Data Sharing Agreement Audit

The audit showed that, regardless of the size or structure of the department or the extent of DSA activity, the roles of staff participating in assigned have developed over time rather than being formally defined, and these roles are largely adequately exercised. However, there is a lack of segregation of incompatible functions within some departments. Whether a department has centralized or decentralized DSA functions, there have been instances where the same employee prepared and transmitted a sharing file without independent verification and authorization. Task separation is an important internal control to avoid unintentional errors and ensure timely error detection.

2.3. The management of DSA-specific privacy guarantees by all DSA parties over their life cycle is carried out in accordance with the terms of the agreement and the MAF Public Service Values PSV 1-4 and the St-22 Stewardship

Manufacturing and Energy Division (MED), which has a large number of DSAs, has developed extensive documented processes and procedures. It has centralized the broadcasting sector to create ongoing capacity, including trained and experienced staff. It has created an Excel document that is stored on a shared drive and describes the specific procedures for different types of data sharing in different forms of DSA. This mechanism helps the tradesman to easily consult procedures and inform the partner in advance of what can and cannot be shared, thus fostering a better relationship with the partner.

The audit concluded that the status of the DSA should not be monitored and audited at all times. This increases the risk that breaches of confidentiality will go undetected with respect to the legal and political requirements of the DSA and that timely and effective corrective action will not be implemented.

In 2006, DACS began to phase in a review and verification clause in the DSA texts, where the partners would agree. However, it is not possible to systematically exercise the clause. The administrative services of the Statistics Canada and DACS DSA administrative departments must verify that the partners are following the rules. The DSA's privacy monitoring, defined as a practice that includes the assessment of DSA controls for confidentiality, reporting and exchange of information on control deficiencies and their correction, as well as change management, is not included in the current legislative and policy collection. A few years ago, DACS asked S.11 partners to conduct a self-assessment and report. It has been found that DSA privacy processes are integrated into much larger monitoring mechanisms for survey operations. Compliance with the general requirements for information rights and approval by ASDs is integrated into survey prescription processes. The general requirements for protecting the privacy of ASDs are incorporated into the general physical, computer and personnel security requirements, for which security controls and procedures are available. DSA-specific security measures, such as a ban on third-party data disclosure or restricted access to researchers and research organizations of DSA partners under certain conditions, are set out in the agreements.

As a result, managers must combine all these fragments into their own rules and processes, leading to very different practices for managing DSA privacy compliance at the division level.