Annual report on the administration of the Privacy Act for the 2016 to 2017 fiscal year
Alternate formats
Large print, braille, MP3 (audio), e-text and DAISY formats are available on demand by ordering online or calling 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105.
On this page
Executive summary
Employment and Social Development Canada (ESDC) is responsible for a range of programs and services that support Canadians throughout their lives—from school to work, from one job to another, from unemployment to employment, and from the workforce to retirement.
The mission of ESDC, which includes the Labour Program and Service Canada, is to build a stronger, more competitive Canada, support Canadians in making choices that help them live productive and rewarding lives, and improve Canadians’ quality of life. It delivers programs and services directly to Canadians at 589 points of service across Canada. ESDC serves the needs of millions of Canadians through multi-channel access points such as in-person services, on the Internet through web-based services and information, and via telephone through its network of call centres. With about 78.5 million annual visits to Service Canada’s website, Canadians are making a choice to interact with ESDC online.
The protection of personal information is a core organizational value and is fundamental to maintaining the public’s trust. The management and delivery of ESDC’s programs and services often require the collection, use, and disclosure of an individual’s personal information. For some departmental programs, detailed and sometimes sensitive personal information is required to determine program eligibility or to receive benefits and services.
ESDC is subject to the privacy protection requirements set out in the Privacy Act as well as personal information protection provisions in Part 4 of the Department of Employment and Social Development Act. Part 4 of the Department of Employment and Social Development Act establishes specific and limited circumstances for ESDC’s use and disclosure of personal information that take precedence over the requirements of the Privacy Act.
Key accomplishments for the 2016 to 2017 fiscal year include:
- improvement of planning and reporting on privacy to support ESDC’s annual privacy and information security work plan
- development of privacy guidance and directives to support programs
- management and coordination of Privacy Impact Assessments on new programs and activities
- development and update of Information Sharing Arrangements
- privacy and security training and awareness activities for employees, including a Privacy Awareness Week and Data Privacy Day
Moving forward, the Department will continue in its efforts to promote a proactive, risk-based approach to privacy management and nurture an organizational culture committed to the stewardship of information to meet the challenges of an ever-changing and evolving privacy landscape.
1.0 Introduction
1.1 About the Privacy Act
The Privacy Act received Royal Assent on July 1, 1983. Its purpose is to impose obligations on federal institutions subject to the Privacy Act to respect the privacy rights of individuals by limiting the collection, use and disclosure of personal information. The Privacy Act also gives individuals the right of access to their personal information and the right to request the correction of that information.
Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of the Act following the close of each fiscal year.
The Privacy Act has not been significantly updated since its implementation. As a result, the Act is undergoing two separate review processes:
- The House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI Committee) initiated its review of the Privacy Act in March 2016. On December 12, 2016, the ETHI Committee tabled a report with the review’s findings and recommendations to update the Privacy Act
- In November 2016, the Minister of Justice announced to the ETHI Committee that Justice Canada would lead an additional review towards modernizing the Privacy Act
ESDC is a member of the Department of Justice’s Privacy Act Reform Working Group.
1.2 About Employment and Social Development Canada
The mission of Employment and Social Development Canada, which includes the Labour Program and Service Canada, is to build a stronger and more competitive Canada, to support Canadians in making choices that help them live productive and rewarding lives and to improve Canadians’ quality of life.
ESDC is one of the largest and most geographically distributed federal departments in the Government of Canada. Citizens and clients interact with ESDC on a daily basis through 589 points of service across Canada. In addition to in-person services, the organization also serves the needs of Canadians online at Canada.ca, through My Service Canada Account, and by telephone through 1-800-O-Canada and its network of call centres. The Department is responsible for delivering over $120 billion in benefits and has supported millions of Canadians through its many programs and services:
- 78.5 million visits to the Service Canada website
- 8.7 million clients assisted in-person at a Service Canada Centre or Service Canada Scheduled Outreach Site
- Over 2 million calls answered by 1-800-O-Canada agents
- 4.6 million passports issued
- 2.95 million applications processed for Employment Insurance (initial and renewal); 690,000 for the Canada Pension Plan and; 775,000 for Old Age Security
- $3.27 billion withdrawn from Registered Education Savings Plans by students to help fund their post-secondary education
- 94% of labour disputes settled as part of the collective bargaining process
ESDC delivers a range of programs and services that affect Canadians throughout their lives. The Department provides seniors with basic income security, supports unemployed workers, helps students finance their post-secondary education and assists parents who are raising young children. The Labour Program is responsible for labour laws and policies in federally regulated workplaces. Service Canada helps citizens access ESDC’s programs, as well as other Government of Canada programs and services.
1.3 Our ministers
The activities of ESDC are governed by federal legislation and reflected in the mandates of its 3 ministers:
- the Honourable Jean-Yves Duclos, Minister of Employment and Social Development, titled as Minister of Families, Children and Social Development
- the Honourable Patty Hajdu, Minister of Labour, titled as Minister of Employment, Workforce Development and Labour
- the Honourable Carla Qualtrough, Minister of Sport and Persons with Disabilities
The Honourable Jean-Yves Duclos is the Minister responsible for the purposes of the Department of Employment and Social Development Act.
2.0 Privacy management at Employment and Social Development Canada
ESDC is broadly recognized as one of the largest holders of personal information in the Government of Canada. The management of the Department’s personal information holdings is a complex undertaking. Client personal information is located both physically and electronically across several systems, program areas, branches, offices and regions across the country. For many programs, responsibility for the protection of personal information throughout the program life cycle is distributed across branches and regions.
Accordingly, ESDC has prioritized the management and protection of personal information. This includes:
- a legislative framework for privacy protection in its enabling legislation (Part 4)
- implementation of a robust Privacy Management Framework
- establishment of strong governance for privacy including executive committees to support effective decision making on privacy matters
- organization of the Department’s privacy function under the authority and leadership of its Corporate Secretary and Chief Privacy Officer
2.1 Legal framework for privacy
The Privacy Act protects the privacy of individuals with respect to their personal information held by government institutions. The Privacy Act also provides individuals with a right of access to that information, subject to the exceptions set out in the legislation, as well as the right to request the correction of inaccurate information.
Sections 4 to 8 of the Privacy Act commonly referred to as the “Code of Fair Information Practices,” govern the collection, use, disclosure, retention, and disposal of personal information. Subsection 8(2) of the Privacy Act provides that personal information may be disclosed in accordance with that provision, subject to there being another Act of Parliament governing the disclosure of personal information.
The disclosure of personal information by Employment and Social Development Canada is governed by one such Act of Parliament, Part 4 of the Department of Employment and Social Development Act. Part 4 provides that personal information obtained by Employment and Social Development Canada under a program or prepared from that information is privileged, and may only be made available in the specific and limited circumstances set out in that Part. Part 4 also sets out provisions governing the use of that personal information for research or statistical purposes.
2.2 Privacy Delegation Order
Section 73 of the Privacy Act empowers the head of the institution to delegate any of the powers, duties or functions assigned to him or her by this Act to employees of the institution.
Over the 2016 to 2017 fiscal year the Department worked to update its Privacy Delegation Orders, and a signed and dated copy can be found in Annex A.
2.3 Departmental Privacy Management Framework
Given the importance of personal information protection at ESDC, the Department has adopted, and continues to implement, a risk-based and proactive approach to privacy management that promotes the concept of “privacy by design.” Privacy by design emphasizes the importance of building privacy directly into the design and architecture of programs, systems, technologies and business processes. ESDC’s Privacy Management Framework includes the following key elements:
| Element | Definition |
|---|---|
| 1. Governance and accountability | Roles and responsibilities for privacy management are clearly defined to meet legal requirements, regulations, policies, standards and public expectations. |
| 2. Stewardship of personal information | Appropriate privacy protections are implemented to manage personal information through its life cycle. |
| 3. Assurance of compliance | Formal processes and practices are established to ensure adherence to privacy specifications, policies, standards and laws. |
| 4. Effective risk management | Structured and coordinated risk assessments are conducted to limit the probability and impact of negative events and maximize opportunities through risk identification, assessment and prioritization. |
| 5. Culture, training, and awareness | The protection of personal information is a core organizational value and is fundamental to maintaining the public’s trust. Formal privacy training and awareness activities promote a privacy-aware organization that values the protection and stewardship of personal information. |
2.4 Privacy governance
ESDC fosters governance and decision-making responsibilities for privacy through the Department’s Corporate Management Committee and the Privacy and Information Security Committee.
Corporate Management Committee
The Corporate Management Committee, a standing committee of ESDC’s Portfolio Management Board, oversees the implementation of the portfolio’s management agenda, including the operationalization of security and privacy plans and priorities.
The Corporate Management Committee is co-chaired by the Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada, and the Associate Deputy Minister of ESDC.
Privacy and Information Security Committee
The Privacy and Information Security Committee is a sub-committee of the Corporate Management Committee, and is mandated to review matters related to privacy and the protection of personal information. The Committee supports horizontal coordination and prioritization of issues, plans, and strategies related to the management and protection of personal information. The Privacy and Information Security Committee is supported by a Databank Review Working Group, which supports the application of privacy policy and the use of personal information for non-administrative purposes, including policy analysis, research and evaluation activities.
The Privacy and Information Security Committee is co-chaired by the Chief Privacy Officer and ESDC’s Departmental Security Officer.
2.5 Organization of the privacy function
The Corporate Secretariat is the Department’s office of primary interest for the development of privacy policy, the provision of privacy advice and guidance to the portfolio, and the management of access to information and privacy operations. ESDC’s Corporate Secretary serves as the Department’s Chief Privacy Officer.
Figure 2 -Text description
This organizational chart displays a hierarchy beginning with the Corporate Secretary and Chief Privacy Officer of ESDC at the top. From this level, a dotted line leads to the bottom to the Regional Access to Information and Privacy Managers. Directly below the Corporate Secretary and Chief Privacy Officer are two levels: The Privacy Management Division and the Access to Information and Privacy Operations Division.
Directly below the Privacy Management Division are two units: The Privacy Policy, Planning and Coordination Unit, and the Compliance and Review Unit. Directly below the Access to Information and Privacy Operations Division are also two units: The Request Processing Unit, and the Incident Management and Legislative Disclosures Unit.
Corporate Secretary and Chief Privacy Officer
The Corporate Secretary serves as ESDC’s Chief Privacy Officer and is the Department’s functional authority on privacy matters, which includes the provision of authoritative advice and functional direction to all departmental branches and regions. In the Chief Privacy Officer role, the position is responsible for the proactive management of privacy in the Department and the establishment of privacy management frameworks, programs, review processes, and risk-based approaches to privacy management. The position is also responsible for providing advice, guidance, direction, and operational management for processing requests under the Privacy Act.
Privacy Management Division
The Privacy Management Division is the departmental focal-point for the management of privacy policy and the implementation of the Department’s Privacy Management Framework. Under the authority and direction of the Chief Privacy Officer, the Privacy Management Division supports the horizontal coordination and implementation of departmental strategic plans and priorities as they relate to the protection of privacy. The Division is responsible for privacy compliance and review services, privacy policy, strategic planning and coordination of privacy issues, and support and guidance for the development of Privacy Impact Assessments and Information Sharing Arrangements.
Access to Information and Privacy Operations Division
The Access to Information and Privacy Operations Division carries out the Department’s legislated requirements under the Access to Information Act, the Privacy Act and parts of the Department of Employment and Social Development Act. The Access to Information and Privacy Operations Division leads and advises on the processing of all requests under the Access to Information Act by managing requests for access to information in records in the control of ESDC, responding to requests from the public, performing a line-by-line review of records requested under the Access to Information Act and the Privacy Act, as well as delivering training and awareness programs to employees with respect to the administration of the Acts.
Regional operations
The Department has a network of Liaison Officers in the branches as well as Regional Access to Information and Privacy Managers who facilitate the work by providing expert Access to Information Act and Privacy Act advice and guidance directly to program areas within the regions, in consultation with Access to Information and Privacy Operations Division. Regional operations are responsible for processing the majority of the Department’s privacy requests.
3.0 Privacy activities and accomplishments for the 2016 to 2017 fiscal year
In the 2016 to 2017 fiscal year, ESDC continued to advance a proactive, risk-based approach to privacy management and to nurture an organizational culture committed to the stewardship of information. Highlights of key ESDC privacy activities and accomplishments include:
- ongoing support for the Department of Justice’s legislative reform of the Privacy Act
- support for the development and implementation of the annual privacy and security work plan in May 2016
- the completion of 13 Privacy Impact Assessments
- provided policy advice by providing privacy input into 2 Memoranda to Cabinet and 20 Treasury Board Submissions
- published an update of ESDC’s Info Source chapter in January 2017
- provided advice and guidance to program areas on over 127 Information Sharing Arrangements and assisted in the completion of over 26 Information Sharing Arrangements
- provided department-wide privacy training and awareness activities to over 2000 employees (in-person and online)
- integrated Privacy by Design in the Portfolio Management Process by providing training on Privacy Impact Assessments
3.1 Annual privacy and security work plan
In the 2016 to 2017 fiscal year, the Department developed and implemented its annual integrated privacy and security work plan to support the strategic planning and implementation of the Department’s privacy and security priorities. Overseen by the Privacy and Information Security Committee, the annual privacy and security work plan includes strategic and operational plans to address key privacy and information security risks effectively.
The 2016 to 2017 fiscal year priorities and work plan continue to focus on achieving desired outcomes related to:
- effective privacy and security support to departmental programs
- enhanced horizontal linkages
- privacy compliance assurance
3.2 Policy, advice and guidance
Under the functions of the Privacy Management Division, ESDC manages its privacy policies and provides privacy input and compliance review for the development of departmental products and policy instruments. In the 2016 to 2017 fiscal year the Privacy Management Division provided privacy input into 20 Treasury Board Submissions and 2 Memoranda to Cabinet for the Department.
In total, the Department’s Privacy Management Division received 490 requests for which advice and guidance was provided on various products such as Information Sharing Arrangements, Privacy Impact Assessments, Threshold Assessments, Consent Forms, Privacy Notice Statements, Contracts, Statements of Work, Forms, Surveys and Questionnaires. The Privacy Management Division also processed 103 requests for general privacy advice and guidance and 162 requests carried over from the previous fiscal year.
Of the 755 products and requests processed, 487 were reviewed and completed in the 2016 to 2017 fiscal year.
3.3 Completed privacy impact assessments
In accordance with the Treasury Board Secretariat's Directive on Privacy Impact Assessments, Employment and Social Development Canada is required to conduct a Privacy Impact Assessment before establishing any new or substantially modified program or activity involving the administrative use of personal information. The purpose of the Privacy Impact Assessment is to identify the privacy impacts, risks, and associated mitigation strategies. In the 2016 to 2017 fiscal year, ESDC completed 13 Privacy Impact Assessments. Copies of approved Privacy Impact Assessments were provided to the Treasury Board of Canada Secretariat and the Office of the Privacy Commissioner. Each Privacy Impact Assessment included a privacy risk mitigation action plan. The 13 completed Privacy Impact Assessments for the 2016 to 2017 fiscal year are as follows:
- Canada Disability Savings Program: Administration of Canada Disability Savings Grants and Bonds
- Canada Education Savings Program: Administration and the Delivery of the Canada Education Savings Grant, Canada Learning Bond and Provincial Education Savings Incentives
- Canadian Government Annuity Program
- Citizenship and Immigration Canada and Employment and Social Development Canada Global Case Management System: Social Insurance Register Linkages Project
- Disclosure of Information Collected under the Old Age Security Act to the Province of Alberta for the Administration of the Alberta Seniors and Housing Programs
- Exchange of Information Collected under the Canada Pension Plan in Support of the Superannuation Programs Administered by Public Works and Government Services Canada
- Exchange of Personal Information between Employment and Social Development Canada and Alberta Ministry of Seniors and Housing for the Administration of the Alberta Seniors Benefit
- Individual Quality Feedback – Accuracy program
- Integrated Learning Management System
- My Service Canada Account – Canada Revenue Agency Link Project
- Old Age Security: Proactive Enrolment Initiative – Phase II
- Service Canada Role in International Mobility Program Inspections
- Temporary Foreign Worker Program: Administration of new administrative monetary penalties and varied bans regulations
For summaries of completed for the 2016 to 2017 fiscal year Privacy Impact Assessments, see Annex B.
3.4 Info source update
In the 2016 to 2017 fiscal year, ESDC completed a comprehensive review and update of its Info Source holdings. Info Source is a series of publications containing information about the Government of Canada's access to information and privacy programs. The primary purpose of Info Source is to assist individuals in exercising their rights under the Access to Information Act and the Privacy Act. Info Source also supports the Government's commitment to facilitate access to information regarding its activities. As part of the review, ESDC undertook a significant cleanup of its Info Source content and continues to update the descriptions of its personal information holdings. ESDC published an update of its Info Source chapter in January 2017 in which 6 Personal Information Bank descriptions and 13 Class of Records were created or updated.
3.5 Internal privacy-related audits
Safeguarding of information assets remains an ongoing departmental priority as part of the implementation of ESDC’s Privacy Management Framework. Through its audit plan, ESDC continues to address privacy and security risks with several targeted audit reports. The plan outlines the list of upcoming audit reports over three-year periods which are published on ESDC’s website. No privacy audits were concluded by the Department for the 2016 to 2017 fiscal year reporting year. ESDC is currently undergoing work towards upcoming privacy audits related to risk management, Privacy Impact Assessments and Information Sharing Arrangements.
3.6 Information sharing arrangements involving personal information
An Information Sharing Arrangement is a record of understanding between parties that outlines the terms and conditions under which personal information is shared between them. For ESDC, Part 4 of the Department of Employment and Social Development Act contains specific provisions for the sharing of information under limited and specific circumstances. ESDC’s Privacy Management Division provided advice and guidance to program areas on 127 Information Sharing Arrangements and assisted in the completion of 26 Information Sharing Arrangements.
3.7 Raising privacy awareness
The Department continued to promote practical, easy to understand, and readily available privacy-related information and guidance to employees to reinforce proper privacy protection practices throughout the 2016 to 2017 fiscal year. This included the launch of the Virtual Privacy Office website available to employees in April 2016, sessions on privacy-themed topics during Privacy Awareness Week from May 2 to May 6, 2016, recognition of Data Privacy Day on January 28, 2017, and through a series of specialized knowledge talks. During Privacy Awareness Week, hundreds of informative pamphlets and brochures developed by the Department and the Office of the Privacy Commissioner were distributed to staff. An information kiosk was also on site to promote privacy awareness and the multiple privacy training activities that were offered throughout the week.
Additionally, as part of ESDC’s public commitment to maintaining the security of systems and protecting the personal information of clients and colleagues, all employees are required to maintain valid certification for the Stewardship of Information and Workplace Behaviours Program. See section 4.8: Privacy Training Activities for more details.
Project Portfolio Management Process Privacy Training
| Details | Number of sessions | Number of employees |
|---|---|---|
| Privacy impact assessment process | 3 | 34 |
| Threshold process | 3 | 56 |
| Total | 6 | 90 |
The Project Portfolio Management Process oversees the development and implementation of major and minor investment projects in ESDC. The Department is engaged in providing specific privacy-related training to promote the integration of privacy-by-design concepts into the Project Portfolio Management Process.
Privacy training sessions were provided to responsible project managers across the Department. These training sessions focused on providing information on Privacy Impact Assessments and the stages of privacy analysis of departmental programs and activities.
4.0 Privacy performance reporting for the 2016 to 2017 fiscal year
Under the Privacy Act, Canadians can request access to their personal information held by government institutions. Within ESDC, typical privacy requests are from clients seeking to obtain a copy of their Canada Pension Plan file, their Old Age Security file, the contents of their Employment Insurance file or their Canada Student Loans file, as well as from federal employees seeking to obtain a copy of their personnel information.
