Annual Report to Parliament on the Administration of the Privacy Act 2017–2018

Table of Contents

Introduction
Purpose of the Privacy Act
Mandate of the Department of Finance Canada
Administration of the Privacy Act

Information Holdings
Interpretation of Statistical Report (Annex A)

Appeals to the Federal Court of Canada
Monitoring Compliance
Material Privacy Breaches
Disclosures Pursuant to Paragraph 8(2)(m)
Annex A  - Statistical Report on Privacy Act Requests

Introduction

The Annual Report to Parliament on the Administration of the Privacy Act (the Act) within the Department of Finance Canada (the 'Department') is prepared and tabled in Parliament in accordance with section 72 of the Act and covers the period from April 1, 2017 to March 31, 2018.

Purpose of the Privacy Act

The Act came into force on July 1, 1983. Its purpose is to protect the privacy of individuals with respect to personal information about themselves held by federal government institutions. It also provides Canadian citizens, permanent residents, and individuals present in Canada a right of access to their personal information.

The Department recognizes that the right of access to personal information is an essential element of our system of democracy. It is committed to openness and transparency, respecting both the spirit and the requirements of the Act, its regulations and related policy instruments. The Department further acknowledges the importance of facilitating access to information by requiring that its employees make every reasonable effort to assist applicants.

Mandate of the Department of Finance Canada

The Department helps the Government of Canada develop and implement strong and sustainable economic, fiscal, tax, social, security, international and financial sector policies and programs. It plays an important central agency role, working with other departments to ensure that the government's agenda is carried out and that ministers are supported with high-quality analysis and advice.

The Department's responsibilities include:

  • preparing the federal Budget and the Update of Economic and Fiscal Projections;
  • preparing the Annual Financial Report of the Government of Canada and, in cooperation with the Treasury Board of Canada Secretariat and the Receiver General for Canada, the Public Accounts of Canada;
  • developing tax and tariff policy and legislation;
  • managing federal borrowing on financial markets;
  • designing and administering major transfers of federal funds to the provinces and territories;
  • developing financial sector policy and legislation; and
  • representing Canada in various international financial institutions and groups.

The Minister of Finance is accountable for ensuring that his responsibilities are fulfilled both within his portfolio and with respect to the authorities assigned through legislation. In particular, the Minister has direct responsibility for a number of acts as well as fiscal and tax policy relating to other acts that are under the responsibility of other ministers.

Administration of the Privacy Act

Access to Information and Privacy Division

The Access to Information and Privacy (ATIP) Division is part of the Communications Policy Division, Consultations and Communications Branch. The ATIP Division is responsible for administering the Access to Information Act and the Privacy Act for the Department. As a centralized operation, the ATIP Division coordinates the timely processing of requests under the legislation, handles complaints lodged with the Privacy Commissioner, and responds to informal inquiries. Division staff also provides guidance to departmental officials on matters involving the Act. Within the ATIP Division, 16 employees were dedicated on a full-time basis to the administration of the Access to Information Act and the Privacy Act along with related functions. The ATIP Division comprises a director, supported by two team leaders, ten ATIP analysts and three administrative assistants.

Principles on Assistance to Applicants

With the passing of the Federal Accountability Act, section 4(2.1) was added to the Access to Information Act:

"The head of a government institution shall, without regard to the identity of a person making a request for access to a record under the control of the institution, make every reasonable effort to assist the person in connection with the request, respond to the request accurately and completely and, subject to the regulations, provide timely access to the record in the format requested."

While a similar provision was not included in the Privacy Act, the Department is nonetheless committed to both the spirit and intent of these principles and to the Directive on Privacy Requests and Correction of Personal Information with respect to their application when processing Privacy Act requests.

Educational and Training Activities

This year, the ATIP Division participated in two departmental Orientation Sessions. These are provided to employees who are new to the Department as a means to introduce them to the activities of each Branch. It provided information about the ATIP Division, the Act, and information management practices to 47 new employees.

Five other training sessions were given to 151 departmental employees within various branches of the Department. Some of the training was delivered using the Canada School of Public Service on-line ATIP training module to ensure that it is consistent with the whole of government approach. Other specific training included information sessions on the Privacy Act. This included awareness on the Guidelines for Privacy Breaches and Directive on Privacy Impact Assessment.

Ad hoc training on a variety of subjects was also provided as needed to individuals throughout the Department including to new ATIP branch contacts. 

Policies, Guidelines, Procedures and Initiatives

To ensure policy compliance and adherence to procedures for appropriate handling and preparation of responses to ATIP requests, the ATIP Division continued to update tools used by staff both in the ATIP Division and across the Department and held face-to-face meetings with new staff and contacts. Both tools and meetings were instrumental in ensuring that the Department's employees are aware of their roles and responsibilities related to access to information and privacy requests.

Delegation of Authority

The delegation of authority approved on December 1, 2015 provides the authority to approve or deny the release of information under the Act is shared by the Deputy Minister, the Associate Deputy Ministers, the Assistant Deputy Ministers of Consultations and Communications Branch and Corporate Services Branch, the Senior Director, Communications Policy Division, the ATIP Director, ATIP Team Leaders and Senior ATIP analysts to sign off on more administrative matters. The ATIP Director normally performs the function, with the exception of disclosures pursuant to paragraph 8(2)(e) of the Act, which are usually handled by the Assistant Deputy Minister of the Corporate Services Branch.

Privacy Act Designation Order

 

Schedule 1
Designation Order—Privacy Act
  Section Deputy Minister Associate Deputy Minister Associate Deputy Minister and G7 Deputy for Canada Assistant Deputy Minister Consultations and Communications Branch Assistant Deputy Minister Corporate Services Branch     Senior Director, Communications Policy Director, ATIP ATIP Team Leaders, Senior ATIP Analysts
Powers, duties, or functions
Disclosure for research purposes 8(2)(j) Yes Yes Yes Yes No Yes No
Disclosure in the public interest or in the interest of the individual 8(2)(m) Yes Yes Yes Yes No Yes No
Copies of requests under 8(2)(e) to be retained 8(4) Yes Yes Yes Yes Yes Yes Yes
Notice of disclosure under 8(2)(m) 8(5) Yes Yes Yes Yes No Yes No
Record of disclosures to be retained 9(1) Yes Yes Yes Yes No Yes Yes
Consistent uses 9(4) Yes Yes Yes Yes No Yes Yes
Personal information to be included in personal information banks 10 Yes Yes Yes Yes No Yes Yes
Notice where access requested 14 Yes Yes Yes Yes No Yes No
Extension of time limits 15 Yes Yes Yes Yes No Yes Yes
Language of access 17(2)(b) Yes Yes Yes Yes No Yes Yes
Access to personal information in alternative format 17(3)(b) Yes Yes Yes Yes No Yes Yes
Exemption (exempt bank) - Disclosure may be refused 18(2) Yes Yes Yes Yes No Yes No
Exemption - Personal information obtained in confidence 19(1) Yes Yes Yes Yes No Yes No
Where authorized to disclose 19(2) Yes Yes Yes Yes No Yes No
Exemption - Federal-provincial affairs 20 Yes Yes Yes Yes No Yes No
Exemption - International affairs and defence 21 Yes Yes Yes Yes No Yes No
Exemption - Law enforcement and investigation 22 Yes Yes Yes Yes No Yes No
Exemption - Public Servants Disclosure Protection Act 22.3 Yes Yes Yes Yes No Yes No
Exemption - Security clearances 23 Yes Yes Yes Yes No Yes No
Exemption - Individuals sentenced for an offence 24 Yes Yes Yes Yes No Yes No
Exemption - Safety of individuals 25 Yes Yes Yes Yes No Yes No
Exemption - Information about another individual 26 Yes Yes Yes Yes No Yes No
Exemption - Solicitor-client privilege 27 Yes Yes Yes Yes No Yes No
Exemption - Medical record 28 Yes Yes Yes Yes No Yes No
Notice of intention to investigate 31 Yes Yes Yes Yes No Yes No
Right to make representation 33(2) Yes Yes Yes Yes No Yes Yes
Findings and recommendations of Privacy Commissioner (complaints) 35(1) Yes Yes Yes Yes No Yes Yes
Access to be given 35(4) Yes Yes Yes Yes No Yes No
Report of findings and recommendations (exempt banks) 36(3) Yes Yes Yes Yes No Yes Yes
Report of findings and recommendations (compliance review) 37(3) Yes Yes Yes Yes No Yes Yes
Special rules for hearings 51(2)(b) Yes Yes Yes Yes No Yes Yes
Ex parte representations 51(3) Yes Yes Yes Yes No Yes Yes
Report to Parliament 72(1) Yes Yes Yes Yes No Yes Yes
                 
Privacy Regulations                  
Reasonable facilities and time provided to examine personal information 9 Yes Yes Yes Yes No Yes Yes
Notification that correction to personal information has been made 11(2) Yes Yes Yes Yes No Yes Yes
Notification that correction to personal information has been refused 11(4)  Yes Yes Yes Yes No Yes Yes
Disclosure of personal information relating to physical or mental health may be made to a qualified medical practitioner or psychologist for an opinion on whether to release information to the requestor 13(1) Yes Yes Yes Yes No Yes No
Disclosure of personal information relating to physical or mental health may be made to a requestor in the presence of a qualified medical practitioner or psychologist 14 Yes Yes Yes Yes No Yes No

Information Holdings

All government institutions subject to the Access to Information Act and the Privacy Act publish an inventory of their information holdings as well as relevant details about personal information under their control. The information can assist individuals in making an access to information or personal information request, or in exercising their privacy rights.

A description of the Department's programs, activities, and information holdings, including its classes of records and personal information banks can be found in Info Source: Sources of Federal Government and Employee Information.

Some programs and activities, such as human resources and financial management, are common to most government institutions. These are known as internal services and they involve the following types of information:

Interpretation of Statistical Report (Annex A)

Part 1 – Requests under the Privacy Act

The number of formal requests received in 2017-2018 was 20, a 10% increase from 18 formal requests received the previous reporting year. One request was carried over from 2016-2017. By the end of 2017-2018, all 21 requests were completed.

Table 1 illustrates a five-year trend.

Table 1
Overview of Privacy Act Requests
Fiscal Year New Requests Received Requests Completed Number of Pages Processed Number of Pages Released On-Time Compliance Rate
%
2017-2018 20 21 40 40 100%
2016-2017 18 17 183 177 100%
2015-2016 36 37 2,746 2,595 100%
2014-2015 20 19 439 381 89.5%
2013-2014 5 5 6 6 100%

Part 2 – Requests Closed During the Reporting Period

Disposition / Completion Time of Requests

Many individuals who submit Privacy Act requests incorrectly assume that the Department holds the same type and amount of personal information as is held by the Canada Revenue Agency, banks, and trust companies. That is not the case and explains why many requests do not result in the retrieval of personal information. The following table indicates the disposition of the 21 completed requests this fiscal year:

Disposition / Completion Time of Requests
Disposition Number of Requests Percentage of Requests
All disclosed 3 14.2 %
Disclosed in part 0 0 %
All exempted 0 0 %
All excluded 0 0 %
No records exist 15 71.4 %
Request abandoned 3    14.2 %
Neither confirmed or denied     0 0 %
Total 21 100.0 %

Completion Time

Of the 21 requests completed, all were closed on time. Of the 21 requests closed during the reporting period; all 21 (100%) were completed within 30 days.

Exemptions / Exclusions

In 2017-2018, the Department did not invoke any exemptions pursuant to specific sections of the Act.

No exclusions were also applied.

Format of Information Released

Records were provided to applicants in three cases and all were in paper format. No applicants asked to review the records as opposed to receiving a copy.

Complexity

None of the requests were considered complex as they did not contain any personal information about individuals other than the requestors.

Deemed Refusals

All requests were responded to within the statutory deadlines

Translations

There were no requests for translation this reporting period. 

Part 3 – Disclosures under Subsection 8(2) and 8(5)

Paragraph 8(2)(e) of the Act allows for disclosures of personal information "to an investigative body…for the purpose of enforcing any law." The Department did not make any disclosures pursuant to paragraph 8(2)(e) of the Act in this reporting period.

Paragraph 8(2)(m) of the Act allows for disclosures of personal information in the public interest.  The Department did not make any disclosures pursuant to paragraph 8(2)(m) of the Act in this reporting period.

Part 4 – Requests for Correction of Personal Information and Notations

No requests for corrections or notations were received from applicants this reporting period.

Part 5 – Extensions

One extension of the statutory time limits under the Act was taken due to interference with operations.

Part 6 – Consultations Received from Other Institutions and Organizations

No consultations were received from other government institutions or organizations.

Part 7 – Completion Time of Consultations on Cabinet Confidences

No consultations with respect to Cabinet confidences were required.

Part 8 - Complaints/Investigations/Audits

No complaints were lodged against the Department during the reporting period and none were carried forward from 2016-2017.

An investigative review (audit) initiated by the Office of the Privacy Commissioner (OPC) in 2015-2016 reviewed the personal information handling practices related to the operationalization of the Security of Canada Information-Sharing Act (SCISA). As the Department does not use or disclose any personal information pursuant to SCISA no further information was required by the Department. The OPC has concluded its review and released their findings on September 21, 2017:  Review of the Operationalization of the Security of Canada Information Sharing Act.  

Part 9 - Privacy Impact Assessments

The Department did not initiate or complete any Privacy Impact Assessments this reporting period.

Part 10 – Resources Related to the Privacy Act

Administration of the Act cost the Department $25,779.00 in 2017-2018. Costs incurred in the reporting period include the salaries of ATIP Division staff and the administrative expenses associated with administration of the Act. Costs do not include salaries of other departmental personnel involved in processing requests.

Appeals to the Federal Court of Canada

No appeals were made to the Federal Court.

Monitoring Compliance

Due to the small number of requests processed by the Department under the Act, including corrections or notations, monitoring of requests is conducted within the ATIP Division as required in order to ensure that the Department meets its legislated obligations.

Material Privacy Breaches

There were two material privacy breaches which occurred this reporting period.

The first privacy breach involved the incorrect storage and handling of personnel information of employees in branch shared drive. The type of information stored included various human ressources files. Files could be accessed by all branch employees who all have Secret security clearance.

Further to the initial privacy breach of May 29, 2017, a departmental review of all shared drives was conducted by each branch in consultation with the ATIP Division to ensure proper storage and handling of personal information. Appropriate measures have since been put into place to ensure any sensitive human resource type information is stored properly and access is provided on a need to know basis.

The second privacy breach involved a former employee's security file which was inadvertently sent to an incorrect recipient at another department. The former employee was made aware of the privacy breach shortly after the file was mistakenly sent to someone else in her new department, who then provided the file directly to her. Since this privacy breach, measures have been put in place to prevent a recurrence of a similar incident.

Disclosures Pursuant to Paragraph 8(2)(m)

Paragraph 8(2)(m) of the Act allows for the disclosure of personal information when the public interest clearly outweighs any invasion of privacy or when the disclosure would benefit the individual. There were no disclosures pursuant to paragraph 8(2)(m) for the 2017–2018 period.

