Annual Report on the administration of the Privacy Act, 2021 to 2022

Privacy and the ESDC operating context

There were 3 primary influences on ESDC’s privacy management during the reporting period:

• digital transformation continued to change how personal information is managed across all sectors, including within the Government. Individuals increasingly expect to interact with federal institutions digitally as a matter of convenience. As a result, ESDC continued to focus on transformation efforts to meet the expectations of Canadians and to modernize its service offerings
• the Department continued to adapt to the impacts of the COVID-19 pandemic by adopting electronic processes and digital signatures, as well as by adding critical resources to Access to Information and Privacy (ATIP) operations. These improvements led to a reduction in the backlog of requests created at the start of the pandemic
• as ESDC’s footprint is national in scale, the Department continued to leverage its decentralized model to process privacy requests. Through Service Canada, the Department operated more than 600 in-person points of service across the country, as well as national and regional call centres, and provided digital service options online through Canada.ca. Notably, ESDC’s Privacy Act request processing operations relied on the Department’s 4 regions to meet its legislative obligations

Privacy by design at ESDC

ESDC manages one of the most robust privacy regimes in the federal system through its privacy code, enshrined in our departmental enabling legislation, as well as departmental policies that complement the President of the Treasury Board’s requirements and Office of the Privacy Commissioner’s (OPC) expectations. A key element of ESDC’s “privacy by design” approach is the integration of privacy considerations into all of its project management activities and new funding proposals.

ESDC’s Privacy Assessment process begins with an early check to establish at an initial stage in the project lifecycle the type of privacy review that is required. The Department has a tailored suite of assessment tools to ensure the right level of attention is committed to each initiative depending on the sensitivity of the information involved. Active and regular communications with Treasury Board Secretariat’s (TBS) privacy specialists, as well as with the OPC, ensure oversight bodies are well informed on privacy risks and how they are mitigated at an early stage.

ESDC also actively tracks and reports privacy breach incidents to the OPC and TBS. Breach levels as a percentage of overall transactions remain relatively low considering the high volume of daily transactions. The link between privacy and cybersecurity is being closely monitored in order to ready the Department for current and future threats in this area.

Privacy requests

The 2021 to 2022 reporting period saw a large spike in Privacy Act requests, with more than 17,000 received and nearly 1.5 million pages processed. While considerable progress was made to improve the compliance rate (from 46% in 2020 to 2021 to 58% this past fiscal year), it remained below the rate that the Department typically achieved in pre-pandemic years. Corrective action is already underway to continue improving performance in this area.

Highlights and results for 2021 to 2022

• A record volume of pages (1,477,256) was processed for exemptions and exclusions this year, an increase of 27% from the previous fiscal year. A total of 1,384,322 pages was disclosed, which is also an increase from the previous year of 28%
• ESDC received 17,695 Privacy Act requests, up from the previous year’s total of 13,998. A record number of requests were completed, from 12,883 in 2020 to 2021 to 17,577 during 2021 to 2022
• ESDC completed or substantially revised 22 privacy impact assessments (PIAs), which represented approximately 20% of the total number approved by all federal institutions last year
• To protect personal information when it is shared with other federal government institutions or other jurisdictions, 98 information sharing agreements were prepared, an increase of 58% over the previous fiscal year
• Initial program, project, and software privacy reviews more than doubled to 199 in 2021 to 2022 from 97 in 2020 to 2021
• Privacy reviews were also completed for the Department’s policy analysis, research and evaluation activities involving personal information. This past fiscal year, 23 such reviews were completed compared with 13 during 2020 to 2021

This report describes how ESDC proactively supports the judicious use and protection of personal information in one of the most challenging privacy environments in government. The collective snapshot of the facts, figures and information provided in this report demonstrates the responsibility, diligence and effort that ESDC’s employees apply every day to maintain the trust of Canadians as responsible stewards.

Presentation of this report

Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of the Act following the end of every fiscal year. This is ESDC annual report to Parliament on the administration of the Privacy Act for the 2021 to 2022 fiscal year. ESDC is not reporting on behalf of a wholly owned subsidiary or non-operational institution.

About ESDC

ESDC is the Government of Canada department responsible for developing, managing and delivering social programs and services. Its mission is to build a stronger and more inclusive Canada, support Canadians in helping them have productive and rewarding lives and improve their quality of life. ESDC includes 2 major entities: the Labour Program and Service Canada.

The Department delivers a range of programs and services that affect Canadians throughout their lives. It provides seniors with basic income security, supports unemployed workers, helps students finance their post-secondary education and assists parents in raising young children. The Labour Program contributes to social and economic well-being by fostering safe, healthy, fair and inclusive work environments and cooperative workplace relations in the federal jurisdiction. Service Canada engages with millions of Canadians each year to provide a range of government services and information online, by phone, and in person.

ESDC is responsible for the design and delivery of some of the most well known Government of Canada programs and services, such as:

• OAS
• Canada Pension Plan
• Employment Insurance
• Canada Student Grants and Loans and Canada Apprentice Loans program
• Canada Education Savings Program
• Wage Earner Protection Program and
• Passport Services

For fiscal year 2021 to 2022, ESDC’s planned expenditures on programs and services totalled $101.7 billion. Of that amount, $100 billion was allocated to benefit Canadians directly through statutory payment, grant and contribution programs.

ESDC’s Corporate Secretary and Chief Privacy Officer

The Corporate Secretariat Branch is responsible for issuing and managing privacy management policy within ESDC, providing privacy advice and guidance and, in the National Capital Region, for processing privacy requests. These activities are carried out by the Branch’s ATIP Operations Division, and the Privacy Management Division (PMD), with the functional support of ESDC’s 4 regional branches.

The Corporate Secretary heads the Branch and is ESDC’s designated Chief Privacy Officer (CPO). The CPO is the Department’s functional authority on all privacy matters and leads the management of privacy in the Department. The CPO’s responsibilities consist of providing strategic privacy policy advice and maintaining ESDC’s privacy management program that includes conducting privacy risk assessments, monitoring compliance with privacy legislation, policies and standards, and providing privacy training.

Access to Information and Privacy Operations Division

The ATIP Operations Division administers the Access to Information Act and the privacy request components of the Privacy Act for ESDC. The Division’s Director is the designated ATIP Coordinator for the Department. The responsibility for processing Privacy Act requests in ESDC is shared between the ATIP Operations Division and the Department’s 4 regional branches: Atlantic, Ontario, Quebec and Western.

ATIP Operations Division is responsible for coordinating the ATIP activities of ESDC branches and regions. Their responsibilities include the following:

• responding to Access to Information Act requests
• responding to specific Privacy Act requests
• providing functional guidance to the regions with respect to the operational and reporting components of the privacy function and
• delivering general and tailored training sessions to employees on the administration of both Acts

Furthermore, the Division also reviews the Open Government publications to ensure that the handling of personal information practices are in compliance with the Act.

ATIP Operations Division is composed of an intake unit, several ATIP processing teams, and a small proactive disclosure operations and policy unit. During the 2021 to 2022 fiscal year, there were approximately 45 employees in the Division.

Regional privacy operations

The regional branches play an important role in fulfilling the Department’s Privacy Act responsibilities. During the 2021 to 2022 fiscal year, there were approximately 74 employees in the regions who processed ATIP files. A network of liaison officers and managers within the branches in each region support the processing of privacy requests as well as provide expert advice and guidance directly to program areas while working horizontally with the guidance of ATIP Operations Division.

Privacy Management Division

PMD is ESDC’s centre for privacy policy expertise and is the Department’s focal point for privacy advice. PMD leads the horizontal implementation of departmental privacy policies and initiatives, conducts risk analyses, including PIAs, and provides privacy compliance guidance to ESDC’s programs and services that includes supporting the preparation of information sharing agreements and contracts. The Division responds to court and law enforcement requests for documents, administers public interest disclosures, plays a key role in the management and prevention of privacy breaches, and supports privacy training and awareness activities. In addition, PMD provides strategic privacy policy and analytical advice to the CPO and ESDC’s senior leaders.

The Division is organized into 4 functional groups consisting of a privacy policy and risk management unit, a privacy compliance and advisory services unit, an incident management and legislative disclosures unit, and a small strategic advisory and planning team. During the 2021 to 2022 fiscal year, PMD had 44 employees.

Service Agreement with the Canadian Accessibility Standards Development Organization

ESDC has a memorandum of understanding to provide access to information and privacy services for the Canadian Accessibility Standards Development Organization, an independent departmental corporation in the Department’s portfolio. The Canadian Accessibility Standards Development Organization was established under the Accessible Canada Act and is mandated to contribute to the realization of a Canada without barriers, on or before January 1, 2040.

Through the memorandum of understanding, ESDC delivers Privacy Act request processing services, annual reporting advice and statistics, liaison functions, and training. ESDC also furnishes analysis and advice for PIAs, information sharing arrangements, disclosures, contracting, legislative and policy compliance, and the management of security incidents.

Legal framework for privacy

ESDC operates within one of the most complex privacy regimes in government. Its legal obligations are set out in the Privacy Act and in the personal information protection provisions found in the Department of Employment and Social Development Act (DESDA). Moreover, with the numerous collaborative efforts with which ESDC is involved to deliver national programs and services, legal interoperability with Government of Canada organizations, the provinces and territories, and municipal governments is always an important requirement.

The Privacy Act is the federal legislation that protects the personal information of Canadians, permanent residents, and individuals present in Canada that is held by federal public sector institutions. Extending from the Charter of Rights and Freedoms, it is a key foundation piece for preserving the privacy interests of individuals in Canada. The Act contains a set of rules for the Government’s management of personal information by providing a framework on how federal institutions can collect, use, retain, and disclose personal information.

The collection and use of personal information by federal institutions are based on lawful authority or legal authorization. Federal institutions can only collect or use personal information with a sufficiently direct connection to legally authorized programs and activities.

Personal information under the control of a government institution cannot be disclosed without the consent of the individual, except in specific circumstances. These include uses that are consistent with the purpose of the original collection, when authorized by federal legislation, to comply with legal instruments, such as subpoenas and court orders, in circumstances where there is a clear benefit to the individual, and where there is a public interest that outweighs the invasion of privacy. Importantly, the Act gives individuals the right to request access to their own personal information held by a federal institution and the right to request a correction to their information if it is inaccurate.

The Privacy Act also created the OPC of Canada, an independent agent of Parliament that oversees compliance with its implementation. The Privacy Commissioner has powers to receive and investigate complaints, including in cases where an individual’s request for access to their personal information has been refused by a government institution.

The administration of the Act by federal institutions, including ESDC, is supplemented by policies and directives issued by the President of the Treasury Board or an authorized delegate.

In addition to the Privacy Act, the management of personal information by ESDC is undertaken in accordance with the statutory obligations that are provided in the Department’s enabling legislation. DESDA describes the rules that apply to personal information controlled by ESDC and is applied in tandem with the Privacy Act. DESDA, which is more rigorous than the Privacy Act, sets out the requirements for:

• making personal information available, including public interest disclosures
• making available the information contained in the SIN Register
• using personal information for internal policy analysis, research and evaluation purposes and
• making personal information available for research or statistical analysis

Where the Department delivers services to the public on behalf of other federal institutions and jurisdictions, or when delivering select services for the Government of Canada, the partner’s privacy regime, normally the Privacy Act for federal partners, will apply instead of DESDA.

Privacy Act Delegation Order

Section 73 of the Privacy Act empowers the head of an institution to delegate any of the powers, duties or functions assigned to him or her by the Act to employees of that institution, typically through a Delegation Order. This instrument sets out the powers, duties and functions for the administration of the Act that have been delegated by the head of the institution and to whom that delegation has been assigned.

The Privacy Act Delegation Order that was approved by the Minister of Employment, Workforce Development and Disability Inclusion, is reproduced in Annex A.

Departmental Policy on Privacy Management

The Departmental Policy on Privacy Management supports a robust privacy regime for the protection and judicious use of personal information by ESDC. Supplementing TBS policies, directives and standards, this departmental policy codifies the requirements for the management and protection of personal information, articulates clear and universal privacy policy principles, and specifies roles and responsibilities for the management of personal information including discrete functional responsibilities and accountabilities for privacy. The policy sets out ESDC’s Privacy Management Framework, outlined below, designates the CPO function, and establishes the Department’s privacy governance mechanisms.

The expected results from the application of the Departmental Policy on Privacy Management include the sound management and safeguarding of personal information by the Department; robust practices for the identification, assessment and management of risks to personal information; and the establishment of clear accountabilities accompanied by effective governance structures and mechanisms to protect and manage personal information under ESDC’s stewardship.

Privacy Management Framework

ESDC’s Privacy Management Framework promotes a proactive approach for the management of personal information by fostering the integration of privacy practices into program, system, and business process design. The Framework consists of 5 elements:

• Governance and accountability: Roles and responsibilities for privacy are clearly defined
• Stewardship of personal information: Appropriate privacy protections are implemented to manage personal information properly throughout its life cycle
• Assurance of compliance: Formal processes and practices are in place to ensure adherence to privacy specifications, policies, standards and laws
• Effective risk management: Structured and coordinated risk identification and assessments are conducted to limit the probability and impact of negative events and
• Culture, training and awareness: Privacy training and awareness activities that sustain a privacy-aware organization that values the protection and stewardship of personal information

The Framework is a clear and succinct foundational element in establishing and operating a comprehensive privacy program for the Department.

Privacy governance at ESDC

ESDC uses a committee structure to support privacy governance, risk oversight, and decision-making. For this reporting period, the Department’s primary governance body for privacy and the safeguarding of personal information was the Data and Privacy Committee, co-chaired by the CPO and the Chief Data Officer. The Data and Privacy Committee is mandated to oversee the stewardship and management of data as well as the protection of personal information across the Department. The Committee supports the integration of data management, privacy and cyber security; provides oversight of ESDC’s risk management processes with respect to personal information; and promotes a departmental culture that recognizes that the protection of privacy is a core organizational value and is fundamental to maintaining the public’s trust.

The Data and Privacy Committee reports to the Assistant Deputy Minister-level Corporate Management Committee (CMC). The CMC is responsible for overseeing the Department’s management agenda including the implementation of the ESDC’s security measures. Chaired by the Associate Deputy Minister, the CMC is composed of branch and regional heads as well as the Department’s senior leaders of key functional activities.

Privacy assessments and reviews

In accordance with the Treasury Board’s Directive on PIAs, ESDC is required to conduct a PIA before establishing any new or substantially modified program or activity involving the administrative use of personal information. PIAs are used to identify and assess privacy risks as well as to develop plans to reduce or eliminate those risks. Among federal institutions, ESDC is an innovator in the methods used to conduct privacy assessments. For example, PMD draws from a suite of approaches that it developed, including full PIAs, Privacy Analyses (a type of “PIA light”), Privacy Analysis for Information Technology Solutions (PAITS), and Privacy Protocols, to tailor the assessment that is most appropriate for an ESDC project or initiative. These instruments have allowed ESDC to continue to be a leading Department for the completion of PIAs over the past 2 fiscal years.

During the 2021 to 2022 fiscal year, ESDC produced a departmental record 19 PIAs and prepared significant addendums to 3 others. Copies of the reports were provided to TBS and the OPC. The completion of time-sensitive PIAs supported the issuance of urgent payments to individuals that helped alleviate financial pressures brought on by COVID-19 that many Canadians were facing. Information on these assessments is provided in Annex B of this report and on ESDC’s PIA website.

Privacy reviews were also completed for the Department’s policy analysis, research and evaluation activities involving personal information. This past fiscal year, 23 such reviews were completed compared with 13 during 2020 to 2021.

Among its privacy responsibilities, ESDC verifies that arrangements for making personal information available to other federal institutions, other jurisdictions and service delivery providers are compliant with legislation and policy. PMD also checks that they have the necessary terms and conditions for the protection and appropriate management of personal information. This past fiscal year, 98 information sharing agreements and 122 procurement instruments were reviewed in detail, representing significant increases of 58% and 122% respectively over 2020 to 2021.

This growth in the demand for internal privacy services was experienced broadly. For example, the number of initial reviews for programs, projects and software applications more than doubled to 199 in 2021 to 2022. General privacy inquiries from internal clients rose by a third, totalling 221, and 88 privacy notices and consents were prepared compared to 57 during the previous fiscal year.

ATIP modernization

ESDC continued its ATIP modernization initiative by implementing digital solutions as the Department continued to move to a largely paperless office environment. Last fiscal year, the modernization initiative focussed on standardizing processes and procedures across the Department’s decentralized ATIP model to support further efficiencies in the processing of access to information and privacy access requests, a renewal exercise that is expected to enhance operational effectiveness once completed. This work continued to be given a high priority because of the COVID-19 pandemic, and the Department is now processing most requests in a digital environment.

Privacy approval process

Last fiscal year, ESDC’s internal auditors completed an advisory assessment on the 2019 implementation of the amended PIA assessment and approval process. These modifications were intended to increase the efficiency of PIAs by delegating approval authorities for common, routine, and low-risk items to the CPO and Director of the PMD, while the Deputy Minister retained the authority to approve assessments for initiatives that were high risk.

The audit team concluded that new approval authorities complied with the Privacy Act and that there were no substantive changes to the PIA process. It also found that the time required to obtain approval of a PIA decreased significantly while the quality of the finished product remained high. Based on interviews with key staff and an analysis of documents, no residual risks arising from the changes in approval process was identified. The audit team also noted that, given the effectiveness of the new approval process, there was an opportunity to revisit the Data and Privacy Committee’s mandate concerning the governance of PIAs.

Benefits Delivery Modernization

The large-scale transformation Benefits Delivery Modernization (BDM) programme is designed to deliver improved client experience for several of Canada’s largest benefits programs through a modern technology platform, streamlined processing, new digital services and enhanced service management capabilities. ESDC’s privacy management team is working closely on the Department’s service transformation projects, including the BDM programme where a multi-pronged strategy is being applied.

ESDC is taking a “privacy by design” approach with dedicated resources assigned to the programme. Privacy advice is being integrated into the BDM programme design as a whole, while detailed privacy analyses and risk assessments are conducted for individual project components. The use of personal information for programme-related policy analysis and research is reviewed before it is authorized. Privacy specialists are also helping the programme develop a long-term privacy strategy on personal information management that will enable clients to more actively assert their privacy rights as well as enhance overall the public trust in ESDC’s service delivery.

Strategic risks

ESDC refreshed its privacy strategic risk profile in order to identify and focus attention on the most prominent threats to the management and safeguarding of personal information under the Department’s control. Significant strides have been made to implement practices that allow for the effective safeguarding of personal information as an integrated part of operations. Risk management includes monitoring a rapidly changing context, including cyber security, information management, contracts, and information sharing agreements.

Privacy Management Road Map

In 2018, ESDC introduced a multi-year strategic plan, or road map, in response to the rapidly changing privacy environment and in support of the Department’s transformation and innovation initiatives. The implementation of the road map resulted in the strengthening risk management practices, revised privacy governance mechanisms, optimization of approval processes, and buttressed incident management activities and legal instrument disclosure processes. Due to the COVID-19 pandemic, it was necessary to carry-over some planned activities into future years.

Based on the success of the first Three-year Privacy Management Road Map, a new privacy road map was developed. This updated plan identifies actions to further strengthen privacy management processes, enhance collaboration with PMD’s information management and security partners, support ESDC’s strategic priorities and modernize the Department’s privacy practices as it seeks technological and methodological innovation in the use of personal information.

New SIN authority: One-time payment for older seniors

In accordance with the Directive on Social Insurance Number, the Minister of Seniors requested, and was granted, an authority for a new consistent use of the SIN that was collected for the purposes of administering the One-time payment for older seniors and OAS program. SIN information contained in the OAS database enabled ESDC to identify individuals eligible for the one-time payment. Since the program did not have an application process, the use of the SIN was the only means available to validate a recipient’s eligibility and entitlement.

Requests and consultations: total volume

During the 2021 to 2022 fiscal year, ESDC experienced a 26% increase in privacy requests, from 13,998 in 2020 to 2021 to 17,695. Conversely, consultation requests related to the Privacy Act continued to decline, dropping 73% from the previous year’s total of 11.

Text version

Year	Number of requests
2018 to 2019	12,678
2019 to 2020	15,405
2020 to 2021	13,998
2021 to 2022	17,695

Text version

Year	Number of requests
2018 to 2019	38
2019 to 2020	23
2020 to 2021	11
2021 to 2022	3

The following table (Table 1) provides a summary of ESDC’s Privacy Act access request metrics comparing them across the last four fiscal years.

Total requests received and completed

The number of requests closed during the reporting period grew from 12,883 in 2020 to 2021 to 17,577 in 2021 to 2022. Recovery from the effects of the pandemic, which had caused a great number of responses to be late in the previous year, also began in the current reporting period. As a result, the Department was able to close a record number of requests during the year and 17% more than the previous record in 2019 to 2020.

Text version

Year	Total requests received	Total requests completed
2018 to 2019	12,678	12,260
2019 to 2020	15,405	15,004
2020 to 2021	13,998	12,883
2021 to 2022	17,695	17,577

Requests by calendar days taken to complete

For the first time since the onset of the pandemic, ESDC processed more privacy requests than it received during this reporting period. The compliance rate for closing requests within 30 days (or 60 days after an extension), however, has been slower to rebound increasing from 46% in 2020 to 2021 to 58% in 2021 to 2022. This remains below our strong compliance rates pre-pandemic, which averaged above 99%. As the Department continues to modernize the privacy request function, standardization will be a major focus so that Canadians receive dependable, responsive service to every request.

Text version

Year	30 Calendar Days	31-60 Calendar Days	61 or more Calendar Days
2018 to 2019	11,832 (97%)	370 (2%)	58 (1%)
2019 to 2020	14,613 (97%)	358 (2%)	33 (1%)
2020 to 2021	5,029 (39%)	2,459 (19%)	5,395 (42%)
2021 to 2022	8,130 (46%)	5,009 (29%)	4,438 (25%)

Text version

Year	Within	Beyond
2018 to 2019	12,137 (99%)	123 (1%)
2019 to 2020	14,949 (99%)	55 (1%)
2020 to 2021	5,906 (46%)	6,977 (54%)
2021 to 2022	10,190 (58%)	7,387 (42%)

Reasons for extensions

Institutions may apply for an extension beyond the original 30-day statutory timeframe in cases where meeting the statutory date is not feasible. During the 2021 to 2022 reporting period, there were 1,048 large volume requests, 1 request requiring either translation or converting a record to another format, 1 request involving a Cabinet Confidence, and 19 internal consultations, which were required to be performed that could not reasonably be conducted within the initial 30 days. These requests resulted in ESDC to seek 1,069 extensions. This total represented an 8% increase from 2020 to 2021 when ESDC requested 990 extensions.

Timeframe monitoring

ESDC’s regional offices manage most of the privacy requests (personal information requests and requests for the correction of personal information) for the Department and prepare periodic reports concerning new requests, workload and status updates regarding on-time performance for privacy requests. Performance reports are generated by the regional offices on a monthly, quarterly and yearly basis.

Number of active requests that are outstanding from previous fiscal years

Occasionally, the processing time of some Privacy Act requests is longer than the legislated timeline.

Pages processed and disclosed

During this reporting period, 1,477,202 pages were processed for exemptions and exclusions, representing an increase of 27% from the previous fiscal year when 1,164,618 pages were processed. A total of 1,384,322 pages were disclosed, which is also an increase from the previous year when 1,084,077 pages were disclosed. Both the number of pages processed and disclosed during the reporting period were significantly higher than any previous reporting period.

Text version

Year	Pages Processed	Pages Disclosed
2018 to 2019	979,247	934,672
2019 to 2020	1,259,755	1,208,351
2020 to 2021	1,164,618	1,084,070
2021 to 2022	1,477,202	1,384,322

Exemptions and exclusions

As ESDC is one of the largest holders of personal information in the Government of Canada, the application of exemptions and exclusions under the Privacy Act typically occurs more frequently than most other federal institutions. During 2021 to 2022, the total number of requests that were completely disclosed was 1,880 (11%). The number of files that were disclosed in part was 12,058 (69%). There were 3,235 requests for which no records existed and 400 abandoned requests.

Exemptions

While the Privacy Act provides individuals with an enforceable right of access to their personal information, there are instances where certain limited and specific exemptions can be applied. The Privacy Act exemption that was applied most frequently was Section 26, which protects personal information, as defined by Section 3 of the Act, of another individual. This exemption occurred in 11,986 instances of completed requests during the 2021 to 2022 fiscal year. This represents an increase of 3,358 when compared to the previous fiscal year.

Exclusions

The Privacy Act allows for the exclusion of certain types of information, such as records that are already available to the public (Section 69) and confidences of the King’s Privy Council for Canada (Section 70). During the 2021 to 2022 fiscal year, there were 4 exclusions under Section 69.1 for personal information that the Canadian Broadcasting Corporation collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Consultations received from other Government of Canada institutions and other organizations

ESDC received 3 external consultation requests during the 2021 to 2022 fiscal year, requiring a review of 127 additional pages. These requests originated from Government of Canada institutions and other organizations.

The Department closed 5 requests for consultations of which 1 was completed within 30 days. Of the total number of requests for consultation, 4 resulted in a recommendation to the consulting institution or organization to disclose the records entirely.

Requests for the correction of personal information under the Privacy Act

Under the Privacy Act, individuals have a right to request the correction of erroneous personal information pertaining to them that is retained by a government institution, provided that the individual can adequately substantiate the request. ESDC accepted 2 requests for correction and attached 11 notes to file during the 2021 to 2022 fiscal year.

COVID-19 operational impact

The Department’s overall extensive contributions to the Government of Canada’s national measures to support Canadians at the outset of COVID-19 pandemic, coupled with the challenges of transitioning to remote working, and the lower ATIP compliance rate in the 2020 to 2021 reporting period, resulted in a sizeable backlog in ATIP requests. This backlog was carried over into the 2021 to 2022 fiscal year.

To address these challenges, the Department during the 2021 to 2022 reporting period continued to improve its efficiency with its use of electronic processes and digital signatures. ESDC also provided additional staffing resources toward ATIP operations, resulting in a reduction in the backlog of requests.

Online privacy training

ESDC has a comprehensive training program to increase the knowledge and awareness of appropriate personal information management practices. All employees are required to maintain a valid certification in Stewardship of Information and Workplace Behaviours (SIWB), a course that addresses privacy, the handling of personal information, security, access to information, information management, and values and ethics. The course is a component of the Department’s Essential Training Curriculum and is delivered online. At the end of the 2021 to 2022 fiscal year, 33,453 employees held SIWB certification, which is valid for 2 years.

In addition to SIWB, ESDC provided additional online courses in its training catalogue that were relevant to privacy. The Access to Information and Privacy (ATIP): It’s everybody’s business course gives employees the knowledge required to protect, use and disclose personal information on a daily basis and teaches them to prevent breaches by seeking guidance or by using good judgment in a timely manner. Last fiscal year, 25,370 employees completed it.

New employees take the Doing Things Right and Doing the Right Thing: Putting the Departmental Code of Conduct into Action course, which has a significant privacy component. The course helps participants understand the application of ethical behaviour in the workplace and how to use that knowledge to guide them in their day-to-day work and decision-making, including their interactions with clients and colleagues. The course was taken by 24,861 employees during the 2021 to 2022 fiscal year.

In-person training and awareness

Throughout the reporting period, the Department continued to provide practical, easy-to-understand, and readily available privacy information and guidance to employees to reinforce the application of appropriate personal information handling and safeguarding practices, as well as to provide general knowledge on the philosophical and legislative underpinnings on privacy. These activities included organizing various privacy-themed information events and a series of specialized knowledge talks for Privacy Awareness Week, which took place in January 2022. Over 1,000 individuals participated in the various activities during the event.

Overall, 1,127 ESDC employees attended privacy training and awareness activities in a virtual format during 2021 to 2022. This was an eight-fold increase from the previous fiscal year (146 people in 2020 to 2021) when the Department was transitioning to online operations in response to the pandemic.

Privacy Act and Regulations: Delegation of Authority, Department of Employment and Social Development

The Minister of Employment and Social Development, pursuant to section 73 of the Privacy Act (the Act), hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Minister as the head of a government institution, under the provisions of the Act and the Privacy Regulations (the Regulations) set out in the schedule opposite each position.

Original signed March 12, 2020 by the Honourable Carla Qualtrough, Minister of Employment and Social Development

Canada Education Savings Program (CESP) Analytical and Monitoring Solution

The CESP uses 2 interactive databases: the Reporting Database (RDB) and the Canada Education Savings Grant Online Transactional Processing Database. The current RDB is inadequate in meeting the needs for data analytics and performance measurement. Consequently, the CESP intends to replace the RDB with an analytical and monitoring solution.

A PAITS was completed to identify and assess privacy risks associated with the collection and handling of personal information resulting from the introduction of a new database and relocation of personal information. 1 medium-level risk and 2 low-level risks were identified. The strategies to address these risks are scheduled for completion by June 2022.

Canada Emergency Student Benefit (CESB)

The CESB was established in May 2020 by the Government of Canada to provide financial support to students whose income was affected by the COVID‑19 pandemic.

A PIA was completed to identify the privacy risks associated with the collection and use of personal information of CESB applicants. 4 low-level risks and 5 compliance issues were identified. Mitigation actions to address them are being implemented and scheduled for completion by spring 2022.

Canada Service Corps Civic Participation Pilot

The Civic Participation Pilot is a Youth Leadership initiative by the Canada Service Corps administered by the Department’s Learning Branch. It will provide a virtual learning and leadership experience to 200 young adults from across the country and involve the selection of applicants using a third-party cloud-based web application portal. The application portal will collect and store applicants’ personal information and use them for administering activities.

A privacy analysis was completed to identify privacy risks associated with the collection and use of personal information received from youth applicants. 2 medium-level risks, 1 low-level risk and 2 compliance issues were identified. Mitigation actions to address these risks were scheduled for completion in 2021 to 2022.

Canada Student Financial Assistance (CSFA) Program use of Simplified Digital Identity Validation (SDIV) Solution

The CFSA Program’s use of the SDIV solution will deliver real-time multi-factor authentication that improves the Department’s Enterprise Cyber Authentication Service (ECAS). The ECAS provides registration and authentication services for the National Student Loans Service Centre account. The SDIV will be another solution for users who have forgotten the answers to their security questions and have locked themselves out of their account.

A privacy analysis was completed to identify the privacy risks associated with the handling of CSFA Program users’ personal information. 3 medium-level risks and 1 compliance issue were identified. The mitigation strategies to address these risks are being implemented and scheduled for completion by July 2022.

COVID-19 One-Time Non-Taxable Payment to Persons with Disabilities

In June 2020, the Government of Canada provided financial support for a one‑time non-taxable payment of up to $600 for persons with disabilities. Individuals with a valid Disability Tax Credit, beneficiaries of the Canada Pension Plan Disability benefit, the Quebec Pension Plan Disability benefit and individuals who receive any of the 7 Veterans Affairs Canada disability benefits received this payment.

A PIA was completed to identify privacy risks associated with the collection, use and handling of personal information for clients receiving this payment. 1 medium-level risk, 1 low-level risk and 2 compliance issues were identified and the mitigation strategies to address them are currently being implemented.

COVID-19 One-Time Tax-Free Payment for Seniors

In July 2020, the Government of Canada provided financial support for a one‑time tax-free payment for Canadians aged 65 and over who are eligible for the OAS. These payments were provided to help seniors cover the additional costs caused by the COVID-19 pandemic.

The COVID-19 one-time tax-free payment for seniors used personal information in a decision-making process to determine who was eligible for the COVID-19 Seniors Grant and the amount to which eligible recipients were entitled. We have completed a PIA to identify any privacy risks related to the collection, use and handling of personal information of clients receiving these payments. The PIA identified 2 medium-level risks and 2 compliance issues. The strategies to address these risks and compliance issues are scheduled for completion by June 2022.

COVID-19 One-Time Non-Taxable Grant for GIS Recipients who Received Pandemic Benefits in 2020: Issuance of Payments to Clients in Dire Need

The GIS is available to low-income OAS pensioners who live in Canada. In the Government of Canada’s 2021 Budget, a financial support for a one-time non-taxable grant payment of $200 was provided to GIS recipients who are in dire need of experiencing a loss or reduction to their GIS benefit due to the COVID‑19 pandemic.

We have completed a PIA to identify any privacy risks related to the collection, use, disclosure and handling of personal information of clients receiving this payment. The PIA identified 4 medium-level risks and 1 compliance issue. The strategies to address these risks and issue are scheduled for completion by March 31, 2023.

Electronic Public Trustee Portal to the Social Insurance Number (eSIN) Application

The Electronic Public Trustee Portal initiative will allow Public Trustees across Canada to apply for or request confirmation of a SIN as well as to request for personal information within the Social Insurance Register pertaining to individuals for whom they have legal authority. Personal information will be collected and used for administrative purposes, such as to identify and confirm the identity of clients (public trustees) to process a SIN application.

A PAITS was completed to identify any privacy risks associated with the collection and use of personal information through the Public Trustee Portal, a third-party cloud services platform. 2 medium-level risks, 1 low-level risk and 2 compliance issues were identified, and the mitigation strategies to address these risks are currently being implemented with scheduled completion in the 2021 to 2022 fiscal year.

EI Workload Efficiency and Process Improvement Project

The EI Workload Efficiency and Process Improvement project seeks to address workload challenges by implementing efficiencies and process improvements to ensure Service Canada is fulfilling client expectations in maintaining EI service standards. In addition, this work includes enhancing the client service experience.

A PAITS was completed to identify any risks associated with the projects task to address current challenges in the EI workload management system. 2 medium-level risks and 3 low-level risks were identified and the mitigation strategies to address them are currently being implemented with a scheduled completion date by March 2024.

Enabling Services Renewal Program – myEMS (PeopleSoft)

ESDC upgraded their Human Capital Management system (PeopleSoft) from version 9.1 to version 9.2 in order to leverage latest functionalities like enhanced data analytics, mobile capability and higher accessibility standards.

An addendum to the original PIA was completed to identify the privacy risks associated with the new collection and enhanced use of personal information. 2 compliance issues were identified and the corrective measures to address these issues are documented within the PIA.

eServiceCanada Passport

Service Canada created a new online passport renewal application portal in addition to a related case management system that together is called the “eServiceCanada Passport.” The eServiceCanada Passport is a new way to collect application information that was previously only collected by using a paper form that enables Service Canada to continue receiving passport renewal applications electronically, particularly when Service Canada Centres were closed.

A PAITS was completed to identify the privacy risks related to the use of eServiceCanada Passport. 2 medium-level risk and 2 compliance issues were identified, and the mitigation strategies to address them are currently being implemented.

Exchange of personal information on offenders between ESDC and Correctional Services Canada for the administration of the Employment Insurance Emergency Response Benefit (EI ERB)

As a result of the Government of Canada’s COVID-19 Emergency Response Act, measures were designed to provide immediate income support to Canadians and to help protect the economy from the impacts of the COVID-19 pandemic. ESDC is responsible for managing and processing payments for the EI ERB Program. Consequently, ESDC needs to collect personal information about offenders from Correctional Services Canada in cases of suspected ineligibility or overpayment.

As an urgent initiative related to COVID-19 and due to the sensitivity of the personal information collected from the Correctional Services Canada, a Privacy Compliance Evaluation (PCE) was completed for EI ERB. The PCE examined the privacy risks related to the management and protection of personal information involved in the collection, use and data matching activities to determine eligibility for the EI ERB. It identified 2 medium-level risks and 1 low-level risk. The strategies to address these risks were scheduled for completion during 2021 to 2022.

Hosted Contact Centre Solution (HCCS): Wave 2

The HCCS is a modernized, centrally managed and fully hosted solution for ESDC contact centres. The HCCS improves client experiences by leveraging industry-standard functionalities such as: cloud-based routing, enhanced self‑service, computer telephony integration, call and screen recording, virtual hold and workforce management to ensure prompt and efficient services.

A PAITS was completed to identify and assess the privacy risks associated with the major change to existing contact center practices in the protection of personal information. The PAITS identified 1 medium-level risk. The strategy to address this risk was scheduled for implementation in spring 2022.

Implementation of Adobe Target on Canada.ca

Service Canada applied Adobe Target, a third-party web analytic software, to Canada.ca webpages to improve visitor experience and to maximize the effectiveness of the webpages in matching the needs of visitors.

A PAITS was completed to identify and assess the privacy risks associated with the management and protection of personal information by using by the Adobe Target software. The PAITS identified 3 low-level risks, 1 insignificant-level risk and 4 compliance issues. The strategies to address these risks and issues are being implemented.

Integrated Labour System (ILS) Employer’s Annual Hazardous Occurrence Reports (EAHOR)

ESDC’s Labour Program oversees the facilitation of compliance with labour laws and Canadian labour standards. Each year, all federally regulated employers submit an EAHOR to the Minister of Labour. EAHORs record the total number of fatalities, accidents, occupational diseases and other hazardous occurrences in a workplace in a given year. ILS was implemented by the Labor Program to administer EAHORs as part of the modernization of its operating environment.

A PAITS was completed as part of multiple privacy analyses that the Labour Program will complete on the ILS. The PAITS was completed to identify and assess the privacy risks and impacts in the collection and use of personal information of employees by submitting the EAHOR report using the ILS. 1 medium-level risk, 2 low-level risks and 2 compliance issues were identified. The strategies to address these risks and issues have been recommended to the Program.

MyAlberta Digital Identity (MADI) Agreement

The MyAlberta Digital Identity Trusted Digital Identity Agreement will give Alberta residents the opportunity to streamline their access to their My Service Canada Account by using MADI, their provincially approved identity-bound credential as a Trusted Digital Identity. This agreement replaces the MADI pilot.

An addendum to the original PIA (April 2019) on the pilot was completed to identify the privacy risks associated with the indirect collection and use of personal information by ESDC from Service Alberta. 1 medium-level risk, 1 low-level risk and 2 compliance issues were identified. Mitigation strategies to address these risks were scheduled for completion by August 21, 2021.

Receipt of Entry-Exit Data from the Canada Border Services Agency by the OAS Program

ESDC receives Entry-Exit traveller information from the Canada Border Services Agency in order to investigate potential fraud and abuse of the OAS program. This information is matched with OAS client data to identify non‑portable beneficiaries who should have self-reported their absence from Canada.

An addendum to the original PIA was completed to identify the privacy risks associated with the collection and use of Entry-Exit data from Canada Border Services Agency resulting from the data matching activity using the Social Insurance Register. 1 low-level risk was identified with no scheduled mitigation action since the activity was expected to end by the end of the 2021 to 2022 fiscal year.

Record of Employment Comment (ROEC) Artificial Intelligence Model

A Record of Employment (ROE) provides information on employment history. The information on the ROE is used to decide if a person is eligible to collect EI benefits, what the benefit amount will be, for how long the benefits will be paid. Some ROEs online have free text comments. The ROEC tool automates the review of the ROE text comment field using machine learning, and confirms or updates the reason for separation in the ROE. Additionally, information from the ROE comment field helps decide EI benefits.

A PAITS was completed to identify and assess privacy risks associated with the ROEC tools automation in its review of the ROE Comments. The PAITS identified 1 medium-level risk and one compliance issue. The strategies to address this risk and compliance issue were scheduled for completion during the 2021 to 2022 fiscal year.

Security Screening Intake Process Simplification Project (SSIPS)

The SSIPS Project is a partnership between ESDC’s Integrity Service Branch and Transport Canada to support ESDC to process security clearances for employees. Before this project, the security screening solution at ESDC was manual. SSIPS is focused on improving the user experience to obtain security screening by digitalizing and simplifying the process through a portal for secure submissions for employees.

A PAITS was completed to identify and assess privacy risks associated with the collection, use and handling of personal information received from applicants to process their security clearance for work. The PAITS identified 4 privacy risks: 1 medium-level risk and 3 low-level risks. Additionally, 3 compliance issues were also identified. The mitigation strategies to address these risks and issues were scheduled for completion by March 2022.

Service Canada Compliance Verification Service for the Public Health Agency of Canada (PHAC)

During the COVID-19 pandemic, the Service Canada Compliance Verification Service for PHAC was modified to help PHAC contact more travelers. ESDC and Service Canada continue to provide service delivery for PHAC’s COVID‑19 Quarantine Compliance Campaign with changes to its services in determining whether travelers are following travel guidelines.

A PCE was completed to identify and assess any privacy risks associated with the collection and handling of travelers personal information. 1 medium-level risk, 2 low-level risks and 2 compliance issues were identified in the PCE. The strategies to address these risks and issues were scheduled for completion during the 2021 to 2022 fiscal year.

Simplified Digital Identity Validation Solution

The SDIV solution will provide real-time authentication that improves ESDC’s ECAS. The ECAS solution runs registration and authentication services for My Service Canada Account and the SDIV solution will provide users with the option to sign up for or sign in to it in real time by providing a digital second factor verification.

A PCE was completed to identify any privacy risks related to the collection and handling of personal information. 3 medium-level risks and 3 compliance issues were identified. The strategies to address these risks and issues were scheduled for completion by March 31, 2022.

Supplementary Payment for Older Seniors

As part of the Government of Canada’s Budget 2021, a one-time payment was provided to all Canadians aged 65 and over who met the residence requirements to receive the OAS pension. The one-time payment was intended to meet the immediate needs of older seniors until a 10% increase to the OAS pension for seniors 75 and older is permanently implemented.

A PIA was completed to identify any privacy risks related to the collection, use and handling of personal information for clients receiving the payment. 2 medium-level risks and 1 compliance issue was identified. The strategies to address these risks and compliance issues are scheduled for completion by June 2022.