Annual Report on the administration of the Privacy Act, 2021 to 2022
On this page
- ESDC’s privacy year in review, 2021 to 2022
- 1. Introduction
- 2. Organizational context
- 3. ESDC’s privacy regime
- 4. Policies, procedures, and initiatives
- 5. Performance overview
- 6. Complaints, investigations and court actions
- 7. Public interest disclosures
- 8. Material privacy breaches
- 9. Training and awareness activities
- Annex A: Privacy Act Delegation Order
- Annex B: Summaries of completed privacy impact assessments
- Annex C: ESDC Statistical Report on the Privacy Act, 2021 to 2022
Alternate formats
Annual Report on the administration of the Privacy Act [PDF - 2.53 MB]
Large print, braille, MP3 (audio), e-text and DAISY formats are available on demand by ordering online or calling 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105.
List of figures
- Figure 1: Privacy Act requests – total volume received
- Figure 2: Privacy Act consultation requests – total volume received
- Figure 3: Requests received and completed
- Figure 4: Privacy Act access requests by calendar days taken to complete
- Figure 5: Number of requests processed within and beyond legislated timeframes, Privacy Act
- Figure 6: Number of pages processed and disclosed, Privacy Act
List of tables
- Table 1: Summary of requests under the Privacy Act
- Table 2: Number of requests where an extension was taken, Privacy Act.
- Table 3: Number of active requests outstanding from previous reporting periods
- Table 4: Number of Requests and Percentage of Total Exemptions
- Table 5: Consultation requests received from other Government of Canada institutions and other organizations
- Table 6: Complaints, investigations and court actions, 2021 to 2022
- Table 7: Number of disclosures by reason
- Table 8: Description of material breaches and action plans
- Table 9: Privacy Act – Delegated authorities
- Table 10: Privacy Regulations – Delegated authorities
- Table 11: Number of requests received
- Table 12: Channels of requests
- Table 13: Number of informal requests
- Table 14: Channels of informal requests
- Table 15: Completion Times
- Table 16: Pages released informally
- Table 17: Disposition and completion time
- Table 18: Exemptions
- Table 19: Exclusions
- Table 20: Format of information released
- Table 21: Relevant pages processed and disclosed paper and e-record formats
- Table 22: Relevant pages processed by request disposition for paper and e-record formats by size of requests
- Table 23: Relevant minutes processed and disclosed for audio formats
- Table 24: Relevant minutes processed per request disposition for audio formats by size of requests
- Table 25: Relevant minutes processed and disclosed for video formats
- Table 26: Relevant minutes processed per request disposition for video formats by size of requests
- Table 27: Other complexities
- Table 28: Number of requests closed within legislated timelines
- Table 29: Reasons for not meeting legislated timelines
- Table 30: Requests closed beyond legislated timelines (including any extension taken)
- Table 31: Requests for translation
- Table 32: Disclosures under Subsections 8(2) and 8(5)
- Table 33: Requests for correction of personal information and notations
- Table 34: Reasons for extensions
- Table 35: Length of extensions
- Table 36: Consultations received from other Government of Canada institutions and other organizations
- Table 37: Recommendations and completion time for consultations received from other Government of Canada institutions
- Table 38: Recommendations and completion time for consultations received from other organizations outside the Government of Canada
- Table 39: Requests with Legal Services
- Table 40: Requests with Privy Council Office
- Table 41: Complaints and Investigations notices received
- Table 42: Privacy Impact Assessments
- Table 43: Institution-specific and Central Personal Information Banks
- Table 44: Material Privacy Breaches reported
- Table 45: Non-Material Privacy Breaches
- Table 46: Allocated Costs
- Table 47: Human Resources
- Table 48: Capacity to receive requests under the Access to Information Act and the Privacy Act
- Table 49: Number of weeks your institution was able to process paper records in different classification levels
- Table 50: Number of weeks your institution was able to process electronic records in different classification levels
- Table 51: Number of open requests that are outstanding from previous reporting periods under the Access to Information Act
- Table 52: Number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods
- Table 53: Number of open requests that are outstanding from previous reporting periods under the Privacy Act
- Table 54: Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
- Table 55: Social Insurance Number (SIN)
ESDC’s privacy year in review, 2021 to 2022
Employment and Social Development Canada (ESDC) maintains one of the largest personal information holdings in the Government of Canada and protecting it is a top priority. The Department administers many of the federal government’s most critical social programs and services, including Employment Insurance, the Social Insurance Number (SIN) Register, Old Age Security (OAS), the Guaranteed Income Supplement (GIS), Canada Pension Plan, Canada Student Loans Program, and skills and employment training. These programs require the collection, use and disclosure of large volumes of detailed and often sensitive personal information.
To fulfil its mandate, ESDC regularly makes information available to several partners and stakeholders, including other federal departments and provincial, territorial and international governments. There are many reasons for these disclosures: to enable program delivery, to determine eligibility for federal and provincial programs and benefits, for the authentication of individuals, identity management, research and statistics, integrity operations, and legal proceedings. These relationships are managed through hundreds of personal information sharing agreements.
As stewards of this information, ESDC prides itself on ensuring that personal information is protected as an integral part of its commitment to Canadians.
Privacy and the ESDC operating context
There were 3 primary influences on ESDC’s privacy management during the reporting period:
- digital transformation continued to change how personal information is managed across all sectors, including within the Government. Individuals increasingly expect to interact with federal institutions digitally as a matter of convenience. As a result, ESDC continued to focus on transformation efforts to meet the expectations of Canadians and to modernize its service offerings
- the Department continued to adapt to the impacts of the COVID-19 pandemic by adopting electronic processes and digital signatures, as well as by adding critical resources to Access to Information and Privacy (ATIP) operations. These improvements led to a reduction in the backlog of requests created at the start of the pandemic
- as ESDC’s footprint is national in scale, the Department continued to leverage its decentralized model to process privacy requests. Through Service Canada, the Department operated more than 600 in-person points of service across the country, as well as national and regional call centres, and provided digital service options online through Canada.ca. Notably, ESDC’s Privacy Act request processing operations relied on the Department’s 4 regions to meet its legislative obligations
Privacy by design at ESDC
ESDC manages one of the most robust privacy regimes in the federal system through its privacy code, enshrined in our departmental enabling legislation, as well as departmental policies that complement the President of the Treasury Board’s requirements and Office of the Privacy Commissioner’s (OPC) expectations. A key element of ESDC’s “privacy by design” approach is the integration of privacy considerations into all of its project management activities and new funding proposals.
ESDC’s Privacy Assessment process begins with an early check to establish at an initial stage in the project lifecycle the type of privacy review that is required. The Department has a tailored suite of assessment tools to ensure the right level of attention is committed to each initiative depending on the sensitivity of the information involved. Active and regular communications with Treasury Board Secretariat’s (TBS) privacy specialists, as well as with the OPC, ensure oversight bodies are well informed on privacy risks and how they are mitigated at an early stage.
ESDC also actively tracks and reports privacy breach incidents to the OPC and TBS. Breach levels as a percentage of overall transactions remain relatively low considering the high volume of daily transactions. The link between privacy and cybersecurity is being closely monitored in order to ready the Department for current and future threats in this area.
Privacy requests
The 2021 to 2022 reporting period saw a large spike in Privacy Act requests, with more than 17,000 received and nearly 1.5 million pages processed. While considerable progress was made to improve the compliance rate (from 46% in 2020 to 2021 to 58% this past fiscal year), it remained below the rate that the Department typically achieved in pre-pandemic years. Corrective action is already underway to continue improving performance in this area.
Highlights and results for 2021 to 2022
- A record volume of pages (1,477,256) was processed for exemptions and exclusions this year, an increase of 27% from the previous fiscal year. A total of 1,384,322 pages was disclosed, which is also an increase from the previous year of 28%
- ESDC received 17,695 Privacy Act requests, up from the previous year’s total of 13,998. A record number of requests were completed, from 12,883 in 2020 to 2021 to 17,577 during 2021 to 2022
- ESDC completed or substantially revised 22 privacy impact assessments (PIAs), which represented approximately 20% of the total number approved by all federal institutions last year
- To protect personal information when it is shared with other federal government institutions or other jurisdictions, 98 information sharing agreements were prepared, an increase of 58% over the previous fiscal year
- Initial program, project, and software privacy reviews more than doubled to 199 in 2021 to 2022 from 97 in 2020 to 2021
- Privacy reviews were also completed for the Department’s policy analysis, research and evaluation activities involving personal information. This past fiscal year, 23 such reviews were completed compared with 13 during 2020 to 2021
This report describes how ESDC proactively supports the judicious use and protection of personal information in one of the most challenging privacy environments in government. The collective snapshot of the facts, figures and information provided in this report demonstrates the responsibility, diligence and effort that ESDC’s employees apply every day to maintain the trust of Canadians as responsible stewards.
1. Introduction
Presentation of this report
Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of the Act following the end of every fiscal year. This is ESDC annual report to Parliament on the administration of the Privacy Act for the 2021 to 2022 fiscal year. ESDC is not reporting on behalf of a wholly owned subsidiary or non-operational institution.
About ESDC
ESDC is the Government of Canada department responsible for developing, managing and delivering social programs and services. Its mission is to build a stronger and more inclusive Canada, support Canadians in helping them have productive and rewarding lives and improve their quality of life. ESDC includes 2 major entities: the Labour Program and Service Canada.
The Department delivers a range of programs and services that affect Canadians throughout their lives. It provides seniors with basic income security, supports unemployed workers, helps students finance their post-secondary education and assists parents in raising young children. The Labour Program contributes to social and economic well-being by fostering safe, healthy, fair and inclusive work environments and cooperative workplace relations in the federal jurisdiction. Service Canada engages with millions of Canadians each year to provide a range of government services and information online, by phone, and in person.
ESDC is responsible for the design and delivery of some of the most well known Government of Canada programs and services, such as:
- OAS
- Canada Pension Plan
- Employment Insurance
- Canada Student Grants and Loans and Canada Apprentice Loans program
- Canada Education Savings Program
- Wage Earner Protection Program and
- Passport Services
For fiscal year 2021 to 2022, ESDC’s planned expenditures on programs and services totalled $101.7 billion. Of that amount, $100 billion was allocated to benefit Canadians directly through statutory payment, grant and contribution programs.
2. Organizational context
ESDC’s Corporate Secretary and Chief Privacy Officer
The Corporate Secretariat Branch is responsible for issuing and managing privacy management policy within ESDC, providing privacy advice and guidance and, in the National Capital Region, for processing privacy requests. These activities are carried out by the Branch’s ATIP Operations Division, and the Privacy Management Division (PMD), with the functional support of ESDC’s 4 regional branches.
The Corporate Secretary heads the Branch and is ESDC’s designated Chief Privacy Officer (CPO). The CPO is the Department’s functional authority on all privacy matters and leads the management of privacy in the Department. The CPO’s responsibilities consist of providing strategic privacy policy advice and maintaining ESDC’s privacy management program that includes conducting privacy risk assessments, monitoring compliance with privacy legislation, policies and standards, and providing privacy training.
Access to Information and Privacy Operations Division
The ATIP Operations Division administers the Access to Information Act and the privacy request components of the Privacy Act for ESDC. The Division’s Director is the designated ATIP Coordinator for the Department. The responsibility for processing Privacy Act requests in ESDC is shared between the ATIP Operations Division and the Department’s 4 regional branches: Atlantic, Ontario, Quebec and Western.
ATIP Operations Division is responsible for coordinating the ATIP activities of ESDC branches and regions. Their responsibilities include the following:
- responding to Access to Information Act requests
- responding to specific Privacy Act requests
- providing functional guidance to the regions with respect to the operational and reporting components of the privacy function and
- delivering general and tailored training sessions to employees on the administration of both Acts
Furthermore, the Division also reviews the Open Government publications to ensure that the handling of personal information practices are in compliance with the Act.
ATIP Operations Division is composed of an intake unit, several ATIP processing teams, and a small proactive disclosure operations and policy unit. During the 2021 to 2022 fiscal year, there were approximately 45 employees in the Division.
Regional privacy operations
The regional branches play an important role in fulfilling the Department’s Privacy Act responsibilities. During the 2021 to 2022 fiscal year, there were approximately 74 employees in the regions who processed ATIP files. A network of liaison officers and managers within the branches in each region support the processing of privacy requests as well as provide expert advice and guidance directly to program areas while working horizontally with the guidance of ATIP Operations Division.
Privacy Management Division
PMD is ESDC’s centre for privacy policy expertise and is the Department’s focal point for privacy advice. PMD leads the horizontal implementation of departmental privacy policies and initiatives, conducts risk analyses, including PIAs, and provides privacy compliance guidance to ESDC’s programs and services that includes supporting the preparation of information sharing agreements and contracts. The Division responds to court and law enforcement requests for documents, administers public interest disclosures, plays a key role in the management and prevention of privacy breaches, and supports privacy training and awareness activities. In addition, PMD provides strategic privacy policy and analytical advice to the CPO and ESDC’s senior leaders.
The Division is organized into 4 functional groups consisting of a privacy policy and risk management unit, a privacy compliance and advisory services unit, an incident management and legislative disclosures unit, and a small strategic advisory and planning team. During the 2021 to 2022 fiscal year, PMD had 44 employees.
Service Agreement with the Canadian Accessibility Standards Development Organization
ESDC has a memorandum of understanding to provide access to information and privacy services for the Canadian Accessibility Standards Development Organization, an independent departmental corporation in the Department’s portfolio. The Canadian Accessibility Standards Development Organization was established under the Accessible Canada Act and is mandated to contribute to the realization of a Canada without barriers, on or before January 1, 2040.
Through the memorandum of understanding, ESDC delivers Privacy Act request processing services, annual reporting advice and statistics, liaison functions, and training. ESDC also furnishes analysis and advice for PIAs, information sharing arrangements, disclosures, contracting, legislative and policy compliance, and the management of security incidents.
3. ESDC’s privacy regime
Legal framework for privacy
ESDC operates within one of the most complex privacy regimes in government. Its legal obligations are set out in the Privacy Act and in the personal information protection provisions found in the Department of Employment and Social Development Act (DESDA). Moreover, with the numerous collaborative efforts with which ESDC is involved to deliver national programs and services, legal interoperability with Government of Canada organizations, the provinces and territories, and municipal governments is always an important requirement.
The Privacy Act is the federal legislation that protects the personal information of Canadians, permanent residents, and individuals present in Canada that is held by federal public sector institutions. Extending from the Charter of Rights and Freedoms, it is a key foundation piece for preserving the privacy interests of individuals in Canada. The Act contains a set of rules for the Government’s management of personal information by providing a framework on how federal institutions can collect, use, retain, and disclose personal information.
The collection and use of personal information by federal institutions are based on lawful authority or legal authorization. Federal institutions can only collect or use personal information with a sufficiently direct connection to legally authorized programs and activities.
Personal information under the control of a government institution cannot be disclosed without the consent of the individual, except in specific circumstances. These include uses that are consistent with the purpose of the original collection, when authorized by federal legislation, to comply with legal instruments, such as subpoenas and court orders, in circumstances where there is a clear benefit to the individual, and where there is a public interest that outweighs the invasion of privacy. Importantly, the Act gives individuals the right to request access to their own personal information held by a federal institution and the right to request a correction to their information if it is inaccurate.
The Privacy Act also created the OPC of Canada, an independent agent of Parliament that oversees compliance with its implementation. The Privacy Commissioner has powers to receive and investigate complaints, including in cases where an individual’s request for access to their personal information has been refused by a government institution.
The administration of the Act by federal institutions, including ESDC, is supplemented by policies and directives issued by the President of the Treasury Board or an authorized delegate.
In addition to the Privacy Act, the management of personal information by ESDC is undertaken in accordance with the statutory obligations that are provided in the Department’s enabling legislation. DESDA describes the rules that apply to personal information controlled by ESDC and is applied in tandem with the Privacy Act. DESDA, which is more rigorous than the Privacy Act, sets out the requirements for:
- making personal information available, including public interest disclosures
- making available the information contained in the SIN Register
- using personal information for internal policy analysis, research and evaluation purposes and
- making personal information available for research or statistical analysis
Where the Department delivers services to the public on behalf of other federal institutions and jurisdictions, or when delivering select services for the Government of Canada, the partner’s privacy regime, normally the Privacy Act for federal partners, will apply instead of DESDA.
Privacy Act Delegation Order
Section 73 of the Privacy Act empowers the head of an institution to delegate any of the powers, duties or functions assigned to him or her by the Act to employees of that institution, typically through a Delegation Order. This instrument sets out the powers, duties and functions for the administration of the Act that have been delegated by the head of the institution and to whom that delegation has been assigned.
The Privacy Act Delegation Order that was approved by the Minister of Employment, Workforce Development and Disability Inclusion, is reproduced in Annex A.
