Annual Report to Parliament on the Privacy Act 2024 to 2025

On this page

• List of acronyms
• 1. Introduction
• 2. Organizational structure
  
  • 2.1 About the Correctional Service of Canada
  • 2.2 The Access to Information and Privacy Division
  • 2.3 Initiatives and priorities
• 3. Delegation Order
• 4. Performance in 2024 to 2025
  
  • 4.1 Requests processed under the Access to Information Act
  • 4.2 Disposition of requests
  • 4.3 Exemptions and exclusions
  • 4.4 Extensions
  • 4.5 Completion time
  • 4.6 Deemed refusals
  • 4.7 Outstanding requests
  • 4.8 Outstanding active complaints
  • 4.9 Consultations from other institutions and organizations
  • 4.10 Disclosures made pursuant to paragraph 8(2)(e) of the Privacy Act
  • 4.11 Informal requests
• 5. Training and awareness
• 6. Policies, guidelines and procedures
• 7. Summary of key issues
• 8. Material privacy breaches
• 9. Privacy impact assessments
• 10. Public interest disclosures
• 11. Monitoring compliance
• Appendix A: Delegation Order

List of acronyms

1. Introduction

The Privacy Act (PA) protects the privacy of Canadian citizens and permanent residents against the unauthorized use and disclosure of personal information about them held by a government institution. It also provides individuals with a right of access to that information and the right to correct inaccurate personal information. In addition, the PA legislates how the government collects, stores, disposes of, uses and discloses personal information.

Section 72 of the PA requires that the Head of every federal government institution submits an Annual Report to Parliament on the administration of this Act over the Fiscal Year. The Minister of Public Safety has delegated the administration of the PA, including the reporting of the Annual Report, to the Commissioner of the Correctional Service of Canada (CSC).

CSC is a federal agency responsible for the administration of court-imposed sentences of 2 years or more. CSC’s Mandate is to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens, while exercising reasonable, safe, secure and humane control.

This report describes how CSC fulfilled compliance with the PA during the reporting Fiscal Year (FY) period of April 1, 2024, to March 31, 2025.

Our institution did not have any non-operational (“paper”) subsidiaries during this reporting period.

2. Organizational structure

2.1 About the Correctional Service of Canada

The purpose of the federal correctional system, as defined in law, is to contribute to the maintenance of a just, peaceful and safe society by carrying out sentences for offenders sentenced to 2 years or more imposed by courts. This is done through the safe and humane custody and supervision of offenders, and by assisting the rehabilitation of offenders and their safe reintegration into the community as law-abiding citizens through the provision of programs in penitentiaries and in the community (Corrections and Conditional Release Act [CCRA], section 3).

CSC works closely with its Public Safety portfolio partners, including:

• the Royal Canadian Mounted Police (RCMP)
• the Parole Board of Canada (PBC)
• the Canada Border Services Agency (CBSA), and
• the Canadian Security Intelligence Service (CSIS)
• in addition to oversight bodies including the Office of the Correctional Investigator (OCI)

2.2 The Access to Information and Privacy Division

The Access to Information and Privacy (ATIP) Division reports to the Director General of Rights, Redress and Resolution under the Policy Sector and has 8 units:

• Intake, Processing and Retention Unit (ATIP Administrative Team)
• Access to Information Operations Team
• Privacy Operations Team
• Policy and Governance Unit
• Disclosure and Law Enforcement Team
• ATIP Backlog Team
• The Strategic Compliance, Reporting and Client Management Team
• The Business Transformation Team

The Intake, Processing and Retention Unit, is responsible for processing incoming requests, generating routine correspondence, tasking retrievals of records to Offices of the Primary Interest (OPIs), fostering the quality assurance of the ATIP process, preparing final release packages, responding to inquiries received on ATIP’s Toll Free number
(1-844-757-8031), and providing general support to the ATIP Division.

The Access to Information Operations Team is responsible for reviewing records under the PA, conducting consultations with internal and external stakeholders, applying exemptions and exclusions, preparing release packages for requesters, and responding to complaints from the Office of the Information Commissioner (OIC).

The Privacy Operations Team processes formal and informal requests under the PA and responds to complaints from the Office of the Privacy Commissioner (OPC). This team has been organized into 3 teams:

1. The Privacy Urgent Team is responsible for responding to urgent formal privacy requests (for example documents requested by offenders/requesters or their representatives for upcoming parole hearings, court purposes or other legal proceedings where time is of the essence, and where the individual consents to release of their personal information. They also process privacy consultation from other government departments
2. The Strategic Privacy Response Team (SPRT) Team is responsible for reviewing current requests pertaining to offender files such health care, employment, admission and discharge, visits and correspondence, sentence management, education and training
3. The Privacy Complaint Team is responsible for responding to delay and right of access complaints received by the OPC and to any judicial review applications related to these complaints

The Policy and Governance Unit (PGU) acts as a single point of contact for privacy within CSC. It develops privacy policies, guidelines, tools and procedures to support ATIP requirements within CSC. In addition, the unit provides advice, guidance and support regarding ATIP legislation and related policies; promotes privacy awareness; and manages privacy breaches, and any improper collection, use and disclosure complaints filed with the OPC. The unit also oversees:

• Privacy Impact Assessments (PIAs)
• reviews Memoranda of Understanding
• Information Sharing Agreements
• contracts
• forms and Commissioner’s Directives; and
• delivers privacy training

The PGU is also responsible for the informal review of disciplinary, harassment and workplace violence reports for the department. This also includes complex privacy requests related to investigations as well as other sensitive files such as public interest disclosures.

The Disclosure and Law Enforcement Team oversees releases under subsection 8(2) of the PA, which are requests without offender consent. These requests include files for litigation; dangerous offender applications and long-term supervision orders; other court purposes; and on-going investigations as well as various requests from provincial and federal partners.

The ATIP Backlog Team is responsible for processing files from the ATIP Division’s backlog, including assessing areas of ATIP operations that could be streamlined to foster efficiencies in addressing current legacy requests and preventing future backlog of requests.

The Strategic Compliance, Reporting and Client Management Team is responsible for collecting, analyzing and presenting information using to support ATIP in its reporting requirements (including the ATIP Annual Reports) and compliance rates. This team also liaises with the OIC as well as the OPC for data consistency.

The Business Transformation Team is responsible for onboarding the new ATIP digital solution and to find or develop modern software solutions, Artificial Intelligence or Robotic Process Automation to assist the Rights Redress and Resolution Branch to increase productivity and efficiency through the use of new technological solutions.

In addition, each sector, region, institution, district, parole office and community correctional centre has an ATIP liaison who assists the national ATIP Division in administering its overall responsibilities.

During the FY 2024 to 2025, there were 68.5 employees dedicated to privacy activities as follows:

• 67 full-time employees
• 1.5 part-time and casual employees

CSC was not party to any service agreements under section 73.1 of the PA during this reporting period.

2.3 Initiatives and priorities

This section will outline CSC’s initiatives and priorities for ATIP, and unless otherwise noted is referring to both the ATIA and the PA, as well as both formal requests and informal requests such as information sharing with our public safety partners.

The highest proportion of ATIP requests are Privacy requests. These account for 84% of the total workload, while Access requests represent about 16% of all ATIP requests.

The CSC ATIP Division has faced many challenges over the past several years, including an improving but persistent backlog, resources being diverted to internal services, and limited informal personal information sharing options at the institutional level. Despite these challenges, CSC has achieved many successes and has many initiatives underway, which include the following:

1. Increase in production: Production outpaces incoming workload

In FY 2024 to 2025, the ATIP Division received a total of 2,307,632 pages and processed a total of 2,967,237 pages, including all request types (Access requests, Privacy requests and informal requests including information sharing). The continued productivity is a positive step towards eliminating backlog and improving CSC’s compliance rate.

The following table and graph will show CSC’s overall production, including formal and informal requests under both Acts, and including both pages processed, and pages resolved (abandoned, not relevant, etc.).

Table 1: Total number of pages processed by year

All Teams	2015 to 2016	2016 to 2017	2017 to 2018	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022	2022 to 2023	2023 to 2024	2024 to 2025
Pages Received	2,193,895	1,808,208	2,123,826	2,365,365	2,263,332	2,244,088	2,352,550	2,151,361	2,027,386	2,307,632
Pages Closed	1,579,873	1,245,688	1,630,098	1,031,973	1,342,959	944,669	2,221,015	3,224,977	3,259,771	2,967,237
Carried Forward	4,125,494	4,688,014	5,181,742	6,515,134	7,435,507	8,734,926	8,866,461	7,792,845	6,560,460	5,900,855

The following graph shows from FY 2021 to 2022 until FY 2024 to 2025, the ATIP Division was successful in changing the previous trend and making significant progress in addressing the backlog. 

With the current processes, procedures, technologies, and resources levels in place, the ATIP Division has successfully reduced its backlog by an average of 980,000 pages per year over the last 3 fiscal years. By maintaining this pace, CSC anticipates clearing its backlog by 2031. CSC aims to increase efficiency in processing ATIP requests, eliminate the current backlog, avoid accumulating further legacy requests, and improve CSC’s compliance rate.

2. Information Sharing with partners

The CSC’s ATIP Division is responsible for engaging with Provincial and Territorial Crown Attorneys, Law Enforcement agencies and other public safety organizations to exchange information to foster public safety and protection of Canadians. This fiscal year, the ATIP Division responded to 574 requests, including processing 242,919 pages, to requesting agencies. While these are considered as informal requests under the ATIA or the PA, they are an important function of ATIP to meet CSC’s disclosure and information sharing requirements with its criminal justice and law enforcement partners.

CSC has also been working with crown prosecutors across Canada to streamline information sharing and to ensure CSC has lawful authority to share personal information regarding dangerous offender and long-term supervision order cases. This includes preventing broad information sharing, especially where an individual has reached warrant expiry. The ultimate goal is to put a permanent solution in place to clarify what information can be shared and when, and when a production order will be required. This solution could be a legislative reform.

3. Pilot Project with the Department of Justice

In 2021 to 2022, the ATIP Division and CSC Legal Services Unit, in conjunction with the Department of Justice (DOJ) launched a Pilot Project entitled the Disclosure Review Process (DRP) 2.0 for litigation files. The DRP outlines which file banks can be processed by DOJ and which can be reviewed by the ATIP Division. This approach prevents “double-work” for example where files are reviewed more than once or where second reviews are unnecessary. DOJ lawyers are trained to recognize personal information and protect it if it is not relevant for court purposes. As such, there is no value added for them to consult the ATIP Division to confirm and identify personal information included in these files. However, DOJ consults ATIP Division to obtain expert advice on complex files involving security matters. In 2024 to 2025, nearly 32,610 pages have been reviewed by DOJ. The pilot is anticipated to end in FY 2025 to 2026 at which time, the DRP process will become formalized.

4. Transforming our inventory of backlog files

This fiscal year, the ATIP Division took significant steps to address our inventory of older files (backlog), including:

• Generating 2,099 backlog notification letters to verify with requesters whether they are still interested in the requested files. Of those requests, 1,875 were resolved totaling 793,835 pages
• Resolving all requests where the requester (offender) has reached their Warrant Expiry (no longer under CSC supervision) and did not leave their updated contact information with CSC. This project allowed CSC to close 729 requests totaling 208,636

The initiative to review backlog files is currently temporarily funded and will sunset in FY 2027 to 2028.

5. Managing Protected C documents: “Protected C” pilot project

In collaboration with Security Intelligence Officers from various sites, the ATIP Division is conducting a Preventive Security (PS) pilot project to modernize, digitize and streamline the consultation process required for processing PS requests. This streamlined process has eliminated the time and cost associated with sending printed copies back and forth between ATIP and the institutions. In FY 2024 to 2025, 86 PS requests were closed. The CSC ATIP Division anticipates implementing this process permanently by Fall 2025.

6. ATIPXpress migration

Following successful acceptance testing in February 2024, CSC received IT management Committee approval and authority to operate the ATIPXpress system in May 2024. The pilot phase of ATIPXpress was launched on June 24, 2024, initially focusing on processing privacy requests. The first request was fully processed through the system by July 19, 2024, marking a successful milestone. Throughout the fall of 2024, CSC ATIP Privacy teams were gradually onboarded, with the remaining Privacy and Access teams trained and integrated into the system by winter 2025. The pilot phase officially concluded at the end of the 2024 to 2025 fiscal year, and all privacy requests are now being processed through ATIPXpress.

As part of its commitment to ensuring the system meets operational needs, CSC completed user acceptance testing for 2 major version upgrades. Version 11.8 was tested between September and October 2024, while version 11.11.2 underwent testing in February and March 2025. These upgrades are critical to aligning the system’s functionality with CSC ATIP Division’s evolving requirements.

In parallel with system implementation, CSC collaborated closely with the vendor and other Government of Canada departments through dedicated workgroups to further develop key modules within ATIPXpress. These efforts focused on maximizing the efficiencies of the system, for example:

• enhancing document management and indexing capabilities
• streamlining the consultations process
• improving the handling of cabinet confidence documents
• managing ATIP complaints, and
• enabling the application to directly interact with files in the original format

This collaborative approach has been instrumental in ensuring that the system evolves in alignment with both CSC’s operational needs and broader federal requirements.

Despite this progress, the full transition to ATIPXpress experienced delays due to mandatory contract requirements not being fully delivered until April 2025. Additionally, 2 significant version updates are necessary to meet all operational requirements. The first of these updates was live in April 2025, while the second is scheduled for release in the fall of 2025.

To support the rollout at CSC, over 50 staff members at National Headquarters (NHQ)-ATIP and more than 240 employees across NHQ sectors and regional offices have been trained to use the ATIPXpress module for Offices of Primary Interest (OPIs). CSC continues onboarding ATIPXpress, the next step is working with the vendor to migrate backlog data from their legacy system to ATIPXpress in the 2025 to 2026 fiscal year.

7. Access Requests Tasking Pilot Project

In August 2024, CSC launched its Access Requests Tasking Pilot. This was a modernization initiative to centralize the Access to Information record retrieval process by designating a point of entry and exit for taskings, in order to ensure work was done at the lowest level possible. This allowed CSC to increase its compliance to ATIA timelines from 16% in July 2024 to 42% by the end of this fiscal year.

8. Goals and vision moving forward

In the 2025 to 2026 fiscal year, the ATIP Division will turn its focus to:

• Minimizing and eventually eliminating the existing backlog, including ensuring production continues to outpace new requests and that our clients are satisfied
• Providing training and awareness to prevent breaches of personal information and increase employees’ ATIP knowledge
• Complete the migration of AccessPro platform to ATIPXpress to enhance ATIP’s capacity to respond to information requests
• Continue to review our processes to find efficiencies
• Adjust the ATIA and PA delegation orders so that work is done at the lowest possible level
• Work towards digitization of the request intake system for incarcerated requesters under CSC jurisdiction
• Work towards an improved video review solution
• Identify opportunities for record sharing outside the formalized ATIP system

3. Delegation order

The Commissioner of CSC is responsible for the administration of the PA. The Minister delegates this authority to members of departmental senior management, including the ATIP Division Departmental Coordinator (ATIP Director), to carry out their powers, duties, and functions under the Act, in relation to ATIP requests. Certain authorities are delegated to positions in the ATIP Division at NHQ as shown in Appendix A of this report.

4. Performance in 2024 to 2025

4.1 Requests processed under the Privacy Act

In 2024 to 2025, the CSC ATIP Division received 7,503 requests for personal information, an approximate 29% increase from the previous year. A total of 16,654 requests were carried over from the previous reporting years, totaling 24,157 requests requiring processing in 2024 to 2025. CSC responded to 8,701 requests for personal information, representing 36% of the total number of requests received and outstanding from the previous reporting period. Of the 8,701 requests closed, 38% (3,266) of requests were closed within legislated timelines.

This graph shows the total workload of privacy requests as a sum of requests received during the reporting period and requests outstanding from the previous reporting periods. The line illustrates the trend of files closed. As the graph outlines, the number of requests closed remained high in 2024 to 2025 (almost triple the number of 2018 to 2019), which can be attributed to the work completed by the Transformation (Backlog) teams, and finding business efficiencies to improve results. This trend will continue as efficiencies continue to be implemented to address the long-standing backlog and the current workload.

4.2 Disposition of requests

Of the 8,701 requests completed during the 2024 to 2025 reporting period, 708 requests were full disclosures; 2,929 were partial disclosures; 5 were withheld in their entirety; no records existed for 762; 4,296 were abandoned by the requesters; and 1 was neither confirmed nor denied. In summary, 8% of requests were full disclosures and 34% were partial disclosures.

4.3 Exemptions and exclusions

During this reporting period, there were 6,726 exemptions applied and 2 exclusions applied. Most exemptions invoked by CSC were under 3 sections of the PA:

• Section 26 was applied in 3,594 cases (53%) to protect personal information of individuals
• Section 22 was applied in 1,683 cases (25%) to protect information relating to law enforcement and investigations
• Section 19 was applied in 1,209 cases (18%) to protect information obtained in confidence

A complete breakdown of the exemptions and exclusions applied during this reporting period is as follows:

Table 2: Breakdown of exemptions and exclusions applied during this reporting period

Exemption and exclusion description	Number of times applied
Obtained in Confidence	1,209
Law Enforcement and Investigation	1,682
Public Servants Disclosure Protection Act	1
Individuals Sentenced for an Offence	179
Safety of Individuals	7
Personal Information	3,594
Solicitor-Client Privilege	49
Medical Records	5
Library/Museum Material	2
Total	6,728

4.4 Extensions

A total of 3,855 extensions were required during this reporting period. Most of the extensions were taken due to a large volume of requests (3,848), and the others were due to a large volume of pages (6) and documents difficult to obtain (1). Extensions accounted for 44% of all formal requests closed during the fiscal year.

4.5 Completion time

During the reporting period, CSC completed 2,213 requests in 30 days or less; 1,131 requests between 31 and 60 days; 163 requests between 61 and 120 days; 121 requests between 121 and 180 days; and 5,073 requests in over 180 days.

4.6 Deemed refusals

Over the years, an increasing number of files have been closed beyond the legislated timeline however this has improved significantly in 2024 to 2025. During this fiscal year, 62% of the requests (5,435) were closed beyond the legislated timeline, representing a 1623% decrease from last fiscal year (74%). The decreased proportion of requests closed beyond the legislated timeline is largely attributed to the SPRT team processing current and low complexity files that deal with specific file banks.

4.7 Outstanding requests

At the end of this fiscal year, 15,456 requests were outstanding and were carried over to the 2025 to 2026 reporting period. Of those requests, 4,109 were received during this fiscal year, whereas 2,273 were received during the previous fiscal year. Also,

• 87 outstanding requests were received during fiscal year 2016 to 2017 or earlier
• 554 in 2017 to 2018
• 414 in 2018 to 2019
• 2,009 in 2019 to 2020
• 1,921 in 2020 to 2021
• 2,130 in 2021 to 2022 and
• 1,959 in 2022 to 2023

These requests, 14,424 in total, were beyond the legislated timeline as of March 31, 2025.

4.8 Outstanding active complaints

During this reporting period, CSC received a total of 231 complaints, a 30% increase in the number of complaints received during the last fiscal year (178 complaints in 2023 to 2024). Of those 231 complaints, 93 remained active and were carried over to the next fiscal year 2025 to 2026. Other complaints carried over to fiscal year 2025 to 2026 include

• (2) complaints received during fiscal year 2023 to 2024
• (1) complaint received during fiscal year 2022 to 2023
• (2) complaints received in 2021 to 2022
• (1) complaint received in 2020 to 2021; and
• (1) complaint received in 2016 to 2017

A total of 100 complaints were therefore still active as of March 31, 2025. Finally, a total of 204 findings were issued.

Most privacy complaints received during this reporting period are related to delay/time limit complaints, followed by denial of access.

4.9 Consultations from other institutions and organizations

The ATIP Division’s workload involves responding to consultations in response to formal requests received by other institutions and organizations. CSC works closely with its partners in the Public Safety portfolio such as CBSA, RCMP, CSIS and PBC to respond to consultations in a timely fashion. CSC is consulted on such subjects as

• court cases
• offender grievances
• OCI matters
• offender files, and
• deported individuals

During the 2024 to 2025 reporting period, the ATIP Division received a total of 16 consultations from other government institutions and organizations and started the fiscal year 2024 to 2025 with an additional 8 consultations carried over from more than 1 reporting period. CSC completed 16 consultation requests in 30 days or less; no other consultation requests took more than 30 days.

4.10 Disclosures made pursuant to paragraph 8(2)(e) of the Privacy Act

During the 2024 to 2025 fiscal year, 172 disclosures pursuant to paragraph 8(2)(e) of the PA were made by CSC.

4.11 Informal requests

During the reporting period, CSC received 522 informal requests. A total of 77 requests were carried over from the previous reporting periods, totaling 599 informal requests requiring processing in 2024 to 2025. These include:

• releasing information through informal means where possible; and
• processing requests under subsection 8(2) of the PA, excluding paragraphs 8(2)(e) and (m)

A total of 561 informal requests were closed during 2024 to 2025, with a total of 183,718 pages released.

In addition, the ATIP Division reviewed records informally for CSC, applying the PA as required, including disciplinary, harassment and workplace violence reports. The ATIP Division processed 283 of these requests, totaling 23,509 pages reviewed and 18,146 pages released. The ATIP Division also reviewed information sharing agreements/Memoranda of Understanding; contracts; Commissioner’s Directives; and forms. The ATIP Division processed 79 of these requests, totaling 1,086 countable pages reviewed.

5. Training and awareness

CSC offered several training and awareness sessions in this period. In general, the sessions covered both Access to Information and Privacy topics, with some variance based on the training participants. 

The ATIP Division plays a fundamental role in developing and delivering training on demand. This training is provided to employees at NHQ, Regional Headquarters and at the institutional level across Canada on ATIP related matters. The ATIP Division also continues to provide advice, and address questions and concerns regarding training, policy and guidelines, and interpretations of the Acts through its generic email account. Through the use of these email accounts, CSC staff is provided with a single point of contact to increase their knowledge of the ATIP legislation and related policies. 

During this fiscal year, the ATIP Division has focused on maintaining its commitment to providing timely privacy policy advice for urgent and pressing matters. They delivered an informal training session on the collection, use, and disclosure of employee personal information to the Labour Relations and Workplace Management Branch, which was attended by approximately 30 individuals. An informal training session was also delivered to the Incident Investigations Branch (IIB) staff on Coroner’s requests for information, which was attended by approximately 5 staff members from the IIB.

In addition, there was 1 ATIP training session (general content) delivered by staff at the Prairie Region Regional Headquarters to approximately 10 staff members of the Health Services sector.

6. Policies, guidelines and procedures

Over the past year, the ATIP Division has continued to update internal guidelines and procedures and attend working groups as required, including:

• Ensuring the ATIP’s information on CSC’s intranet and internet sites are kept up-to-date
• Conducting statistical reporting in response to PA requests to ensure accuracy and improved coordination
• Participating in Interdepartmental Privacy Policy Management meetings
• Participating in CSC’s Artificial Intelligence Council
• Participating in CSC’s Information/Data Sharing Working Group

7. Summary of key issues

Privacy complaints that CSC received during the reporting period included:

• Delays in the processing of formal PA requests or complaints for missing records
• The application of redactions to documents responsive to formal PA requests; and
• Privacy breaches

Of those complaints received in FY 2024 to 2025, there were 6 complaints under sections 4 to 8 of the PA relating to the collection, retention and disposal of personal information unrelated to ATIP requests received by CSC during the reporting period, which have not been resolved by the end of the reporting period. 5 were on the subject of whether disclosures of personal information were in line with the provisions of the PA, and (1) was on the subject of lost information.

Complaints resolved by the OPC as “Well Founded” during the reporting period were on the following subjects:

• Accidental disclosure of personal information to a third-party mail delivery company
• Accidental access to personal information caused by information being sent to the wrong address

In both cases, corrective measures were taken to prevent future occurrences by reminding staff of proper procedures.

Other issues that were raised by privacy complaints were either resolved, deemed unfounded or were discontinued by the OPC.

As a result of the OPC’s investigations, recommendations, and the number of privacy complaints received (and carried over), the CSC ATIP Division undertook several strategic measures to respond to complaints during this 2024 to 2025 period. For example:

• The ATIP Division remains focused on dedicating staff to reducing the backlog
• The ATIP Division worked closely with OPIs to resolve complaints and implement necessary corrective measures
• The ATIP Division worked closely with the OPC on outstanding complaints and will continue to make this a priority in the new fiscal year
• The ATIP Division has continued to make use of a divisional complaints coordinator to work closely with the OPC to respond to formal complaints and inquiries using a single point of contact
• To resolve privacy complaints for missing records, the ATIP Division re-tasks the OPI to conduct new searches for missing records. Should new records be provided, the ATIP Division conducts a review of the records and discloses them accordingly

There were no audits undertaken during this fiscal year.

CSC received 15 new complaints related to the improper collection, use and disclosure of personal information, 9 complaints were carried over from previous fiscal years. During this fiscal year, 18 complaints were closed and 6 were carried over to fiscal year 2025 to 2026.

8. Material privacy breaches

During the 2024 to 2025 reporting period, the ATIP Division reported 17 material privacy breaches to the OPC and the Treasury Board Secretariat (TBS). These breaches consisted of disclosures of personal information (1) due to theft or loss of hard copy records, (2) due to human error, (3) due to information being sent to outside parties, and (4) due to being sent to the media.

Actions taken as a result of these breaches included:

• Filing a police report
• Recalling emails that were sent in error
• Searches for any copies that may have been made of the breached information
• Verifying that information was not used or disclosed further
• Verifying that the recipient destroyed or returned information they received in error
• Addressing any security concerns for the affected individual
• Review of, and updates to, existing processes
• Updating documents that mistakenly included personal information of others
• Meeting with and providing reminders to staff of their obligations regarding the protection of personal information.
• Applying caution when sending emails containing attachments and a list of recipients in the carbon copy field
• Consultations with IT on technical issues

CSC takes breaches of personal information seriously and continues to educate staff on the protection of personal information as follows:

• A continued and ongoing component of CSC training includes a comprehensive section on privacy breaches
• Staff are continuously reminded of their obligations to safeguard and protect personal information and adopt privacy-sensitive approaches in the workplace
• The ATIP Division continues to work with all liaisons and management regarding reporting requirements, implementing corrective measures and prevention

9. Privacy impact assessments

In accordance with TBS policy, CSC undertakes PIA to ensure new and re-designed programs, initiatives and projects involving the collection, use, disclosure and retention of personal information are complying with the PA. CSC’s PIA website is located at the following hyperlink Privacy impact assessments - Canada.ca.

There was (1) PIA completed during the 2024 to 2025 fiscal year on CSC’s implementation of Body Scanner technology into the repertoire of search tools available for use within CSC Institutions. The body scanner is a device that utilizes very low doses of x-rays to produce a visual image on a monitor as a means of providing an alternative to strip searches. The body scan legislative framework, set out in the CCRA and the Corrections and Conditional Release Regulations, support CSC utilizing body scanners to further reduce drugs and contraband from entering institutions, increasing safety and security of the institution, for inmates, staff and visitors, and enhancing Public Safety results. Data related to the scanned subject is personal information that is already collected through other CSC programs and activities.

The “Body Scanner Images” Personal Information Bank was added to CSC’s Info Source during this evaluating year and is currently awaiting TBS review. CSC’s list of Personal Information Banks is located at the following hyperlink Access to Information and Privacy Info Source - Canada.ca.

10. Public interest disclosures

Paragraph 8(2)(m) of the PA permits the disclosure of personal information where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where the disclosure would clearly benefit the individual to whom the information relates.

During the 2024 to 2025 fiscal year, 26 disclosures pursuant to paragraph 8(2)(m) of the PA were made by CSC. Of the 26, 23 of the public interest disclosures were made to family members/next of kin or the executor of the estate following a death while in the care and custody of CSC. 2 disclosures were made to victims whose needs for information were not met through regular information sharing procedures. Finally, (1) disclosure was made to a Coroner’s office when the information they required for an investigation could not be disclosed without consent through any other means than a public interest disclosure.

11. Monitoring compliance

The ATIP Division produces weekly reports for senior management that outlines various outputs, including the number of requests received, closed and outstanding. The ATIP Division also generates ad hoc reports to monitor and report on strategic areas or “quick wins” with the objective of identifying trends and measuring performance to increase compliance with legislated timeframes. Statistics related to the productivity are shared with ATIP’s Director and with the ATIP Director and the Rights, Redress and Resolutions’ Director General on a weekly basis.

In addition, the ATIP Division actively monitors, triages, and clarifies incoming requests, regularly reporting to senior management any requirement to reassess priorities and redistribute workload to improve performance.

To monitor compliance with portions of the Privacy Act that are not related to formal requests, CSC shares draft copies of forms, contracts, agreements and arrangements with the ATIP Division, so that a review of these documents is undertaken to ensure the appropriate privacy protections have been included.

Appendix A – Delegation order