Privacy Act — Annual Report — April 1, 2017, to March 31, 2018

Table of contents

Introduction

The Privacy Act (the Act) was proclaimed on July 1, 1983.

The Act gives individuals the right to access information about them that is held by the government. This is, however, subject to specific and limited exceptions.

The Act also protects individuals’ privacy by preventing others from accessing their personal information and by giving them rights to request access and corrections to their personal information.

Section 72 of the Act requires that the head of every federal government institution prepare an annual report, for submission to Parliament, on the administration of the Act within the institution. Every report shall be laid before each House of Parliament within 3 months after the financial year in respect of which it is made or, if that House is not then sitting, on any of the first 15 days next thereafter that it is sitting.

This annual report provides a summary of the management and administration of the Act within the Public Service Commission of Canada for the fiscal year 2017-2018.

Part I – General information on the Public Service Commission of Canada

1. Raison d’être, mandate and role: who we are and what we do^{Footnote 1} 

Raison d’être

The mandate of the Public Service Commission is to promote and safeguard merit-based appointments and, in collaboration with other stakeholders, to protect the non-partisan nature of the public service. The Minister of Public Services and Procurement Canada as designated minister, tables our Annual Report and special reports in Parliament.

Under the delegated staffing system set out in the Public Service Employment Act (PSEA), we fulfill our mandate by providing policy guidance and expertise as well as by conducting effective oversight. In addition, we deliver innovative staffing and assessment services.

Mandate and role

We are responsible for promoting and safeguarding merit-based appointments that are free from political influence and, in collaboration with other stakeholders, for protecting the non-partisan nature of the public service.

We are mandated to:

• Make appointments to and within the public service, based on merit and free from political influence. The PSEA provides the authority to the Commission to delegate to deputy heads its authority to make appointments to positions in the public service. This authority is currently delegated to deputy heads subject to the PSEA, across the federal government.
• Administer the provisions of the PSEA related to the political activities of employees and deputy heads. Part 7 of the PSEA recognizes the right of employees to engage in political activities, while maintaining the principle of political impartiality in the public service.
• Oversee the integrity of the staffing system and, in collaboration with other stakeholders, ensure non-partisanship of the public service. This oversight role includes:
  • the regulatory authority and policy-setting function
  • the ongoing support and guidance and the monitoring of the staffing performance of delegated organizations
  • the conduct of audits that provide an independent assessment of the performance and management of staffing activities
  • the conduct of investigations of staffing processes and improper political activities by public servants

2. Strategic outcome and Program Alignment Architecture

Our Program Alignment Architecture consists of one strategic outcome and 4 programs.

Public Service Commission strategic outcome

To provide Canadians with a highly competent, non-partisan and representative public service, able to provide service in both official languages, in which appointments are based on merit and the values of fairness, access, representativeness and transparency.

Program – Staffing System Integrity and Political Impartiality

The Staffing System Integrity and Political Impartiality program is focused on independently safeguarding merit and non-partisanship in the federal public service. This program includes developing and advancing strategic policy positions and directions; conducting policy research; establishing our policies and standards; providing advice, interpretation and guidance; and administering delegated and non-delegated authorities, including official languages, the political activities regime and priority administration.

Program – Staffing Services and Assessment

The Staffing Services and Assessment program maintains the systems that link Canadians and public servants seeking employment opportunities in the federal public service with hiring departments and agencies. It provides assessment-related products and services in the form of research and development, consultation, assessment operations and counselling for use in recruitment, selection and development throughout the federal public service. This program also includes delivering staffing services, programs and products to departments and agencies, to Canadians and public servants, through client service units located across Canada.

Program – Oversight of Integrity in Staffing and of Non-partisanship

The Oversight of Integrity in Staffing and of Non-Partisanship program provides an accountability regime for the implementation of the appointment policy and regulatory framework for safeguarding the integrity of public service staffing and ensuring staffing is free from political influence. This program includes monitoring departments’ and agencies’ staffing performance and compliance with legislative requirements; conducting audits and studies; carrying out investigations; and reporting to Parliament on the integrity of public service staffing and the non-partisanship of the public service.

Program – Internal Services

Internal Services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization. Internal Services refers to the activities and resources of the 10 distinct service categories that support program delivery in the organization, regardless of the internal services delivery model in a department. The 10 service categories are:

• Management and Oversight Services
• Communications Services
• Legal Services
• Human Resources Management Services
• Financial Management Services
• Information Management Services
• Information Technology Services
• Real Property Services
• Materiel Services
• Acquisition Services

Part II – Report on the Privacy Act

1. Organization of delegation and activities

1.1 Delegation order

The President of the Public Service Commission is designated as the head of the government institution for the administration of the Privacy Act (the Act).

Pursuant to section 73 of the Act, deputy heads may delegate any of their powers, duties or functions under the Act by signing an order authorizing one or more officers or employees of the institution, who are at the appropriate level, to exercise or perform the powers, duties or functions of the head specified in the order.

A large portion of the powers, duties and functions of the President, under the Act, are delegated to the Chief of Staff, who is the designated Access to Information and Privacy (ATIP) Coordinator for the Public Service Commission. Operational responsibility for the application of the Act resides with the ATIP Manager, who has partial delegation. See Annex A – Delegation Instrument.

1.2 The Access to Information and Privacy Coordinator

The ATIP Coordinator is responsible for developing, coordinating and implementing effective policies, guidelines, systems and procedures to ensure requests are processed efficiently under the Access to Information Act and the Privacy Act (the acts).

The Coordinator is also responsible for developing, coordinating and implementing policies, systems and procedures that are required by both acts as well as Treasury Board of Canada policies and directives. The activities of the Coordinator include:

• processing requests made under both Acts
• acting as spokesperson for the Public Service Commission in dealings with the Treasury Board Secretariat, the Office of the Information Commissioner, the Office of the Privacy Commissioner and other government departments and agencies on matters related to the acts
• responding to consultation requests submitted by other federal institutions with respect to Public Service Commission documents
• reviewing information collected in accordance with the Communications Policy of the Government of Canada and the Procedures for the Management of Public Opinion Research
• preparing the Annual Report to Parliament and other statutory reports, as well as other material that may be required by central agencies
• promoting awareness and providing advice to our employees to ensure the obligations of both acts and Treasury Board Secretariat policies are met, and assessing their impact on various program initiatives
• monitoring our compliance with both acts, regulations and other relevant policies and procedures

1.3 The Access to Information and Privacy Office

The Access to Information and Privacy Office (the ATIPO) supports the ATIP Coordinator in administering the provisions of the acts and related Treasury Board Secretariat policies for the Public Service Commission. The ATIPO currently comprises a manager, 2 analysts and one administrative assistant. The ATIPO falls under the Corporate Secretariat.

The analysts are responsible for processing requests and consultations under both the Access to Information Act and the Privacy Act, preparing responses to complaints, reviewing our Info Source chapter and supporting all other ATIP responsibilities. The analysts provide privacy advice and support in the evaluation of program activities and aid in the creation of privacy compliance documents, such as privacy notice statements and privacy impact assessments. Additionally, the analysts help departmental officials manage privacy breaches and disclosures of personal information.

The ATIPO delivers general and customized training sessions for our employees.

The ATIPO also reviews its policies and procedures to improve the support it provides to its sector liaison officers and to promote a better understanding of their roles, responsibilities and obligations related to the processing of requests under both acts.

1.4 Access to Information and Privacy Liaison Officers

The ATIPO processes requests with the assistance of ATIP liaison officers, who are employees knowledgeable of their sector’s activities. There is one liaison officer for each sector as well as for the Corporate Secretariat. In addition to acting as the point of contact between their sector and the Office, the ATIP liaison officers are responsible for:

• tasking the appropriate program experts within their sector to search for relevant records
• advising if there are other offices of primary interest
• keeping the ATIPO apprised of any issues in relation to specific requests (delays, interference with operations, consultations required)
• duly delivering to the ATIPO the relevant records, complete with sector recommendations
  • liaison officers play an important role in ensuring that the Commission conducts a thorough and complete search of its record holdings when processing requests

The ATIPO regularly holds meetings with liaison officers to discuss best practices and explore improvements to internal processes. The ATIP Liaison Working Group met 3 times during the reporting period to discuss best practices, address gaps and to provide training opportunities. The ATIPO will also contact liaison officers to obtain background information for the purpose of clarifying requests with requesters.

2. Statistical report: interpretation

Over the last reporting period, we received a total of 151 requests submitted under both acts and responded to 158 requests. This number represents a 95% decrease in requests received compared to the previous year. When compared to our historical average, which excludes a temporary surge in 2015-2017, these 151 requests represent a 49% increase.

2.1 Requests under the Privacy Act

From April 1, 2017, to March 31, 2018, we received 51 new requests under the Act, in addition to 4 requests that were carried over from the previous period. This represents a 98.3% decrease in requests received compared with the previous year.

We responded to 54 requests during the reporting period, requiring the review of 8 139 pages of records. One request was ongoing at the end of the reporting period and was carried forward to the next one.

2.2 Nature of requests

In keeping with the trend established in the previous reporting period, the majority of the 54 closed requests were for personal information held by specific Public Service Commission employees:

• 17 requests (31.5%) concerned staffing activities; for the most part, requesters were seeking information related to staffing documents, priority entitlements and assessments
• 10 requests (18.5%) were for personal information held by specific employees of the Public Service Commission
• 2 requests (3.7%) pertained to investigations and audits conducted under the PSEA
• the remaining 25 requests (46.3%) were on a variety of subjects

2.3 Inter-organizational consultations

We received 4 requests for consultation from other government departments and agencies during this reporting period; none were carried over from the previous reporting period. The processing of these requests required a review of 174 pages of documents. No consultations were outstanding at the end of the period; none were carried over into the 2018-2019 reporting period.

In response to the 4 consultations completed during the reporting period, the Public Service Commission had no objection to the disclosure of records for 2 of the requests and recommended exemptions for the 2 other requests.

We consulted other government departments and agencies 4 times in relation to the processing of 3 requests completed during this reporting period.

2.4 Informal requests

In an attempt to improve and facilitate access, we promote informal methods of access whenever possible. Requesters may obtain access to their personal information on an informal basis by contacting the manager of the program area that controls the records. In these instances, the ATIPO provides assistance and advice, as required.

2.5 Disposition of requests completed

For the 54 requests closed during this reporting period, information was released either in whole or in part in 30 cases, representing 55.6% of the requests. The remaining requests were either abandoned (38.9%) or no records existed (5.6%). Out of the 21 requests that were abandoned the reporting period, 17 were redirected to another government institution.

When compared to the previous reporting period, there is a significant decrease in the proportion of requests where no records existed. This is due to the return to a normal workload following a temporary surge in requests from previous reporting periods.

2.6 Exemptions invoked

Sections 18 through 28 of the Act set out the exemptions intended to protect information pertaining to a particular public or private interest. During the reporting period, the most frequently invoked exemptions were section 26 [personal information of another individual], paragraph 22(1)(b) [law enforcement and investigations], and section 27 [solicitor-client privilege].

2.7 Exclusions invoked

Sections 69 and 70 of the Act outline certain types of information to which the Act does not apply. These exclusions relate to published material, library and museum material, material placed in Library and Archives Canada by or on behalf of third parties, some materials relating to the Canada Broadcasting Corporation and Cabinet confidences.

We did not invoke any exclusions during the reporting period.

2.8 Extensions of time limits

Extensions of the 30-day statutory response time are permissible under section 15 of the Act. A request may be extended in accordance with multiple provisions of this section. During the reporting period, a total of 5 extension provisions were invoked in the processing of requests (7.4%) completed during the reporting period.

2.9 Completion time

Of the 54 closed requests, we responded to 47 within 30 days or less, representing 87% of all the requests completed. Four requests (7.4%) were completed within 31 to 60 days, 2 (3.7%) within 61 to 120 days, and 1 (1.8%) required more than 120 days to process.

Of these, 52 (96.2%) were closed within the allowable time limit.

2.10 Translation

We did not receive any requests for translation of personal information pursuant to paragraph 17(2)(b) of the Act.

2.11 Format of information released

Regarding the 30 requests for which information was released in whole or in part, information for 9 requests (30%) was provided on paper; information regarding the rest, 21 requests (70%), was provided electronically.

2.12 Corrections and notations

We did not receive any requests for the correction of personal information under subsection 12(2) of the Act.

2.13 Costs

During the reporting period, the ATIPO spent $146,798 on salaries and $20,281 on goods and services, including $28,561 for professional service contracts, for the administration of the Privacy Act.

The salary and professional service costs represented 1.82 full-time equivalent employees.

3. Summary of Access to Information and Privacy Office activities

3.1 Development of policies, directives, guidelines and other key documents

In this reporting period, the ATIPO engaged a consultant to produce a Privacy Impact Assessment (PIA) Architecture. Using the Departmental Program Inventory, this document examines privacy risks in Public Service Commission programs and illustrates which PIAs should be completed. Using this architecture, the ATIPO will create an action plan and a timeline during which we plan to address these assessments.

Additionally, the ATIPO completed a review of ATIP request procedures using the LEAN methodology. Several possible areas of improvement were identified, and a draft work plan will be established for consultation for fiscal year 2018-2019.

3.2 Advice and training

Advice

In addition to processing Access to Information Act and Privacy Act requests, the ATIPO provides advice to Public Service Commission managers and employees, as well as to other organizations and members of the public regarding a variety of issues and questions related to both acts.

Requests for guidance and advice were of the following nature:

• reviewing memoranda of understanding and information-sharing agreements to ensure compliance with the requirements of the acts and associated policies
• reviewing audit reports, responses to parliamentary questions and other documents prior to publication to ensure that information is released in accordance with the acts
• reviewing administrative investigation reports (such as reports on violence in the workplace or harassment reports) prior to disclosure to the concerned parties to ensure that information is released in accordance with the principles of exemptions defined in the acts
• making recommendations regarding the disclosure of personal information
• answering general written and telephone enquiries from the public

Participation in the governance process

The ATIP Coordinator is a member of the Integration Committee and the Resource Management Committee and the Open Government Advisory Group. The ATIP Manager is a member of the Integration Committee, Security Committee, Open Data Core Project Team and Open Government Advisory Council. Additionally, the ATIPO sits as a non-voting member of the Project Review Committee and the IT Business Operations Team. The ATIPO also acts in an advisory capacity on the New Direction in Staffing Interface working group.

Active participation in these committees and various other working groups allows the ATIPO to:

• be aware of upcoming issues, initiatives and projects that may have ATIP implications
• integrate ATIP considerations in the planning and implementation of initiatives and projects

Open government

Our Open Government Implementation Plan outlines a set of activities and deliverables to meet our requirements under the Treasury Board Secretariat’s Directive on Open Government. The plan’s goal is for the Public Service Commission to develop the internal mechanisms necessary to maximize the release of government information and data of business value. As a member of the Open Government Advisory Council and the Open Data Core Project Team, the ATIPO provides ongoing strategic advice regarding privacy, confidentiality, and security concerns.

Internal reporting

We have a stable and effective ATIP program. As a result, the ATIPO only reports on significant issues in an ad hoc manner, when required. The ATIPO meets with individual senior executives to address specific issues.

The ATIPO also provides annual updates to the Executive Management Committee on the administration of the ATIP program and the status of privacy impact assessments.

Training

The ATIPO continues to deliver core training for supervisors and managers. The primary goal of the program is to ensure that managers are fully aware of their responsibilities under both acts and related internal policies. The ATIPO delivered 3 training sessions attended by 11 participants.

The ATIP Liaison Working Group met 3 times during the reporting period to discuss best practices, how to address gaps and training opportunities.

3.3 Tracking system and imaging software

The ATIPO continues to use AccessPro Case Management and AccessPro Redaction. With the eventual department-wide migration to Windows 10, the latest release of AccessPro Suite is being tested prior to deployment within the ATIPO.

3.4 Collection, use and disclosure of personal information

3.4.1 Personal information banks

During this reporting period, we reviewed 77 personal information banks to ensure that they were aligned with our program activity architecture.

3.4.2 Exempt banks

We do not have any exempt banks. There were no denials of access under subsection 18(2) of the Act.

3.4.3. Disclosure under subsection 8(2) of the Act

Personal information under the control of a government institution should not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with subsection 8(2) of the Act.

Paragraph 8(2)(e) of the Act allows for the disclosure of personal information, without the consent of the individual, upon request from an investigative body for the purpose of enforcing a law or carrying out a lawful investigation. This provision was not invoked during the reporting period.

Paragraph 8(2)(m) of the Act concerns cases where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or where disclosure would clearly benefit the individual to whom the information relates. We invoked this provision twice during the reporting period.

One disclosure was in the best interest of the public, and the personal information was disclosed to the RCMP. The second disclosure was made to the deputy head of the department where the individual works. In both cases, the Privacy Commissioner was notified after the disclosure.

3.4.4 Review of documents

The ATIPO regularly reviews certain documents prior to disclosure or project implementation in order to identify personal information that may have been included. These reviews ensure that proper procedures for release of these documents are followed and respect the provisions of the Act.

In order to protect the privacy of participants in internal investigations, the ATIPO offers a service to review investigation reports before they are communicated to concerned individuals. The ATIPO reviewed 5 such reports for the Human Resources Management Directorate during the reporting period.

The ATIPO reviewed and provided advice regarding updates to 2 privacy notice statements. No privacy/security contract clauses were reviewed over the course of this reporting period.

3.5 Privacy breaches

There were 6 confirmed privacy breaches that were reported during this reporting period. Two of these resulted from human error, while 4 were caused by a lack of awareness of the requirements of the Privacy Act and the PSEA. Of these 4 breaches, 2 of them happened in 2015, 1 in 2016 and the last during this reporting period. Five of these breaches occurred within the same program. As a result, the directorate, in consultation with the ATIPO, developed a new framework for the disclosure of personal information, which was approved by the Commissioners. Additionally, a PIA will be undertaken during the 2018-2019 fiscal year. The ATIPO is committed to supporting and guiding the directorate during this process.

Our internal Policy on Privacy Breaches does not distinguish between material and immaterial privacy breaches. Therefore, all privacy breaches are reported to the Office of the Privacy Commissioner and Treasury Board Secretariat.

At the time of drafting of this report, the Office of the Privacy Commissioner had responded to all 6 privacy breaches. Two of the breaches resulted in complaints being submitted to the Privacy Commissioner, which will be examined further in the complaints section below.

3.6 Annual report on the status of privacy impact assessments

In June 2018, the ATIPO presented the third annual and redesigned Status Report on PIAs to the Executive Management Committee. The purpose of this year’s report is to:

• list all collections of personal information conducted by program areas
• provide information on the status of PIAs at the Public Service Commission
• identify gaps related to the management of risks associated with collections of personal information

Last year’s report included a key recommendation to the effect that the ATIPO develop a PIA Architecture during the 2017-2018 fiscal year. The analysis for the development of a PIA Architecture was completed. This end-state model will support the comprehensive identification and management of privacy risks across all of our program activities.

4. Complaints

4.1 Number of complaints

During the reporting period, 2 complaints were submitted to the Office of the Privacy Commissioner regarding the processing of Privacy Act requests as well as 2 complaints regarding the Public Service Commission’s management of personal information.

4.2 Nature of complaints

The following complaints were received during the reporting period:

• 1 complaint regarding the application of exemptions
• 1 complaint related to missing records from a response to a request
• 2 complaints regarding the unauthorized disclosure of personal information

4.3 Complaints closed

During the reporting period, the Office of the Privacy Commissioner confirmed that one investigation was discontinued with the consent of the complainant.

Three complaints regarding the use of exemptions and alleged missing records were settled by agreement with the applicant.

One complaint regarding the use of extensions was deemed not well-founded by the Office of the Privacy Commissioner.

The Office of the Privacy Commissioner deemed 3 complaints to be well-founded, with no further action required. These 3 complaints dealt with missing records, a delay in responding to a request and an unauthorized disclosure of personal information.

Five investigations were carried forward to the next reporting period.

5. Court cases

During the reporting period, one application was filed in Federal Court pursuant to section 41 of Act. The applicant was denied access to a record following a request under the Act when the ATIPO was unable to contact the applicant. The Federal Court application was discontinued.

6. Privacy impact assessments

The Privacy Impact Assessment Policy came into effect in May 2002 and was replaced by the Directive on Privacy Impact Assessment in April 2010. The goal of the directive is to allow government institutions to identify whether a program or a service delivery initiative involving the collection, use or disclosure of personal information, as defined in the Act, complies with privacy principles. PIAs also aim to avoid or mitigate any identifiable risks to privacy. The ATIPO provides advice and guidance to Public Service Commission managers throughout the PIA production process, including the review of PIA reports and liaison with the Office of the Privacy Commissioner.

Summaries of completed PIAs are posted on our website.

The Public Service Commission’s Personnel Psychology Centre engaged a consultant to complete a PIA on its activities. At the time this report was drafted, the PIA was still in development. The ATIPO will continue to support the centre to finalize this PIA.

Annex A – Delegation Instrument

Privacy Act – Delegation Order

The President of the Public Service Commission of Canada, as head of the government institution, hereby designates Pursuant to section 73 of the Privacy Act, the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the President vested in him by the Privacy Act.

This delegation is effective as of the 29^th day of the month of December, 2016.

Christine Donoghue
Acting President

Date : December 16, 2016

Annex B – 2017-2018 Annual Privacy Act Statistical Report

Name of institution: Public Service Commission of Canada

Reporting period: 2017-04-01 to 2018-03-31

Part 1: Requests Under the Privacy Act