This Web page has been archived on the Web.
2003 September Report of the Auditor General of Canada Report on the Office of the Privacy Commissioner of Canada
2003 September Report of the Auditor General of Canada
Report on the Office of the Privacy Commissioner of Canada
8—Analysis of international meal and refreshment expenditures of the former Commissioner and the Senior Director General
9—International travel by the former Commissioner and the Senior Director General—September 2000 to March 2003
1. We found that the former Privacy Commissioner abdicated his responsibilities as a deputy head to ensure the proper administration of the Office of the Privacy Commissioner.
2. We found an environment of fear and arbitrariness in the Office of the Privacy Commissioner that led to a major breakdown of controls over financial management, human resources management, contracting, and travel and hospitality. The effect of this breakdown was a climate that allowed the abuse of the public treasury for the benefit of the former Commissioner and a few senior executives.
3. At the Office of the Privacy Commissioner, many senior executives (willingly or by omission) turned a blind eye to breaches of law and policy and to other problems in such areas as staffing, financial management, contracting, and travel and hospitality. To varying degrees, executives failed to discharge their duties in accordance with such public service values as fairness, integrity, and impartiality.
4. We found that the former Commissioner repeatedly abused his discretion, in that he often failed to exercise sound and reasonable judgment. For example, he spent public money on travel and hospitality unreasonably and extravagantly, without regard to prudence and probity. We found little value to the Office of the Privacy Commissioner and to taxpayers for expenditures on hospitality and international travel. We also found that the former Commissioner abused his discretion in the areas of job classification and compensation.
5. Significant financial and human costs were incurred as a result of a poisoned work environment. The internal governance mechanisms in the Office of the Privacy Commissioner and oversight mechanisms of central agencies—the Treasury Board Secretariat and the Public Service Commission—were insufficient or, in the case of central agencies, not used to either prevent abuse and wrongdoing or deal with them when they occurred. Few employees reported the abuse and wrongdoing because they believed that they had no way to express their concerns without fear of reprisal.
6. In our view, these conditions have seriously impaired the ability of the Office of the Privacy Commissioner to function. A great deal of rebuilding is needed to restore its management capabilities. The present situation is cause for concern, given that parliamentarians provided the Office of the Privacy Commissioner with powers in an area of critical importance—assisting Parliament in protecting and preserving the privacy rights of Canadians.
7. In spring 2003, the House of Commons Standing Committee on Government Operations and Estimates held a series of hearings to examine the Estimates of the Office of the Privacy Commissioner of Canada.
8. As a result of those hearings, in June 2003 the Committee asked the Auditor General of Canada to audit the Office of the Privacy Commissioner and "determine if all financial accounts have been faithfully and properly maintained and . . . public money has been fully accounted for." The Committee also asked the Auditor General to review travel and hospitality expenses, executive staffing, hiring practices, and a lump sum payment to an executive upon retirement.
9. In her letter dated 20 June 2003, the Auditor General agreed to the Committee's request.
A servant of Parliament
10. Parliament created the Office of the Privacy Commissioner of Canada and other offices as servants of Parliament to provide it with information and advice, among other services. The other servants or officers of Parliament are the Auditor General, the Commissioner of Official Languages, the Chief Electoral Officer, and the Information Commissioner.
11. All of these offices are unlike typical departments and agencies in that they are accorded a considerable degree of independence from government oversight, as set out in A Guide Book for Heads of Agencies. In our opinion, they owe a corresponding degree of care to faithfully and honestly carry out their mandates. Agency heads serve as the organization's chief executive officer and as such are responsible for the conduct of the organization and its effective functioning. This expectation reflects not only their autonomy to carry out their mandates but also Parliament's trust in them as its officers.
12. The Office of the Privacy Commissioner of Canada is meant to be an advocate for the privacy rights of Canadians. Exhibit 1 describes its organization at the time of the former Commissioner's resignation. The legislative mandate of the Commissioner is to
- investigate complaints and conduct audits under the Privacy Act and the Personal Information Protection and Electronics Document Act;
- publish information about the handling of personal information in the public and the private sectors;
- conduct research into privacy issues; and
- promote public awareness and understanding of privacy issues.
13. The Office of the Privacy Commissioner (OPC) had an annual budget of about $11 million and employed over 100 people in its most recent fiscal year. During that year, its approved spending limit was reduced by $230,000 as a result of the division of corporate services, which had been shared with the Office of the Information Commissioner.
14. The OPC is listed under schedule I.1 of the Financial Administration Act, which means it is to operate in accordance with
- the Financial Administration Act;
- the Public Service Staff Relations Act and the Public Service Employment Act;
- directives from the Receiver General of Canada; and
- applicable Treasury Board policies and guidelines.
Focus of the audit
15. Our audit focussed on whether the Office of the Privacy Commissioner had established and maintained adequate controls over its administration, financial and human resources management, contracting, and travel and hospitality practices. We also assessed whether its transactions complied with applicable government policies and directives. Our examination covered the period from September 2000 to June 2003.
16. Our audit included the tests and other audit procedures that we determined were appropriate to the scope of our work. We reviewed a sample of human resources files, contracts, travel and hospitality claims, and other financial records of the Office of the Privacy Commissioner. We interviewed the former Commissioner, executives, and key personnel of the OPC, including personnel who had left the organization. Our audit did not include assessing program delivery or the results of day-to-day operations.
Weaknesses in internal governance arrangements
17. We found weaknesses in the governance arrangements within the Office of the Privacy Commissioner. Other weaknesses in governance existed in central agencies (the Treasury Board Secretariat and the Public Service Commission), which we discuss in paragraphs 181 to 190.
Internal governance arrangements in the Office of the Privacy Commissioner were inadequate
18. All federal government organizations are obliged to establish effective arrangements for their internal governance—that is, for directing, overseeing, and managing their operations and accounting for the use of the resources entrusted to them. They are also responsible for reporting the results they achieve with the money they spend. In the broadest sense, internal governance arrangements should ensure that employees of an organization act ethically and in the best interests of Parliament and taxpayers. This includes the obligation to act faithfully and honestly in the course of their employment. Deputy heads of organizations are responsible for ensuring that these obligations are indeed fulfilled.
19. Our audit showed that the internal governance arrangements at the Office of the Privacy Commissioner were inadequate. We found that the former Commissioner did not discharge his duties as a deputy head to be sure that appropriate management practices had been established and were operating to ensure prudence and probity in the conduct of the operations of the Office. We noted that the internal oversight mechanisms for executives to monitor and ensure compliance with government policies and directives were not working in the areas of financial management, travel and hospitality, human resources management, and contracting—due in part to the former Commissioner's persistent override of existing control mechanisms and, according to some of his senior executives, of their advice with respect to applicable policies and directives.
20. Many executives were complicit in the breaking of rules. We also found evidence of a covering up of wrongdoing. Executives failed to discharge their duty to Parliament, to their organization, to central agencies, and to Canadians. Further, to varying degrees, all senior executives failed to discharge their obligations under the Financial Administration Act to report instances of financial wrongdoing and to deal with harassment in the workplace.
Human resources management issues
Legislation and policies were contravened
21. The report on the Office of the Privacy Commissioner issued in June 2003 by the Standing Committee on Government Operations and Estimates showed that the Committee had recognized many of the organization's problems in its management of human resources. Many OPC employees we interviewed as part of our audit recounted practices in human resources management that broke many of the rules intended to promote fairness and transparency in the treatment of employees, including the rules for hiring and promoting.
22. We found that most aspects of human resources management in the Office of the Privacy Commissioner showed an utter disregard for the legislation and regulations that govern the hiring of staff, the classification of their positions (which affects the salaries they earn), labour relations, and performance awards. Most executives and a number of employees benefited from breaches of policy and legislation or from other abuses.
Stress and intimidation in the workplace
23. Employees we interviewed told of a poisoned work environment at the Office of the Privacy Commissioner in which staff were intimidated by the former Commissioner. Our interviews consistently revealed instances of authoritarian behaviour amounting to what employees called a "reign of terror" by the former Commissioner or certain executives carrying out his directives. Although the former Commissioner strongly denied the existence of a "reign of terror," our interviews repeatedly disclosed instances of his humiliation of staff, inappropriate comments, intolerance, and verbal abuse that were socially unacceptable—in either Canada in general or the public service in particular.
24. Some employees said they had been discouraged from documenting their concerns; those who did had been treated poorly. Nevertheless, some incidents had been documented, and others had been witnessed by several people. Some employees broke down as they recounted how they had been treated. We learned that some employees who had questioned or displeased the former Commissioner or his inner circle were banished from the Commissioner's floor, excluded from meetings they should have attended, not allowed to put their names on reports, and moved to other positions; in one case, the employee's work was contracted out.
Overclassification was a major problem
25. The greatest alleged abuses of classification and staffing policies were in the Communications and Strategic Policy Branch and the Corporate Services Branch, so it was there that we focused our attention although we examined a sample of files from other branches.
26. How a job is classified directly affects the salary range of the position. At the Office of the Privacy Commissioner, we found in the files we examined that the practice of classifying positions and then reclassifying them upward was out of control.
27. Most positions in the Corporate Services Branch and the Communications and Strategic Policy Branch were overclassified, as were most executive (EX) positions in the Office of the Privacy Commissioner. Current salary ranges for executive categories are set out in Exhibit 2. Two senior positions—the Senior Director General, Communications and Strategic Policy and the Chief of Staff/Senior Advisor—had been reclassified more than once within a two-year period.
28. The Senior Director General was transferred into the organization in September 2000 at the EX1 level and almost immediately (in December 2000) began receiving pay as an acting EX2. The Public Service Commission confirmed her EX2 level in June 2001 as a result of a competitive process. In January 2002 her position was reclassified to the EX3 level. At that time, deputy heads in the federal government had been delegated the authority to promote executives in reclassified positions without having to involve the Public Service Commission, apart from reporting the promotion. We noted that the Senior Director General's promotion from EX2 to EX3 was never reported to the Public Service Commission. The Chief of Staff/Senior Advisor was reclassified from AS8 to EX1 and then to EX2. The staffing action following the reclassification to EX2 also was not reported to the Public Service Commission.
29. Each reclassification (and all other executive reclassifications at the Office of the Privacy Commissioner) carried with it a salary increase of 10 percent. As a result, the two reclassifications of the Senior Director General, Communications and Strategic Policy and the Chief of Staff's reclassification raised their salaries by more than 20 percent. The Treasury Board's policy limits the increase per reclassification to 5 percent in most circumstances, and 10 percent only in an exceptional case. When we discussed this transaction with the former Commissioner, he claimed he had little or no knowledge of Treasury Board policies. However, we noted that the policy for salary increases upon reclassification of executives was clearly stated in the first reclassification review he signed for the Director General, Communications and Strategic Policy. In our opinion, none of the reclassifications we examined met the criteria for a 10 percent increase.
30. We reviewed the executive (EX) positions in the Office of the Privacy Commissioner and found that 8 out of 10 had been overclassified during the tenure of the former Privacy Commissioner. We also looked at non-executive positions in Corporate Services, at most officer-level positions in Communications, and at positions in support of the former Commissioner and senior executives. Of the 17 non-executive positions we reviewed, we found that the levels of 15 could not be supported.
Many classification policies were ignored
31. As a deputy head, the former Commissioner had authority delegated by the Treasury Board to classify positions up to the EX3 level, given certain conditions outlined in the classification policy. However, those conditions had not been met in most of the cases we reviewed. For example, Treasury Board policies require that federal organizations submit classification levels of certain senior people below the EX level for approval by interdepartmental committees. The Office of the Privacy Commissioner never met this requirement. The policy also requires that when a position is reclassified, the organization must carry out an on-site review to verify that the reclassified person is doing the work specified in his or her new job description. We found no evidence that the Office of the Privacy Commissioner had carried out any of these on-site reviews.
32. It is accepted practice that a deputy head may classify a position at his or her discretion without having to justify that decision. For example, if an employee with highly specialized knowledge in a critical function were offered a higher-level job elsewhere, the deputy head might reclassify the position upward to retain the employee. In practice, deputy heads are to do this only infrequently. At the Office of the Privacy Commissioner, however, the exception became the rule. A number of people in that organization were reclassified upward solely, we are advised, at the former Commissioner's direction and are being paid at levels that have not been justified, according to our audit of OPC records.
Hiring practices disregarded key public service values
33. Under a Staffing Delegation and Accountability Agreement with the Public Service Commission, the former Commissioner was responsible and accountable for all delegated staffing and promotion of staff. Prior to signing the agreement in October 2001, the President of the Public Service Commission met with the former Commissioner to discuss its implications.
34. The files we reviewed showed a blatant disregard of four critical values that the Public Service Commission has espoused for staffing: non-partisanship (including bureaucratic patronage), fairness, equity, and transparency. We found ample evidence of the avoidance of staffing competitions and the working around of staffing processes established by the Public Service Employment Act (PSEA).
35. We found instances of the hiring of friends, acquaintances, or former colleagues of the former Commissioner and senior executives. For example, we found that in 2001 the girlfriend of the former Commissioner's son, a law student, was hired to work in the legal department in a position created for her and approved by the former Commissioner. The General Counsel said that she was not pressured to hire the student but that prior to receiving a letter from the student—hand-delivered to her by the former Commissioner—she had had no plans to hire a summer student.
36. Although the Public Service Commission runs a program for hiring summer students (known as the Federal Student Work Experience Program, or FSWEP), the Office of the Privacy Commissioner did not use the program in this instance, nor did it consider other candidates. The law student was hired as a casual employee and was paid at a rate 50 percent higher than the usual rate paid to a student at her education level. We note that the letter of offer extending casual status went to the former Commissioner's Ottawa residence (where the student was residing with the former Commissioner's son while she worked at the OPC).
37. In 2002, the same student was again hired as a casual employee to do legislative monitoring, starting 11 March 2002. The Office of the Privacy Commissioner offered her a salary that was some 30 percent higher than in the previous year, without any negotiation by the employee. During this period, the student worked from Toronto and was attending school during some of the time when she was paid by the Office of the Privacy Commissioner. No other employees of the Office of the Privacy Commissioner worked from a city other than Ottawa.
38. Casual employees, who receive a pay cheque every two weeks, are expected to work 37½ hours per week. The student told us that her work usually took from 2 to 5½ hours per day. When we asked what she did during the Easter recess, when Parliament was not sitting, she indicated that she had been asked to do a small piece of research. Her casual employment status was extended on 21 June, the day the House rose for its summer recess, until 13 September 2002. When we asked what she did during this period, the student told us that she worked on two research projects, which took about seven days of time. The student told us that she e-mailed the manager concerned and asked for work but did not receive any. The Office of the Privacy Commissioner cancelled the casual employment on 30 July 2002.
39. The former Privacy Commissioner said that he had stayed out of the hiring of his son's girlfriend and did not perceive there to be any conflict of interest. In our opinion, a conflict of interest existed.
40. We stress that our observations are not intended to be criticisms of this student, and should not be interpreted as such. Rather, our concerns are wholly with respect to the actions of the former Privacy Commissioner and some of the staff of the Office of the Privacy Commissioner in initiating and managing these employment arrangements.
41. The OPC manipulated the process to favour particular candidates. The Office of the Privacy Commissioner hired a number of employees initially on personal service contracts or on a casual basis, avoiding the need to open the positions to competition. These employees remained on contract or continued as casual staff for as long as possible under the PSEA until a competition was held. However, these competitions were not truly "open." They were advertised as term positions for the shortest period possible. Most applicants would be screened out, and the casual or contract workers would be selected because they had on-the-job experience. After working as term employees for a given period, their positions would be made indeterminate (full-time) without further competition.
42. In another case, the former Commissioner decided that he wanted to hire someone from outside the public service as his Director of Strategic Policy, a position classified at the EX2 level. Hiring at this level from outside the public service would have meant involving the Public Service Commission in the selection process. Instead, the Office of the Privacy Commissioner advertised a term position at the AS8 level (the highest level at which PSC involvement was minimal) with the same work description and classification as the initial position of Special Advisor. Only 3 of 179 applicants were screened in; the candidate was hired as an AS8 and immediately paid as an acting EX2.
43. We noted competitions with selection criteria that favoured a particular candidate but had no relevance to the actual position. In several cases, language requirements were changed to match the profile of the favoured candidate rather than the requirements of the position itself. In another case, preference was to be given to a person with experience in "print media" that seemed unrelated to the work to be performed. When the Office wanted to hire a particular candidate from outside the organization who knew very little about the Privacy Act and other relevant legislation, the requirement to have this knowledge was weighted lightly. When the Office wanted to exclude applicants from outside, it required a thorough knowledge of privacy-related legislation.
44. Another practice the Office used to hire and promote a particular person from another department was a transfer to a position that existed only on paper (Exhibit 3). This practice contravened subsection 34.2(2) of the Public Service Employment Act, which addresses the transfer of employees from one position to another.
Overclassification and hiring practices resulted in high salary costs
45. We note that the reclassification and staffing practices of the Office of the Privacy Commissioner contributed to higher salary costs and a resulting overspending of its appropriated funding. This will create budget pressures for years to come. We note that between March 2000 and March 2003, salaries for the Privacy Commissioner's EX group increased by 24.6 percent while EX salaries in the public service as a whole increased by only 14.6 percent (these figures do not include lump sum performance awards). Average salaries for all employees of the Office of the Privacy Commissioner increased by 21.3 percent in the same period, compared with 16.4 percent in the federal public service as a whole.
46. Other practices also contributed to high salary costs. We found it was common practice to bring people into the Office of the Privacy Commissioner at the high end of the salary range; normal practice in the public service is to hire staff at or near the low end of the range to allow for subsequent salary increases. A person may be hired at or near the top of the range in exceptional circumstances—that is, if accepting a position near the bottom of the range would mean a cut in the person's pay.
47. We found that the Office of the Privacy Commissioner had hired a number of people at the top salary level in their classification with no justification apparent in the records we audited, a practice that clearly contravened government policy. We also noted that several casual or term employees had been laid off for one day and rehired the next day at the top of the salary range.
The Public Service Commission knew about staffing irregularities
48. The Public Service Commission failed to respond decisively when it learned about staffing irregularities at the Office of the Privacy Commissioner. We note that in the summer of 2001, the OPC's Director of Human Resources alerted the Public Service Commission to staffing problems in the organization. In response, the Public Service Commission carried out a study, an exercise that examined 50 percent of the Office of the Privacy Commissioner's staffing actions for 2000-2001. In August 2001, the President of the Public Service Commission met with the former Privacy Commissioner to discuss a Staffing Delegation Agreement and public service staffing values. Prior to this meeting, the former Commissioner had already been advised of some of the analytical work done by the study team.
49. The study team found many irregularities and advised the Public Service Commissioners accordingly, in a detailed report dated February 2002. The report was not shared with the Office of the Privacy Commissioner, despite the serious nature of the study findings. The Public Service Commission sent a letter to the Office of the Privacy Commissioner in March 2002, sharing its perceptions and observations, making suggestions, and asking for a progress report in the fall of 2002 on what the OPC was doing to improve the staffing process. In addition, the Public Service Commission asked its officials to meet with officials of the Office of the Privacy Commissioner in May, to discuss an action plan focussed on a high-level management framework, training in staffing values, and communications. None of these actions resulted in substantive improvements in the staffing practices of the Office of the Privacy Commissioner.
50. A Public Service Commission follow-up team was sent to the Office of the Privacy Commissioner in July 2002. It reported to the Public Service Commissioners that the OPC had made significant progress in implementing several recommendations and that senior management was committed to taking action on the outstanding issues. The team based this opinion solely on a meeting with the OPC's Executive Director and its Director of Human Resources. As the results of our audit have shown, this optimistic assessment was not warranted. In our opinion, the actions taken by the Public Service Commission were insufficient to deal with the specific problems identified.
51. In November 2002, the Office of the Privacy Commissioner sent its Staffing Delegation Accountability Report to the Public Service Commission. The Public Service Commission found the report unsatisfactory. In its letter of response dated 16 June 2003, it noted that the Deputy Head had not "attested to veracity of the information and to the fact that the employees of this organization are appointed and promoted objectively, free from political or bureaucratic patronage," and outlined a number of other problems the Public Service Commission had with the report. In our opinion, the letter failed to outline the consequences if the Office of the Privacy Commissioner did not improve its staffing regime. We note that the Public Service Commission did revoke some authority to staff positions on 2 July 2003, after the former Privacy Commissioner had resigned. It also put some restrictions on certain other staffing activities.
52. Nevertheless, we note with concern the lack of visible action by the Public Service Commission earlier, when it was advised of problems by the OPC's Director of Human Resources. The lack of response sent a signal to managers, employees, and the union that the Public Service Commission would not actively support any attempts to clean up the staffing abuses at the Office of the Privacy Commissioner.
Problems in the executive staffing process
53. Most staffing of executives was not delegated to the Office of the Privacy Commissioner, so the Public Service Commission retained responsibility for it. Because of this, the Standing Committee asked us to review executive staffing. We expected that both the processes and how they were carried out would ensure that public service staffing values were respected.
54. The Public Service Commission was involved in seven executive staffing actions between September 2000 and June 2003—two reclassifications, three competitive processes, and two without competition. Two other executive reclassifications were done without the required reporting to the Public Service Commission.
55. We note that in the case of the Office of the Privacy Commissioner, several executives had acted in the positions—in one case for six years—to which they eventually were staffed. In January 2000, the Public Service Commission indicated that lengthy acting periods give incumbents a clear advantage in any subsequent competitive process; this has implications for the merit principle, in particular for the values of fairness and transparency.
56. An applicant for an executive position must normally appear before a selection board, which usually consists of three people—a senior executive from the organization, another executive, and a representative of the Public Service Commission. We noted that in the case of the Office of the Privacy Commissioner, the Executive Director sat on all selection boards except one, and chose the other executive on each board. The Public Service Commission representative was at a lower (non-executive) level than the two other members, in our view making the challenge role more difficult.
57. In our opinion, the combination of the way board members were selected and the prior acting appointments meant that the staffing actions were little more than confirmation of the OPC candidates.
58. When the appointment of the Chief of Staff to the executive level was initially to be recommended to the Public Service Commissioners, they were alerted to previous concerns about his security clearance and language proficiency. The appointment was approved in April 2002 with no further documentation on file as to how the concerns were resolved. In another case, we noted that a position serving both the OPC and the Office of the Information Commissioner was staffed without the latter's participation in the assessment process.
59. In our view, while the technical processes were respected, they were carried out in such a manner that the results did not respect the public service staffing values of merit, transparency, and fairness.
No documented justification for performance management and performance awards
60. Under the Treasury Board's policy on executive compensation, executives can receive annual salary increases as they progress through the salary range. They can also receive lump sum performance awards above and beyond the normal salary progression. However, certain constraints apply. Before they can receive either their annual increase or any lump sum performance awards, they must have a performance agreement with the department or agency at the beginning of the fiscal year. They must also receive a written performance assessment justifying any performance award. The Executive Director of the Office of the Privacy Commissioner was advised in writing of these requirements. However, with one exception, we found no performance agreements on file for 2000-01, 2001-02, and 2002-03. We found no performance assessments at all for these years.
61. We found that every executive at the EX1, EX2, and EX3 levels received an increase of 10 percent for exceeding performance targets that had never been formally stated. The Executive Director, whose position was reclassified to EX4 in January 2001, received a 15 percent performance increase for 2001-02 and 2002-03. All of these awards were split between increases within the salary range and lump sum awards; we found no documentation to show that they were merited. Maximum performance awards given prior to 2000-01 had been supported by performance assessments. The former Commissioner told us that he had approved only a 5 percent increase for one executive for 2002-03. We note that after his resignation, however, the increase was raised by the Executive Director to 10 percent, to match others.
62. We are concerned that the entire cadre of executives of the Office of the Privacy Commissioner were rated as having surpassed expectations and were rewarded accordingly; neither the ratings nor the rewards were consistent with Treasury Board guidelines. These guidelines suggest that from 0 to 25 percent of executives in any organization should be rated as having surpassed expectations and therefore may receive the maximum performance award. Exhibit 4 indicates the cost to the OPC of performance pay. This cost is significant, given the size of the organization and its budget.
63. We also note that the Office of the Privacy Commissioner did not carry out any performance appraisals in the past three years for any staff below the EX level.
64. The failure to follow established policies on reclassification, promotion, and performance awards resulted in unjustified increases in executive remuneration, amounting to over a quarter of a million dollars.
Labour relations were poor
65. In 2002, the employees who were represented by the Public Service Alliance of Canada asked to form a joint union-management committee. The Executive Director, on behalf of the former Commissioner, rejected their request, saying that such a committee was unnecessary given that both he and the former Privacy Commissioner had an "open door" policy. We question the credibility of this statement, given the way a number of employees said they had been treated when they raised any concerns.
66. The Office of the Privacy Commissioner agreed to establish a health and safety committee, which staff told us was largely ineffective and viewed as a reluctant token effort. Despite its requests, the health and safety committee was not consulted appropriately on the development of a scent-free-workplace policy, which had been the source of some contention. Nor was the committee involved in resolving problems created by a flood in the Office, which it feared could lead to health issues with mould and to the disruption of employees.
67. Some employees told us they had chosen not to file any grievances. They said they had reasoned that the final recourse for a grievance was the former Privacy Commissioner himself, and they assumed he would not resolve any grievances. Some employees who wanted to raise a grievance were simply counselled to leave the Office's employment.
Inappropriate lump sum payment upon retirement (balloon payment)
68. The Standing Committee on Government Operations and Estimates asked the Auditor General to review the appropriateness of amounts paid to some staff of the Office of the Privacy Commissioner upon retirement.
69. Deputy heads may approve payments of up to one year's salary when an executive's position is declared surplus. This payment in lieu of notice is over and above normal severance (one week's pay for each year of service, to a maximum of 28 weeks' pay). The amount that an executive ultimately receives depends on a number of factors that the deputy head must consider in arriving at an appropriate payment. These factors include the executive's age, experience, length of service, and skills—factors that can indicate the difficulty of making a transition to a new employment sector and the adequacy of normal severance benefits.
70. The position of Director General, Corporate Services, which had been shared by the Privacy Commissioner's and the Information Commissioner's offices, was declared surplus when the OPC established its own corporate services unit. The incumbent received a payment of $99,300 in lieu of notice, the maximum payable under the former Privacy Commissioner's delegated authority. In addition, he received $53,500, the maximum severance pay to which he was entitled.
71. We could not find any justification on file for the $99,300 payment in lieu of notice. We found no evidence of how the former Commissioner's exercise of discretion had taken into account the factors specified in the policy. The former Commissioner advised us that he was not aware of the factors he was required to consider and that the Executive Director had simply presented him with a recommendation for settlement. We note that the employee had been advised verbally that he could continue in a similar position at the same salary at the Office of the Information Commissioner. In our opinion, the amount paid in lieu of notice ($99,300) was not appropriate in light of the fact that the individual was entitled to maximum severance pay ($53,500) and an unreduced pension and that he had been offered continuing employment elsewhere in the federal government.
72. Treasury Board policy states that when an organization declares an executive surplus, there should be no additional costs for one year (in this case) from the date of notice. On the day the Director General, Corporate Services was released, however, the Chief of Staff, who assumed responsibility for corporate services of the OPC, was reclassified and received a 10 percent increase. In our opinion, the reclassification of this position was inappropriate.
Financial management and control
73. Sound financial management is a critical part of running the day-to-day operations of any federal department or agency. It is central to delivering programs and enabling organizations to manage public money with prudence and probity. More specifically, financial management allows an organization to manage and track its expenditures, produce complete and accurate financial statements, and account for where and how it spends taxpayers' dollars.
A breakdown in basic financial controls
74. Well-functioning financial controls provide the foundation for sound financial management. Appropriate controls enable an organization to comply with, for example, key sections of the Financial Administration Act. In essence, financial controls represent important mechanisms and processes for ensuring that government departments comply with the Financial Administration Act. Section 32 of the FAA requires an organization to ensure that it has the money to pay for any goods or services before it orders them; section 34 requires it to verify that it has received them and that they are satisfactory. Under section 33 of the FAA, the person who "signs the cheque" for goods and services must have the authority to do so, must be satisfied that the requirements noted above have been met, and must be satisfied that it is a lawful charge against the appropriation.
75. If an organization does not have appropriate financial controls in place, there is a risk that abuses will occur and that it will spend more than Parliament has authorized (as evidenced throughout this report). Indeed, we found a complete breakdown of the financial management and control framework at the Office of the Privacy Commissioner, one consequence of which was that the OPC spent more than the limits approved by Parliament.
76. Our audit found that the Office of the Privacy Commissioner lacked the most basic level of control. In short, it did not have the financial controls that would have enabled it to meet even the basic requirements for financial management as stipulated in the Financial Administration Act, Treasury Board guidelines, and Receiver General directives.
77. We found that another control—segregation of duties—was absent in contracting, travel and hospitality, and financial reporting. Segregation ensures that, for example, the same person who orders goods or services from a contractor does not also both certify that they have been received and are satisfactory and authorize payment as well. In the absence of segregation of duties, abuses occurred in the Office of the Privacy Commissioner, particularly in spending on travel and hospitality and on contracting.
Lack of control over disbursements from the public purse
78. The authority to issue payments under the Financial Administration Act is a fundamental control that must work effectively if the public purse is to be properly safeguarded. That authority is delegated to individuals who hold specific positions in an organization.
79. Individuals who have been delegated this authority must obtain from Public Works and Government Services Canada (PWGSC) an electronic authorization and authentication (EAA) or "electronic payment key" to electronically authorize payment of funds through government systems. Proper management and protection of the electronic key and password are critical to safeguarding the public purse.
80. At the Office of the Privacy Commissioner, we found a breakdown of this critical control. Our audit noted that the Chief of Staff had obtained an "electronic payment key," even though he did not have the proper delegated authority under section 33 of the FAA. We are advised that the Chief of Staff's user I.D. and password as well as the location of his "electronic payment key" were known by all finance staff of the OPC and were used by them regularly to issue payments. The practice of using the Chief of Staff's "electronic payment key" continued after the person left the OPC in July 2003.
81. We were advised that clerical staff who did not have delegated authority under section 33 of the Financial Administration Act made three payments totalling $81,621 using the Chief of Staff's "electronic payment key," user I.D., and password with the full knowledge of the Director, Financial Services. Two priority payments totalling $24,500 also were issued during the same period. These payments were issued during a time when the Chief of Staff was away from the Office. At that point, no staff in the Office of the Privacy Commissioner had the proper delegated authority.
Lack of management oversight
82. An organization's deputy head is responsible for overseeing its systems and controls (financial and other) to ensure that they are working as intended.
83. Management oversight serves to ensure that, among other things, an organization's financial controls are adequate to protect it against both financial loss or misappropriation and the risk of spending more than Parliament has authorized. Such oversight is also important for management to ensure that the organization complies with a range of legislation. Indeed, these are among the primary duties of senior financial officers.
84. Good information is a prerequisite to enabling management to exercise its oversight role. If management is to monitor the financial situation of an organization, it must receive periodic (usually monthly) financial reports, based on sound control of commitments and expenditures. We found little evidence that executives of the Office of the Privacy Commissioner had received (or demanded) regular reports on the organization's financial status. The OPC had no continuous information on how and where the organization was spending its funds. There was an almost complete lack of information comparing expenditures in particular areas with amounts budgeted. We also noted that there was no budget for either performance awards to executives or cash-out of vacation leave, yet these expenditures were incurred each year.
85. The only use of financial information that we found was in a series of monthly status reports produced between October 2002 and May 2003 that were incomplete. We found no evidence of any earlier financial reports intended for executives. The purpose of the monthly status reports was to alert executives to the growing problem of the overspending of the 2002-03 budget. The spending projections in the report did signal that the Office of the Privacy Commissioner was headed toward exceeding its total authorized spending limit. However, executives did not reduce expenditures or change the organization's spending patterns sufficiently; had they done so, the Office of the Privacy Commissioner might have been able to stay within the spending limits that Parliament had established instead of overspending by some $234,000. As discussed in paragraphs 110 to 113, the Office of the Privacy Commissioner falsified its financial statements to hide the fact that it had exceeded its Vote.
86. We saw little evidence that senior executives had exercised their responsibility to provide oversight, review, and approval of financial transactions.
87. We found that neither the former Privacy Commissioner nor his senior financial officers or the Director, Financial Services provided sound financial management, oversight, and control. Virtually all financial controls were centred with the former Privacy Commissioner and a few senior executives. This arrangement created an environment that fostered and facilitated a breakdown in management controls and provided fertile ground for irregularities.
Lack of leadership in managing expenditures
88. We found that investigators employed by the Office of the Privacy Commissioner had to stop travel in January 2003 to reduce expenditures. The former Privacy Commissioner and his Senior Director General, however, continued to travel. To support this travel, the organization used funds from its information technology and policy research budgets. Of note is that the Office of the Privacy Commissioner has had to suspend reviews of privacy considerations in the information systems of other government departments until the Treasury Board approves supplementary funding for that work.
Contraventions of the Financial Administration Act
89. One of the responsibilities of an organization's finance unit is to ensure that it complies with the Financial Administration Act. As well as the absence of basic financial controls that we have already noted, we identified two more instances (improper payments to the former Commissioner and the inappropriate cashing out of vacation leave) that are cause for concern. These relate closely to the lack of proper financial controls.
90. Improper payments to the former Commissioner. In May 2002, the former Commissioner received a $15,000 payment without any justification that our audit could find. We were told that the former Commissioner believed he had not been reimbursed for all his travel and hospitality expenses and was owed $15,000. The former Commissioner did not provide any evidence to support his request for $15,000. The OPC's Financial Services subsequently reviewed the former Commissioner's travel and hospitality claims and reimbursements. It found that the former Commissioner had been reimbursed for all business-related expenditures and that no additional amounts were owed to him.
91. Despite the absence of evidence to support any claims for reimbursement, Financial Services issued a $15,000 payment to the former Commissioner, which he cashed. This payment was recorded as a "special travel advance," in the knowledge that it did not meet Treasury Board criteria for a standing advance. The amount remained outstanding until 31 March 2003.
92. Staff told us that they advised the former Commissioner that the outstanding balance of the "special travel advance" would be reported in the 2002-03 Public Accounts. The former Commissioner told us he had been advised by staff that for bookkeeping purposes, it was preferable to repay the advance in one year and receive it as a new advance the next year.
93. The former Commissioner repaid the advance on 31 March 2003 but, in April 2003, received another $15,000 payment recorded as a "special travel advance" to him. Again, our audit found no evidence that the second payment of $15,000 was justified.
94. Financial Services advised us that the Chief of Staff had instructed it both times to issue the payment to the former Commissioner.
95. Treasury Board policy allows for standing advances to be issued, with travel expenses charged against the standing advance as incurred and no further individual travel advances issued. However, after receiving the $15,000 "special travel advance," the former Commissioner continued to request and receive travel advances, and travel expenses were not charged against the $15,000. In 2002-03, he requested 22 additional travel advances totalling more than $75,000. In May 2003, soon after receiving his second "special travel advance," the former Commissioner requested and received an additional travel advance of $7,900.
96. Given that the two $15,000 payments to the former Commissioner (in May 2002 and April 2003) were neither justified with supporting evidence nor issued in accordance with the Treasury Board's policy on standing advances, we believe that they were improper payments and contravened section 26 and section 33 of the Financial Administration Act. Pursuant to section 12 of the Auditor General Act, we have informed senior government officials of this matter and have referred the matter to the Royal Canadian Mounted Police.
97. At the time of our audit, the second $15,000 payment to the former Commissioner was still outstanding, and it ought to be recovered.
Inappropriate cash-out of vacation leave
98. Our audit found serious problems in the reporting of vacation leave and the cashing out of vacation leave by most OPC executives. The former Commissioner and six executives failed to report to the OPC's Human Resources section vacation days they had taken and, in some cases, subsequently requested payment for those vacation days. As a result, the former Commissioner and three of the executives received substantial funds to which they were not entitled.
99. Treasury Board policy strongly encourages employees to take their annual vacation leave. The policy permits the cashing out of earned vacation leave by executives and employees when they have not taken all their vacation leave. The policy also permits the granting of special leave with pay, which must be approved by the deputy head.
100. The OPC had a leave and attendance reporting system that provided each employee with an annual statement of his or her leave credits earned, leave taken, and leave balances. Employees were required to certify the accuracy of the statements. With one exception, in no executive's file did we find any evidence of the granting of special leave with pay.
101. Our audit found that the Executive Director of the OPC has taken several weeks of vacation each year, but since April 1998 he has reported to Human Resources none of the vacation leave he has taken. We found that from August 2000 to September 2002, the Executive Director cashed out vacation leave balances on four different occasions and received payments totalling about $45,000.
102. In addition, we have determined that from 1993 to 1999, the Executive Director cashed out vacation leave balances on six occasions, for which we found no justification.
103. We have identified three other executives who failed to properly report the vacation leave they were taking and whose vacation leave balances are in error. The inappropriate management of vacation leave was pervasive in the executive ranks for many years, predating the appointment of the former Commissioner.
104. According to our examination, the former Commissioner took several weeks of vacation each year but never reported the use of vacation days to the OPC's Human Resources. We found that his vacation leave balances did not reflect the days he had taken. The former Commissioner advised us that the annual holidays were taken to compensate for the excessive hours he worked as the Privacy Commissioner and were not vacation leave. We found no evidence that claims were made for special leave with pay.
105. The former Commissioner regularly cashed out all his vacation leave balances. In one case, he cashed out vacation leave prior to earning it—leave to which he therefore was not entitled. From June 2001 to May 2003, the former Commissioner cashed out vacation leave balances six times, receiving payments totalling about $56,000. In our opinion, that practice was not justified and accordingly those payments were inappropriate.
106. Pursuant to section 12 of the Auditor General Act, we have advised senior government officials of these inappropriate cash-outs of vacation leave and have referred the matter to the Royal Canadian Mounted Police.
Non-compliance with requirements of the Income Tax Act
107. The finance section of a government department or agency is responsible for ensuring that the organization complies with the Income Tax Act. This includes ensuring that taxable benefits such as housing and car allowances are reported and that income taxes are deducted and remitted to the Canada Customs and Revenue Agency.
108. For fiscal years 2001 and 2002, our audit found instances in which the Office of the Privacy Commissioner did not, in our opinion, comply with the provisions of the Income Tax Act. Specifically, it failed to report certain taxable benefits and neither deducted nor remitted the tax on those benefits to the Canada Customs and Revenue Agency.
109. On our recommendation, the Office of the Privacy Commissioner has indicated that it will ask the Canada Customs and Revenue Agency to review the tax treatment of these items.
Financial reporting was intentionally false
110. Each year, every organization in the federal government must submit its financial statements, which ultimately are tabled in Parliament as part of the Public Accounts of Canada. Organizations must prepare these statements in accordance with the government's stated accounting policies as contained in Receiver General directives and Treasury Board guidelines. The financial statements must present the organization's financial position at year end and details of its spending. Moreover, the statements must present the information completely, accurately, and fairly.
111. We found that despite these requirements, the preparers of the Office of the Privacy Commissioner's financial statements for the fiscal year ending 31 March 2003— the Director, Financial Services, the Chief of Staff, and the Executive Director—knowingly omitted about $234,000 of accounts payable at year end. The false financial statements were submitted in June 2003.
112. The effect of the omission was to mislead Parliament by creating the impression that the Office of the Privacy Commissioner had spent only the amounts authorized by Parliament for the 2002-03 fiscal year. The Director, Financial Services told us the chances had been slim that the strategy of deferring liabilities to the new fiscal year would be uncovered, because the Public Accounts statements had not been audited in a long time. We found the discrepancy during our audit and brought the matter to the attention of the Interim Privacy Commissioner, who ensured that immediate corrective action was taken.
113. The former Commissioner told us that he had had no knowledge that the financial statements had been falsified.
Financial officers have failed in their duties
114. In any organization, senior financial officers have a clear responsibility to establish and maintain proper books and records. They are to ensure that financial transactions are conducted with prudence and probity and are completely and accurately recorded in accordance with the government's accounting policies and directives. They also have a duty to ensure that the organization's financial statements are presented fairly.
115. Based on the breakdown of basic financial controls, the contraventions of the Financial Administration Act, and the false financial reporting, we have concluded that the Privacy Commissioner's financial officers—the Chief of Staff and the Director, Financial Services—failed to fulfil these most basic responsibilities.
Travel and hospitality
116. The Standing Committee on Government Operations and Estimates heard testimony about the substantial expenditures from the Privacy Commissioner's budget for travel and hospitality. The Committee was informed about the extensive international travel of the former Commissioner and his Senior Director General. The Committee also gathered information on the former Commissioner's hospitality claims and his shared lunches with colleagues. The Committee asked the Auditor General to look into these matters and in particular to "look closely at whether or not the taxpayer has received good value" from the former Privacy Commissioner's expenditures on travel and hospitality.
117. We examined all international trips taken between 1 September 2000 and 31 March 2003 and a sample of domestic travel for a six-month period in each of 2001-02 and 2002-03. We audited the travel expenditures of the former Commissioner and the executives and other employees of the OPC. We also audited hospitality expenditures for fiscal years 2001-02 and 2002-03. Exhibit 5 shows total travel expenditures and Exhibit 6 total hospitality expenditures.
Travel policies were consistently ignored
118. The Privacy Act states that the Commissioner is entitled to be paid for reasonable travel and living expenses incurred in the performance of his duties. Given that "reasonable" is not defined in the Privacy Act, we have used Treasury Board policies as a test of reasonableness.
119. The Treasury Board's policies on travel state the following:
- The norm for travel should be comfortable and convenient but not excessive.
- Travel expenditures should be justifiable under close scrutiny.
- Governor-in-Council appointees at levels 8 to 11 may use business class air travel at their discretion but must book through the Government Travel Service. Executives, Governor-in-Council appointees, and deputy heads should manage a reduction in the use of business class air travel.
- Deputy heads have discretion over commercial accommodations selected and meals and incidentals in excess of per diems, based on receipts; alcohol shall not be included.
- Discretion should be exercised with prudence and probity, mindful that all expenditures must further government objectives.
120. Our review of both domestic and international travel showed that the former Privacy Commissioner and the Senior Director General repeatedly failed to follow the Treasury Board's travel policies and guidelines. Senior executives told us that the former Privacy Commissioner had been advised of the Treasury Board's policies and guidelines and was knowledgeable about them. The Senior Director General and staff advised us that the former Commissioner gave all directions on dates and mode of travel and on what restaurants to book. The Senior Director General advised us that she travelled at the direction of the former Commissioner and believed he was allowed discretion to depart from Treasury Board travel policies.
121. The former Commissioner told us that neither his executives nor his staff had informed him about Treasury Board travel policies; nor had they informed him that he was not complying with the policies. However, he did acknowledge receipt of A Guide Book for Heads of Agencies. Exhibit 7 sets out the book's guidance on travel.
122. We reviewed travel claims by six other OPC executives, covering 21 trips. In general, these other executives travelled in economy class, stayed in reasonably priced accommodations, and claimed only eligible amounts for meals and other expenses.
123. We reviewed the claims of 30 other employees, covering over 100 trips. Claims submitted by these employees complied with travel policies and guidelines: they also flew economy class, stayed in reasonably priced accommodations, and claimed eligible amounts for meals.
124. The Treasury Board Common Services policy requires that public service employees use the Government Travel Service (GTS) to arrange their travel. This includes reservations and ticketing for air, rail, hotel accommodations, car rentals, travel consultation, preparation of travel itineraries, and free flight insurance. The objectives of the GTS services are to provide support to increase the safety and well-being of travelling employees in an efficient way and to provide cost efficiencies and economies of scale. However, the former Privacy Commissioner and the Senior Director General made their own travel arrangements directly with airlines and hotels. In doing so, they may not have received air fares and hotel rates as low as those available through the GTS.
125. The former Commissioner's travel was booked generally at the last minute, even though his travel schedule was often known weeks or months in advance. He did not take advantage of discount air fares available to those who book one or more weeks in advance.
Travel expenditures did not meet the test of reasonableness
126. The former Commissioner and the Senior Director General flew business class wherever possible, even on short domestic flights. Both almost always stayed at expensive hotels and ate at costly restaurants.
127. Hotel costs of the former Commissioner and his Senior Director General usually exceeded the published guideline rates allowed to government employees. Our audit determined that in about 80 percent of their domestic travel, they exceeded the Treasury Board guidelines for accommodations by 70 percent on average. In 60 percent of their international travel they also exceeded Treasury Board accommodation guidelines, and by 50 percent on average. On three nights in London, England, for example, the former Commissioner and the Senior Director General each spent more than $500 per night on hotel accommodations. None of their travel claims included documentation to justify exceeding the guideline limits, even though Treasury Board policies require such justification.
128. We also found that two hotel rooms at $330 each per night had been booked in Washington, DC for two nights. Although the hotel rooms had been paid for, they were not used on the first night; on the second day they were used, according to the former Commissioner, only as a place to "freshen up" and make telephone calls after a two-hour flight.
129. The cost of meals claimed during travel usually exceeded Treasury Board guidelines. Our review of domestic and international travel found that spending on meals exceeded the guidelines over 60 percent of the time. Examples of unreasonable meal expenditures include over $300 in London on lunch for two and over $100 in Hawaii and $100 in London on breakfast for two. On three occasions, in Hawaii, Brussels, and London, the former Commissioner and the Senior Director General spent over $550 per day on meals for two.
130. Travel meal expenditures are not to include alcohol. We calculated that during all the international trips of the former Commissioner, over $31,000 was paid for meals and refreshments. Taking into account that Treasury Board meal allowances for international travel vary by city to reflect the cost of living, we estimated that government employees with similar itineraries would have been entitled to claim about $14,000. Using his "discretion," therefore, the former Commissioner incurred about $17,000 more than that for meals and refreshments abroad—more than twice the amount set out in the guidelines (Exhibit 8). In our opinion, this was an abuse of the discretion accorded to a deputy head.
131. We found abuses related to transportation. For instance, although the former Commissioner had a government vehicle assigned to him from the date of his appointment and had a driver beginning in December 2002, we noted the use of expensive limousine services. For example, on three occasions he used limousine services to travel from Ottawa to the airport in Montreal at a round-trip cost of about $800. We also noted excessive use of taxis on many international trips, with little supporting evidence to justify it. For example, on an 11-day trip to London, England and Cardiff, Wales, the former Commissioner used 52 taxis at a total cost of about $1,500. Based on our examination of his business itinerary, this expenditure was unjustified.
132. We noted other travel expenditures claimed that did not appear reasonable. Our audit found that the former Commissioner and the Senior Director General had claimed expenses for many days of international travel on which no international business took place.
133. Of 17 international trips audited, we identified 58 days available for business. There was evidence of international business conducted on only 33 of those days; no international business was identified on 25 days, or over 40 percent of the days available. We were advised by the former Commissioner that he arranged his international business travel this way to allow enough flexibility in the time available to permit unscheduled meetings with the media or other interested parties. He said it also allowed his staff in Canada to schedule international meetings for him while he was abroad.
134. We calculated the expenditures incurred on the days when no international business took place and determined that over $32,000 was spent on hotels, meals, taxis, and miscellaneous charges. Our analysis of international travel is set out in Exhibit 9.
135. The Senior Director General advised us that she had been concerned and uncomfortable about the excessive days that the former Commissioner scheduled on which no international business was planned or occurred. She had raised the matter with him and he advised her that he had discretion over his handling of international travel. She told us she believed that as a deputy head he had that discretion and she had travelled at his direction.
136. The former Commissioner and the Senior Director General signed their travel claims, certifying that the expenses claimed had been incurred while they were travelling on authorized government business.
137. In our opinion, international business travel should be planned and carried out to optimize the use of time abroad. We could find no reasonable justification for the former Commissioner's spending so many days abroad with no international business activities planned. In contrast, domestic trips were limited to the time required to carry out the planned activities.
Value from travel expenditures was questionable
138. We reviewed the former Commissioner's domestic and international travel to determine the value that the Office of the Privacy Commissioner and Canadian taxpayers gained from this travel. The former Commissioner travelled with his Senior Director General on all 17 international trips and on most domestic trips. When asked why he had travelled only with the Senior Director General, he replied that no one else on his staff would really have benefited from the travel.
139. Our audit found that the former Commissioner and his Senior Director General conducted minimal business on many trips, especially the international trips. Further, at domestic and international conferences where the former Commissioner was speaking, he would arrive just before his speech was scheduled and leave shortly after delivering it. Networking was kept to a minimum and he generally did not eat with the other delegates or stay in the hotel where the conference was held. He seldom attended conferences for their full duration.
140. An examination of the international trips determined that on many occasions, the business day consisted of only one brief meeting or a few meetings lasting a few hours.
141. We were advised that any information obtained on these trips was not usually shared with the executives or employees of the OPC. The information was kept confidential for the direct use and benefit of the former Commissioner. He told us that this had served him, that the purpose of the information had been to serve him, and that those whose knowledge of the information could serve him had been given the information.
142. In our opinion, the value of these expenditures to the Office of the Privacy Commissioner and taxpayers was questionable.
143. The former Commissioner received unnecessary travel advances. The former Commissioner and the Senior Director General usually requested travel advances for their domestic and international travel to cover airline tickets and hotel costs. The former Commissioner also received travel advances for his weekend trips home to Toronto. From September 2000 to June 2003, he received 38 travel advances totalling $184,000—which is 60 percent of all travel advances issued by the Office of the Privacy Commissioner. The Senior Director General received 17 travel advances totalling $110,000, or 36 percent of all advances issued.
144. The travel advances that both the former Commissioner and the Senior Director General received could have been reduced significantly if they had followed the Treasury Board travel policy requirement to use the Government Travel Service for booking airline tickets. The Government Travel Service would have purchased the airline tickets and billed the Office of the Privacy Commissioner, eliminating the need for most of the amounts issued as travel advances.
145. We determined that the former Commissioner and the Senior Director General received about $130,000 and $75,000 respectively in unnecessary travel advances for airline ticket charges alone. Further, since both charged their air fare and hotel costs to credit cards that allowed up to 60 days to pay, there was no need for those costs to be included in the travel advances issued. Therefore, in our opinion most of the travel advances to the former Commissioner and the Senior Director General for air fare and hotel costs were unnecessary.
146. The travel advances were usually issued well in advance of need. About 70 percent of the advances were issued more than one week before the date of travel, and 20 percent were issued more than three weeks in advance. Moreover, travel advances were always issued as priority cheques, incurring additional effort and courier fees.
Expenditures for travel home were excessive
147. As part of the terms of the former Commissioner's appointment, he was to be reimbursed for up to one year for expenses to travel once a week between his residences in Toronto and Ottawa. He was also given a dual residence allowance of $1,200 monthly, net of income taxes. The Governor-in-Council extended these benefits for a second year and subsequently a third year. The cost of providing these benefits for the two additional years was about $85,000.
148. The former Commissioner always flew home to Toronto in business class. Given that business class air fare is about 30 percent higher than economy air fare, his trips to Toronto represented about $20,000 in additional charges. Furthermore, we found that the former Commissioner generally booked these flights to Toronto (and other air travel) at the last minute. Thus, he did not take advantage of discounts for advance booking.
The hospitality policy was ignored
149. Hospitality in the federal government is the provision of refreshments, meals, and sometimes entertainment to guests of government departments or agencies. The Treasury Board's policy on hospitality is intended to ensure that hospitality is extended in an economical, consistent, and appropriate way when it will facilitate government business. Hospitality may also be extended as a courtesy or offered to employees who participate in work sessions extending over meal hours or beyond normal working hours. It should not be provided during meetings of colleagues working closely together on a regular basis.
150. The former Commissioner and certain of his senior executives regularly disregarded the hospitality policy in deciding to whom they would extend hospitality. We were told that the former Commissioner had been advised by some of his senior executives that extending hospitality repeatedly to OPC executives ran counter to the spirit of the policy.
151. Of the hospitality claims with sufficient information, we determined that a large number related to lunches and dinners at restaurants with the former Commissioner and his Senior Director General or his Chief of Staff—about 47 percent of these claims in 2001-02, amounting to $3,900; and 33 percent in 2002-03, amounting to $3,200. We found no records documenting how these expenditures had contributed to the achievement of OPC objectives. We also noted that over the two years, about 50 percent of the hospitality claims we reviewed were for hospitality extended to OPC executives and other employees. The former Commissioner approved almost all the hospitality claims (Exhibit 10).
152. Treasury Board policy sets the average hospitality rate for a lunch at twice the basic meal allowance, and in exceptional circumstances the rate is up to three and a half times the basic meal allowance. Our analysis determined that over the two years analyzed, OPC hospitality claims exceeded the Treasury Board's average rate 85 percent of the time and exceeded the exceptional circumstance rate 48 percent of the time.
153. Some senior executives told us they had advised the former Commissioner that these frequent hospitality lunches with senior OPC executives did not appear to be appropriate. However, they had also advised him that he had discretion in extending hospitality; the former Commissioner confirmed that he had received this advice.
154. In our opinion, the former Commissioner failed to exercise sound and reasonable judgment in using his discretion to override the policy on hospitality. We believe that this behaviour did not demonstrate appropriate prudence.
Value for money spent on hospitality was questionable
155. The Standing Committee asked us to look at "whether bills in the hundreds of dollars for lunches are acceptable from a value-for-money point of view."
156. Our audit of the records revealed questionable value received for money spent at any of the lunch and dinner meetings of the former Commissioner, the Senior Director General, and the Chief of Staff. We found no documentation of any decisions flowing from these meetings or any contribution to the achievement of OPC objectives.
157. We examined the daily agendas of these three senior executives and found that, according to their agendas, ample time had been available for executive meetings during regular business hours. Accordingly, we could find no apparent justification for the frequent meetings held by these three individuals over lunch and dinner.
An absence of financial controls over spending on travel and hospitality
158. Because financial management practices of the Office of the Privacy Commissioner had broken down, spending by the former Commissioner and his Senior Director General on travel and hospitality was not reviewed properly. The former Commissioner approved his own travel claims—an inappropriate practice; a senior executive should have approved the travel and hospitality expenditures.
159. Claims submitted by the former Commissioner and the Senior Director General were almost always processed and reimbursed as filed. We found that as a result, ineligible expenditures and double claims for meals and air travel were reimbursed. Staff told us that they had been intimidated and would not question anything the former Commissioner might submit or approve.
160. Further, we observed that on at least 15 occasions, the former Commissioner submitted supplementary claims for additional amounts to be reimbursed as hospitality and travel expenses. These supplementary claims were submitted from months to more than a year after the expenses were incurred. They were supported only by copies of the former Commissioner's monthly credit card statements, information that was insufficient support.
161. We analyzed the expenditures identified as hospitality on two of the largest supplementary claims. The first supplementary claim was a memo in November 2001 relating to expenditures of about $5,500 dating back to March 2001. The memo asked for reimbursement of about $2,900 for 34 expenditures identified as hospitality and about $2,600 for 13 expenditures identified as travel.
162. The second supplementary claim was a memo in May 2002 asking for reimbursement of about $4,600 covering expenditures going back to December 2000—about $3,900 for 37 expenditures identified as hospitality and about $700 for 12 expenditures identified as travel.
163. No details were provided about who received the hospitality set out in these claims or what business took place. We reviewed the former Commissioner's agendas to determine whether any OPC business might have been undertaken over lunch and dinner on the dates in question. We found no evidence of any business conducted on 59 occasions with expenditures amounting to over $6,000; 26 of the occasions were in Toronto while the former Commissioner was at home. In our opinion, in the absence of any ev idence that these hospitality expenditures facilitated government business, they should not have been reimbursed and the funds should therefore be recovered.
Abuse of discretion
164. In our view, the former Commissioner consistently ignored the Treasury Board policies and guidelines on travel and hospitality and did not follow them. He spent funds unreasonably and extravagantly, without regard to prudence and probity. We believe that the former Commissioner's spending on travel and hospitality was not in keeping with the responsibility of public office holders to exercise reasonable and sound judgment and to conduct themselves in a manner that can bear the closest public scrutiny.
165. Weaknesses in the management of contracting further illustrate the breakdown in the management control framework of the Office of the Privacy Commissioner. We assessed whether contracts had been awarded and administered in accordance with the Financial Administration Act and government contracting regulations and policies and with appropriate prudence and probity.
166. Contracting in any department or agency is governed by two fundamental principles: open competition and value for money. Our audit found that contracting at the Office of the Privacy Commissioner circumvented these two principles and government contracting regulations.
Sole-source contracting avoided competition
167. Sole-source contracting is the awarding of a contract without competition. Sole-source contracts are permissible up to a value of $25,000, including taxes. Other circumstances that may allow the use of sole-source contracts are set out in Exhibit 11. However, under most circumstances, standard contracting procedures call for soliciting bids from potential suppliers to help ensure that an organization gets good value from its contracting activities. Our audit focussed on contracts for professional services.
168. We found it difficult to select a sample of contracts for testing, because the Office of the Privacy Commissioner could not provide a list of all contracts it had awarded over the last three years. However, we did examine 78 contracts and memoranda of understanding with a total value of about $2 million that had been awarded without competition. Many of these were subsequently amended for amounts well over $25,000—the maximum amount allowed for a sole-source contract—particularly contracts for personal services.
169. In the contract files we examined, we found several instances of sole-source contracting and splitting of contracts that resulted in the avoidance of competition. Specifically, we found that the OPC had awarded virtually all professional services contracts on a sole-source basis, with 50 percent issued for $25,000.
170. We also found that the Office of the Privacy Commissioner had contracted through companies and a government agency to obtain the long-term services of particular people. Some people had worked almost full-time for the OPC under contract either as a preliminary step to being hired or to perform certain work until the OPC could hire someone else (Exhibit 12). We note that such contracting arrangements contravene Treasury Board contract regulations.
Contract management controls lacked rigour
171. We found that contract management was weak and that the controls over contracting activities were either ineffective or non-existent. Good management of contracts is important to ensure that they meet the basic requirements of the government's contracting policies. Essentially, these policies were designed to help ensure that contracts provide the goods and services that the government needs and at an appropriate price.
172. We found that the Office of the Privacy Commissioner had no formal procedures for controlling contracts. Responsibility for negotiating, signing, and monitoring contracts had not been clearly defined. Segregation of duties was lacking: the same person would negotiate and sign a contract, amend it if cost overruns occurred, and certify that the contractor had delivered what was promised. Based on this certification, the invoices were processed for payment. We noted instances in which staff had signed contracts on behalf of the Privacy Commissioner even though they had not been delegated the authority to do so. In other cases, payments had exceeded the limits of the contract without amendments to the contract having been issued. This calls into question the Commission's financial controls over commitments.
173. For example, legal firms retained were hired on the basis of a letter rather than a standard contract. The letters did not clarify key items such as limits on the fees to be charged, hourly rates for the firm's staff at senior and junior levels, or what specific work the firm would do. In some cases, invoices included disbursements for travel expenditures; however, receipts for such disbursements were not provided to the OPC.
174. We also noted that the former Commissioner's Chief of Staff signed some invoices, even though he lacked the delegated authority to sign under section 34 of the Financial Administration Act. We were not able to determine what procedures he used to ensure that the services provided were those that the OPC had requested.
175. The OPC did establish a Contract Review Checklist to be completed for all contracts. This checklist was meant to ensure, among other things, that contracts were legal, security clearances were adequate, and funds were available and committed. We found that the usefulness of this checklist was questionable, however, since it was usually completed after the contract had been signed—sometimes months afterward, and in some cases after the contracted work had been completed. The effect of this weakness was that often commitments were recorded in financial systems after the work was completed. This in part contributed to the OPC's overspending of its Vote.
176. We also found that due to the absence of formal procedures, no one at the Office of the Privacy Commissioner was aware of all the contracts that had been issued or of subsequent amendments to them. The contracting officer, who also had other administrative responsibilities, did not receive copies of all contracts and amendments. This made it impossible for the OPC to provide the Treasury Board Secretariat with the accurate number, type, and value of contracts and amendments issued—yearly reporting required of all departments and agencies for accountability purposes.
Value received for money spent on some contracts cannot be determined
177. Given that basic contract-management practices were largely absent at the Office of the Privacy Commissioner, it was not always clear whether it received good value from its contracts. In some cases, employees who had the delegated authority under section 34 of the Financial Administration Act were unable to provide evidence that the supplier had delivered the product under terms of the contract.
178. Contracts for translation services also raised questions of value for money. Before the former Commissioner was appointed, the OPC had been using the government's Translation Bureau. However, after the former Commissioner took office, the OPC started using private sector translation firms. We were told that this change was made because the former Commissioner required a quick turnaround.
179. During fiscal year 2002-03, the OPC had six active translation contracts of $25,000 each with six different firms. These contracts had all been awarded on a sole-source basis; one of these was subsequently amended to add another $25,000. Two contracts were increased by $50,000. None of these contracts specified the various rates the translators would charge per word for normal, rush, and weekend work. Without this information, it is difficult to determine whether the rates that the firms charged were reasonable and represented good value.
180. Staff of the Office of the Privacy Commissioner told us that the organization realized it was spending large sums on translation. Accordingly, it decided to get competitive bids for future translation services. In the meantime, it has reverted to using the Translation Bureau to meet its needs.
Governance arrangements and the role of central agencies
Role of central agencies is to ensure compliance with legislation and policies
181. As central agencies, the Treasury Board Secretariat and the Public Service Commission have a responsibility to ensure that government departments and agencies adhere to the legislative and policy framework established by central agencies on behalf of the government.
182. Central agencies have taken a lesser role in overseeing servants of Parliament, who are accorded more independence from the executive branch of government as they carry out their work for Parliament. Nevertheless, if central agencies become aware of wrongdoing by parliamentary officers, they are obliged to take corrective action.
183. We found that central agencies knew about the problems in the Office of the Privacy Commissioner but generally failed to act on that knowledge. For example, as noted in paragraphs 48 to 64, the Public Service Commission did not act decisively on known and serious breaches of policies governing the staffing of human resources. Nor did it withdraw the staffing authority that had been delegated to the Privacy Commissioner until after the former Privacy Commissioner had resigned from office. And the Treasury Board Secretariat did not act when all senior executives received a performance rating indicating that they had "surpassed" expectations and were given higher performance awards than suggested in the guidelines.
184. Similarly, the Treasury Board Secretariat did not act decisively on weaknesses it knew about in the financial management capabilities of the Office of the Privacy Commissioner. We have been told that late in the fall of 2002, the Secretariat was advised that the OPC would likely exceed its approved funding levels. While the Secretariat did provide it with $73,000 from the Vote 5 operating reserve for additional personnel costs, it did not insist on any action to correct the obvious weaknesses it was aware of in financial management and administrative capabilities. Even with the infusion of additional funds, the Office of the Privacy Commissioner still exceeded its appropriation.
Whistleblowing mechanisms are perceived as ineffective or non-existent
185. A key function of central agencies is to provide a means for public servants to report wrongdoing. Mechanisms that serve the purpose include section 80 of the Financial Administration Act, which requires that public servants report financial wrongdoing or mismanagement to a superior officer. Another is the government's Policy on the Internal Disclosure of Information Concerning Wrongdoing. The policy defines wrongdoing as any act or omission concerning a violation of a law or regulation; misuse of public funds or assets; gross mismanagement; or a substantial or specific danger to the life, health, and safety of Canadians or the environment. The policy requires departments to designate a senior officer to be responsible for the policy and recommends that the employees report wrongdoing internally to this senior officer. At the OPC, the designated officer was the Executive Director.
186. If a federal employee believes that an issue cannot be disclosed within his or her department, or if it has been raised but not addressed appropriately, the employee can report it to the Public Service Integrity Officer.
187. We found that employees at the Office of the Privacy Commissioner perceived the avenues for reporting wrongdoing or financial mismanagement as generally ineffective, offering little or no protection to staff who might notify a superior officer or the Public Service Integrity Officer.
188. Many employees told us that the Public Service Integrity Officer's role is not working as expected and the position lacks the necessary clout. We also found that many employees of the OPC were unaware that the position of Public Service Integrity Officer even existed.
Privy Council Office and the appointment process
189. All organizations have an established culture and set of rules or guidelines within which their employees must operate. The Government of Canada is no exception. The orientation and introduction that new employees or appointees receive are a critical step in ensuring good governance and helping them adapt to the organizational culture and understand the norms of expected behaviour. We found that the former Commissioner had been given little or no orientation to the public service culture beyond the provision of two information booklets—"A Guide Book for Heads of Agencies—Operations, Structures and Responsibilities in the Federal Government" and "Terms and Conditions of Employment for Full Time Governor-in-Council Appointees."
190. In addition, we were unable to find any evidence that an oath of office was administered to the former Commissioner.
191. The many problems we observed at the Office of the Privacy Commissioner can be attributed to the absence of sound management controls and practices. We found that even the most basic management principles had broken down, allowing the former Privacy Commissioner and some of his senior executives to benefit personally from bending or breaking the rules. They failed to manage public money prudently and to properly account for its use.
192. The breaches of policy were evident in the large salary increases and unsupported performance awards for executives. Others, particularly the former Privacy Commissioner and the Senior Director General, enjoyed costly travel and hospitality at public expense. The violation of policies also opened the door to favouritism in hiring and promoting staff. Further, numerous contracts were awarded without competition and then amended to increase their size substantially, contrary to contracting rules and principles.
193. Indeed, our audit identified many examples of wrongdoing and a failure to follow federal laws and Treasury Board policies, leading us to ask how and why this occurred at the Office of the Privacy Commissioner and why it continued unchecked for so long. The answers are clear from our audit findings. First, the former Commissioner did not fulfil a key obligation as Deputy Head of the organization: he failed to ensure that his office was—at a minimum—managed reasonably well. Second, the OPC's senior executives failed to fulfil their management obligations. Some turned a blind eye to obvious wrongdoing. Finally, the Treasury Board Secretariat and the Public Service Commission failed to respond decisively when they became aware of problems in the Office of the Privacy Commissioner.
194. Regardless of why the situation arose, it persisted at a significant human cost. Many employees complained of stress, abuse, and intimidation. The financial cost was also high: the organization spent a large amount of its discretionary resources on items and activities that appear to have contributed little to protecting the privacy rights of Canadians. One such item was the former Commissioner's travel and hospitality budget. Money earmarked for areas such as research, investigative work, and privacy impact assessments were reduced, but at the same time, expenditures by the former Commissioner for travel continued to grow. We found little evidence that the organization or the Canadian taxpayer benefited from this travel.
195. We have concluded that the behaviour of the former Privacy Commissioner and many of his executive team was not conducive to promoting a sustainable, supportive workplace, as called for in the Treasury Board Secretariat's Human Resources Management Framework.
196. Small agencies such as the Office of the Privacy Commissioner represent relatively small amounts of money compared with large government departments. However, as our audit has shown, a poorly managed small agency can entail important, non-financial consequences. The most obvious one in the present case has been the damage to the organization's credibility with Parliament and the Canadian public. There is a pressing need to restore confidence in this organization, given its importance in protecting the privacy rights of Canadians.
197. Under section 10 of the Auditor General Act and section 80 of the Financial Administration Act, we have reported to the President of the Treasury Board and the Interim Privacy Commissioner instances that, in our opinion, involve public money improperly retained by individuals. Under section 12 of the Auditor General Act, we have advised senior government officials.
198. We have made a number of recommendations intended to ensure that
- the problems at the Office of the Privacy Commissioner are addressed;
- strong actions are taken to ensure that those who benefited from the abuse of the public treasury make full restitution;
- the governance mechanisms of central agencies are applied to prevent abuse and wrongdoing from occurring; and
- central agencies act decisively to correct problems as they arise.
Office of the Privacy Commissioner
199. Recommendation. The Office of the Privacy Commissioner should take immediate steps to acquire and maintain effective management capabilities in the key areas of financial management, human resources management, and contracting.
200. Recommendation. The Office of the Privacy Commissioner should take immediate steps to establish an effective management control framework to ensure that proper books and records are maintained and that all transactions are conducted in accordance with the requirements of the Financial Administration Act, Treasury Board policies, Receiver General directives, and all other applicable regulatory authorities.
201. Recommendation. The Office of the Privacy Commissioner should establish management oversight mechanisms for monitoring the effectiveness of its management control framework and taking corrective action where needed.
202. Recommendation. The Office of the Privacy Commissioner should seek the Treasury Board Secretariat's advice on the actions needed to correct classification decisions that were not made in accordance with the government's classification policies.
203. Recommendation. The Office of the Privacy Commissioner should consult with the Treasury Board Secretariat and the Public Service Commission on what steps are needed to correct inappropriate staffing actions arising from incorrect classification decisions.
204. Recommendation. The Privacy Commissioner, in concert with the President of the Treasury Board, should act immediately to recover all money that was improperly paid. This includes improper cash-outs of vacation leave, performance awards paid improperly, improper payments upon retirement, ineligible travel and hospitality expenditures, and advances paid improperly.
205. Recommendation. The Office of the Privacy Commissioner should provide the Canada Customs and Revenue Agency with the information needed to review relevant transactions and ensure the proper reporting of taxable benefits.
206. Recommendation. The Office of the Privacy Commissioner should establish a proper union-management consultation committee and enable the existing health and safety committee to do its job.
Response of the Interim Privacy Commissioner. The Interim Privacy Commissioner (OPC) fully acknowledges the importance of the Auditor General's findings, conclusions, and recommendations, which clearly reveal a major breakdown of external governance and internal control processes. While he bears no accountability or responsibility, he recognizes that the state of the financial and human resources management practices must be completely reformed. Serious allegations of misuse and abuse of public funds will require further probing by regulatory and law enforcement agencies. The OPC staff, who have remained loyal to public service values and have been effective throughout this period, are profoundly distraught by the situation. The Interim Privacy Commissioner intends to act decisively on these issues and, when and where possible, to seek redress based on further consultation with the Office of the Auditor General, the Treasury Board Secretariat, and the Public Service Commission. A key priority for the OPC will be to develop the institutional safeguards to prevent a leadership and management deficit of such magnitude from occurring again in the future.
The Interim Privacy Commissioner has adopted a principled approach in responding to this audit. Six guiding principles will direct action and decision-making:
- Rebuild and regain the confidence of the Parliament of Canada and Canadians and reflect the need to have a national institution responsible for defending and protecting privacy rights in Canada.
- Maintain and develop a strong operational capacity to ensure that the OPC continues to deliver on its legislative mandate, especially as it relates to the provisions of the Personal Information Protection and Electronic Documents Act that will come into force on 1 January 2004 regarding private sector privacy practices. Private sector firms will need help from the OPC to understand their obligations and responsibilities under the new law. Citizens also will need to be made aware of their rights and duties under the new law.
- Integrate the OPC's response to the audits of OPC business by the Auditor General and the Public Service Commission, in a manner that is consistent with the principles of modern comptrollership in developing a feasible, comprehensive and fiscally responsible action plan. The implementation plan will be guided and reviewed by an external governance advisory body.
- Restore the overall well-being of the OPC's workplace by improving management practices, encouraging innovation, and engaging employees and their union representatives in rebuilding this vital institution.
- Sustain a process of organizational learning aimed at all levels of employees to ensure that the lessons learned will be shared and that the developmental needs of individuals will be met and will dovetail with the operational needs of OPC.
- Make it the primary objective of the renewed management team to ensure ethics and values and a harassment-free work environment.
Prior to this report, the Interim Privacy Commissioner took early action to strengthen the management and financial framework of the OPC. The Interim Privacy Commissioner arrived on 2 July 2003 and immediately took steps to secure financial controls by retaining contracted financial expertise for the duration of the audit. Expertise in human resources was also retained. The recent Governor-in-Council appointments of two Assistant Privacy Commissioners, responsible for ensuring compliance with privacy laws and each assuming horizontal management of key management functions, will guarantee ethical decision-making and values-based management but also ensure harmonization in policy insights and legislative perspectives.
More measures are also being contemplated and/or introduced at the moment of publication of this report. These include, but are not limited to the following:
- Responding to a Treasury-Board-funded study of perceptions and attitudes related to the implementation of the spirit and letter of the Policy on the Internal Disclosure of Information Concerning Wrongdoing in the Workplace.
- Appointing a Senior Officer for external disclosure who would operate in conformity with the current Policy on the Internal Disclosure of Information Concerning Wrongdoing in the Workplace.
- Hiring, under an institutional memorandum of understanding, an external audit team to develop a risk-management-based audit plan and initiate its implementation in early 2004-05.
- Creating an independent external advisory board to address the governance challenges of the OPC and provide advice on strategy and vision.
- Developing and implementing a strategy to recover public funds and assets that may have wrongly been appropriated by past and current OPC employees.
- Completing a control self-assessment carried out by an independent audit team to ascertain the modern comptrollership capacity at the OPC as it currently stands.
- Taking legally founded action to remediate staffing, classification, and compensation/remuneration actions that have been judged unjustified by auditors from the Office of the Auditor General and the Public Service Commission.
- Developing, with an appropriate education institution, a comprehensive learning strategy to support executive leadership, staff training, and organizational learning.
The Interim Privacy Commissioner wishes to thank the OPC staff who have offered their full participation to the audit teams, despite the fact that many experienced personal and professional hardships under the previous regime. Their journey will not be in vain.
The Interim Privacy Commissioner has been impressed by the commitment of the Office's staff and looks forward to continuing to work with them as we rebuild this institution that is vital to our Canadian democracy.
Treasury Board Secretariat
207. Recommendation. The President of the Treasury Board and the Interim Privacy Commissioner should submit to Parliament a report that sets out the actions that will be taken to identify the full amounts of money improperly retained, the steps that will be taken to ensure complete restitution, and the timeframe within which this will be done.
Treasury Board Secretariat's response. Agreed. The President and the Interim Privacy Commissioner will table a report before the end of October outlining actions to be taken. In this regard, it will be necessary to review with the Office of the Auditor General the specific findings of its audit. Once these actions are completed, a final report will be provided to Parliament.
208. Recommendation. The Treasury Board Secretariat should review all performance awards given to executives at the Office of the Privacy Commissioner on a case-by-case basis to determine what should be recovered.
Treasury Board Secretariat's response. Agreed. All awards for performance for executives at the Office of the Privacy Commissioner will be reviewed on a case-by-case basis and recovery action taken if appropriate.
209. Recommendation. The Treasury Board Secretariat should revoke the Privacy Commissioner's authority to award performance pay until it is satisfied that the Office of the Privacy Commissioner is complying with the policy on executive compensation.
Treasury Board Secretariat's response. The Office of the Privacy Commissioner will be required to secure the agreement of the Treasury Board Secretariat that it is fully complying with the requirements of the Performance Management Program for Executives before any performance-related payments are made, until the Secretariat is confident that the program is well-administered.
Public Service Commission
210. Recommendation. The Public Service Commission should review all staffing decisions made at the Office of the Privacy Commissioner between September 2000 and June 2003 and should correct faulty decisions where necessary.
Public Service Commission's response. The Public Service Commission (PSC) agrees with the recommendation. It has reviewed all staffing files for this period in the course of its audit of the Office of the Privacy Commissioner. Beyond this, it will investigate all allegations concerning fraud under section 42 of the Public Service Employment Act (PSEA), as well as a number of allegations concerning improper staffing practices and individual transactions, pursuant to section 7.1 of the PSEA, and will take or order the deputy head to take appropriate corrective measures.
When warranted, the PSC will establish boards of inquiry to determine if appointments are to be revoked and if a board so decides, it will recommend such revocations to the PSC pursuant to subsection 6(2) of the PSEA.
At this time, the PSC expects to open eight investigation files. After reviewing the Auditor General's report and/or obtaining further information or analysis, the PSC may determine that further investigations are required.
With regard to the comments concerning the PSC's oversight of the OPC, it should also be noted that in 1999, the PSC progressively began to put in place a new oversight program in line with the Modern Comptrollership initiative and to accommodate the resource reductions it had incurred during Program Review. The program consisted of several components: Staffing Delegation and Accountability Agreements with all Deputy Heads; thematic studies; evaluations; surveys of staffing transactions; and only a limited capacity for audit. These agreements with deputy heads require self-assessment on the part of departments and agencies and subsequent assessment by the PSC of their staffing performance reports. The PSC oversight program relied on deputy heads taking action to follow up on concerns brought to their attention, with direct PSC intervention as a last resort.
The PSC has already taken steps to strengthen its oversight program. The accountability process has been modified to ensure a more timely and complete assessment of selected departments and agencies. The PSC will also go on-site to conduct interviews and review pertinent information to ensure a complete assessment. Furthermore, the PSC has developed a departmental observation system through its regional offices to gather and analyze staffing issues. As well, the PSC is rebuilding its audit capacity as resources become available, to ensure that it can respond with an audit quickly when deficiencies in departments have been identified.
Privy Council Office
211. Recommendation. The Privy Council Office should ensure that Governor-in-Council appointees are appropriately briefed on the government's control framework and its legislative and policy framework and on the standards of conduct expected of them.
Privy Council Office's response. Since the autumn of 2002, the Privy Council has been arranging customized orientation sessions for new heads of agencies and Crown corporations. A letter is sent to each new agency and Crown corporation head inviting them to register for a number of essential and some optional sessions.
The essential sessions for heads of agencies are currently the following:
- Role of Agency in Relation to the Responsible Minister
- Responsibility and Accountability of Heads of Agencies
- Modern Comptrollership
- Staffing and Recruitment (for organizations subject to the Public Service Employment Act)
- Official Languages
- Performance Management Program
The optional sessions are the following:
- How Government Operates
- Business Planning and Expenditure Management
- Performance Measurement and Reporting to Parliament
- Human Resources Management
- Legislative Process
- Access to Information Act and Privacy Act (for organizations subject to these Acts)
- Regulatory Process
- Governor-in-Council Appointments
Heads of federal agencies, as full-time Governor-in-Council appointees, must as a condition of employment comply with the provisions of the Conflict of Interest and Post-Employment Code for Public Office Holders. The Code sets out principles by which public office holders are required to carry out their duties and responsibilities—in particular, principles 3(1) and 3(2) of the Code:
3(1) Public office holders shall act with honesty and uphold the highest ethical standards so that public confidence and trust in the integrity, objectivity and impartiality of government are conserved and enhanced.
3(2) Public office holders have an obligation to perform their official duties and arrange their private affairs in a manner that will bear the closest public scrutiny, an obligation that is not fully discharged by simply acting within the law.
Following appointment, the head of an agency must disclose confidentially to the Ethics Counsellor detailed and personal information regarding his or her assets, liabilities, and outside activities. Once this confidential disclosure is received by the Office of the Ethics Counsellor, one-on-one discussions ensue between the Head of Agency and an advisor of the Office of the Ethics Counsellor; this ensures a complete and full disclosure of all of the private interests of the individual. The Head of Agency is then provided with a detailed and personal letter advising him or her what measures are necessary in order to comply with the provisions of the Conflict of Interest and Post-Employment Code.
This proactive relationship with heads of agencies ensures that they appreciate first-hand how the values and ethics of the federal government uniquely and particularly apply to their personal situation. It is through this unique process of one-on-one contact with the advisors of the Office of the Ethics Counsellor that the heads of agencies personally appreciate the implications of the federal government's values and ethics in the discharge of their mandates and those of their agencies.
About the Audit
Human resources management. Our objective was to assess the extent to which the human resources management policies and practices respected the values and desired outcomes set out in the Treasury Board Secretariat's Human Resources Management Framework and complied with the Public Service Employment Act and the Public Service Staff Relations Act.
Financial management. An objective of our audit was to determine whether the Office of the Privacy Commissioner had appropriate financial management controls in place and was monitoring their effectiveness. We looked at whether it was managing its resources with prudence and probity and due regard to economy, efficiency, and effectiveness. We also looked at whether it accounted properly for its use of resources.
We used the criteria set out in our Office's Financial Management Capability Model which provides a framework to identify and analyze key financial controls and assess their application and effectiveness in the Office of the Privacy Commissioner.
Travel and hospitality. We examined spending on travel, hospitality, and other costs reimbursed to the former Privacy Commissioner and other senior executives to determine whether they were in accordance with the Financial Administration Act and with Treasury Board regulations and policies and those of the Office of the Privacy Commissioner. We also set out to determine whether spending on travel and hospitality was reasonable, adequately controlled, and managed with prudence and probity.
We examined cash advances to determine whether they complied with relevant policies, were accounted for properly, and were handled with prudence and probity.
We sought to identify, examine, and report any cases of suspected wrongdoing related to travel, hospitality, human resources management, contracting, and other financial matters.
Contracting. Our objective was to assess whether contracts issued over the past three years were awarded and administered with appropriate prudence and probity and in accordance with the Financial Administration Act and government contracting regulations and policies. We looked at the practices and procedures for
- selecting and awarding contracts;
- managing and administering contracts; and
- reviewing and approving goods and/or services delivered under the terms of the contracts.
Our audit included the tests and other audit procedures that we determined were appropriate to the scope of our work. We reviewed a sample of human resources files, contracts, travel and hospitality claims, and other financial records of the Office of the Privacy Commissioner. We interviewed the former Commissioner, executives, and key personnel of the OPC, including personnel who had left the organization. Our audit did not include assessing program delivery or the results of day-to-day operations.
This report is tabled pursuant to section 8(1) of the Auditor General Act. The review was conducted under sections 7 and 13 of the Auditor General Act.
Assistant Auditor General: Hugh A. McRoberts
Principals: Bruce Sloan (Lead), Kathryn Elliott, Neil Papineau,
Directors: Christian Asselin, Greg Boyd, Claude Brunette, Frank Cotroneo, Ronald Oswald, Gaëtan Poitras
For information, please contact Communications at (613) 995-3708 or