As per the Treasury Board Secretariat’s Statistical Report on the Administration of the Privacy Act (Annex C), ESDC tracks data on privacy requests and other information for the purposes of reporting on requests received, timeliness of processing, disclosure of personal information, and privacy breaches. The information is used to monitor trends and analyze issues to improve privacy operations. In the 2016 to 2017 fiscal year, ESDC received 8,353 formal requests under the Privacy Act and completed 8,510 requests which include requests that were previously carried over from the 2015 to 2016 fiscal year reporting period. In addition, the Department approved 300 public interest disclosure requests, received 22 complaints and reported 141 material privacy breaches. The key data is presented in the summary table below (Figure 4). The subsequent chart presents and explains more detailed information on the Department’s privacy performance.
| Activity | Fiscal year | ||
|---|---|---|---|
| 2014 to 2015 | 2015 to 2016 | 2016 to 2017 | |
| Formal Requests Received under the Privacy Act | 7,998 | 8,353 | 8,353 |
| Requests Completed During the Reporting Period | 7,781 | 8,240 | 8,510 |
| Requests Completed Within 30 Calendar Days | 6,983 | 7,169 | 8,234 |
| Requests Completed Within 31 to 60 Calendar Days | 663 | 999 | 252 |
| Requests Completed Within 61 or More Calendar Days | 135 | 72 | 24 |
| Public Interest Disclosures | 211 | 230 | 300 |
| Complaints to the Privacy Commissioner | 18 | 12Note de bas de page 1 | 22 |
| Material Privacy Breaches | 3 | 18 | 141Note de bas de page 2 |
4.1 Requests for information under the Privacy Act
In the 2016 to 2017 fiscal year, ESDC received 8,353 requests under the Privacy Act. Additionally, ESDC increased the overall number of requests completed during the reporting period by 3.3%, from 8,240 in the 2015 to 2016 fiscal year to 8,510 in the 2016 to 2017 fiscal year.
Figure 5 – Text description
| Fiscal year | Formal requests received under the Privacy Act | Requests completed during the reporting period |
|---|---|---|
| 2014 to 2015 | 7,998 | 7,781 |
| 2015 to 2016 | 8,353 | 8,240 |
| 2016 to 2017 | 8,353 | 8,510 |
4.2 Requests by calendar days taken to complete
ESDC increased processing timelines performance in the 2016 to 2017 fiscal year. Performance trends for the 2016 to 2017 fiscal year are as follows:
- ESDC completed 8,234 out of its 8,510 total completed requests within 30 calendar days, up from 7,169 out of 8,240 requests within 30 calendar days in 2015 to 2016
- ESDC decreased the number of requests it completed in 31 to 60 calendar days, lowering the count from 999 requests in 2015 to 2016 to only 252 requests in the 2016 to 2017 fiscal year
- ESDC decreased the number of requests it completed in 61 calendar days, lowering the count from 72 requests in 2015 to 2016 to only 24 requests in 2016 to 2017
The distribution of the number of completed requests by calendar days is illustrated in the chart below.
Figure 6 - Text description
| Fiscal year | Requests completed within 30 calendar days | Requests completed within 31 to 60 days | Requests completed in 61 calendar days |
|---|---|---|---|
| 2014 to 2015 | 6,983 | 663 | 135 |
| 2015 to 2016 | 7,169 | 999 | 72 |
| 2016 to 2017 | 8,234 | 252 | 24 |
4.3 Pages reviewed
Subsequent to the increase in the number of privacy requests completed during the reporting period, the total number of pages of documents requiring review for exemptions and exclusions also increased. In the 2016 to 2017 fiscal year, 818,954 pages were reviewed which represented an increase of 29,192 pages (3.7%) from 2015 to 2016 when 789,762 pages were reviewed.
4.4 Requests for correction of information
Individuals have a right to request correction of any erroneous personal information pertaining to them, provided that the individual can adequately substantiate the request. ESDC accepted 2 requests for correction of personal information in the 2016 to 2017 fiscal year – a decrease from the previous year, in the 2015 to 2016 fiscal year, when ESDC accepted 4 requests for correction of personal information.
4.5 Public interest disclosures
As per section 2.1, “ESDC’s Legal Framework for Privacy”, Part 4 of the Department of Employment and Social Development Act takes precedence over the Privacy Act as it relates to the use and disclosure of personal information. Accordingly, any disclosures in the public interest are not made in accordance with section 8(2)(m) of the Privacy Act, rather the disclosure is in line with subsection 37(1) of the Department of Employment and Social Development Act, which states that personal information may be disclosed “…if the Minister is of the opinion that the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or that disclosure would clearly benefit the individual to whom the information relates.” As with public interest disclosures under the Privacy Act, these are reported to the Office of the Privacy Commissioner.
In the 2016 to 2017 fiscal year, the Department approved the disclosure of personal information in the public interest in 300 instances.
Access to Information and Privacy Operations received notification from the regions regarding 228 public interest disclosures. These normally involved individuals who were threatening to harm themselves or others. Disclosure has been delegated to regional staff in instances where there is an imminent threat to the safety and security of individuals. Given the urgency of these situations, the Office of the Privacy Commissioner is informed after the disclosure.
Access to Information and Privacy Operations, National Headquarters, received an additional 113 requests for public interest disclosures, with 17 files carried over from the previous fiscal year, for a total of 130. In 72 instances, disclosure was authorized – see the table below for a summary. Of the 72 requests that were authorized by National Headquarters, the Office of the Privacy Commissioner was informed prior to the disclosure in 42 instances, after the disclosure in 10, and were not informed in 20 instances as it was determined that no information existed.
| Number of public interest disclosures | Reason for disclosure |
|---|---|
| 20 | Locate a missing person |
| 18 | Safety of individuals |
| 12 | Identity theft/fraud/drug trafficking |
| 6 | Locate next of kin or power of attorney |
| 9 | Confirm or validate information or identity of individuals |
| 7 | Find or locate individuals to face justice |
Total of 72 disclosures in the public interest at national headquarters
Of the remaining 58 requests for disclosure, 12 cases were refused, 10 were transferred to another institution or internal program for processing under another provision of Part 4 of the Department of Employment and Social Development Act, 30 were abandoned and the remaining 6 are still ongoing.
4.6 Material privacy breaches
A privacy breach refers to the improper or unauthorized collection, use, disclosure, retention or disposal of personal information. According to the Treasury Board of Canada Secretariat definition, “a material privacy breach has the highest risk impact and is defined as involving sensitive personal information; and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.”
As one of the largest and most regionally present departments in the Government of Canada, ESDC is responsible for the day-to-day management of social programs and services delivered directly to Canadians. Through its role as a service provider, the Department engages in millions of interactions with citizens every year. Personal information on clients - virtually all Canadian citizens (and others) - is located physically and electronically across several systems, program areas, branches, offices, and in every region of the country. These factors contribute to the complexity of the Department’s privacy environment and should be taken into account in understanding the number of material beaches that have occurred within the Department.
With the privacy environment constantly changing and becoming more complex, ESDC strives to mature its privacy model. Over the last three years, more time and resources have been invested to promote a privacy-aware organization through formal privacy and access to information training and awareness activities. In 2014 and 2015, ESDC introduced new processes that have contributed to a slow and steady increase in reporting of material breaches, 3 in the 2014 to 2015 fiscal year and 18 in the 2015 to 2016 fiscal year (see the table below for a summary).
With ESDC’s goal of continuous improvement of client services, the Access to Information and Privacy Operations Division focused its efforts on following-up with key programs to support increased awareness, understanding and reporting of material breaches. In the 2016 to 2017 fiscal year, ESDC reported 141 material privacy breaches which were the result of operational processes such as when information was lost in mailing transit. The majority of the increase is due to better understanding and improved reporting by program and operational areas within the Department. Following the breaches, appropriate corrective measures were applied, such as the review and updating of procedures and training for employees.
Post 2016 to 2017 fiscal year, ESDC plans to conduct a review of the recurring issues associated with material breaches and explore potential solutions which will, in turn, be presented to senior management for discussion and approval. ESDC is also committed to the continuous promotion of privacy awareness throughout the organization and will continue to improve its reporting measures related to material breaches.
| Number of material breaches | Summary and nature of Information breached | Communication and notification strategies | Actions undertaken as a result |
|---|---|---|---|
| 107 | Individual program benefit applications were misdirected to a wrong location. | Affected individuals were contacted by letter and/or phone to inform them of the breach. In some instances, individuals were asked to re-submit their application, and they were processed on a priority basis to minimize delays in payments. | Various mitigating strategies were undertaken such as:
|
| 6 | Personal information (some included supporting documents) incorrectly shared with the wrong individuals, business or medical professional. | Personal letters were sent to affected individuals informing them of the breach. |
|
| 3 | Personal information uploaded into a Cloud (via the usage of a PDF online Converter). | In some instances the Department was unable to confirm addresses to ensure secure communication, therefore it was determined that no notification would be sent. For the remainder, letters to be sent to the affected individuals. |
|
| 25 | Lost passport applications, lost passports or lost documentation associated with passport applications where personal information could have been compromised. | Personal letters were sent to affected individuals informing them of the breach. |
|
Total of 141 Material breaches
4.7 Complaints and investigations
In the 2016 to 2017 fiscal year, the Department was notified of a total of 33 privacy-related complaints:
- 22 complaints received by the Office of the Privacy Commissioner were related to the processing of Privacy Act requests. Of these cases, 10 related to delay, 10 related to denied access, 1 pertained to improper use and disclosure and 1 related to a time extension. ESDC received findings on 20 complaints. The Office of the Privacy Commissioner ruled 8 were well founded, 2 were not well founded, 1 was settled in the course of the investigation and 9 were resolved
- In addition, the Department was notified of 11 complaints received by the Office of the Privacy Commissioner, pertaining to sections 4 to 8 of the Privacy Act. The majority (7) pertained to improper collection of information and the other remaining were related to improper use, disclosure, retention and/or disposal. All are still on-going
4.8 Privacy training activities
ESDC has a comprehensive mandatory on-line training strategy to educate, increase knowledge of, and raise awareness about the stewardship of information and effective workplace behaviours. The Department also offers online training on privacy and access to information to foster a common understanding of the proper management of information resources, ensuring that the privacy of information is respected and to improve timeliness and compliance results.
As part of the Department’s public commitment to maintain the security of our systems and to protect the personal information of our clients and colleagues, all ESDC employees are required to maintain valid certification in the Stewardship of Information and Workplace Behaviours (SIWB). SIWB certification provides all term and indeterminate staff, students, casuals and contractors with the critical knowledge they need to safely manage ESDC assets.
The initial SIWB certification process was launched in 2014 and was ongoing for new employees. Since the release of the SIWB training program, a total of 26,398 employees have successfully completed the course (including 2,251 employees in the 2016 to 2017 fiscal year). The SIWB training material certification was updated in 2016 and addresses topics such as privacy, access to information, information management, security, and values and ethics. At the beginning of 2017, the Department notified staff that completed the original training that they would be required to be re-certified by summer of this year.
In addition, the online training module Privacy and Access to Information – It’s Everybody’s Business, successfully trained a total of 5,462 employees (including 2,364 employees in the 2016 to 2017 fiscal year). Cumulatively, these training and awareness activities demonstrate the consistent effort of ESDC to safeguard and protect Departmental information, and ensure Canadians that the security of their personal information is taken seriously.
Figure 9 – Text description
| Fiscal year | Training sessions | Employee trained |
|---|---|---|
| 2014 to 2015 | 37 | 1,120 |
| 2015 to 2016 | 48 | 1,131 |
| 2016 to 2017 | 59 | 963 |
Figure 10 – Text description
| Fiscal year | Stewardship of information and effective workplace behaviours | Privacy and access to information – it’s everybody’s business |
|---|---|---|
| 2013 to 2014 | 8,669 | Not applicable |
| 2014 to 2015 | 13,800 | 1,356 |
| 2015 to 2016 | 1,678 | 1,742 |
| 2016 to 2017 | 2,251 | 2,364 |
The Department has undertaken a number of activities to educate and increase knowledge of access to information and privacy, such as regular meetings with Liaison Officers and in-person (or WebEx) training sessions. Since the 2014 to 2015 fiscal year, the Department delivered 144 in-person sessions to 3,214 employees. In the 2016 to 2017 fiscal year, ESDC delivered 59 in-person sessions to 963 employees.
5.0 Moving forward
Moving forward, the Department will continue to mature its privacy policies and processes, conduct privacy and risk assessments, and continue to strengthen the overall approach to privacy management.
In the upcoming year, ESDC plans to engage in privacy priorities related to:
- proactive “privacy by design” in policies, programs and service delivery
- modernizing the delivery of privacy service to internal clients
- enhancing monitoring, reporting and privacy analytics
- integrating privacy into service delivery
- supporting legislative reform of the Privacy Act
- assessing the current state of operations including internal audit on select function.
Annexes
Annex A: Delegation order
Delegation order – Employment and Social Development Canada
The Minister of Employment and Social Development, pursuant to section 11 of the Department of Employment and Social Development Act, hereby designates the persons, officers or employees holding the positions with Employment and Social Development set out in the schedules attached hereto, or the persons, officers or employees occupying on an acting basis those positions, to exercise the powers or perform the duties or functions of the Minister or to exercise or perform the powers, duties or function of the head of the institution, as specified in the attached schedules.
- Privacy Act
Original signed June 22, 2017 by the Honourable Jean-Yves Duclos, Minister of Employment and Social Development
Privacy Act and regulations - Delegation of authority Employment and Social Development Canada
Privacy Act
| Description | Section | Delegated authority |
|---|---|---|
| Retention of a record of requests and disclosed records to investigative bodies under section 8(2) (e) of the Privacy Act. | 8(4) |
|
| Retention of records of uses of personal information | 9(1) |
|
| Notification of the Privacy Commissioner of any new consistent uses of personal information and ensure use is included in next statement of consistent uses set forth in the Index | 9(4) |
|
| Include personal information in personal information banks | 10 |
|
| Respond to request for access within 30 days and give written notice and, if access to be given, give access. | 14 |
|
| Extension of the 30 day time limit to respond to a privacy request. | 15 |
|
| Decision on whether to translate a response to a privacy request in one of the two official languages. | 17(2)(b) |
|
| Decision on whether to convert personal information to an alternate format | 17(3)(b) |
|
| Decision to refuse to disclose personal information contained in an exempt bank. | 18(2) |
|
| Decision to refuse access to personal information that was obtained in confidence from the government of a foreign state or institution, an international organization of states or an institution thereof, the government of a province or institution thereof, a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government, or the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act or the council of a participating in First Nation as defined in the First Nations Jurisdiction over Education in British Columbia Act | 19(1) |
|
| Authority to disclose personal information referred to in 19(1) if the government, organization or institution described in 19(1) consents to the disclosure or makes the information public. | 19(2) |
|
| Refuse to disclose personal information that may be injurious to the conduct of federal-provincial affairs | 20 |
|
| Refuse to disclose personal information that may be injurious to international affairs or the defence of Canada or one of its allies. | 21 |
|
| Refuse to disclose personal information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions | 22 |
|
| Refuse to disclose personal information created for the Public Servants Disclosure Protection Act. | 22.3 |
|
| Refuse to disclose personal information prepared by an investigative body for security clearance. | 23 |
|
| Refuse to disclose personal information that was collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence if the conditions in the section are met | 24 |
|
| Refuse to disclose personal information which could threaten the safety of individuals | 25 |
|
| Refuse to disclose personal information about another individual and shall refuse to disclose such information where disclosure is prohibited under section 8 | 26 |
|
| Refuse to disclose personal information that is subject to solicitor-client privilege. | 27 |
|
| Refuse to disclose personal information relating to the individual’s physical or mental health where the disclosure is contrary to the best interests of the individual | 28 |
|
| Receive notice of investigation by the Privacy Commissioner | 31 |
|
| Right to make representations to the Privacy Commissioner during an investigation | 33(2) |
|
| Receive Privacy Commissioner’s report of findings of an investigation and give notice of action taken | 35(1) |
|
| Provision of addition personal information to a complainant after receiving a 35(1) (b) notice. | 35(4) |
|
| Receive Privacy Commissioner’s report of findings of investigation of exempt bank | 36(3) |
|
| Receive report of Privacy Commissioner’s findings after compliance investigation | 37(3) |
|
| Request that a court hearing, undertaken with respect to certain sections of the Act, be held in the National Capital Region. | 51(2)(b) |
|
| Request and be given right to make representations in section 51 hearings | 51(3) |
|
| Prepare annual report to Parliament | 72(1) |
|
Privacy Act Regulations
| Description | Section | Delegated authority |
|---|---|---|
| Allow examination of the documents (Reading Room) | 9 |
|
| Notification of Correction | 11(2) |
|
| Correction refused, notation placed on file | 11(4) |
|
| Disclosure to a medical practitioner or psychologist | 13(1) |
|
| Disclosure in the presence of a medical practitioner or psychologist | 14 |
|
Annex B: Summaries of completed privacy impact assessments
Canada Education Savings Program: Administration and the delivery of the Canada Education Savings Grant, Canada Learning Bond and Provincial Education Savings Incentives
The Government of Canada encourages Canadians to use a Registered Education Savings Plan (RESP) to save for the post-secondary education of their children. The Canada Education Savings Program (CESP) offers two education savings incentives, which are linked to RESPs: the Canada Education Savings Grant and the Canada Learning Bond. Two provincial education savings incentives are also delivered by ESDC. A new Privacy Impact Assessment (PIA) was completed in 2016 to identify, assess, and mitigate risks to the protection of personal information as a result of the delivery by ESDC of the British Columbia Training and Education Savings Grant in 2014 and the Saskatchewan Advantage Grant for Education Savings in 2013.
Canada Disability Savings Program: Administration of Canada Disability Savings Grants and bonds
In 2007, Parliament passed the Canada Disability Savings Act (CDSA) and related amendments to the Income Tax Act to help parents and others save for the long-term financial security of persons with severe and prolonged disabilities by establishing Registered Disability Savings Plans (RDSPs). Pursuant to the CDSA, the Government of Canada helps to increase the savings by paying Canada Disability Savings Grants and Canada Disability Savings Bonds into the RDSPs of eligible beneficiaries. A PIA was conducted to identify, assess, and mitigate privacy risks associated with the administration of these grants and bonds.
Service Canada role in international mobility program inspections
Immigration, Refugees and Citizenship Canada (IRCC) is responsible for the administration of the International Mobility Program (IMP), which enables employers to hire temporary workers without a Labour Market Impact Assessment. Through a Memorandum of Understanding, Service Canada (ESDC), carries out inspections on IMP employers to verify their compliance with program requirements on behalf of IRCC. Information gathered by Service Canada during the inspection process is provided to IRCC, which undertakes all decision-making on IMP employers’ compliance status. To support the administration and enforcement of the IMP and the Temporary Foreign Worker Program, ESDC and IRCC have replaced an existing 2009 Memorandum of Understanding with an Information Sharing Agreement (ISA) that expands on the previous agreement to reflect the exchange of personal information related to IMP inspection activities and Temporary Foreign Worker Program employer non-compliance sanctions. A PIA was conducted to identify, assess, and mitigate privacy risks associated with Service Canada’s role in administering IMP inspections on behalf of IRCC, including the exchange of personal information with IRCC under the new ISA.
Temporary Foreign Worker Program: Administration of new administrative monetary penalties and varied bans regulations
The Temporary Foreign Worker Program (TFWP) assists employers in filling their acute labour shortages, on a temporary and limited basis, when qualified Canadians and permanent residents are not available. The TFWP is jointly managed by ESDC, IRCC, and the Canada Border Services Agency under the authority of the Immigration and Refugee Protection Act (IRPA) and the Immigration and Refugee Protection Regulations (IRPR). In June 2014, the IRPA was amended to provide the authority to make regulations to establish a system of administrative monetary penalties (AMPs) and varied bans for employers who fail to comply with the conditions of both the TFWP and the International Mobility Program (IMP). The amendments to the Regulations in December 2015 replaced the two-year non-compliant employer ban with periods of ineligibility up to and including a permanent ban for employer violations. To support the administration and enforcement of both the TFWP and the IMP, ESDC and IRCC have replaced an existing 2009 Memorandum of Understanding with an Information Sharing Agreement that expands on the previous agreement to reflect the exchange of personal information related to TFWP employer non-compliance sanctions and IMP inspection activities. A PIA was conducted to identify, assess, and mitigate privacy risks associated with the amendments to IRPR authorizing a system of AMPs and varied bans for the TFWP and the amendment to the ESDC-IRCC ISA to expand the exchange of personal information for TFWP purposes.
Canadian Government Annuity Program
The Canadian Government Annuity Program administers the Government Annuities Account, which was established under the Government Annuities Act in 1908. Under this program, government annuities – deferred annuities and immediate annuities – were purchased by employees or by employers as pension plans for their employees. This is meant to encourage Canadians to prepare financially for their retirement. In 1975, an act of Parliament formally ended the sale of annuities and the last group of new employees was added until 1979. The Government Annuities Account is reported in the Public Accounts of Canada, and as of March 31, 2016, over 31,024 annuitants held 33,673 active contracts with the Government of Canada. A PIA was conducted to identify, assess, and mitigate any privacy risks associated with the administration of the program, including the exchange of personal information with partner departments and agencies for the delivery of annuitant payments, the recovery of overpaid annuities, and taxation purposes.
Integrated Learning Management System
The College at Employment and Social Development Canada (College@ESDC) currently develops and manages training for the Department. In August 2015, a contract was established and signed with Saba, a third party service provider, for a cloud-based Learning Management System. In 2017, the new Learning Management System was implemented by ESDC that can fully support the Department’s training activities. The new application replaces ESDC’s 3 legacy learning systems and provides the same type of learning activities. A PIA was conducted to identify, assess, and mitigate any privacy risks associated with the collection, use, retention and disclosure of personal information for the administration of the cloud-based Learning Management System provided by Saba.
Individual Quality Feedback – Accuracy program
Quality assurance is an essential component of ESDC’s administration of Employment Insurance (EI), Old Age Security (OAS) and the Canada Pension Plan (CPP). Performing quality assurance includes the ability to identify, measure, and correct payment and processing errors, the ability to assess the quality of processing employees’ work, and to provide feedback and business intelligence to improve the quality of program delivery. The Individual Quality Feedback - Accuracy Program was implemented to enable quality reviews of EI, OAS and CPP by providing a nationally consistent approach to measure employee file processing accuracy, identify and correct payment and processing errors, provide employee feedback, and generate business intelligence to support continuous improvement of program delivery. A PIA was conducted to identify, assess, and mitigate any privacy risks associated with the collection, use, retention and disclosure of personal information pertaining to the Individual Quality Feedback – Accuracy program.
Citizenship and Immigration Canada and Employment and Social Development Canada Global Case Management System: Social insurance register linkages project
The ability of Employment and Social Development Canada (ESDC) to validate the personal information contained in immigration and citizenship documents with Immigration, Refugees and Citizenship Canada (IRCC)—then, Citizenship and Immigration Canada – is essential to the delivery of the Social Insurance Number (SIN) program. On December 6, 2014, IRCC integrated data contained in their Field Operating Support System (FOSS) into their existing Global Case Management System (GCMS) and decommissioned ESDC’s access to FOSS. Therefore, to ensure the continuance of the validation process, ESDC and IRCC established a connection between the Social Insurance Register (SIR) and the GCMS. To allow for a seamless transition to the GCMS, the project has taken a two-phased approach. A PIA was conducted to identify, assess, and mitigate any privacy risks associated with phase I of this approach, which is the replacement of ESDC’s access to the decommissioned FOSS for validation purposes with the implementation of an electronic validation of citizenship documents from IRCC, transmitted through the SIR to the GCMS.
Exchange of Information Collected under the Canada Pension Plan in support of the superannuation programs administered by public works and government services Canada
Employment and Social Development Canada (ESDC) and Public Services and Procurement Canada (PSPC) (then Public Works and Government Services Canada) have collaborated to improve the efficiency and effectiveness of the information exchange that is currently in place between the Departments to administer the Public Service Superannuation program, Canadian Forces Superannuation program and Royal Canadian Mounted Police Superannuation program. A significant number of overpayments are a result of PSPC not being notified of a superannuation pensioner’s death. The proposed ISA will allow for ESDC to disclose to PSPC the date of death of individuals who are both CPP and Superannuation beneficiaries. A PIA was conducted to identify, assess, and mitigate any risks associated with the new disclosure of personal information to PSPC.
Disclosure of information collected under the Old Age Security Act to the province of Alberta for the administration of the Alberta seniors and housing programs
In spring 2015, Employment and Social Development (ESDC) learned that approximately 141 000 client accounts had not been automatically renewed for the Old Age Security (OAS) Guaranteed Income Supplement (GIS). Consequently, these accounts were identified for manual review to determine whether they were owed any retroactive GIS payments or forward adjustments. The Alberta Department of Seniors and Housing (Alberta) has reviewed their programs and has noted that the GIS retroactive payments could negatively impact applicants and beneficiaries of the Alberta seniors programs. ESDC and Alberta have negotiated an Information Sharing Agreement to set the parameters for a one-way disclosure by ESDC to Alberta of GIS retroactive review of personal information, which will be used in the administration of the Alberta programs. The ISA is for a limited period and has a sunset clause, terminating the ISA on December 31, 2017. A PIA was conducted to identify, assess, and mitigate any risks associated with the one-way disclosure of personal information to Alberta for the administration of Alberta seniors programs.
My Service Canada Account – Canada Revenue Agency Link Project
To meet initiatives aimed at improving digital service, Employment and Social Development Canada (ESDC) and the Canada Revenue Agency (CRA) have identified an opportunity to work jointly to increase user uptake of their respective digital channels by connecting them through a link within a secure space. ESDC clients who use My Service Canada Account (MSCA) will be able to access the CRA’s My Account (MyA)—and vice-versa—without the need for a separate login or the need to create an account in the other portal. Users are asked to consent to the disclosure of their information to the receiving department in order to access MyA or MSCA through the link. A Privacy Impact Assessment was conducted to identify, assess, and mitigate any risks associated with creating a link between MyA and MSCA.
Old Age Security: Proactive Enrolment Initiative – Phase II
Over the next decades the baby-boom generation will begin to reach the age of 65 and the number of Old Age Security (OAS) beneficiaries is projected to increase by 39%. This increase will put exceptional pressure on the OAS program. As a result, Employment and Social Development Canada (ESDC) developed the OAS/Guaranteed Income Supplement (GIS) Service Improvement Strategy (SIS). The OAS/GIS SIS seeks to alleviate the paper application requirement for the OAS pension by implementing the Proactive Enrolment Initiative. The OAS/GIS SIS is being implemented in a phased approach. The PIA for OAS: Proactive Enrolment Initiative Phase I was conducted in 2012 and included the automatic enrolment of Category 1 individuals. Phase II includes the implementation of automatic enrolment of Category 2 individuals. The PIA was conducted to identify, assess, and mitigate any risks associated with the administration of the OAS Category 2 automatic enrolment.
Exchange of personal information between Employment and Social Development Canada and Alberta Ministry of Seniors and Housing for the Administration of the Alberta Seniors Benefit
Currently 200 to 300 seniors per month are required to provide Alberta with proof of receipt of Old Age Security (OAS) pension in order to receive the Alberta Seniors Benefit (Seniors Benefit). If the client cannot provide proof, they then contact Employment and Social Development Canada (ESDC) to obtain a letter confirming receipt of OAS pension and deliver it to Alberta to receive their Seniors Benefit. The purpose of the Information Sharing Agreement is to reduce this burden by establishing a monthly electronic exchange between ESDC and Alberta. A PIA was conducted to identify, assess, and mitigate any risks associated with the exchange of personal information for the administration of the Seniors Benefit.
Annex C: Statistical report on the Privacy Act
Name of institution: Employment and Social Development Canada
Reporting period: 2016-04-01 to 2017-03-31
Part 1: Requests under the Privacy Act
| Details | Number of requests |
|---|---|
| Received during reporting period | 8,353 |
| Outstanding from previous reporting period | 588 |
| Total | 8,941 |
| Closed during reporting period | 8,510 |
| Carried over to next reporting period | 431 |
Part 2: Requests closed during the reporting period
2.1 Disposition and completion time
| Disposition of requests | Completion time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| All disclosed | 282 | 517 | 27 | 2 | 0 | 0 | 0 | 828 |
| Disclosed in part | 1,642 | 4,723 | 212 | 13 | 5 | 3 | 0 | 6,598 |
| All exempted | 13 | 2 | 0 | 0 | 0 | 0 | 0 | 15 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 723 | 154 | 3 | 0 | 0 | 0 | 0 | 880 |
| Request abandoned | 144 | 34 | 10 | 1 | 0 | 0 | 0 | 189 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 2,804 | 5,430 | 252 | 16 | 5 | 3 | 0 | 8,510 |
2.2 Exemptions
| Section | Number of requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 1 |
| 19(1)(f) | 1 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 1 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 43 |
| 22(1)(c) | 1 |
| 22(2) | 1 |
| 22.1 | 1 |
| 22.2 | 4 |
| 22.3 | 1 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 2 |
| 26 | 5977 |
| 27 | 91 |
| 28 | 1 |
2.3 Exclusions
| Section | Number of requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
2.4 Format of information released
| Disposition | Paper | Electronic | Other formats |
|---|---|---|---|
| All disclosed | 757 | 67 | 4 |
| Disclosed in part | 6,006 | 560 | 32 |
| Total | 6,763 | 627 | 36 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
| Disposition of requests | Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|---|
| All disclosed | 17,892 | 13,075 | 828 |
| Disclosed in part | 800,004 | 755,192 | 6,598 |
| All exempted | 62 | 0 | 15 |
| All excluded | 0 | 0 | 0 |
| Request abandoned | 996 | 906 | 189 |
| Neither confirmed nor denied | 0 | 0 | 0 |
| Total | 818,954 | 769,173 | 7,630 |
2.5.2 Relevant pages processed and disclosed by size of requests
| Disposition | Less than 100 pages processed | 101 to 500 Pages processed | 501 to 1000 Pages processed | 1001 to 5000 Pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages Disclosed | Number of requests | Pages disclosed | |
| All disclosed | 797 | 9,653 | 29 | 3,398 | 2 | 24 | 0 | 0 | 0 | 0 |
| Disclosed in part | 4,223 | 195,237 | 2,207 | 412,357 | 121 | 80,890 | 46 | 61,227 | 1 | 5,481 |
| All exempted | 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 184 | 130 | 5 | 776 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 5,219 | 205,020 | 2,241 | 416,531 | 123 | 80,914 | 46 | 61,227 | 1 | 5,481 |
2.5.3 Other complexities
| Disposition | Consultation required | Legal advice sought | Interwoven information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 1 | 89 | 90 |
| Disclosed in part | 24 | 0 | 600 | 305 | 929 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 2 | 2 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 24 | 0 | 601 | 396 | 1,021 |
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
| Number of requests closed past the statutory deadline | Principal reason | |||
|---|---|---|---|---|
| Workload | External consultation | Internal consultation | Other | |
| 71 | 45 | 1 | 8 | 17 |
2.6.2 Number of days past deadline
| Number of days past deadline | Number of requests past deadline where no extension was taken | Number of requests past deadline where an extension was taken | Total |
|---|---|---|---|
| 1 to 15 days | 26 | 6 | 32 |
| 16 to 30 days | 17 | 2 | 19 |
| 31 to 60 days | 8 | 2 | 10 |
| 61 to 120 days | 3 | 2 | 5 |
| 121 to 180 days | 2 | 0 | 2 |
| 181 to 365 days | 1 | 2 | 3 |
| More than 365 days | 0 | 0 | 0 |
| Total | 57 | 14 | 71 |
2.7 Requests for translation
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 6 | 0 | 6 |
| Total | 6 | 0 | 6 |
Part 3: Disclosures under Subsection 8(2) and 8(5)
| Section | Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|---|
| Disclosures | 0 | 0 | 0 | 0 |
Part 4: Requests for correction of personal information and notations
| Disposition for correction requests received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 2 |
| Total | 2 |
Part 5: Extensions
5.1 Reasons for extensions and dispositions of requests
| Disposition of requests where an extension was taken | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation or conversion | |
|---|---|---|---|---|
| Section 70 | Other | |||
| All disclosed | 4 | 0 | 1 | 0 |
| Disclosed in part | 71 | 0 | 9 | 5 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 1 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 0 |
| Total | 77 | 0 | 10 | 5 |
5.2 Length of extensions
| Length of extensions | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation purposes | |
|---|---|---|---|---|
| Section 70 | Other | |||
| 1 to 15 days | 0 | 0 | 1 | 0 |
| 16 to 30 days | 77 | 0 | 9 | 5 |
| Total | 77 | 0 | 10 | 5 |
Part 6: Consultations received from other institutions and organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
| Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
|---|---|---|---|---|
| Received during the reporting period | 8 | 132 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 8 | 132 | 0 | 0 |
| Closed during the reporting period | 8 | 132 | 0 | 0 |
| Pending at the end of the reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| All disclosed | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 4 |
| Disclosed in part | 3 | 0 | 1 | 0 | 0 | 0 | 0 | 4 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 5 | 2 | 1 | 0 | 0 | 0 | 0 | 8 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7: Completion time of consultations on cabinet confidences
7.1 Requests with legal services
| Number of days | Fewer than 100 pages processed | 101 to 500 pages processed | 501 to 1000 pages processed | 1001 to 5000 pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of days | Fewer than 100 pages processed | 101 to 500 pages processed | 501 to 1000 pages processed | 1001 to 5000 pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8: Complaints and investigations notices received
| Section | Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|---|
| Number | 22 | 24 | 20 | 0 | 66 |
Part 9: Privacy Impact Assessments (PIAs)
- Number of PIA(s) completed = 13
Part 10: Resources related to the Privacy Act
10.1 Costs
Expenditures amounts:
- Salaries = $4,757,032
- Overtime = $31,877
- Goods and Services = $143,710
- Professional services contracts = $32,999
- Other = $110,711
- Total = $4,932,619
10.2 Human resources
| Resources | Person years dedicated to privacy activities |
|---|---|
| Full-time employees | 30.23 |
| Part-time and casual employees | 0.31 |
| Regional staff | 42.64 |
| Consultants and agency personnel | 1.00 |
| Students | 0.80 |
| Total | 74.98 |
Page details
- Date modified: