Privacy Act - Annual Report 2017-2018

(April 1, 2017 to March 31, 2018)

Canadian Heritage

This publication is available upon request in alternative formats.

© Her Majesty the Queen in Right of Canada, represented by the Minister of Canadian Heritage, 2018

Catalogue No. : CH1-1/2E-PDF

ISSN: 1926-7819

Table of contents

List of charts

List of acronyms and abbreviations

ATIP
Access to information and privacy
ATIP/D
Director, Access to Information and Privacy Secretariat
ATIP/DD
Deputy Director, Access to Information and Privacy Secretariat
CS
Corporate Secretary
DM
Deputy Minister
PIA
Privacy impact assessment
TBS
Treasury Board Secretariat

1. Introduction

The Department of Canadian Heritage is pleased to present to Parliament its annual report on the administration of the Privacy Act for fiscal year April 1, 2017 to March 31, 2018. Section 72 of the Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act during the fiscal year.

1.1. The Privacy Act

The purpose of the Privacy Act is to protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to their information. It also protects the privacy of individuals by exercising strict control over the collection, disclosure and use of such information.

The Department of Canadian Heritage is fully committed to both the spirit and the intent of the Privacy Act, which are based on the principles of open government and the assurance of privacy of individuals with respect to their personal information held by the Department.

1.2. Mandate of Canadian Heritage

The Department of Canadian Heritage and Canada's major national cultural institutions play a vital role in the cultural, civic and economic life of Canadians. We work together to support culture, the arts, heritage, official languages, multiculturalism, citizenship and participation, in addition to Aboriginal, youth, and sport initiatives.

The Department of Canadian Heritage is responsible for programs and policies that help all Canadians participate in their shared cultural and civic life. The Department’s legislative mandate is set out in the Department of Canadian Heritage Act and other statutes for which the Minister of Canadian Heritage is responsible and presents a wide-ranging list of responsibilities for the Minister under the heading of “Canadian identity and values, cultural development, and heritage.”

The Department oversees numerous statutes, namely the Broadcasting Act, the Copyright Act and the Investment Canada Act (the latter two acts shared with Innovation, Science and Economic Development Canada), the Official Languages Act (Part VII), the Museums Act the Canada Travelling Exhibitions Indemnification Act, the Cultural Property Export and Import Act, the Status of the Artist Act, the Canadian Multiculturalism Act and the Physical Activity and Sport Act (shared with Health Canada).

The Department of Canadian Heritage is specifically responsible for formulating and implementing cultural policies related to copyright, foreign investment and broadcasting, as well as policies related to arts, culture, heritage, official languages, sport, state ceremonial and protocol, and Canadian symbols. The Department’s programs, delivered through Headquarters, and multiple points of service including five regional offices across the country, fund community and third-party organizations to promote the benefits of culture, identity, and sport for Canadians.

In 2017-2018, the Minister of Canadian Heritage, assisted by the Minister for Sport and Persons with Disabilities, was accountable to Parliament for the Department, five departmental agencies and twelve Crown corporations.

2. Structure of the Access to Information and Privacy Secretariat

The Access to Information and Privacy (ATIP) Secretariat is responsible for administering the Privacy Act within the Department of Canadian Heritage. Its mandate is to act on behalf of the Minister of Canadian Heritage in ensuring compliance with legislation, regulations and government policy and to create departmental directives, including standards, in all matters relating to the Act.

During the reporting period, the ATIP Secretariat consisted of an Operations Unit with 10 positions and a Policy and Governance Unit of two analysts.

The Operations Unit is responsible for processing requests under the Privacy Act. This includes receiving requests from the public, performing line-by-line review of the records requested, conducting external consultations as required and representing the Department in dealings with the Office of the Privacy Commissioner regarding the application of the Act.

The Policy and Governance Unit provides policy advice and guidance to the Department on the protection of personal information.  This unit develops policy instruments, processing products and tools.  It is responsible for assisting program officials when they complete Privacy Risk Checklists and/or conduct a privacy impact assessment (PIA) to ensure privacy legislation and policy requirements are respected.  The unit liaises with employees and prepares and delivers training and awareness sessions throughout the department.  In addition, the unit prepares the Department’s annual reporting requirements and publishes the Department’s Info Source chapter.

In the departmental organizational structure, the ATIP Secretariat reports to the Corporate Secretariat for Canadian Heritage.

3. Delegation order

The powers, duties and functions of the administration of the Privacy Act has been fully delegated by the Minister to the Director of the ATIP Secretariat.  A copy of the Canadian Heritage’s delegation order is appended to this report as Appendix A.

4. requestsAdministration of

The statistical report submitted to the Treasury Board Secretariat on the administration of the Privacy Act has been completed and is appended to this report as Appendix B.

4.1. requestsPrivacy

Between April 1, 2017 and March 31, 2018, nineteen formal requests for information were received under the Privacy Act. In comparison with the last reporting period, this represents a 30% decrease in requests, as shown in Chart 1.

Chart 1: Number of requests received, 2011-2012 to 2017-2018

This bar graph shows the number of requests received from 2011-2012 to 2017-2018.  Data is as follows:

  • 2011-2012: 10
  • 2012-2013: 5
  • 2013-2014: 12
  • 2014-2015: 3
  • 2015-2016: 19
  • 2016-2017: 27
  • 2017-2018: 19

One request was carried over from the previous reporting period.

No formal requests for correction of personal information were received for this fiscal year.

4.2. Disposition of completed requests

Nineteen requests were completed during the reporting period.  Three requests resulted in the partial disclosure of information and two requests were abandoned. It was not possible to process fourteen requests as no records existed.

4.3. Extensions

Requests can be extended for up to 30 additional days beyond the 30-day statutory time frame in two circumstances: when meeting the original time limit would unreasonably interfere with the operations of the government institution or when consultations are necessary. The Department was not required to take an extension for a request beyond the statutory time frame.

4.4. Exemptions

The Privacy Act sets out specific exceptions to the right of access. These exceptions are known as exemptions. Each exemption is intended to protect information relating to a particular public or private interest and form the only basis for refusing access to personal information under the Privacy Act. In processing the requests, one type of exemption was invoked in 2017-2018. Section 26 (personal information about another individual) was applied in three requests.

4.5. Exclusions

The Privacy Act does not apply to information that is already publicly available, such as government publications and material in libraries and museums.  It also excludes material deemed to be Cabinet confidences.  There were no exclusions cited in the requests completed during the reporting period.

4.6. Costs

For the fiscal year 2017-2018 the cost for the ATIP Secretariat to administer the Privacy Act was $192,631, of which $184,360 was for salaries and $8,271 was for material goods and supplies.

5. Education and training activities

Data Privacy Day

On January 28, 2018, Canada and many countries around the world celebrated Data Privacy Day.  Data Privacy Day highlights the impact technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.

In a lead-up to Data Privacy Day, the Director of ATIP Secretariat published a communique on the Department’s intranet news service that offered advice on how employees could protect their personal information.  It also promoted on-line and in-class privacy awareness training for employees.  In addition, advertisements were posted on the electronic billboards located in various locations across the Department informing employees of the upcoming event and encouraging them to visit the ATIP Secretariat intranet page for more information.

Privacy awareness and training

In the reporting period, ATIP Secretariat published a training calendar on its intranet page that identified in class and distant (Webex) privacy awareness training sessions being offered in both official languages. The ATIP Secretariat promoted its learning activities via the internal news service on the Department’s intranet site and all Departmental employees were invited to participate.

During the reporting period, 19 privacy awareness training sessions were held.  Eleven sessions were delivered in class and eight were delivered using the Webex service for regional staff. A total of 173 employees participated in these training sessions.

Cyber Security Awareness Month

The ATIP Secretariat supported and contributed to the Chief Information and Transformation Officer Branch’s month long Cyber Security Awareness campaign in October 2017.  Week 3 of the campaign focused on the theme of “Privacy Protection and the Internet of Things.”  A communique on the Department’s intranet news service provided employees with tips on protecting their privacy online and on their mobile devices and directed them to the Office of the Privacy Commissioner’s website.  The communique also encouraged employees to register for ATIP Secretariat privacy protection training sessions.

6. Policy instruments, procedures and initiatives

Policy instruments

During the reporting period, the ATIP Secretariat continued to work toward embedding a culture of privacy excellence by updating the Privacy Risk Checklist.

Info Source update

Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions.  It provides individuals, as well as current and former employees of the government, with relevant information to assist them to access personal information about themselves held by government institutions.

The Treasury Board Secretariat (TBS) requires that government institutions publish their Info Source chapteron their Internet site.  During the reporting period, the Department of Canadian Heritage completed its review of its Info Source chapter and met all legislative and TBS mandatory requirements.

7. Complaints and federal court cases

There were no complaints regarding the processing of a request filed with the Office of the Privacy Commissioner against the Department of Canadian Heritage in fiscal year 2017-2018.

There were no Federal Court cases concerning the refusal of access during this reporting period.

8. Monitoring the processing of requests and requests for corrections

The ATIP Secretariat monitors the processing of requests on a daily basis using the ATIP management system (Access Pro Case Management) as well as through bi-weekly meetings between the officers and management of the Secretariat. This ensures accurate and timely responses to applicants.

9. Material privacy breaches

A privacy breach is deemed to be a material breach if it involves sensitive personal information, could reasonably be expected to cause serious injury or harm to the individual, or involves a large number of affected individuals. There were no breaches during this reporting period.

10. Privacy impact assessment

Summaries of completed Privacy Risk Assessments (PIA) are posted on PCH’s Internet site: Transparency - Access to Information and Privacy.

In keeping with the guidance from the Office of the Privacy Commissioner of Canada and the Treasury Board Directive on Privacy Impact Assessment, privacy risks identified in PIAs are aligned with the 10 universal privacy principles found in the Canadian Standards Association’s Model Code for the Protection of Personal Information.

During the reporting period, PCH completed two PIAs:

  • Site-Secure system - a security management solution that provides a common source of documenting incidents, occurrences, the registration of guests, assets, service calls, etc.; and
  • The Canada Day Challenge - an annual art, photography and creative writing contest for youth in Canada.

In the reporting period, departmental colleagues requested advice on the use and disclosure of personal information.

Twelve Privacy Risk Checklists were evaluated for new or changed programs or systems, one of which resulted in the recommendation to perform a full PIA.  Additionally, the ATIP Secretariat drafted four privacy notices further to the analysis of Privacy Risk Checklists.

11. Disclosure of personal information pursuant to paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act stipulates under which circumstances personal information under the control of a government institution may be disclosed.  Paragraph 8(2)(m) states that disclosure of personal information is permitted for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or the disclosure would clearly benefit the individual to whom the information relates. During the reporting period, no disclosures were made pursuant to paragraph 8(2)(m) of the Privacy Act.

Appendix A – Delegation order

Access to Information Act and Privacy Act

Pursuant to Section 73 of the Access to Information Act and the Privacy Act, I, as head of the Department of Canadian Heritage, hereby designate the persons holding the positions set out in the schedule hereto, or persons occupying on an acting basis those positions, to exercise my powers and functions under these Acts specified opposite each position.

This Delegation Order supersedes all previous Access to Information Act and Privacy Act Delegation Orders.

The Honourable Mélanie Joly
Minister of Canadian Heritage
Date: May 31, 2016

Powers and functions delegated pursuant to Section 73 of the Privacy Act and Privacy Regulations

Legend:

DM
Deputy Minister
CS
Corporate Secretary
ATIP/D
Director, Access to Information and Privacy Secretariat
ATIP/DD
Deputy Director, Access to Information and Privacy Secretariat

Note: The Xs indicate which position has delegated authority for each section of the Act.

Privacy Act

Section Description DM CS ATIP/D ATIP/DD
8(2)(j) Disclosure for research purposes x x x
8(2)(m) Disclosure in the public interest or in the interest of the individual x
8(4) Copies of requests under 8(2)(e) to be retained x x x
8(5) Notice of disclosure under 8(2)(m) x x x
9(1) Record of disclosures to be retained x x x
9(4) Consistent uses x x x
10 Personal information to be included in personal information banks x x x
14 Notice where access requested x x x
15 Extension of time limits x x x x
17(2)(b) Language of access x x x
17(3)(b) Access to personal information in alternative format x x x
18(2) Exemption (exempt bank) - disclosure may be refused x x x
19(1) Exemption - personal information obtained in confidence x x x
19(2) Exemption - where authorized to disclose x x x
20 Exemption - federal-provincial affairs x x x
21 Exemption - international affairs and defence x x x
22 Exemption - law enforcement and investigation x x x
22.3 Exemption - Public Servants Disclosure Protection Act x x x
23 Exemption - security clearances x x x
24 Exemption - individuals sentenced for an offence x x x
25 Exemption - safety of individuals x x x
26 Exemption - information about another individual x x x
27 Exemption - solicitor-client privilege x x x
28 Exemption - medical record x x x
31 Notice of intention to investigate x x x
33(2) Right to make representation x x x
35(1) Findings and recommendations of Privacy Commissioner (complaints) x x x
35(4) Access to be given x x x
36(3) Report of findings and recommendations (exempt banks) x x x
37(3) Report of findings and recommendations (compliance review) x x x
51(2)(b) Special rules for hearings x x x
51(3) Ex parte representations x x x
72(1) Report to Parliament x x x

Privacy Act Regulations

Section Description DM CS ATIP/D ATIP/DD
9 Reasonable facilities and time provided to examine personal information x x x
11(2) Notification that correction to personal information has been made x x x
11(4) Notification that correction to personal information has been refused x x x
13(1) Disclosure of personal information relating to physical or mental health may be made to a qualified medical practitioner or psychologist for an opinion on whether to release information to the requestor x x x
14 Disclosure of personal information relating to physical or mental health may be made to a requestor in the presence of a qualified medical practitioner or psychologist x x x

Appendix B – Statistical report on the Privacy Act

Name of institution: Canadian Heritage

Reporting period: 2017-04-01 to 2018-03-31

Part 1: Requests Under the Privacy Act

Number of Requests
Received during reporting period 19
Outstanding from previous reporting period 1
Total 20
Closed during reporting period 19
Carried over to next reporting period 1

Part 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 3 0 0 0 0 0 3
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 9 5 0 0 0 0 0 14
Request abandoned 2 0 0 0 0 0 0 2
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 11 8 0 0 0 0 0 19

2.2 Exemptions

Section Number of Requests Section Number of Requests Section Number of Requests
18(2) 0 22(1)(a)(i) 0 23(a) 0
19(1)(a) 0 22(1)(a)(ii) 0 23(b) 0
19(1)(b) 0 22(1)(a)(iii) 0 24(a) 0
19(1)(c) 0 22(1)(b) 0 24(b) 0
19(1)(d) 0 22(1)(c) 0 25 0
19(1)(e) 0 22(2) 0 26 8
19(1)(f) 0 22.1 0 27 2
20 0 22.2 0 28 0
21 0 22.3 0

2.3 Exclusions

Section Number of Requests Section Number of Requests Section Number of Requests
69(1)(a) 0 70(1) 0 70(1)(d) 0
69(1)(b) 0 70(1)(a) 0 70(1)(e) 0
69.1 0 70(1)(b) 0 70(1)(f) 0
70(1)(c) 0 70.1 0

2.4 Format of information released

Disposition Paper Electronic Other formats
All disclosed 0 0 0
Disclosed in part 0 3 0
Total 0 3 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Disposition of Requests Number of Pages Processed Number of Pages Disclosed Number of Requests
All disclosed 0 0 0
Disclosed in part 621 497 3
All exempted 0 0 0
All excluded 0 0 0
Request abandoned 0 0 2
Neither confirmed nor denied 0 0 0
Total 621 497 5
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less Than 100
Pages Processed
101-500
Pages Processed
501-1000
Pages Processed
1001-5000
Pages Processed
More Than 5000
Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 0 0 3 497 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 2 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 2 0 3 497 0 0 0 0 0 0
2.5.3 Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

Deemed refusals

2.6.1 Reasons for not meeting statutory deadline
Number of Requests Closed Past the Statutory Deadline Principal Reason
Workload External Consultation Internal Consultation Other
0 0 0 0 0
2.6.2 Numbers of days past deadline
Number of Days Past Deadline Number of Requests Past Deadline Where No Extension Was Taken Number of Requests Past Deadline Where An Extension Was Taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121  to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0

2.7 Request for translation

Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Part 3: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Part 4: Request for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Part 5: Extensions

5.1 Reasons for extensions and disposition of requests

Disposition of Requests Where an Extension Was Taken 15(a) (i)
Interference With Operations
15(a) (ii)
Consultation
15(b)
Translation or Conversion
Section 70 Other
All disclosed 0 0 0 0
Disclosed in part 0 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
No records exist 0 0 0 0
Request abandoned 0 0 0 0
Total 0 0 0 0

5.2 Length of extensions

Length of Extensions 15(a)(i)
Interference with operations
15(a)(ii)
Consultation
15(b)
Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 0 0 0 0
Total 0 0 0 0

Part 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Pending at the end of the reporting period 0 0 0 0

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation Number of days required to complete consultation requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121  to 180 Days 181 to 365 Ddays More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

6.3 Recommendations and completion time for consultations received from other organizations

Recommendation Number of days required to complete consultation requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121  to 180 Days 181 to 365 Ddays More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

7.2 Request with Privy Council Office

Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s) completed 2

Part 10: Resources Related to the Privacy Act

10.1 Costs

Expenditures Amount
Salaries $184,360
Overtime $0
Goods and Services $8,271
• Professional services contracts $0
• Other $8,271
Total $192,631

10.2 Human Resources

Resources Person Years Dedicated to Privacy Activities
Full-time employees 2.00
Part-time and casual employees 0.00
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 2.00
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: