Telework at the ATIP Office of Correctional Service Canada
Privacy impact assessment (PIA) summary
In compliance with Treasury Board Secretariat's (TBS) Telework Policy, which:
encourages departments to implement telework arrangements where it is economically and operationally feasible to do so, and in a fair, equitable and transparent manner,
Correctional Service Canada (CSC) implemented a telework arrangement for its access to information and privacy (ATIP) analysts in 2000. As of the date of this assessment, five of 22 analysts work primarily out of their home offices.
Summary of risks and recommendations
Information that is categorized at the "Protected C" level is transmitted over the electronic network without input or review by IT security. The security measures for the IT systems are not commensurate with the sensitivity of information.
"Protected C" documents are regularly removed from the CSC offices for review at the telework site. The teleworkers do not pre-screen the files to determine the level of sensitivity of the documents they contain. They do not obtain the prior approval of the CSC manager to remove a file containing documentation categorized at the "Protected C" level. The files may also contain, on a rare occasion, documents categorized as "Secret". The security measurements for the physical documents are not commensurate with the sensitivity of information.
Non-Specific contingency plans and procedures for teleworkers. It is not clear that the contingency plans and procedures currently in place for non-teleworkers are also applicable in their entirety to teleworkers.
Recommendations for mitigation
A threat risk assessment (TRA) was undertaken by the CSC IT Security group on the IT systems, telecommunication devices, and assets being used by teleworkers, such as remote access to:
- Offender Management System (OMS)
- internet, and
The risks identified in the TRA were mitigated by incorporating the recommendations into CSC policies, procedures, guidelines and training.
Policies, procedures, practices and guidelines should be amended to ensure that "Protected C" and "Classified" documents are not removed from the CSC offices, except under exceptional and unique circumstances, such as the requirement to comply with a Court order.
Adapt telework offices to meet the specifications of a Secure Room.
Ensure telework filing cabinets meet current security requirements for the use outside of operational zones.
Seal "Protected C" documents in an envelope with appropriate security markings and transport in a secure case when taking documents outside of restricted access areas for telework purposes.
Ensure that teleworkers are aware of protocols for the transportation of "Protected C" documents outside of restricted access areas.
Terminate telework program.
Review the CSC guidelines on privacy breaches, and existing contingency plans and procedures and ensure that they are applicable in their entirety to the telework arrangements.
Provide training to teleworkers on privacy breaches, and on the contingency plans and procedures.
The safeguards in place for the telework arrangements will diminish over time. There are no scheduled audits and compliance checks on privacy requirements.
Recommendations for mitigation
Develop a plan for ongoing quality assurance and audit programs to assess the ongoing state of the safeguards applicable to the telework arrangement. This should include regularly scheduled on site visits/reviews.
- Date modified: