Audit of Access to Information and Privacy

Final report
March 2020

Table of contents

  1. Acronyms and abbreviations
  2. Executive summary
  3. Management's response to the audit
  4. 1. Background
  5. 2. Objective, scope and methodology
  6. 3. Audit findings
  7. 4. Conclusion
  8. 5. Recommendations
  9. Appendix A – Audit objective and criteria
  10. Appendix B – Detailed management action plans

Acronyms and abbreviations

APCM
AccessPro Case Management
ATI
Access to Information
ATIP
Access to Information and Privacy
CSPPO
Chief Strategic Policy and Planning Officer
HR
Human Resources
NIOC
National Integrated Operations Council
OIC
Office of the Information Commissioner
OPC
Office of the Privacy Commissioner
OPI
Office of Primary Interest
RCMP
Royal Canadian Mounted Police
SEC
Senior Executive Committee
SOP
Standard Operating Procedure
TBS
Treasury Board Secretariat
QA
Quality Assurance

Executive summary

The Access to Information Act and the Privacy Act provide the legal framework for the administration of Access to Information and Privacy (ATIP) by departments and agencies across the federal government. These Acts are supported by Treasury Board (TB) policies and directives which provide specific guidelines for the administration of ATIP.

The Royal Canadian Mounted Police (RCMP) Access to Information and Privacy (ATIP) Branch was created in 1983 to serve as the central contact point for all matters arising from both the Access to Information Act and the Privacy Act. One of the main functions of the ATIP Branch is to ensure that any exemptions applicable under the Acts are applied before information is released from the organization.

The RCMP's ATIP program has reported experiencing a number of challenges in addressing the volume of requests received and complying with the legislative requirement to respond to ATIP requests within 30 days.

The objective of this audit engagement was to determine whether a management control framework for the RCMP's ATIP program was in place and working as intended. In addition to assessing the management control framework and the Force's compliance to the ATI and Privacy Acts; the audit aimed to examine whether the Force has reviewed ATIP Program activities to identify opportunities to improve the effectiveness and efficiency of the Program within current resourcing levels and taking into consideration risks to the organization.

The audit found that while the RCMP has a governance framework in place to support the ATIP Program with clearly defined and communicated roles and responsibilities within the ATIP Branch, there is an opportunity to: update RCMP ATIP policy and guidance documentation and to reflect legislative and process changes, and provide further guidance on the role and responsibility of Liaison Officers and RCMP employees overall.

The audit also found that the ATIP Branch has undertaken a number of initiatives with the aim of improving the effectiveness and efficiency of the ATIP process. In general, the implementation of initiatives appears to be reactive with limited documented analysis to support management's decision to pursue proposed initiatives. The audit team was unable to assess the effectiveness of the initiatives given the lack of evidence-based performance information. The ATIP Branch would benefit from the development of a formal plan, inclusive of a Human Resource (HR) strategy, to manage the implementation of process improvement initiatives and measure their success.

Finally, the ATIP Program would benefit from a quality assurance function that includes an examination of complaints and their root cause to inform process improvements and improve program compliance.

The management response and action plan developed in response to this report demonstrate the commitment from senior management to address the audit findings and recommendations. RCMP Internal Audit will monitor its implementation and undertake a follow-up audit if warranted.

Management's response to the audit

Strategic Policy and Planning Directorate (SPPD) agrees with the findings and recommendations in the audit report. The audit has highlighted areas for improvement to the management of the ATIP process for which SPPD has already taken steps in making process improvements. Subsequent to the audit scope period, using funds reallocated from within SPPD (approximately 0.3M), the Program Area procured the services of consultants to help reduce the backlog of files by 4,700. In addition, in recognizing the Program Area's capacity challenges, SPPD permanently transferred 0.650M to the Program Area's annual budget.

SPPD will develop and implement a detailed management action plan to address the recommendations in the audit. Notably, key actions to be taken are as follows: clarifying roles and responsibilities of LO's and non-ATIP employees; undergoing a process analysis and thereafter developing a process improvement plan including improved business analysis and quality assurance; and advancing a human resource strategy for ATIP.

Deputy Commissioner Kevin Jones
Acting Chief Strategic Policy & Planning Officer

1. Background

The Access to Information Act and the Privacy Act provide the legal framework for the administration of Access to Information and Privacy (ATIP) by departments and agencies across the federal government. These Acts are supported by Treasury Board (TB) policies and directives which provide specific guidelines for the administration of ATIP.

The RCMP Access to Information and Privacy (ATIP) Branch was created in 1983 to serve as the central contact point for all matters arising from both the Access to Information Act and the Privacy Act. One of the main functions of the ATIP Branch is to ensure that any exemptions applicable under the Acts are applied before information is released from the organization. In the case of the Access to Information Act, sections 13 through 26 of the Act set out a number of specific exceptions to the right of access established by the legislation. These exceptions are known as exemptions. Each exemption is intended to protect information relating to a particular public or private interest. Given the nature of the of the work done by the RCMP, sections 13 and 16 of the Act are two examples of exemptions the RCMP could use to withhold or redact information concerning ongoing investigations, investigative methods, intelligence and the use of related operational techniques which are relevant to the nature of the work done by the RCMP.

While RCMP employees are responsible for all the information they collect, use, retain, dispose of and disclose during the course of their employment, several RCMP business lines and divisions have designated an ATIP Liaison Officer who works directly with the ATIP Branch to coordinate the retrieval, review and submission of the required information back to the ATIP Branch. In the course of responding to ATIP requests, the following RCMP records must be searched: all electronic systems and databases; employees' personal drive; units' shared drives; paper files that are not electronically indexed; any official or unofficial files within units/detachments and; all emails.

Through its Commissioner approved Annual Reports, the RCMP's ATIP program has reported experiencing a number of challenges, including capacity, in addressing the volume of requests received and complying with the legislative requirement to respond to ATIP requests within 30 days. RCMP senior management has been briefed on the program's challenges and related requests for additional resources via the Senior Executive Committee's (SEC) Resourcing Sub-Committee and the recent Departmental Review exercise.

As identified in the Program's Annual Reports for 2016-2017 and 2017-2018, the Program has reported increases in volumes and carried forward files, coinciding with constant resourcing levels.

RCMP ATIP Workload

RCMP ATIP Workload

RCMP ATIP Workload

RCMP ATIP Workload - text version

A bar graph illustrating the number of ATIP requests received, outstanding, completed, and carried forward over a four year period.

The horizontal axis represents fiscal years from 2014-15 to 2017-18.

The vertical axis represents the number of ATIP requests for the RCMP.

In fiscal year 2014-15 there were 9,801 ATIP requests received; 1,691 ATIP requests outstanding from the prior fiscal year; 10,292 ATIP requests completed; and 1,200 ATIP requests carried forward to the next fiscal year.

In fiscal year 2015-16 there were 8,469 ATIP requests received; 1,200 ATIP requests outstanding from the prior fiscal year; 8,122 ATIP requests completed; and 1,277 ATIP requests carried forward to the next fiscal year.

In fiscal year 2016-17 there were 9,965 ATIP requests received; 1,454 ATIP requests outstanding from the prior fiscal year; 8,130 ATIP requests completed; and 3,289 ATIP requests carried forward to the next fiscal year.

In fiscal year 2017-18 there were 10,199 ATIP requests received; 3,289 ATIP requests outstanding from the prior fiscal year; 6,051 ATIP requests completed; and 7,437 ATIP requests carried forward to the next fiscal year.

Source: RCMP Commissioner Approved ATI and Privacy Annual Reports 2016-2017 and 2017-2018.

In addition, the Program has reported compliance rates for both Access to Information (ATI) and Privacy requests have both declined. For ATI requests, compliance rates for fiscal years 2015-16, 2016-17, 2017-18 have been 78.2%, 65.4% and 33.5% respectively. For Privacy requests for the same three fiscal years, the compliance rates were 82.1%, 69.9% and 45.1%.

The Commissioner-approved 2017-2022 Risk-Based Audit, Evaluation and Data Analytics Plan included an audit of ATIP with a focus on effectiveness and efficiency. The increasing number of ATIP requests received by the RCMP along with recent government focus on open disclosure, supported an independent examination of the management framework related to the ATIP function.

2. Objective, scope and methodology

2.1 Objective

The objective of this audit engagement was to determine whether a management control framework for the RCMP's ATIP program is in place and working as intended.

2.2 Scope

The audit examined the processes and controls in place within the RCMP to support compliance with the requirements of the ATI Act and the Privacy Act. The scope included activities carried out from April 1, 2016 to March 31, 2018. The audit scope did not include an assessment of the accuracy or completeness of completed ATIP requests nor the accuracy of data captured in the case management system.

2.3 Methodology

Planning for the audit was completed in September 2018. In this phase, the audit team conducted interviews, process walkthroughs and examined relevant legislation, policies, procedures and results of previous audit work performed. The audit objective and criteria are available in Appendix A.

The examination phase, which concluded in January 2019, employed various auditing techniques including interviews, process walkthroughs, documentation reviews, file testing and data analysis. The audit team interviewed personnel within the ATIP Branch and Information Management personnel working in E, K, F, T, D, N and J Divisions. Upon completion of the examination phase, the audit team debriefed program management of the relevant findings.

Table 1 that follows provides a summary of the number and type of files tested during the audit. In order to ensure some geographical coverage of the population, to the extent possible, ATIP files were sampled proportionally based on the number of taskings each Division/Business Line received for each file type during the scope period. Other risk factors which were taken into account when sampling individual files included: the timeliness of file processing; the volume of information requiring review; and the number of taskings on each file.

Table 1: Summary of File Review Sample
File type 2016-2017 Sample size 2017-2018 Sample size Total
ATI requests 41 40 81
Privacy requests 40 39 79
Total 81 79 160

2.4 Statement of conformance

The audit engagement conforms to the Institute of Internal Auditors' International Professional Practices Framework and the Treasury Board of Canada Directive on Internal Audit, as supported by the results of the quality assurance and improvement program.

3. Audit findings

In relation to the Program's reported challenges, as highlighted in the background section, the audit assessed the RCMP ATIP management control framework and the Force's compliance to the ATI and Privacy Acts. In addition, the audit aimed to examine whether the Force has reviewed ATIP Program activities to identify opportunities to improve the effectiveness and efficiency of the Program within current resourcing levels and taking into consideration risks to the organization.

In order to conduct a detailed analysis of the Branch's initiatives, the audit expected to find a structured approach to the analysis of the current department-wide ATIP process which would include an assessment of risks and areas to improve effectiveness and efficiency. Resulting from the analysis the audit expected that the Branch would have prepared a formalized plan with detailed action items with corresponding timelines, milestones, and associated financial and human resource implications. Finally the plan would incorporate mechanisms to monitor the performance of initiatives and assess overall impacts to the effectiveness and efficiency to the process.

As noted later in section 3.3, the audit found that notwithstanding the analysis conducted to support the need for additional resources the Program did not have a structured approach to the analysis and implementation of its recent efficiency initiatives. In addition, also noted later in section 3.2, the audit team encountered limitations in analyzing transactions or "action" coding within the AccessPro Case Management (APCM) software as they are used inconsistently by individual ATIP Analysts.

3.1 ATIP Governance and Oversight

While the RCMP has a governance framework in place to support the ATIP Program, there is an opportunity to provide further guidance on the roles and responsibilities of ATIP Liaison Officers and all RCMP employees. In addition, oversight and monitoring could be improved through the introduction of a quality assurance program.

ATIP program objectives

Overall, ATIP program objectives were found to be defined, documented and clearly understood. The RCMP's ATIP program objectives emanate from both the Access to Information Act and the Privacy Act. The ATI Act sets out the legal requirements to provide individuals with access to government records and the circumstances under which access may be restricted. The Privacy Act establishes the requirements to protect the personal information of individuals while providing individuals the right to access to that information.

ATIP program objectives are communicated to all RCMP employees through the ATIP Branch Infoweb page as well as the RCMP Information Management Manual (Chapter 3.1). Interviews with ATIP Branch staff as well as ATIP Liaison Officers (LOs) confirmed that personnel understand the legislation governing the program and carry out their duties in alignment with program objectives.

In addition, the Branch has a number of mechanisms in place that provide opportunities to communicate and reinforce ATIP program objectives, specifically: weekly bilateral meetings between the ATIP Director and Chief Strategic Policy and Planning Officer (CSPPO); quarterly ATIP Branch all staff meetings; bi-weekly management meetings; team meetings; and conferences with Divisional ATIP Liaison Officers.

Roles and responsibilities

A key aspect of good governance is the clear definition and communication of roles and responsibilities to help ensure program activities are carried out as intended. The audit expected to find that there would be mechanisms in place to ensure all RCMP employees are made aware of their roles and responsibilities with regard to the ATI and Privacy Acts. For example, employees should be aware of the accessibility of government records they work with as part of their day-to-day duties as well as their specific obligations when responding to formal ATIP requests.

Overall, as identified in further detail in the ensuing paragraphs, we found that employees at all levels within ATIP Branch understood their roles and responsibilities. However, we also found that opportunities exist to provide further guidance on roles and responsibilities to ATIP Liaison Officers and RCMP employees overall, in the administration of ATIP requests to help facilitate efficient and timely processing.

Administration of the ATI Act and Privacy Act has been delegated by the Minister of Public Safety to the Commissioner of the RCMP. Further delegation within the RCMP is done through the Chief Strategic Policy and Planning Officer and finally to the ATIP Coordinator.

The ATIP Coordinator is responsible for ensuring operational and administrative compliance with the ATI Act and Privacy Act, as well as associated regulations and guidelines. While the Branch is responsible for responding to formal ATIP requests, RCMP's compliance with the Acts remains an organization-wide responsibility for which all employees have a role to play. All RCMP employees are responsible for the information collected, used, retained, disposed of and disclosed during the course of their employment.

The ATIP Branch defines the roles and responsibilities of its staff in job descriptions and standard operating procedures. In general, based on audit interviews, employees at all levels within the ATIP Branch clearly understood their roles and responsibilities pertaining to processing ATIP requests and how they are aligned with program objectives. To further clarify roles and responsibilities among newer analysts, the ATIP Branch developed and implemented an intensive training program in 2017. This training targeted newer staff with limited ATIP experience to provide them with hands on experience with real ATIP requests in a training environment.

Outside of the ATIP Branch there is a network of ATIP LOs within RCMP Business Lines and Divisions who play a role coordinating requests between information holders and the ATIP Branch. Within the Divisions, LOs are Information Management staff while within NHQ Business Lines, LOs are generally Branch administrative employees. In both cases they support the ATIP process but do not have a direct reporting relationship to the ATIP Branch. We found that LOs within the Divisions and Business Lines do not have clearly defined roles and responsibilities that are formally documented and mutually agreed upon between the LOs themselves and the Branch. LOs interviewed felt that there were opportunities to improve the support, guidance, and direction they receive from the ATIP Branch, as the policy centre. Improved support and guidance to LOs could lead to increased consistency in the process. The ATIP Branch should also engage senior management within Divisions and NHQ Business Lines to facilitate the establishment of clear roles and responsibilities for LOs.

The audit found that while there is some guidance available to employees, it is limited. Sources of guidance include ATIP related information contained in the RCMP Information Management Manuals, general IM training, and the ATIP Branch's InfoWeb page which provides general information on the ATIP process. Employees who are not aware of their roles and responsibilities under ATIP will be less likely to be responsive to a request which could impact turnaround time and compliance with the Acts.

The ATIP Branch has acknowledged there is room for improvement with respect to increasing ATIP awareness among departmental staff and has made efforts to further inform employees as a possible way of improving compliance with Legislation and increasing the efficiency of the process. Recently, the Branch has been conducting information sessions specifically for employees within Divisions and Business Lines. During 2017/2018 the Branch conducted 43 sessions to 21 different groups, with approximately 1141 employees attending.

Monitoring and oversight

Regular monitoring and oversight practices are key to assessing performance of the ATIP function and identifying and managing opportunities and risks associated with processing ATIP requests in a timely and effective manner.

The audit expected to find that processes were in place to monitor ATIP activities to identify opportunities for improvement, and that performance information was being captured and used by management for decision-making. The audit also expected to find a quality assurance (QA) process to monitor compliance of activities and that complaints would be assessed by the program to inform process improvements.

At the senior management level, the Director of ATIP keeps the CSPPO apprised of program activities through recurring bi-weekly updates on key issues as well as providing the CSPPO basic point-in-time data from APCM (e.g. new requests, active complaints, and compliance rates) on a weekly basis. Although ATIP is not a standing agenda item at either the Senior Executive Committee or the National Integrated Operations Council (NIOC), the Branch presented a request for additional resources to the SEC Resourcing Sub-Committee (RSC) in February 2018 and briefed SEC on changes to pro-active disclosure associated with Bill C-58.

While the case management system is able to provide a number of statistical reports on program activity such as volumes, size of requests, timeliness of processing, we found no evidence that the ATIP Branch is using this information to manage performance and employee productivity (e.g. number of pages reviewed per day/analyst). In addition, it was reported that the Branch has limited ability to extract performance information from APCM aside from the standard built-in reports due to an internal lack of system knowledge, limited functionality of the APCM application, as well as a lack of vendor support. Weekly point-in-time reports outlining basic statistics are sent out to all staff within the Branch but it is unclear whether these weekly reports are used for decision making. Without a comprehensive approach to performance measurement, the Branch has limited information available to monitor the performance of its activities and inform decision making and resource allocation.

At the unit level, supervisory review is the key quality control process in place to provide assurance over the process. Supervisory review is required on all responses to ATI requests as per Branch procedures. However, we found that privacy requests are approved by Senior ATIP Analysts without having to undergo a secondary review by a supervisor. While the aim of this practice is to streamline the review process, it may increase the risk of errors in processing privacy requests which increases the risk of potential privacy breaches. The audit did not find evidence to indicate that the program had formally assessed the practice of limited supervisory review of Privacy requests to identify, and when appropriate, mitigate the risk of potential privacy breaches and non-compliance.

The audit found that there was no QA function operating within the ATIP Branch to monitor its activities. Management explained that a QA function had previously been setup in 2017 but due to an employee departure there was no such function in place during the examination phase of the audit. The Branch was relying on supervisory review as its singular QA activity and internal control for operational oversight.

The audit expected that the complaints filed against the RCMP with the Office of the Information Commissioner (OIC) and the Office of the Privacy Commissioner (OPC) would provide a valuable source of information for ATIP managers to review for monitoring compliance and opportunities for improvement. Formal complaints received by the ATIP Branch are processed and addressed in collaboration with the OIC/OPC, however, the audit did not find evidence that lessons learned from complaints are analyzed, formally documented, or utilized to inform improvements to the overall ATIP process. The Program would benefit from the re-introduction of a quality assurance function that includes an examination of complaints to inform process improvements and program compliance.

Annually, pursuant to the reporting requirements of both the ATI and Privacy Acts, the ATIP Branch must prepare an Annual Report for tabling in Parliament as well as Statistical Reports for Treasury Board Secretariat (TBS). It was reported that the preparation of these reports is labour intensive requiring several weeks of work by a Senior Analyst. Although TBS provides guidance for developing these reports, limited reporting functionality in APCM in addition to inconsistent user data input creates the need for the creation of ad-hoc reports and manual reconciliations. While the audit team reviewed the contents of the last two annual reports, it did not validate the accuracy of the information reported externally.

3.2 Policies, procedures, and related compliance

RCMP ATIP policies and procedures in place were found to be in alignment with Legislation and related TBS policies; however they should be reviewed and updated. The program is challenged in responding to ATIP requests within the legislated timeframe of 30 calendar days.

Departmental ATIP policies and procedures

The audit expected the Department to have established and clearly communicated policies and procedures to assist in the management of ATIP requests and help ensure consistency in the process. This included the expectation that such policies and procedures aligned with Treasury Board policy requirements as well as related Legislation.

Chapter 3 of the Departmental Information Management Manual contains the high level responsibilities of Departmental staff in relation to both the Access to Information Act and the Privacy Act. It was noted that the chapter was last amended in 2004 and some of the information contained within it was not up-to-date such as the requirement to calculate "search fees" which have not been applicable since 2016.

At the ATIP Branch level, internal reference material was found to be in place to facilitate the process, including: reference guides, standard operating procedures (SOP) and procedures. While a number of SOPs and procedures specifically related to the Intake function were found to have been recently updated by the Training Unit, interviewees generally felt that documented procedures were lacking or in need of update given the number of changes implemented to the process in the last few years.

In anticipation of Bill C-58 (proactive disclosure of briefing notes) obtaining Royal Assent, the Branch has developed an internal policy and created a working group to proactively manage the disclosure of briefing notes.

ATIP Branch management confirmed the need to update internal policies and procedures and explained that competing pressures had not allowed the Branch to dedicate resources specifically to the function of keeping internal reference materials up-to-date. While the Branch has a policy unit, its focus is primarily with supporting the Privacy Impact Assessment process.

Without access to up to date reference material, there is a greater likelihood of inconsistent and inefficient practices being performed across the Branch – which in turn increases the risk of errors, inefficiencies and complaints.

Compliance

To assess compliance to ATIP policies and procedures, a sample of 160 ATIP files was examined.

The audit team expected to find that the files contained documentation demonstrating compliance with applicable legislative, Treasury Board and departmental requirements. For example, the files should contain evidence that searches were carried out to obtain the requested information, required timelines were respected, and responses underwent supervisory review. The audit also expected to find adequate controls in place to support and monitor compliance.

Overall, the audit team's file testing identified that documentation was on file to support the operating effectiveness of management's key controls. However, the testing did identify some exceptions and room for improvement.

Results of audit testing on the sample of ATIP files indicated that there are significant challenges in meeting the legislated 30-day timeframe to respond to ATIP requests. Of the 160 files reviewed, only 30% were found to have been processed within the required timeframe, either the legislated 30 days or within the requested extension. The audit team was advised that compliance has been impacted due to a number of factors such as sending ATIP staff on training, staff turnover, and an increase in the volume of large requests which stems from the removal of search fees.

It was also explained by ATIP management that the current lack of a triage function as noted in section 3.3 of the report, negatively impacts compliance. Without a triage process in place, incoming requests are not assessed for complexity and required level of effort when received. Therefore, by the time it is noted that the request requires an extension, the deadline to request one has often already passed thereby impacting compliance and increasing the possibility of a complaint.

The audit team found that the ATIP Branch has supervisory review as a key control within the ATIP process which is functioning as intended. Audit testing confirmed that of the necessary supervisory review had been carried out prior to the release of the information package for 100% of the files reviewed.

The audit also identified a gap in the control process to document that information holders/offices of primary interest (OPIs) have made reasonable efforts to assist requestors as per the ATI and Privacy Acts. There is no mechanism in place to ensure management approved exemption recommendations are consistently received from OPIs in addition to providing the Branch assurance that all relevant records have been searched. This control gap was previously identified by the program and was discussed at the October 2017 national workshop with LOs. To mitigate the gap and improve OPI accountability, it was proposed to implement a form already developed by E Division. At the conclusion of the audit's examination phase, the audit team had not observed the implementation of this initiative.

Complaints

Complaints related to ATIP requests are administrated by either the Office of the Information Commissioner of Canada (OIC) or the Office of the Privacy Commissioner of Canada (OPC). The RCMP receives two main types of complaints from the OPC and OIC: administrative and refusal. Administrative complaints generally relate to delays in responding to requestors while refusal complaints relate to requesters disagreeing with the application of exemptions to refuse the disclosure of information. In the case of administrative complaints, the ATIP Branch's approach to addressing such complaints is to prioritize these requests. In the case of refusal related complaints, the OIC or OPC will investigate the veracity of the complaint and work with the RCMP to find a resolution.

The RCMP Annual Report to Parliament stated that during fiscal year 2017-2018, the RCMP received 357 new ATI complaints and a total of 283 complaints were closed by the OIC. Of the 283 closed complaints, 185 were determined to be well-founded (65%) by the OIC. The OIC stated in its 2017-18 annual report that the RCMP was the government institution with the most new complaints. In the last four years, an upward trend was noted as follows:

Table 2
Year 2014-15 2015-16 2016-17 2017-18
# of New Complaints 178 235 274 435

The RCMP Annual Report to Parliament stated during fiscal year 2017-2018, the RCMP received 232 new privacy complaints of which 167 resulted in investigations by the OPC. The OPC stated in its 2017-18 annual report that the RCMP was the government institution with the 2nd most complaints accepted. A generally upward trend in privacy complaints was noted as well:

Table 3
Year 2014-15 2015-16 2016-17 2017-18
# of New Complaints 140 120 160 232

Based on the increasing volume of ATIP complaints filed against the RCMP, the audit's assessment is that there is an opportunity for the Branch to improve compliance by analyzing complaints to assess whether there are any systemic causes for non-compliance beyond those related to resource challenges including training, tools, policy and monitoring.

Audit testing and analysis

In an effort to identify and assess bottlenecks and potential inefficiencies within the ATIP process, the audit team conducted analysis on the sample of 160 files. For each file, processing time was calculated for key steps in the process including waiting time between certain steps in the process. Table 4 identifies average results for the entire sample of files.

While the legislation requires requests to be processed within 30 calendar days (plus extensions where applicable), audit testing results based on the sample of files reviewed found the average calendar days to complete an ATI request to be 95.3 days and Privacy requests to be 80.7.

The audit team found that the majority of time spent within the process is concentrated in four areas: the time it takes to initiate taskings to OPIs; wait time for scanning; time to receive information from OPIs (Divisions and NHQ Business Lines); and the time taken by ATIP disclosure analysts to conduct their file review and apply exemptions under the respective Acts. Specifically:

Table 4
Average number of calendar days ATI Privacy
To initiate tasking to OPI 9 9
Wait time for scanning 9 7
To receive all requested information (Note 1) 22 19
To complete analyst review 27 27

Note 1: For the files being reviewed, this was the total time it took to obtain all of the information necessary to respond to the request. Files can have more than one request/tasking and while for some files the taskings are done all at once (concurrently), for others they are done sequentially as the need for additional information is only discovered later during processing. The results were specifically calculated as the time between the date the initial request (tasking) for information was created and the date the information was received from the last request/tasking. It is to be noted that these results are not directly comparable to the results of the analysis of taskings referred to later in section 3.3 of the report which calculated the turnaround of individual requests.

Graph 1 provides a visual representation of the timeliness of key steps in the ATIP process and the magnitude of each step in relation to other steps.

Graph 1

Graph 1

Graph 1

Graph 1 - text version

A line graph illustrating the average amount of time required to complete key steps in the RCMP's ATIP process.

The horizontal axis represents the key steps in the RCMP's ATIP process in chronological sequence.

The vertical axis represents the average number of calendar days.

On average, to open a file, ATI requests take 3.4 days and privacy requests take 4.3 days.

On average, to initiate tasking to an OPI, ATI requests take 9.2 days and privacy requests take 9.8 days.

On average, to receive all requested information, ATI requests take 22.1 days and privacy requests take 19.1 days.

On average, waiting time for information to be scanned or imported is 9 days for ATI requests and 6.7 days for privacy requests.

On average, the time it takes to scan or import the information is .3 days for ATI requests and .4 days for privacy requests.

On average, for requests waiting to be reviewed by an analyst, ATI requests take 7.0 days and privacy requests take 5.9 days.

On average, for analysts to complete their review, ATI requests take 27.0 days and privacy requests take 27.5 days.

On average, to approve release packages, ATI requests take 3.8 days and privacy requests take 5.7 days.

On average, to send release packages to the requestor, ATI requests take 3.0 days and privacy requests take 1.4 days.

In order to further corroborate the analysis carried out on the audit sample, the audit team engaged IAER's Data Analytics group to perform additional analysis on the entire population of requests closed during the scope period. The analysis encountered limitations given the fact that transactions or "action" coding within APCM are used inconsistently by individual ATIP Analysts. Therefore, analysis of the aggregate population was only possible with respect to the early steps in the ATIP process where there was more consistent use of transactions. The results of the analysis indicated the following: the average time to open a file is 4.8 days; the average time it takes to receive requested information from OPIs is 12.6 days; and the average time it takes to scan a request is 1 day.

The audit team`s data analysis of the time it takes to receive requested information from OPIs was found to correlate to the results of the analysis conducted by the ATIP Branch on the 5000 taskings referred to in section 3.3 of the report. Table 5 below illustrates the percentage of information requests to OPIs which are completed within the 5 day internal service standard set by the Branch and those which take longer than 30 days.

Table 5
OPI response time Data analytics ATIP branch analysis
≤ 5 days 46% 52%
> 30 days 8% 7%

3.3 ATIP Branch process enhancements

While some analysis of the ATIP process and tools have been undertaken by the ATIP Branch, the Branch would benefit from the development of a formal plan to manage the implementation of process improvement initiatives which integrates HR planning and mechanisms to measure successful implementation.

As previously identified, the ATIP Branch has reported a number of challenges facing operations such as an increasing trend in the volume and complexity of ATIP requests, poor compliance, an increase in complaints, and limited resource capacity. In light of these concerns, the audit expected that consideration would be given by management to identifying opportunities for increased effectiveness and efficiency within current resourcing levels.

Specifically, the audit expected to find a structured approach to the analysis of the current department-wide ATIP process which would include an assessment of risks and areas to improve effectiveness and efficiency. Resulting from the analysis would be a formalized plan with detailed action items with corresponding timelines, milestones, and associated financial and human resource implications. Finally the plan would incorporate mechanisms to monitor successful implementation of initiatives and assess overall impacts to the effectiveness and efficiency to the process.

Assessment of processes and tools

In 2017, the ATIP Branch recognized a need for additional capacity and prepared a business case for senior management, requesting additional funding. The ATIP Branch performed analysis on its current capacity and the amount of additional positions it would require to sustain the current workload. By comparing the current number of employees to the number required, it concluded that 61 additional FTEs were required. As a result of the business case, SEC approved $1M in funding in 2018-19 to hire 12 contractors in order to assist in processing the backlog of ATI and Privacy requests.

In 2018, the ATIP Branch leveraged the analysis previously performed in 2017 to inform the Departmental Review submission; requesting either 61 additional FTEs to address the current workload and mitigate future backlogs or 86 FTEs to manage the anticipated additional requirements of Bill C-58 (proactive disclosure of briefing notes). At the time of the audit, the results of the submission were still outstanding and it was not unknown whether additional funding would be allocated to the program.

In April 2018, the program conducted analysis of approximately 5,000 information taskings from ATIP requests in the 2017-18 fiscal year in order to assess turnaround time by Divisions and Business lines to identify possible bottlenecks. The audit team reviewed the results of this analysis and determined that approximately 52% of taskings were responded to within the allocated time frame (5 days or less) and 7% were responded to after 30 days. The audit did not find evidence that similar analysis had been carried out on other steps in the process. Additional analysis of other steps in the process would be useful in aiding management to identify specific problem areas as well as to inform resource allocation.

With respect to the assessment of its tools, the ATIP Branch developed a business case in 2017 to obtain approval to purchase and acquire a new ATIP software solution to address technical challenges with the current software, APCM. At the time of the audit, this initiative had been overtaken by the Treasury Board's plan to procure a government wide ATIP software platform which is expected to be available in 2019-2020.

The Branch has also solicited input from other stakeholders and looked externally in an effort to promote continuous improvement. For example, in October 2017, the ATIP Branch hosted a national workshop in Ottawa with Business Line and Divisional ATIP Liaison Officers where input was sought into potential ATIP business process improvements. In addition, the ATIP Branch reported consulting with other ATIP Branches across Government in an effort to network and share best practices which could potentially inform its process improvement initiatives. During the course of the audit, the audit team did not observe the implementation of any initiatives resulting from this consultation.

The audit found that although the ATIP Branch has conducted some analysis of the process and tools, a more structured approach including additional analysis of program risks and the potential root cause of the areas with significant bottlenecks would be useful in identifying potential efficiencies and improving effectiveness.

Process improvement initiatives

The ATIP Branch has undertaken a number of initiatives with the aim of improving the effectiveness and efficiency of the ATIP process. In general, the implementation of initiatives appears to be reactive with limited documented analysis to support management's decision to pursue proposed initiatives. The audit team was unable to assess the effectiveness of the initiatives given the lack of evidence-based performance information. The ATIP Branch would benefit from the development of a formal plan to manage the implementation of process improvement initiatives and measure their success.

In February 2018, a number of active and planned initiatives were presented to SEC's Resource Sub-Committee (RSC) as "mitigation strategies" to be implemented by the Branch. The initiatives that follow include those mitigation strategies and others that were initiated or in place during the audit scope period April 1, 2016 to March 31, 2018. Given that several initiatives are at early stages of development, coupled with the fact that the program has not defined performance measures to assess and measure the outcome its process improvement initiatives the program and audit team are unable to assess their respective impacts.

Triage Unit

During the planning phase of the audit, a triage function had been introduced in order to assess the complexity of incoming requests, work on files with major delays, and to communicate with requestors with the aim of narrowing broad and ambiguous requests. However, during the examination phase of the audit this triage function was no longer active due to an employee departure.

Restructuring

Within the audit scope period, the ATIP Branch implemented a number of organizational changes, including the creation of separate scanning and training units and temporarily introduced a complaints team along with a triage and QA function.

Tools

We found that the ATIP Branch has been assessing ways of making better use of technology to further improve the efficiency of the process including acquiring a new ATIP software solution to address technical challenges with the current software (APCM). As noted earlier, this initiative has been overtaken by the Treasury Board Secretariat's plan to procure a government wide ATIP software platform which is expected to be available in 2019-2020.

Another recent technology improvement initiative is the Branch's procurement of high speed scanners to increase the efficiency and capacity within the scanning unit.

Training unit

The audit team observed that ATIP management created a Training Unit in 2017 with the aim of having an in-house training program to address the training needs of new staff and knowledge gaps of existing employees within the ATIP Branch. The unit has since developed and delivered structured training to staff including the following: One Month Training Course for Intake Analysts; Three Month Training Course for Disclosure Analysts; Ad-hoc Training Sessions for specific disclosure topics; and ATIP Information Sessions delivered in-person to Business Lines and Divisions.

Other initiatives

In October 2017, as a result of analysis conducted by the ATIP Branch, the Chief Human Resources Officer (CHRO) issued a directive whereby Regular Members (RMs) could informally request their employment and medical records through their Divisional Career and Development Resourcing Offices or Health Services Offices instead of submitting a Privacy request for those records. In an effort to reduce the volume of Privacy requests to be processed, the Branch has since been contacting members with ATIP requests for such personal records that have not yet been completed and advising them of this alternative option available to them. The ATIP Branch has reported that this initiative has reduced the number of medical files waiting to be processed.

In summary, while the ATIP Branch has undertaken a number of initiatives with the aim to improve the effectiveness and efficiency of the ATIP process, these initiatives are not supported by documented analysis or mechanisms to assess performance. Accordingly, the ATIP Branch would benefit from the development of a formal plan to manage the implementation of process improvement initiatives and measure their success.

Human resources planning

Human Resource (HR) Planning is an essential process that facilitates the identification of current and future HR needs in support of meeting organizational objectives. The audit team expected to find evidence of a formal HR plan or strategy.

While no formal HR plan was found to exist, the ATIP Branch has undertaken a number of independent human resource initiatives including: staffing, employee retention initiatives, training and as previously mentioned the hiring of consultants.

Since 2017, the ATIP Branch has engaged the RCMP NHQ Human Resources Organization & Classification unit to obtain advice on updating ATIP related job descriptions and their organizational structure. In anticipation of a potential increase in FTEs, the Branch wanted to ensure it would be in a position to act expediently should it receive additional funding (i.e. clone positions). The consultations with RCMP HR on this initiative have been ongoing.

In February 2018, the Branch reported to SEC's RSC that it had experienced 65% turnover over the last 3 years and that ongoing staffing processes were conducted on a continual basis to keep up with turnover. It was reported that over 150 staffing actions had been completed in 2017 within the Branch. In order to improve employee retention, Branch management has made efforts to improve morale within the Branch. For example, the Branch has permitted disclosure analysts to work from home up to 1 day per week; it has also held team building activities; and holds quarterly "Town Hall" style all-staff meetings to increase communication and assist in team building within the Branch.

The audit team found that the Branch's HR initiatives are independent of its other process improvement initiatives and lack integration. The ATIP Branch would benefit from the development of a formal human resources strategy and detailed plan coordinated with its various change initiatives which have human resources implications. Establishing a HR plan would allow for alignment of priorities and facilitate appropriate allocation of available human resources.

4. Conclusion

While the RCMP ATIP Branch has been experiencing challenges in meeting the ATI and Privacy Act 30 day legislative requirement to respond to requests with its current resource allocation, the audit found that a governance framework is in place to support the ATIP Program with clearly defined and communicated roles and responsibilities within the ATIP Branch. There is an opportunity to provide further guidance on the role and responsibility of Liaison Officers and RCMP employees overall, and to update RCMP ATIP policy and guidance documentation to reflect legislative and process changes. Updates to policy and guidance documentation should include the Branch assessing its practice of limited supervisory review of Privacy requests to identify, and when appropriate, mitigate the risk of potential privacy breaches and non-compliance.

In addition, the ATIP Branch would benefit from additional analysis and the development of a formal plan, inclusive of a HR strategy, to manage the implementation of process improvement initiatives and measure their outcomes.

The ATIP Program would benefit from a quality assurance function that includes an examination of complaints and their root cause to inform process improvements and program compliance.

5. Recommendations

  1. The Chief Strategic Policy and Planning Officer should ensure that RCMP ATIP policy and guidance documentation is updated to reflect legislative and process changes as well as provide further guidance on the role and responsibility of Liaison Officers and RCMP employees overall.
  2. The Chief Strategic Policy and Planning Officer should ensure that a formal plan is developed to manage the implementation of process improvement initiatives. This plan should include performance metrics that both measure the success of process improvements and establish performance expectations for ongoing program oversight and monitoring as well as timelines and milestones.
  3. The Chief Strategic Policy and Planning Officer should ensure that a formal human resources strategy and detailed plan is developed to coordinate the ATIP Branch's various human resources initiatives.
  4. The Chief Strategic Policy and Planning Officer should ensure that the ATIP Program develops a quality assurance function that includes an examination of complaints as well as root cause analysis to inform process improvements and program compliance.

Appendix A – Audit objective and criteria

Objective: to determine whether a management control framework for the RCMP's ATIP program is in place and working as intended.

Criterion 1: The governance framework includes clear roles and responsibilities and oversight mechanisms to enable the achievement of the program's objectives and intended results.

Criterion 2: RCMP policies and procedures are aligned with the Access to Information Act, Privacy Act, TB policies and directives, and are consistently applied across the organization.

Criterion 3: Departmental ATIP processes including HR planning, training, and the use of tools, have been reviewed to identify opportunities to improve the effectiveness and efficiency of the process while considering the risks to the organization.

Appendix B - Detailed management action plans

Recommendation Management action plan
  1. The Chief Strategic Policy and Planning Officer should ensure that RCMP ATIP policy and guidance documentation is updated to reflect legislative and process changes as well as provide further guidance on the role and responsibility of Liaison Officers and RCMP employees overall.

Agree.
The ATIP Branch recognizes that its current policies need to be updated to reflect current practices, and need to be aligned with legislation, such as the passage of Bill C-58, and government wide Treasury Board Secretariat (TBS) policies, directives and guidelines. Further, as TBS provides new guidance, implementation notices and directives, it is imperative that the implications to the organization be communicated. ATIP Branch will conduct a thorough review of its existing policies and conduct a formal gap analysis initiative, identifying key stakeholders that are implicated in any change requirement. Following the review and gap analysis, current policies will be updated, and new policies will be drafted and implemented based on the review.

The time frame associated to complete this initiative could be amended should additional funding for extra resources to address this gap be provided.

Completion Date: November 2021
Position Responsible: Director, ATIP Branch

The ATIP Branch has identified and recognizes the need to provide RCMP employees education and training on their roles and responsibilities vis a vis the Access to Information and Privacy Acts. Although face to face training with employees have been undertaken, it is not the most efficient methodology.

ATIP Branch will work with Learning and Development Branch to develop an online training course through the Agora platform that will provide an overview of the Acts, how those Acts apply to the RCMP, employee responsibilities, and what is required of employees when an ATIP request is received. Efforts will be made to engage senior management support to make this course mandatory for all employees as this is a federally mandated requirement.

ATIP Branch will also develop training tools and clear Standardized Guidelines for its Liaison Officers in the various business lines and Divisions. ATIP Branch will also develop a communication strategy to ensure that modifications to processes are efficiently communicated, with a clear monitoring regime to ensure compliance with new directions.

The ATIP Branch will also proceed with updates to its webpage for the information of RCMP employees and the general public.

This initiative has interdependencies with the Learning and Development (L&D) Program of the RCMP. L&D have certain organizational priorities that may trump this initiative and may have funding implications.

Completion Date: Standardized Guidelines June 2020
Completion Date: Implementation of Guidelines December 2020
Completion Date: Agora Learning Tool May 2021

Position Responsible: Director, ATIP Branch
  1. The Chief Strategic Policy and Planning Officer should ensure that a formal plan is developed to manage the implementation of process improvement initiatives. This plan should include performance metrics that both measure the success of process improvements and establish performance expectations for ongoing program oversight and monitoring as well as timelines and milestones.

Agree.
The ATIP Branch will proceed with a strategic program review on business process improvement. This review will inform the initiatives that the Branch will undertake in the following year.

This initiative would benefit from additional funding and resources. The timeline may be affected by interdependencies related to other units within the RCMP.

Completion Date: December 2020

Position Responsible: Director, ATIP Branch

ATIP program initiatives will be aligned with the strategic outcomes of the program review and it is anticipated that increased efficiencies within current resource levels will be paramount. To that end, formal plans will be developed to align with TBS' ATIP Online Request Service (AORS) Onboarding Project. ATIP Branch will develop a project plan that will outline the critical path, objectives, deliverables, milestones, performance metrics and measures, to ensure successful integration. An ongoing monitoring requirement will be reflected in the project plan.

This initiative and its release date is dependent on Treasury Board Secretariat's implementation plan. Additionally, RCMP ATIP's employees will require some additional training for this new project.

Completion Date: AORS Integration: September 2020

Position Responsible: Director, ATIP Branch
  1. The Chief Strategic Policy and Planning Officer should ensure that a formal human resources strategy and detailed plan is developed to coordinate the ATIP Branch's various human resources initiatives.

Agree.
The ATIP Branch recognizes the need for a formal Human Resource (HR) Strategy to address its various HR needs. This strategy will require the assistance of various areas of the internal services of the RCMP such as Organization and Classification, Staffing, Departmental Security Branch, etc.

A full review of upcoming pressures, forecasted retirements, succession planning, and normalizing of positions, will be conducted in the first instance. ATIP Branch, with the assistance of HR Staffing, will partner with other government departments to conduct ATIP-specific collective staffing actions, which should allow greater flexibility to draw from larger talent pools, with access to various groups and levels.

The HR plan will be adjusted following the completion and approval of the Strategic Program Review.

Completion Date: May 2021

Position Responsible: Director , RCMP ATIP Branch
  1. The Chief Strategic Policy and Planning Officer should ensure that the ATIP Program develops a quality assurance function that includes an examination of complaints as well as root cause analysis to inform process improvements and program compliance.

Agree.
The ATIP Branch has identified the need for a dedicated position focusing on quality assurance within the ATIP Branch. This position will focus on a Unit Level Quality Assurance Review (ULQAR), of a variety of areas within ATIP. These responsibilities will include the setting of service level standards for each section within the Branch. Further, the position will conduct a review of disclosure files, focusing on the level of quality, compliance with legislation, and potential breaches.

ATIP Branch will continue to work with Organization and Classification Branch to develop a Quality Control Manager work description and position on the Organizational Chart. This effort will form part of the ATIP HR Strategy.

These initiatives would benefit from additional funding and resources. As well, the strategic program review of ATIP, will influence that HR strategy. The timeline can be affected by other units within the RCMP, ie: Staffing, Organization and Classification, Departmental Security, Property Management

Completion Date: Quality Control/System Administrator Manager work description submission to Organization and Classification March 2020

Staffing of QCM/System Administrator position: June 2021

Position Responsible: Director, RCMP ATIP Branch
Top of page
Date modified: