Ministry of Government and Consumer Services. ServiceOntario. Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report

Similar documents
MNsure Privacy Program Strategic Plan FY

Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report. Status of Actions Recommended # of Actions Recommended

Community Development and Recreation Committee

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

SUBJECT: PRESTO operating agreement renewal update. Committee of the Whole. Transit Department. Recommendation: Purpose: Page 1 of Report TR-01-17

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Ouachita Baptist University. Identity Theft Policy and Program

Audit and Compliance Committee - Agenda

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

in a National Service Delivery Model 3 rd Annual Privacy, Access and Security Congress October 4, 2012

12 Approval of a New PRESTO Agreement Between York Region and Metrolinx

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

Rules for LNE Certification of Management Systems

Follow-up to Information Technology Security Audit

INFORMATION SECURITY AND RISK POLICY

Client Services Procedure Manual

GAO INFORMATION SECURITY. Veterans Affairs Needs to Address Long-Standing Weaknesses

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

Adopter s Site Support Guide

Auditor General's Office

Red Flags/Identity Theft Prevention Policy: Purpose

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Physical Security Reliability Standard Implementation

New Graduate Guide to the Online Application Process

JOURNAL #5 - June 2018

Government of Ontario IT Standard (GO ITS) GO-ITS Number 56.3 Information Modeling Standard

Provider Monitoring Report. City and Guilds

Office of Inspector General Office of Professional Practice Services

Municipal Law Enforcement Officer Certified-M.L.E.O. (c) Certification Application Guide

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Continuing Care Reporting System Data Submission User Manual,

Financial Planning Standards Council 2016 ENFORCEMENT AND DISCIPLINARY REVIEW REPORT

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Client Registry. Privacy Impact Assessment Summary

City of Toronto Accessibility Design Guidelines 2015

[Utility Name] Identity Theft Prevention Program

Request for Qualifications for Audit Services March 25, 2015

Action Plan Developed by. Institute of Certified Public Accountants of Uganda BACKGROUND NOTE ON ACTION PLANS

Resolution: Advancing the National Preparedness for Cyber Security

Public Safety Canada. Audit of the Business Continuity Planning Program

Upcoming PIPEDA Changes What is changing and what to do about it

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

Municipal Law Enforcement Officer Certified-M.L.E.O. (c) Certification Application Guide Program Features

History of NERC December 2012

Audit Report. Chartered Management Institute (CMI)

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Provider Monitoring Process

IATF Transition Strategy Presenter: Cherie Reiche, IAOB

ERO Enterprise Strategic Planning Redesign

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

MINING LANDS ADMINISTRATION SYSTEM (MLAS) STAGE 1 CLIENT ENROLMENT USER GUIDE

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

The Smart Campaign: Introducing Certification

Data Use and Reciprocal Support Agreement (DURSA) Overview

Chapter 35 ehealth Saskatchewan Sharing Patient Data 1.0 MAIN POINTS

Section I. GENERAL PROVISIONS

BCS, Professional Certifications

Minimum Requirements For The Operation of Management System Certification Bodies

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Government of Ontario IT Standard (GO ITS)

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Office of the City Auditor 2014 Third Quarter Activity Report November 25, 2014

RULES OF TENNESSEE STATE BOARD OF EQUALIZATION CHAPTER ASSESSMENT CERTIFICATION AND EDUCATION PROGRAM TABLE OF CONTENTS

Earthquake Preparedness

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

History of NERC August 2013

Analysis/Intelligence: Data Model - Configuration

ARRA State & Local Energy Assurance Planning & Implementation

Standard CIP Cyber Security Critical Cyber Asset Identification

IDENTITY THEFT PREVENTION Policy Statement

Red Flag Policy and Identity Theft Prevention Program

Grid Security Policy

Standard CIP Cyber Security Critical Cyber Asset Identification

Hong Kong s Personal Data (Privacy) Ordinance

JEAS-Accredited Environmental Assessor Qualification Scheme

ALABAMA STATE BOARD OF PUBLIC ACCOUNTANCY ADMINISTRATIVE CODE

Data Processing Agreement

DATE: April 8, 2013 REPORT NO. CD TYPE OF REPORT CONSENT ITEM [ ] ITEM FOR CONSIDERATION [ X ]

SECURITY & PRIVACY DOCUMENTATION

IATF Transition Strategy Presenter: Mrs. Michelle Maxwell, IAOB

VETDATA PRIVACY POLICY

Red Flags Program. Purpose

BACKGROUND NOTE ON ACTION PLANS

PUBLIC WORKS INTEGRATED PEST MANAGEMENT (IPM) CERTIFICATION PROGRAM (Ontario)

Response to Wood Buffalo Wildfire KPMG Report. Alberta Municipal Affairs

EARLY CARE AND EDUCATION PROVIDER S MEETING

Office of Consumer Information and Insurance Oversight. State Planning and Establishment Grants for the Affordable Care Act s Exchanges

NALA Certifying Board Announces New Exam Specifications Effective with 2018 Administrations

Security and Privacy Governance Program Guidelines

Canadian Anti-Spam Legislation (CASL)

Continuing Professional Education Policy

ENMAX Generation Portfolio Inc.

ERO Compliance Enforcement Authority Staff Training

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

Identity Theft Prevention Program. Effective beginning August 1, 2009

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Shaw Privacy Policy. 1- Our commitment to you

Transcription:

Chapter 3 Section 3.06 Ministry of Government and Consumer Services ServiceOntario Standing Committee on Public Accounts Follow-Up on Section 4.09, 2015 Annual Report In March 2016, the Committee held a public hearing on our 2015 follow-up to our 2013 audit of ServiceOntario. The Committee tabled a report on this hearing in the Legislature in June 2016. The full report can be found at www.auditor. on.ca/en/content/standingcommittee/ standingcommittee.html. The Committee made five recommendations and asked the Ministry of Government and Consumer Services (Ministry) to report back by early October 2016. The Ministry formally responded to the Committee on September 26, 2016. A number of the issues raised by the Committee were similar to the audit observations in our 2013 audit and 2015 follow-up. The status of each of the Committee s recommended actions is shown in Figure 1. We conducted assurance work between April 1, 2017, and July 4, 2017, and obtained written representation from the Ministry that on September 1, 2017, it has provided us with a complete update of the status of the recommendations made by the Committee in its report. Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report Prepared by the Office of the Auditor General of Ontario Status of Actions Recommended # of Actions Recommended Fully Implemented In Process of Being Implemented Little or No Progress Will Not Be Implemented Recommendation 1 2 2 Recommendation 2 1 1 Recommendation 3 2 1 1 Recommendation 4 1 1 Recommendation 5 1 1 Total 7 3 3 0 1 % 100 43 43 0 14 Overall Conclusion According to the information the Ministry and ServiceOntario provided to us, as of July 4, 2017, about 43% of the Committee s recommendations had been fully implemented and about 43% of the recommendations were in the process of being implemented. ServiceOntario will not be implementing one recommendation. For example, ServiceOntario had fully implemented recommendations relating to providing updates on accessible parking 258

ServiceOntario 259 permits and actions taken as a result of high-risk privacy breaches. As well, ServiceOntario was in the process of implementing recommendations relating to areas such as improving uptake of online services and providing a business case for a single digital identity. However, ServiceOntario is not planning to implement any interim measures that permit the sharing of address-change information between multiple programs. Detailed Status of Recommendations Figure 2 shows the recommendations and the status of each based on responses from the Ministry and our review of the information provided. Figure 2: s and Detailed Status of Actions Taken Prepared by the Office of the Auditor General of Ontario Recommendation 1 ServiceOntario continue to examine ways to improve uptake of online services while balancing the accessibility of services for Ontarians, and provide the Committee with an update on online service usage. Status: In the process of being implemented by March 2018. ServiceOntario actions and plans to further grow uptake in the future include: the introduction in October 2016 of a simplified email reminder system for vehicle plate-sticker renewal notices, accompanied by a six-week social-media advertising campaign launched in January 2017, leading to 18,500 clients registering for email reminders by mid-may 2017; plans to offer email reminders for driver s licence renewals starting in September 2017; simplification in November 2016 of the paper-based vehicle licence-plate-sticker renewal notice, which led to a 40% increase in online sticker renewals in the four months from January to April 2017, compared to the same four months of 2016; updating the online Service Finder (previously called Service Location Finder) in February 2017, which makes it easier for people to learn about ServiceOntario s online services; updating the Integrated Address Change function in March 2017 to improve the online verification process, which makes it simpler for users to simultaneously change their address on both their driver s licence and health card; and plans to increase awareness of ServiceOntario online offerings through public campaigns, including promotion of the 4-in-1 baby bundle (birth registration, birth certificate, social insurance number, Canada and Ontario child benefits) in 2017/18, and implementation of online photo-health-card renewals by March 2018. Some of the above improvements slightly increased the uptake of online services in 2016/17, with driver and vehicle services rising to almost 17% and health services to 13%. In 2015/16,14% of driver and vehicle services were completed online and 12% of health services. ServiceOntario indicated that it will continue to ensure its services are broadly accessible to all segments of the population. It also plans to work closely with Ontario s Chief Digital Officer, appointed in March 2017, to improve existing online services.

260 ServiceOntario should provide the Committee with a three-year plan detailing further changes it plans to make to increase the public s use of online transactions and new targets for online transactions, while maintaining equity of access to services for those without Internet access or who require in-person assistance. ServiceOntario should report back to the Committee at the end of the three-year period. Status: In the process of being implemented by March 2019. ServiceOntario s September 2016 response to the Committee included a three-year plan ending in March 2019 to increase uptake of online services. The plan was to focus on driver, vehicle, and health services. These three services account for over 70% of transaction volumes and so present maximum opportunity to increase online uptake by making clients more aware of them, and making the services more user-friendly. According to ServiceOntario, online service uptake is projected to be at least 35% of all services by the end of fiscal 2018/19, up from 31% in fiscal 2015/16. Recommendation 2 ServiceOntario provide an update on what impact the new accessible parking permit policy and permit design have had on improving the permit- issuing process and identifying abusers of the permit system. Status: Fully implemented. ServiceOntario s actions to improve controls over accessible parking permits included: implementation of a new process in January 2016 that requires clients to show identification to prove their legal name, date of birth and signature, to help reduce the risk of multiple permits issued for one person; improved permit security through various new design elements, including machine-readable barcodes intended to reduce the risk of forgeries; development of an Accessible Parking Permit Municipal Enforcement Guidebook in January 2016 to guide bylaw enforcement officers on the permit seizure process; collaboration with municipalities, which enforce accessible parking- permitrelated bylaws, to identify the most appropriate ways to track permit seizures (enforcement officers seized 1,347 permits in 2016, up 31% from 1,030 in 2015); improved timeliness of permit cancellations for deceased individuals, achieved by monthly cross-checks with other provincial agencies, that led to 12,789 such cancellations in 2016, up from 9,957 in 2015; and formalized processes for escalating suspected fraudulent cases to ServiceOntario s internal Risk Management Unit.

ServiceOntario 261 Recommendation 3 ServiceOntario provide the Committee with a timetable for preparing a comprehensive business case for an integrated smart card (or similar alternative) that includes implementation costs; the ministries and services that could participate in an integrated smart card; operational and cost savings that ministries would achieve; strategies to mitigate privacy concerns; and an implementation plan. Status: Fully implemented. The business case should also include research on lessons learned by other jurisdictions that have already implemented an integrated smart card. ServiceOntario should provide the Committee with this business case when it is completed. Status: In the process of being implemented by November 2018. As part of the September 2016 response to the Committee, ServiceOntario concluded that a single digital identity that includes smart card integration would be more beneficial to Ontario. In January 2017, ServiceOntario had discussions with Treasury Board Secretariat, ehealth Ontario, and the ministries of Health and Long-Term Care, Transportation, Finance, and Community and Social Services. ServiceOntario and these organizations plan to build a business case for a single digital identity focusing on privacy-friendly design, security, efficiencies that will result in cost savings for ministries and an implementation roadmap. ServiceOntario cautions that the complexity of this initiative means the single digital identity business case and policy framework depend on significant co-operation by several provincial and federal government organizations. A phased approach will be taken, and timelines may be adjusted based on the needs of partners. The timelines for the business case have already been delayed by over a year from the initial projections submitted to the Committee in September 2016 due to these challenges. In late July 2017, ServiceOntario submitted and received government approval for a policy framework that will provide the basis for the single digital identity business case. Following Cabinet s approval of the single digital identity policy framework, ServiceOntario has committed to providing Cabinet with a comprehensive business case by November 2018. The comprehensive digital identity business case will include: lessons learned by other jurisdictions on similar initiatives; implementation options; projected costs and savings; implementation strategy; and policy, legislative and regulatory changes required to implement the digital identity program in Ontario.

262 Recommendation 4 ServiceOntario should provide the Committee with a summary of the number and types of privacy breaches that have occurred with respect to ServiceOntario operations over the last three years, the action(s) taken as a result of breaches considered to be high-risk, and any initiatives planned to mitigate future privacy breaches. Status: Fully implemented. ServiceOntario defines a minor privacy breach as one which occurs through inadvertent or unintentional errors, and in which fewer than 10 personal information records are accessed by or exposed to individuals who should not have access to them. A major privacy breach is defined as one in which 10 or more personal information records are accessed, or where the breach occurred as a result of intentional wrongdoing by ministry staff or operators of ServiceOntario locations. In addition, ServiceOntario may classify an incident as a major breach if the personal information involved is particularly sensitive, or if other factors increase risk. In the three years between 2013 and 2015, there were a total of 25 major and 1,189 minor privacy breaches. ServiceOntario and the Ministry s Privacy Office review and classify all privacy breaches as minor or major, and recommend improvements aimed at preventing future breaches. Actions taken to prevent future major breaches include: annual training in Standards of Conduct and Ethics, and in privacy and security, introduced in 2015 for all front-line and production staff; updates to ServiceOntario privacy guidance, with additional specific examples of improper access; privacy training for ServiceOntario s managers of vital events (for example, births, marriages, and deaths) in September 2016; new and revised privacy and security policies delivered to all vital events staff, and Vital Statistics Act Oaths of Secrecy re-administered in October 2015; privacy and security refresher training provided to ServiceOntario s Thunder Bay vital events staff in 2015, and Toronto/Ottawa vital events staff in 2016; refresher privacy training delivered by the Ministry s Privacy Office to about half of ServiceOntario contact-centre staff, with remaining staff to receive training by December 2017; development of an audit framework for ServiceOntario s vital event activities, currently undergoing validation review by the Ontario Internal Audit Division, to identify unauthorized access; and updated Privacy Guidance and Documentation, with ministry-wide distribution planned for March 2018. Systems and Security ServiceOntario and the Ministry s Privacy Office have worked with the Ministry of Transportation to improve the usability and functionality of logging and audit tools in the Ministry of Transportation s Licensing and Control System. These logs and tools detect and investigate privacy breaches involving inappropriate access to the Ministry of Transportation information systems by ServiceOntario staff an area where privacy breaches have occurred in the past. Mailroom, Print and Distribution ServiceOntario requested the Ontario Internal Audit Division to conduct a full review of the process of logging and reconciling returned and cancelled items, including OHIP cards and Ontario photo cards. The review was completed in January 2017 and recommendations for improvement, including a new policy manual, are to be implemented by March 2018.

ServiceOntario 263 Recent Major Privacy Breach Subsequent to ServiceOntario s September 2016 response to the Committee, a major privacy breach occurred in April 2017 involving about 2,000 children s health-card renewal notices. Each of these notices, produced by ServiceOntario and mailed to clients, contained the personal information of another child on the reverse side. The personal information included the children s name, health card number (without version code), residential and/or mailing addresses and date of birth. In May 2017, to reduce the risk of future incidents, ServiceOntario changed all renewal notices. The changes included printing only minimal personal information, and only on one side of the notices rather than on both. Recommendation 5 As an interim measure until an integrated smart-card initiative is further developed, ServiceOntario should provide the Committee with an action plan and timetable for introducing new measures that would permit the sharing of address-change information between multiple programs. Status: Will not be implemented. ServiceOntario is not considering any measures in the interim, while the single digital identity is further developed, that would permit the sharing of addresschange information between multiple programs.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback