Report on the administration of the Privacy Act 2022-2023

Introduction

Summary of the purpose of the Privacy Act

The Privacy Act (the Act), promulgated on July 1, 1983, aims to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution.

The purpose of the Act is to protect personal information by allowing individuals to consult information about them. It also imposes strict controls on how such information is gathered, used, and shared.

Annual report prepared in accordance with section 72

This document was prepared in response to section 72 of the Act, which requires federal institutions to submit an annual report to Parliament on the administration of the Act. This report provides details on activities related to the administration of the Act at Canada Economic Development for Quebec Regions (CED). This report was also prepared in accordance with section 20 of the Service Fees Act.

Mandate of the institution

CED is the key economic development player for Quebec’s regions for small and medium-sized enterprises (SMEs). In order to accomplish its core responsibility, which is economic development in Quebec, CED fosters business start-ups and growth. It helps them become more innovative, productive and competitive. It supports efforts to engage the regions of Quebec and attract investments that will help boost the economic well-being of Quebec and Canada.

CED contributes to the economic vitality of all of Quebec’s regions by leveraging their competitive regional advantages, such as wind power and marine technologies. It also supports the transition and diversification of communities that remain dependent on a limited number of sectors or that have been affected by an economic shock.

CED achieves its results by supporting businesses, primarily SMEs, and non-profit organizations (NPOs), through strategic investments. Through its 12 business offices across Quebec’s regions and the relationships it has developed with other economic development players, CED stays abreast of the needs of the regions and businesses and is able to offer financial support to carry out projects that support businesses and communities in their economic development efforts.

To learn more about CED's mandate, programming and activities, visit its website: ced.canada.ca.

Organizational structure

Access to Information and Privacy Office

CED fulfills its responsibilities under the Access to Information Act (ATI), including Part 2 on proactive publication, and the Privacy Act (PA) through an Access to Information and Privacy (ATIP) Office to process requests. The ATIP Office reports to the manager of the Corporate Secretariat, which in turn reports to the Chief of Staff to The Deputy Minister/President.

The ATIP Office has an access to information and privacy coordinator and an advisor. In addition to being responsible for all daily ATIP activities, the coordinator, who is supported by the advisor, oversees the development, coordination and implementation of policies, guidelines and procedures necessary to manage the agency’s compliance with the acts.

Through its delegated authority, the ATIP Office represents CED on matters relating to the ATI and PA in dealings with the public, the Treasury Board Secretariat, information and privacy commissioners, and with other federal institutions and departments.

During the reporting period, CED did not receive or provide any services under section 73.1 of the PA.

Delegation Order

In accordance with its enabling act, CED defines its chief executive officer as being the acting Deputy Minister/President. In addition to leading the institution and overseeing management of its staff, he is responsible for administering the Access to Information Act and the Privacy Act.

To this end, he has delegated authority for the application of these acts to the position of Manager of the Corporate Secretariat and to the position of Coordinator, Access to Information and Privacy. Administrative authorities were also delegated to the position of Advisor, Access to Information and Parliamentary Affairs.

A signed and dated copy of the delegation order is appended to this report.

2022–2023 Performance

Requests received and processed

During fiscal year 2022–2023, no personal information requests were received. Furthermore, no requests were carried forward from the previous year. In the previous fiscal year, 9 requests were received.

The following graph shows the number of requests for access to personal information received since 2018–2019. Excluding abandoned requests, CED processed 11 personal information requests during this period.

Text version: Requests received

• In 2022-2023, 0 requests were received
• In 2021-2022, 9 requests were received
• In 2020-2020, 3 requests were received
• In 2019-2020, 8 requests were received
• In 2018-2019, 11 requests were received

Pages processed and pages disclosed

Exceptionally, no pages were reviewed or disclosed in relation to personal information requests in 2022–2023. This is in fact the first time that CED has received no personal information requests. The previous year, a total of 1,713 pages were processed. Referring to previous years, we do not believe that this unique situation represents a trend that will be repeated in the future.

The following chart shows the number of personal information requests received since 2018‑2019. Excluding abandoned requests, CED processed 11 personal information requests during this period.

Text version: Pages Processed

• In 2022-2023, 0 page were processed
• In 2021-2022, 1713 pages were processed
• In 2020-2020, 319 pages were processed
• In 2019-2020, 1928 pages were processed
• In 2018-2019, 0 pages were processed

Other performance components

Since no personal information requests were received during the reporting period, no information can be provided for the following components:

• Processing time
• Response rates within the time prescribed under the Act
• Extensions
• Exemptions and exclusions invoked

Consultations

CED did not conduct any consultations in connection with the requests for access to personal information received. In addition, CED did not receive any consultations from another institution.

Active complaints

In fiscal year 2022–2023, CED did not receive any complaints regarding the Privacy Act.

Costs

Expenses related to the administration of the Act amounted to $15,349 in 2022–2023. This amount includes $12,288 in salaries for the equivalent of 0.1 full-time employees. An amount totalling $3,061 was also spent on the acquisition of new software for managing access to information and personal information requests, software rental, travel, supplies, and translation.

Impact of COVID-19 pandemic measures on the institution’s ability to fulfill its responsibilities under the Privacy Act

The measures taken by CED in connection with the COVID-19 pandemic, such as telework, did not have an impact on the organization’s ability to fulfill its responsibilities under the Privacy Act.

Statistical report

A copy of the 2022–2023 statistical report on the administration of the Privacy Act is appended to this report.

Training and awareness

In 2022–2023, several privacy training sessions were offered to employees of the organization through various activities. Approximately 70 people from the Policy and Communications sector in the spring, about 20 people from the Deputy Minister’s Office in the fall, and about 100 people from Operations participated in an information session on access to information and protection of information. In addition, during the fall, presentations on the principles of access to information and privacy were given to the organization’s new employees, totalling about 30 individuals. An awareness video and training material on the subject were also created and are now an integral part of the information package provided to all new employees of the organization.

An internal communication to all CED employees was also shared via the organization’s intranet platform to reiterate the requirement to complete the Canada School of Public Service online training on access to information and privacy. By the end of the reporting period, 52% of CED employees had completed this training. In addition, a message was sent to all employees to celebrate Right to Know Week, and information capsules highlighting best practices regarding access to information and privacy were shared on the organization’s intranet page.

The ATIP Office remains available to provide employees whose tasks require some knowledge of access to information with specific training.

Policies, guidelines, and procedures

During the reporting period, the ATIP Office developed several procedures and guidelines to ensure compliance with its obligations under the Privacy Act and related instruments. Therefore, an internal procedure to manage requests to correct personal information was developed and shared across all areas of the organization. The purpose of this procedure is to meet the requirements for requests for correction of personal information, contained in the Directive on Personal Information Requests and Correction of Personal Information, in accordance with the Privacy Act and as specified in Section 2.2 of the Policy on Privacy Protection, with the purpose to establish consistent practices for processing requests from individuals regarding the correction of their personal information under the control of CED that has been used, are being used or may be used for administrative purposes. It includes the steps to follow by the requester, the actions to be taken for processing requests, the principles of the duty to assist, the correspondence templates, the tracking system, the principles governing the decision to grant or deny the request for correction, the integration of the amendments, and compliance monitoring. As suggested by TBS, the procedure was posted on CED’s internal website.

In addition, the ATIP Office has developed a procedure for identifying access to information and privacy requesters. The purpose of this procedure is to meet the requirements set out in the Notice of Implementation issued pursuant to paragraph 71(1)(d) of the Privacy Act. Specifically, this notice provides guidance on the requirement set out in section 4.2.3.1 of the Directive on Personal Information Requests and Correction of Personal Information that institutions develop procedures to validate a requester’s identity. It is important to properly verify a requester’s identity in order to avoid disclosing personal information to an unauthorized person or organization, which would constitute a privacy breach. This internal procedure was shared with all ATIP Office employees and details the steps and actions to be taken to verify the identity of requesters, as well as a template of guidelines regarding the level of proof to ensure the identity depending on the situation.

At the same time, The ATIP Office developed a protocol for personal information used for non-administrative purposes in collaboration with all CED sectors. The purpose of this protocol is to meet the requirements of TBS as set out in the Policy on Privacy Protection, namely, that CED must have its own protocol regarding the collection, retention, and use of personal information for non-administrative purposes such as research, statistics, audit, or evaluation. The protocol includes guidelines for the processing of information, the purpose and use of data, collection methods, information management, required permissions, and the agreement for the exchange of information between federal and private institutions.

Finally, the organization also continued to update its internal procedures on the application of access to information and privacy requests, as well as the one on the management of privacy breaches, including the completion of an annual registry.

Initiatives and projects to improve privacy protection

In the summer of 2022, CED entered into an agreement with TBS to subscribe to the services of the new ATIP Online Portal, as TBS announced the completion of its online system for the filing of access to information and personal information requests used by CED. In lieu, TBS created an ATIP Online Portal that enables requesters to submit access to information and personal information requests to any government institution, and institutions to provide responses to completed requests. This ATIP Online Portal, under the operational responsibility of TBS on behalf of all government institutions subject to the Access to Information Act and Privacy Act includes the ATIP Online Management Tool (AOMT), the ATIP Online Request Service (AORS), and the ATIP Online Administration Service.

In addition, during the reporting period, CED initiated a process to replace the software for managing and processing access to information and personal information requests used by the organization since 2011, because the software will soon be no longer available to government institutions. While the replacement project is underway, this new system is designed to better equip the ATIP Office in the processing and management of access to information and personal information requests, intergovernmental consultations, informal requests, and complaints filed with the Office of the Information Commissioner or the Office of the Privacy Commissioner.

Summary of key issues and actions taken on complaints or audits

Complaints

CED did not receive any privacy complaints during the reporting period.

Audits

CED was not the subject of any audits or investigations during the reporting period.

Monitoring compliance

Monitoring of the processing time

Since 2011, the ATIP Office has monitored the processing time of privacy requests using software for managing and processing requests for access to information and personal information. This system also facilitates the tracking of the various activities and tasks surrounding the processing of a request and serves as a tool to ensure compliance with the deadlines set out in the PA. The time required to process requests for personal information is tracked through the software dashboard, and a status report on the file is provided to the ATIP Office manager.

Limitations on consultations between institutions

In order to limit the need for inter-institutional consultations, the ATIP Office ensures that it targets only the information in each request for which it needs more information to properly exercise its discretion not to disclose information or where the ATIP Office intends to disclose potentially sensitive information.

As CED effectively identifies the need for such consultations, no specific monitoring was conducted during the period covered by this report to limit them.

Frequently requested information

Year after year, the same trend is seen with respect to information frequently sought in requests received at CED, namely, information related to grants and contributions granted by CED or information related to the institution’s internal activities.

Since some of this information is already available through the proactive publications that CED issues in accordance with the requirements set out in Part 2 of the ATIA, no specific monitoring was conducted during the period covered by this report to make this information available by other means.

Privacy measures included in contracts, agreements, and arrangements

When entering into a contract, agreement or arrangement that involves personal information, besides the standard clauses and conditions, CED ensures that appropriate additional clauses are included to protect and manage personal information, such as the storage of personal information and the obligation for the third party to immediately notify the institution of any security breach involving personal information.

Furthermore, in accordance with the Policy on Government Security, CED is required to use the Security Requirements Checklist (SRCL) for entry into contracts, agreements or arrangements.

As CED meets all requirements for contracts, agreements and arrangements, no specific monitoring was conducted during the reporting period.

Monitoring requests for correction

Requests for correction of personal information are processed by the ATIP Office and recorded in an internal tracking system. No requests for correction of personal information were received during the reporting period.

Material privacy breaches

No material privacy breaches occurred at CED during the period covered by this report.

Privacy Impact Assessments

During the reporting period, the ATIP Office conducted a Privacy Impact Assessment (PIA) regarding a software solution for processing access to information and privacy requests. Upon internal approval, it was forwarded to TBS for review.

Public interest disclosures

In fiscal year 2022–2023, no information was disclosed pursuant to paragraph 8(2)(m) of the PA.

Conclusion

Canada Economic Development for Quebec Regions recognizes the right to privacy as a fundamental right. The Agency is aware of the crucial importance of protecting personal information in the context of its programs and activities and ensures compliance with related principles such as transparency, need-to-know, and adequate data collection and protection standards, whether it be the personal information of employees or that of its clients.

To do so, CED deploys multiple means such as ensuring the security of its computer systems, good information management practices as well as training and messages to employees to make them aware of their obligations and responsibilities in this regard. Canada Economic Development for Quebec Regions is proud to have contributed to the application of these principles during the 2022–2023 fiscal year and will continue its efforts in this regard in the coming years.

Appendices