Annex A
Statistical Report on Privacy Act Requests

Part 1 – Requests Under the Privacy Act

Part 1 – Requests Under the Privacy Act
Requests under the Privacy Act Number of Requests
Received during reporting period 20
Outstanding from previous reporting period 1
Total 21
Closed during reporting period 21
Carried over to next reporting period 0

Part 2 – Requests Closed During the Reporting Period

2.1 Disposition and Completion Time
Disposition of requests Completion Time
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 1 2 0 0 0 0 0 3
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 15 0 0 0 0 0 0 15
Request abandonned 3 0 0 0 0 0 0 3
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 19 2 0 0 0 0 0 21
2.2 Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 0
27 0
28 0
2.3 Exclusions
Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
2.4 Format of Information Released
Disposition Paper Electronic Other formats
All disclosed 3 0 0
Disclosed in part 0 0 0
Total 3 0 0

2.5 Complexity

2.5.1 Relevant Pages Processed and Disclosed
Disposition of requests Number of pages processed Number of pages disclosed Number of requests
All disclosed 40 40 3
Disclosed in part 0 0 0
All exempted 0 0 0
All excluded 0 0 0
Request abandonned 0 0 3
Neither confirmed nor denied 0 0 0
Total 40 40 6
2.5.2 Relevant Pages Processed and Disclosed by Size of Requests
Disposition Less than 100 pages processed
101-500 pages
processed

501-1000 pages processed
1001-5000 pages processed
More than 5000 pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
All disclosed 3 40 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandonned 3 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 6 40 0 0 0 0 0 0 0 0
2.5.3 Other Complexities
Disposition Consultation required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandonned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

2.6 Deemed Refusals

2.6.1 Reasons for not meeting statutory deadline
Number of requests closed past
the statutory deadline
Principal Reason
Workload External consultation Internal consultation Other
0 0 0 0 0
2.6.2 Number of Days Past Deadline
Number of days past deadline Number of requests past deadline
where no extension was taken
Number of requests past deadline
where an extension was taken
Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0
2.7 Requests for Translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Part 3 – Disclosures Under Subsection 8(2) and 8(5)

Disclosures Under Subsection 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Part 4 – Requests for Correction of Personal Information and Notations

Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Part 5 – Extensions

5.1 Reasons for Extensions and Disposition of Requests
Disposition of requests where
an extension was taken
15(a)(i)
Interference with operations
15(a)(ii)
Consultation

15(b)
Translation or conversion
Section 70 Other
All disclosed 1 0 0 0
Disclosed in part 0 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
No records exist 0 0 0 0
Request abandonned 0 0 0 0
Total 1 0 0 0
5.2 Length of Extensions
Length of extensions 15(a)(i)
Interference with operations
15(a)(ii)
Consultation

15(b)
Translation purposes
Section 70 Other
1 to 15 days 1 0 0 0
16 to 30 days 0 0 0 0
Total 1 0 0 0

Part 6 – Consultations Received from Other Institutions and Organizations

6.1 Consultations Received from Other Government of Canada Institutions and Organizations
Consultations Other governement of Canada institutions Number of pages to review Other organizations Number of pages to review
Received during reporting period 0 0 0 0
Outsanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Pending at the end of the reporting period 0 0 0 0
6.2 Recommendations and Completion Time for Consultations Received from Other Governement of Canada Institutions
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
6.3 Recommendations and Completion Time for Consultations Received from Other Organizations
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7 – Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000
Pages Processed
1001-5000
Pages Processed
More than 5000
Pages Processed





Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
7.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000
Pages Processed
1001-5000
Pages Processed
More than 5000
Pages Processed





Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed Number of
Requests
Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8 – Complaints and Investigations Notices Received

Complaints and Investigations Notices Received
Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Part 9 – Privacy Impact Assessments (PIAs)

Number of PIA(s) completed:
0

Part 10 – Resources Related to the Privacy Act

10.1 Costs
Expenditures Amount
Salaries $25,779
Overtime $0
Goods and Services $758
  Professional services contracts $0
  Other $758
Total $26,537
10.2 Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 0.31
Part-time and casual employees 0.01
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 0.32