2018-2019 Annual Report to Parliament — Administration of the Privacy Act - DND

1. Introduction

The Department of National Defence and the Canadian Armed Forces are pleased to present to Parliament their annual report on the administration of the Privacy Act. Section 72 of the Act requires the head of every federal government institution to submit an annual report to Parliament on its administration each financial year. This report describes National Defence activities that support compliance with the Privacy Act for the fiscal year (FY) commencing 1 April 2018 and ending 31 March 2019.

1.1. Purpose of the Privacy Act

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

These rights of protection and access are in accordance with the principles that individuals should have a right to know why their information is collected by the government, how it will be used, how long it will be kept and who will have access to it.

2. Access to Information and Privacy at National Defense

2.1. Mandate of National Defence

Who we are

The Department of National Defence (DND) and the Canadian Armed Forces (CAF) make up the largest federal government department. Under Canada’s defence policy, the Defence Team will grow to over 125,000 personnel, including 71,500 Regular Force members, 30,000 Reserve Force members and 25,000 civilian employees.

What we do

DND and the CAF have complementary roles to play in providing advice and support to the Minister of National Defence, and implementing Government decisions regarding the defence of Canadian interests at home and abroad.

At any given time, the Government of Canada can call upon the CAF to undertake missions for the protection of Canada and Canadians and to maintain international peace and stability.

Canada’s defence policy presents a new strategic vision for defence: Strong, Secure, Engaged. This is a vision in which Canada is:

The National Defence Act (NDA) establishes DND and the CAF as separate entities, operating within an integrated National Defence Headquarters as they pursue their primary responsibility of providing defence for Canada and Canadians.

2.1. National Defence organization

Senior leadership

The Governor General of Canada is the Commander-in-Chief of Canada. DND is headed by the Minister of National Defence. The Associate Minister of National Defence supports the Minister of National Defence. The Deputy Minister of National Defence is the Department’s senior civil servant. The CAF are headed by the Chief of the Defence Staff, Canada’s senior serving officer. These senior leaders each have different responsibilities:

• The Governor General is responsible for appointing the Chief of the Defence Staff on the recommendation of the Prime Minister, awarding military honours, presenting colours to CAF regiments, approving new military badges and insignia, and signing commission scrolls;
• The Minister of National Defence presides over the Department and over all matters relating to national defence;
• The Associate Minister is also responsible for defence files, as mandated by the Prime Minister, with the specific priority of ensuring that CAF members have the equipment they need to do their jobs;
• The Deputy Minister is responsible for policy, resources, interdepartmental coordination and international defence relations; and
• The Chief of the Defence Staff is responsible for command, control and administration of the CAF, as well as military strategy, plans and requirements.

Defence organization

The National Defence organizational structure is represented in the diagram below. Additional information about the National Defence organization is available online.

2.3. The Directorate of Access to Information and Privacy

Delegation of authority

In accordance with section 73 of the Access to Information Act and the Privacy Act, a delegation of authority, signed by the Minister, designates the Deputy Minister, Corporate Secretary, Access to Information and Privacy (ATIP) Director, and ATIP Deputy Directors to exercise all powers and functions of the Minister, as the head of institution, under both Acts. It also designates other specific powers and functions to employees within the Directorate Access to Information and Privacy (DAIP).

Under the authority of the Corporate Secretary, the ATIP Director administers and coordinates both the Access to Information Act and the Privacy Act, and acts as the departmental ATIP Coordinator. In the administration of the Acts, DAIP seeks advice on legal, public affairs, policy, and operational security matters from other organizations and specialists as required.

A copy of the Access to Information Act and Privacy Act Designation Order is provided at Annex A.

DAIP organization

DAIP is responsible for matters regarding access to information and privacy protection within the National Defence portfolio, except in the case of the following organizations: the Communication Security Establishment, the Office of the Communications Security Establishment Commissioner, the Military Police Complaints Commission, the Military Grievances External Review Committee, the Office of the National Defence and Canadian Forces Ombudsman, and Canadian Forces Morale and Welfare Services.

DAIP implemented organizational changes in 2018-2019 with the aim to integrate and streamline key intake processes. General operations support activities and access to information tasking functions were consolidated into a single Intake Team, and a Chief of Staff was established to manage this unit in addition to the existing Systems Liaison Team and Business Management Office.

DAIP’s ATIP program management workforce is divided functionally into four main areas, and supported by Defence organization liaison officers, as illustrated in the diagram at FIGURE 2. The number of employees indicated are number of full time equivalents staffed at the end of the reporting period.

DAIP is also supported by a Systems Liaison Team that maintain the ATIP application system and database, and a Business Management Office that is responsible for business planning, budgeting, human resources, physical security, and other administrative duties.

Additionally, in response to a key priority for National Defence, DAIP established a new Litigation Support Team. Stood up in the fall of 2018, this unit performs an ATIP-like review of records in support of class action settlements such as the LBGT Purge Class Action.

3. Highlights of the Statistical report

The statistical report at Annex B consists of data submitted by National Defence as part of Treasury Board Secretariat (TBS) annual collection of ATIP-related statistics. The following sections contain highlights, trends and an analysis of notable statistical data from a departmental perspective.

3.1. Requests received

During the reporting period, National Defence received 6,637 requests for personal information under the Privacy Act versus 7,393 in FY 2017-2018, representing a 10 percent decrease. Despite a second year of decreasing requests received, the large number of files carried over into the reporting period (4,183 requests) continued the trend of an increasing overall workload. This combined workload of 10,820 requests is the highest National Defence has experienced in over ten years.

Additionally, for the past ten years, National Defence has ranked in the top five federal institutions for highest volume of personal information requests received according to annual statistics compiled by TBS.

A large portion of Privacy Act requests received by National Defence are applications from CAF members for their health and personnel records upon releasing from the Forces. Canada’s Defence Policy has directed improvements to the transition experience for CAF members to better prepare them for the shift to civilian life. As part of this new approach, relevant medical and dental records are provided to members as part of the release process to allow for a positive transition from the military health system to a civilian physician.

The reduction in number of requests received is likely due in large part to this proactive disclosure of health records to the releasing CAF member.

3.2. Requests completed

National Defence closed a total of 9,006 privacy requests during the reporting period, over 3,000 more requests over FY 2017-2018, representing a 53 percent increase in productivity.

Pages reviewed

The volume of pages reviewed in FY 2018-2019 more than doubled from the previous reporting period with over 3.0 million pages processed. This volume represents a 129 percent increase over the 1.3 million pages processed in FY 2017-2018.

The number of pages reviewed represents the total processed pages for closed requests and does not include the number of pages processed for requests that were carried over into the next reporting period.

National Defence consistently processes the highest volume of pages in response to personal information requests when compared to other federal government institutions.

Exemptions and exclusions

Consistent with previous reporting periods, section 26 of the Privacy Act was the most frequently invoked exemption and was applied in 3,653 requests. This section of the Act protects personal information of individuals other than the requester.

No information was excluded under the Privacy Act for requests completed in FY 2018-2019.

Completion time

Figure 6 illustrates completion time for privacy requests. Despite the increase in total workload, Defence closed 4,134 requests within 30 days. This represents 46 percent of the total volume of requests closed and a 60 percent increase of files closed within 30 days compared to the last reporting period.

There was also a 75 percent increase in the number of requests closed that took 121 days or more to complete; however, this was a result of focused efforts to successfully reduce the number of backlogged files.

Files closed beyond 30 days were not necessarily late as legal extensions may have been applied.

On-time compliance

A total of 4,567 requests were closed past the statutory deadline in FY 2018-2019. This represents a 49 percent increase from the previous year, due in large part to focused efforts during the reporting period to clear out backlogged files.

National Defence responded to 49 percent of requests within legislated timelines.

Workload continued to be the most common reason for deemed refusal, cited for over 75 percent of requests closed late during the reporting period. Some factors affecting performance and deemed refusal rates include:

• Productivity and efficiency loss due to staff turnover: There continues to be staff turnover at all levels due to a competitive job market and other factors. New employees require a learning and adjustment period to realize performance potential. The hiring and training of new employees also created additional workload for ATI management and support services.

3.3. Consultations received and completed

During the reporting period, Defence received nine requests for consultation, all from other Government of Canada institutions. No consultations were received from other organizations in FY 2018-2019.

All nine consultations received were closed during the reporting period.

4. Privacy protection and personal information management

4.1. Public interest disclosures

Paragraph 8(2)(m) of the Privacy Act permits the disclosure of personal information, without the consent of the individual to whom it relates, where the public interest in disclosure clearly outweighs any invasion of privacy that could result, or where the disclosure would clearly benefit the individual to whom the information relates.

During the reporting period, 48 disclosures of personal information were made in accordance with paragraph 8(2)(m). These public interest disclosures included information regarding Boards of Inquiry or Summary Investigations into the death or serious injury of a CAF member; others related to disclosures providing information in CAF medical records, personnel records or military police reports. In all cases, the information was disclosed to the CAF member’s family or representative.

For the 48 disclosures made in the public interest during FY 2018-2019, the Office of the Privacy Commissioner (OPC) was notified in advance of each release.

4.2. Privacy breaches

Privacy rights are a matter of ongoing public concern. In respect of sections 4 to 8 of the Privacy Act, which govern personal information management, DAIP received 104 complaints regarding contravention of one or more of these provisions, a 20 percent increase from the previous reporting period.

DAIP’s privacy incident response team worked to resolve 84 complaints alleging a breach of privacy, 33 of which were deemed to be well-founded.

Material privacy breaches

TBS defines a material privacy breach as one that involves sensitive personal information and could reasonably be expected to cause injury or harm to the individual, and/or involves a large number of affected individuals.

National Defence did not report any material privacy breaches this reporting period.

4.3. Privacy impact assessments

National Defence collects, uses and discloses personal information in the delivery of mandated programs and services. In accordance with TB policy, the DND and the CAF undertake privacy impact assessments (PIA) to evaluate privacy impacts in the administration of these activities. A PIA provides a framework to identify the extent to which proposals comply with the Privacy Act and applicable privacy policies, assist program officials in avoiding or mitigating privacy risks, and promote informed program and system design choices.

National Defence completed^{Footnote 1}  one PIA during FY 2018-2019 in support of the program described below. The Department is preparing to post the summary on its website.

In addition, DAIP continues to provide ongoing advice and support to National Defence organizations in the development of PIAs.

Sexual Assault Review Program

In support of Operation HONOUR, which aims to eliminate sexual misconduct in the CAF, National Defence launched the Sexual Assault Review Program (SARP) to review unfounded sexual assault files investigated by the Military Police. An External Review Team (ERT), comprised of stakeholders and representatives from both the civilian and CAF communities, is responsible for conducting an annual review of unfounded investigations from the previous year. The ERT reports their findings to the Canadian Forces Provost Marshal and makes recommendations as to the conduct of the investigations, identifying policy, training or best practice proposals for consideration.

5. Complaints, Audits and Reviews

5.1. Complaints from the Office of the Privacy Commissioner

In FY 2018-19, National Defence received a total of 77 complaints from the Office of the Privacy Commissioner (OPC), less than one percent of all requests closed during the reporting period.

Further to Part 8 of the Statistical Report, which notes complaints received and closed:

• Section 31:  When the OPC gives formal notice of their intention to investigate a complaint regarding the processing of a request under the Act. Defence received 77 such notices during FY 2018-19.
• Section 33:  When the OPC requests further representations from institutions pursuant to an ongoing complaint investigation. Defence was not required to provide any such formal written representations to the OPC during the reporting period.
• Section 35:  When the OPC issues a findings report for a well-founded complaint upon conclusion of an investigation. During the reporting period, 61 complaints were found to have merit. Note that these complaints are not necessarily from the 77 complaints received during the reporting period.

The 61 well-founded determinations represent 66 percent of all findings issued in FY 2018-2019. The majority of these complaints – 56 – were administrative in nature (about delays and time extensions) and five were refusal complaints (regarding application of exemptions or possible missing records). Figure 7 illustrates the reasons for complaints that had findings issued during the reporting period.

There were no significant investigations to note regarding the processing of Privacy Act requests during the reporting period.

5.2. Court decisions

In FY 2018-19, there were no court proceedings actioned in respect of requests processed by National Defence.

5.3. ATIP program review

Further to the ATIP program review initiated in the fall 2017, National Defence continues to implement recommendations to improve the design, operational effectiveness and efficiency of key ATIP processes within the Department. Progress updates were provided to the Defence Audit Committee throughout the reporting period. Notable achievements have been made in the areas of Training and Awareness, and ATIP Governance and are outlined in the sections below.

Efforts and improvements will continue into the next reporting period. Additional information about the Assessment of the Access to Information and Privacy Program is available on the National Defence website.

6. Policies and procedures

6.1. Departmental policies

DND/CAF corporate administrative direction is set out in the comprehensive collection of Defence Administrative Orders and Directives (DAOD) that are issued under the authority of the Deputy Minister and the Chief of the Defence Staff.

During the reporting period, DND/CAF drafted and revised several DAODs that describe authorities, responsibilities, and requirements in respect of appropriate personal information management within the institution. These DAODs are scheduled for publishing early next fiscal year.

6.2. Internal procedures

DAIP continues to review and update procedures for processing personal information requests and managing privacy incidents, to document process improvements, and to ensure alignment with TB policies and directives.

Litigation holds and preservation orders

In addition to ongoing improvements to ATIP-specific procedures, DAIP developed internal instructions to assist information management activities for requests that are subject to preservation orders.

Litigation holds, or preservation orders, are issued by departmental legal services to Defence organizations when litigation involving National Defence information is imminent or ongoing. These orders detail the legal obligations to preserve relevant records for possible disclosure as may be required for the litigation action.

DAIP procedures in respect of litigation holds ensures that steps are taken to prevent otherwise routine disposition of records when the normal retention periods have ended.

7. Training and awareness

7.1. ATIP training program

Departmental ATIP training increased during this reporting period and included the creation of a dedicated ATIP training and awareness team. A three-pronged approach was implemented, where Directorate training resources supported the development and delivery of:

• Introductory courses (either General ATIP or Privacy Fundamentals)
• Advanced courses (either General ATIP or organization-specific content)
• ATIP awareness and engagement activities with the various branches and divisions

Introductory level courses continued to be offered along with various newly-developed advanced courses. Regional training at Canadian Forces Base Kingston was also delivered during this reporting period.

7.2. Training and awareness activities

A total of 90 face-to-face training sessions were delivered to approximately 1,500 Defence employees and CAF members on the administration of both the ATI Act and Privacy Act, as well as on appropriate management of personal information under the control of the institution. These training sessions were provided through participation in ATIP 101 (introductory) sessions, ATIP 201 (advanced) sessions, GCDOCS privacy-focused training, and targeted training sessions for specific Defence organizations. Most training sessions were delivered by ATIP Directorate staff in person, however some organizations conducted their own courses and one-on-one sessions. Defence employees and CAF members were also encouraged to take the Access to Information and Privacy Fundamentals course offered through the Canada School of Public Service.

In keeping with promoting awareness, ATIP Directorate employees also provided guidance to third parties and requesters on the requirements of the Access to Information Act and the Privacy Act, TB policies and directives, and associated institutional procedures as required.

Liaison officer engagement

Two ATIP Town Halls were conducted in FY 2018-2019, which brought ATIP Directorate staff, organizational ATIP Liaison Officers and other departmental officials together to provide awareness, recognize achievements, and discuss experiences and solutions on various issues. As a result of positive feedback, the ATIP Town Hall will continue on an annual basis.

Integrated privacy training

DAIP continued to collaborate on program-specific training offered by other Defence organizations to integrate supporting content on privacy protection concepts and personal information management practices. During FY 2018-2019, DAIP participated in the following courses:

• Integrated Conflict and Complaint Management course (three sessions)
• Harassment Advisor course (one session)
• GCDOCS on-boarding for information management specialists (19 sessions)

Canadian Forces Health Services training

The Canadian Forces Health Services (CFHS) operates a privacy office that is responsible for providing advice and support to the CFHS Group on policies and activities that involve personal health information. In accordance with their mandate, the CHFS privacy office maintains training modules to educate staff on the principles of “Privacy, Confidentiality and Security” to support appropriate use of the Canadian Forces Health Information System.

During this reporting period, members of CFHS Group completed these modules and over 200 of their staff attended training offered specifically to the CFHS organization.

8. Initiatives and projects

8.1. DAIP engagement with Defence organizations

An initiative to engage with Defence organizations to enhance performance and strengthen relationships with partners in DND was implemented during the reporting period. Current structures, staffing, processes and systems in support of ATIP activities were reviewed and discussed, in addition to opportunities for DAIP to assist through job aids, research, training or other forms of support. Reports for each organization were prepared following each assessment, which provided DAIP with a framework of details to identify efficiencies and areas of support that will inform planning for next fiscal year.

9. Monitoring compliance

The ATIP Directorate regularly monitors and reports on a number of ATIP metrics.  In FY 2018-2019, a new Performance Dashboard was developed to provide general awareness to Defence leadership on ATIP performance and metrics. In addition, the Department receives on-demand statistical reports. Performance is also compared to previous fiscal years to identify trends. This monitoring allows the ATIP Operations teams to manage workload and to determine where process improvement may be required. ATIP statistics are also provided to the Corporate Secretary upon request and are often accompanied by other key elements such as human resources data.

Currently, the time to process requests for correction of personal information is not formally monitored as this number is regularly very low. In FY 2018-2019, DAIP received only two requests for correction.

10. Privacy operating costs

The annual cost to administer the National Defence privacy program increased by 27 percent to approximately $3.27 million in FY 2018-2019.

The cost of operations includes salaries, overtime, goods and services, contracts and all other expenses specific to the access to information and privacy office. Costs associated with time spent by program areas searching for and reviewing records are not included here.

The overall increase in operating costs is due in large part to growth in spending for operational personnel in FY 2018-2019:

• An additional $299,500 (approximately) was spent on professional services contracts
• An additional $476,000 (approximately) in salary costs

Additional resourcing in both these areas enabled National Defence to close over 3,000 more requests in FY 2018-2019 despite a largest total request workload experience in at least a decade.

Annex A: Designation Order

National Defence and the Canadian Armed Forces

Access to Information Act and Privacy Act Designation Order

1. Pursuant to section 73 of the Access to Information Act and the Privacy Act, the Minister of National Defence, as the head of a government institution under these Acts, hereby designates the persons holding the following positions, or the persons occupying those positions on an acting basis, to exercise or perform all of the powers, duties and functions of the head of a government institution under these Acts:
   1. the Deputy Minister;
   2. the Corporate Secretary;
   3. the Director Access to Information and Privacy; and
   4. Deputy Directors Access to Information and Privacy.
2. Pursuant to section 73 of the above-mentioned Acts, the Minister also designates the following:
   1. those persons holding the position of Access Team Leader, or the persons occupying this position on an acting basis, to exercise or perform the powers, duties and functions in respect of:
      • The application of the following provisions under the Access to Information Act: section 9; subsection 11(2), 11(3), 11(4), 11(5), 11(6); sections 19, 20, 23 and 24; subsections 27(1) and 27(4); paragraph 28 (1)(b), subsections 28(2) and 28(4); and
      • The response to requests made under the Access to Information Act if no records exist.
   2. those persons holding the position of Privacy Team Leader, or the persons occupying this position on an acting basis, to exercise or perform any of the powers, duties and functions of the head of an institution under the Privacy Act, other than under sub-paragraphs 8(2)(j) and 8(2)(m); and
   3. those persons holding the position of Privacy Senior Analyst, or the persons occupying this position on an acting basis, to exercise or perform the powers and duties in respect of the application of section 26 of the Privacy Act.

Original signed by

The Honourable Harjit S. Sajjan, PC, OMM, MSM, CD, MP
Minister of National Defence
Date: 2016-01-12

Annex B: Statistical Report on the Privacy Act for 2018-2019

Government of Canada

Statistical Report on the Privacy Act

Name of institution: National Defence

Reporting period: 2018-04-01 to 2019-03-31

Part 1: Request Under the Privacy Act

1.1 Requests under the Privacy Act

Part 2: Requests Closed During the Reporting Period

2.1 Disposition and Completion time

2.4 Format of information released

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

2.5.2 Relevant pages processed and disclosed by size of requests

2.5.3 Other complexities

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline

2.6.2 Number of days past deadline

2.7 Requests for translation

Part 3: Disclosures under Subsections 8(2) and 8(5)

Part 4: Requests for Correction of Personal Information and Notations

Part 5: Extensions

5.1 Reasons for extensions and disposition of requests

5.2 Length of extensions

Part 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

6.3 Recommendations and completion time for consultations received from other organizations

Part 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

7.2 Requests with Privy Council Office

Part 8: Complaints and Investigations Notices Received

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s) completed: 1

Part 10: Resources Related to the Privacy Act

10.1 Costs

10.2 Human Resources

New Exemptions Table: Privacy Act