties or used without consent. The issue of consent arises when "personal information" of correspondents must be disclosed to another institution (department).
By providing required information to address their complaint, Canadian suppliers give their implicit consent to personal information collection but not specifically for disclosure. As per OPO's mandate, it is inferred that "personal" information is not disclosed beyond its main purpose, which is to respond to a complaint. The information is collected in accordance with Procurement Ombudsman Regulations made under the Federal Accountability Act for a complaint to be filed and considered for review. Consequently, OPO is often required to share "personal" information in accordance with paragraph 8(2)(a) of the Privacy Act, for the purpose for which it was obtained or compiled, or for a use consistent with that purpose, i.e. to respond to the complaint.
OPO is diligent in monitoring to ensure that information considered to be "personal" is not being shared for any other purpose.
In fact, a notice was added to the information on privacy currently on the complaint form and on the OPO website, in both official languages, stating that "personal" information will only be used to respond to the complainants' request. It also indicates that the information may be shared with another department when the inquiry relates to that department.
In the event that there is a need to disclose information to another department (such as in the case of a referral), the complainant is made aware prior to the disclosure and is advised that OPO may forward a copy of the complaint to another department to answer the inquiry. This procedure is also indicated in section 8 of the OPO Regulations.
Retaining information which is considered "personal" increases the harm that would result from unauthorized access or from access by those who do not have a need to know.
The CMS is designed to hold Protected B information and PWGSC IT ensured that the CMS is on a Protected B platform. However, Security and Privacy guidelines/directives are being established, which will provide detailed procedures that define the type of sensitive information included and how those accessing the data should handle the information. For example, ensuring that printing of "personal" information is only done through the secure printer.
Information collected and stored on the shared drive or hard copy filing system will respect the Government Security Policy, and information which is considered "personal" information shall be encrypted before it is saved on the shared drive. All documents which contain "personal" information will be properly identified with the accurate level of security marking and stored in an approved container.
Documents marked as Protected C, Secret and Top Secret are never scanned into CMS nor stored on the shared drive. The hard copy file shall bear the correct security marking and be stored in an approved container.
Employees having unauthorized access to "personal" information through the CMS, hard copy and electronic shared drive.
There are no secondary uses of information received by CMS and, as far as it can be determined, no unauthorized use of the information is anticipated.
Role-based access control for CMS is already in use. Access rights are established on a need-to-know basis. The information is currently stored only on designated personal computers, which are password controlled. This controls who has access to the CMS. User accounts are kept current through e-mail requests for access to the system, which are verified and approved by the Director of CMS. Unauthorized access is therefore not possible. There are currently only a handful of users using the CMS and the anticipated number is not expected to surpass 15 users. This makes it easier to manage and control. Access to the shared drive is limited to OPO staff, and "personal" information stored on the electronic shared drive should be encrypted so that only those with a need to know can review the file. The hard copy files which contain "personal" information are stored in an approved locked container to which only those with a need to know have access.
OPO will undertake periodic cleanups of CMS, which will revise the list of users, to ensure access rights are up to date.
A warning banner has been created to advise users that information in the system should only be used, disclosed and destroyed in accordance with the Government Security Policy and subsection 8(2) of the Privacy Act. In addition to this banner, a general security notice appears regularly on each workstation requiring the user to acknowledge his/her responsibilities with regard to the proper use of the applications available in the system. Moreover, the CMS provides the possibility, upon request, of generating a history of all users, accesses, and records accessed.
There is a risk that sensitive "personal" information that is no longer required for an identifiable purpose may still be in the CMS, shared drive or hard files and employees that do not have a need-to-know may have access to it.
With regard to retention, information will be destroyed when it is no longer required for an identifiable purpose or when its maximum retention period has been reached. A file cleanup will also be executed and logs will be kept which identify the file number and subject of each file destroyed.
Although information stored in the CMS meets the security requirements for safeguarding personal information at the Protected B level, there are currently no guidelines or procedures that address the mishandling or compromise of information entered. Procedures and guidelines also need to be addressed when saving Protected B information on the shared drive, as the shared drive is only at the Protected A level.
OPO does and will continue to send information and reminders with respect to handling, storing and disposing of personal information as part of its awareness initiative. OPO will continue to remind its personnel of the procedures to follow through routine meetings and provide new employees with briefing sessions and material pertaining to the handling, storing and disposing of personal information. Information which is considered "personal" is properly marked and stored in an approved container. A user training manual is under development, which will address the safeguarding, security or privacy issues when handling information stored on the shared drive and the CMS.
The security of the Case Management System.
The certification and accreditation process was initiated by Information and Technology Services Branch Security, and confirms that the actual level of risk matches the acceptable level.
In conclusion, OPO will be implementing these measures to address the potential privacy risks throughout the file life cycle. OPO will lower the risk of access to sensitive information with proper security measures as defined within the Privacy Impact Assessment.