Departmental Policy on Privacy Management
The Departmental Policy on Privacy Management supports a robust privacy regime for the protection and judicious use of personal information by ESDC. Supplementing TBS policies, directives and standards, this departmental policy codifies the requirements for the management and protection of personal information, articulates clear and universal privacy policy principles, and specifies roles and responsibilities for the management of personal information including discrete functional responsibilities and accountabilities for privacy. The policy sets out ESDC’s Privacy Management Framework, outlined below, designates the CPO function, and establishes the Department’s privacy governance mechanisms.
The expected results from the application of the Departmental Policy on Privacy Management include the sound management and safeguarding of personal information by the Department; robust practices for the identification, assessment and management of risks to personal information; and the establishment of clear accountabilities accompanied by effective governance structures and mechanisms to protect and manage personal information under ESDC’s stewardship.
Privacy Management Framework
ESDC’s Privacy Management Framework promotes a proactive approach for the management of personal information by fostering the integration of privacy practices into program, system, and business process design. The Framework consists of 5 elements:
- Governance and accountability: Roles and responsibilities for privacy are clearly defined
- Stewardship of personal information: Appropriate privacy protections are implemented to manage personal information properly throughout its life cycle
- Assurance of compliance: Formal processes and practices are in place to ensure adherence to privacy specifications, policies, standards and laws
- Effective risk management: Structured and coordinated risk identification and assessments are conducted to limit the probability and impact of negative events and
- Culture, training and awareness: Privacy training and awareness activities that sustain a privacy-aware organization that values the protection and stewardship of personal information
The Framework is a clear and succinct foundational element in establishing and operating a comprehensive privacy program for the Department.
Privacy governance at ESDC
ESDC uses a committee structure to support privacy governance, risk oversight, and decision-making. For this reporting period, the Department’s primary governance body for privacy and the safeguarding of personal information was the Data and Privacy Committee, co-chaired by the CPO and the Chief Data Officer. The Data and Privacy Committee is mandated to oversee the stewardship and management of data as well as the protection of personal information across the Department. The Committee supports the integration of data management, privacy and cyber security; provides oversight of ESDC’s risk management processes with respect to personal information; and promotes a departmental culture that recognizes that the protection of privacy is a core organizational value and is fundamental to maintaining the public’s trust.
The Data and Privacy Committee reports to the Assistant Deputy Minister-level Corporate Management Committee (CMC). The CMC is responsible for overseeing the Department’s management agenda including the implementation of the ESDC’s security measures. Chaired by the Associate Deputy Minister, the CMC is composed of branch and regional heads as well as the Department’s senior leaders of key functional activities.
4. Policies, procedures, and initiatives
The breadth and scale of ESDC’s activities means the Department is responsible for managing one of the largest personal information holdings in the Government of Canada. The delivery of programs and services by ESDC, in most cases, involves the collection, use, and disclosure of personal information. Often, detailed and sensitive personal information is required to determine program eligibility or to provide benefits and services. Furthermore, with its broad mandate and the responsibility to manage immense volumes of personal information, ESDC must operate within a complex privacy legal regime that includes the Privacy Act and DESDA, as well as respecting specific legislative requirements for the Department’s federal and provincial government partners.
Throughout 2021 to 2022, ESDC continued to advance a proactive, risk-based approach to privacy management and sought to adapt its activities and processes to the needs of the changing privacy environment. It applied its privacy lens to the large number of departmental initiatives, some of which involved the large-scale collection, use and disclosure of personal information.
ESDC delivered many of the Government of Canada’s COVID-19 economic initiatives as well as crucial programs and services to support children, students, seniors, workers, families and many communities in need to withstand the financial pressures resulting from the pandemic. It also provided additional service options to Canadian by implementing several solutions to strengthen the digital delivery of services and information exchanges. The Department’s privacy regime supported the protection of sensitive personal information required in the implementation of these initiatives.
Privacy assessments and reviews
In accordance with the Treasury Board’s Directive on PIAs, ESDC is required to conduct a PIA before establishing any new or substantially modified program or activity involving the administrative use of personal information. PIAs are used to identify and assess privacy risks as well as to develop plans to reduce or eliminate those risks. Among federal institutions, ESDC is an innovator in the methods used to conduct privacy assessments. For example, PMD draws from a suite of approaches that it developed, including full PIAs, Privacy Analyses (a type of “PIA light”), Privacy Analysis for Information Technology Solutions (PAITS), and Privacy Protocols, to tailor the assessment that is most appropriate for an ESDC project or initiative. These instruments have allowed ESDC to continue to be a leading Department for the completion of PIAs over the past 2 fiscal years.
During the 2021 to 2022 fiscal year, ESDC produced a departmental record 19 PIAs and prepared significant addendums to 3 others. Copies of the reports were provided to TBS and the OPC. The completion of time-sensitive PIAs supported the issuance of urgent payments to individuals that helped alleviate financial pressures brought on by COVID-19 that many Canadians were facing. Information on these assessments is provided in Annex B of this report and on ESDC’s PIA website.
Privacy reviews were also completed for the Department’s policy analysis, research and evaluation activities involving personal information. This past fiscal year, 23 such reviews were completed compared with 13 during 2020 to 2021.
Among its privacy responsibilities, ESDC verifies that arrangements for making personal information available to other federal institutions, other jurisdictions and service delivery providers are compliant with legislation and policy. PMD also checks that they have the necessary terms and conditions for the protection and appropriate management of personal information. This past fiscal year, 98 information sharing agreements and 122 procurement instruments were reviewed in detail, representing significant increases of 58% and 122% respectively over 2020 to 2021.
This growth in the demand for internal privacy services was experienced broadly. For example, the number of initial reviews for programs, projects and software applications more than doubled to 199 in 2021 to 2022. General privacy inquiries from internal clients rose by a third, totalling 221, and 88 privacy notices and consents were prepared compared to 57 during the previous fiscal year.
ATIP modernization
ESDC continued its ATIP modernization initiative by implementing digital solutions as the Department continued to move to a largely paperless office environment. Last fiscal year, the modernization initiative focussed on standardizing processes and procedures across the Department’s decentralized ATIP model to support further efficiencies in the processing of access to information and privacy access requests, a renewal exercise that is expected to enhance operational effectiveness once completed. This work continued to be given a high priority because of the COVID-19 pandemic, and the Department is now processing most requests in a digital environment.
Privacy approval process
Last fiscal year, ESDC’s internal auditors completed an advisory assessment on the 2019 implementation of the amended PIA assessment and approval process. These modifications were intended to increase the efficiency of PIAs by delegating approval authorities for common, routine, and low-risk items to the CPO and Director of the PMD, while the Deputy Minister retained the authority to approve assessments for initiatives that were high risk.
The audit team concluded that new approval authorities complied with the Privacy Act and that there were no substantive changes to the PIA process. It also found that the time required to obtain approval of a PIA decreased significantly while the quality of the finished product remained high. Based on interviews with key staff and an analysis of documents, no residual risks arising from the changes in approval process was identified. The audit team also noted that, given the effectiveness of the new approval process, there was an opportunity to revisit the Data and Privacy Committee’s mandate concerning the governance of PIAs.
Benefits Delivery Modernization
The large-scale transformation Benefits Delivery Modernization (BDM) programme is designed to deliver improved client experience for several of Canada’s largest benefits programs through a modern technology platform, streamlined processing, new digital services and enhanced service management capabilities. ESDC’s privacy management team is working closely on the Department’s service transformation projects, including the BDM programme where a multi-pronged strategy is being applied.
ESDC is taking a “privacy by design” approach with dedicated resources assigned to the programme. Privacy advice is being integrated into the BDM programme design as a whole, while detailed privacy analyses and risk assessments are conducted for individual project components. The use of personal information for programme-related policy analysis and research is reviewed before it is authorized. Privacy specialists are also helping the programme develop a long-term privacy strategy on personal information management that will enable clients to more actively assert their privacy rights as well as enhance overall the public trust in ESDC’s service delivery.
Strategic risks
ESDC refreshed its privacy strategic risk profile in order to identify and focus attention on the most prominent threats to the management and safeguarding of personal information under the Department’s control. Significant strides have been made to implement practices that allow for the effective safeguarding of personal information as an integrated part of operations. Risk management includes monitoring a rapidly changing context, including cyber security, information management, contracts, and information sharing agreements.
Privacy Management Road Map
In 2018, ESDC introduced a multi-year strategic plan, or road map, in response to the rapidly changing privacy environment and in support of the Department’s transformation and innovation initiatives. The implementation of the road map resulted in the strengthening risk management practices, revised privacy governance mechanisms, optimization of approval processes, and buttressed incident management activities and legal instrument disclosure processes. Due to the COVID-19 pandemic, it was necessary to carry-over some planned activities into future years.
Based on the success of the first Three-year Privacy Management Road Map, a new privacy road map was developed. This updated plan identifies actions to further strengthen privacy management processes, enhance collaboration with PMD’s information management and security partners, support ESDC’s strategic priorities and modernize the Department’s privacy practices as it seeks technological and methodological innovation in the use of personal information.
New SIN authority: One-time payment for older seniors
In accordance with the Directive on Social Insurance Number, the Minister of Seniors requested, and was granted, an authority for a new consistent use of the SIN that was collected for the purposes of administering the One-time payment for older seniors and OAS program. SIN information contained in the OAS database enabled ESDC to identify individuals eligible for the one-time payment. Since the program did not have an application process, the use of the SIN was the only means available to validate a recipient’s eligibility and entitlement.
5. Performance overview
This section provides key statistics and analysis on ESDC’s accomplishments in the 2021 to 2022 fiscal year and demonstrates how the Department contributed to the Government’s administration of the Privacy Act. Most of the charts and tables below (Figures 1 through 6 and 8 through 11) provide a 4-year comparison highlighting ESDC’s Privacy Act administration performance trends. The Department’s detailed statistical report on its administration of the Privacy Act is found in Annex C.
It is important to note that while the full-scale privacy operations resumed during the 2021 to 2022 reporting period, there was a large spike in privacy access requests with over 17 thousand received during the 2021 to 2022 fiscal year. This increased volume was a new record for ESDC. While considerable progress was made to improve compliance rates, they remained below levels that the Department typically achieved in pre-pandemic years.
Requests and consultations: total volume
During the 2021 to 2022 fiscal year, ESDC experienced a 26% increase in privacy requests, from 13,998 in 2020 to 2021 to 17,695. Conversely, consultation requests related to the Privacy Act continued to decline, dropping 73% from the previous year’s total of 11.

Text version
Year | Number of requests |
---|---|
2018 to 2019 | 12,678 |
2019 to 2020 | 15,405 |
2020 to 2021 | 13,998 |
2021 to 2022 | 17,695 |

Text version
Year | Number of requests |
---|---|
2018 to 2019 | 38 |
2019 to 2020 | 23 |
2020 to 2021 | 11 |
2021 to 2022 | 3 |
The following table (Table 1) provides a summary of ESDC’s Privacy Act access request metrics comparing them across the last four fiscal years.
Activity | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 |
---|---|---|---|---|
Formal requests received under the Privacy Act | 12,678 | 15,405 | 13,998 | 17,695 |
Requests completed during the reporting period | 12,260 | 15,004 | 12,883 | 17,577 |
Number of requests completed within legislated timeframes (including extensions) | 12,137 | 14,949 | 5,906 | 10,190 |
Number of requests completed beyond legislated timeframes | 123 | 55 | 6,977 | 7,387 |
Proportion of requests that were responded to within legislated timeframes | 99% | 99% | 46% | 58% |
Total requests received and completed
The number of requests closed during the reporting period grew from 12,883 in 2020 to 2021 to 17,577 in 2021 to 2022. Recovery from the effects of the pandemic, which had caused a great number of responses to be late in the previous year, also began in the current reporting period. As a result, the Department was able to close a record number of requests during the year and 17% more than the previous record in 2019 to 2020.

Text version
Year | Total requests received | Total requests completed |
---|---|---|
2018 to 2019 | 12,678 | 12,260 |
2019 to 2020 | 15,405 | 15,004 |
2020 to 2021 | 13,998 | 12,883 |
2021 to 2022 | 17,695 | 17,577 |
Requests by calendar days taken to complete
For the first time since the onset of the pandemic, ESDC processed more privacy requests than it received during this reporting period. The compliance rate for closing requests within 30 days (or 60 days after an extension), however, has been slower to rebound increasing from 46% in 2020 to 2021 to 58% in 2021 to 2022. This remains below our strong compliance rates pre-pandemic, which averaged above 99%. As the Department continues to modernize the privacy request function, standardization will be a major focus so that Canadians receive dependable, responsive service to every request.

Text version
Year | 30 Calendar Days | 31-60 Calendar Days | 61 or more Calendar Days |
---|---|---|---|
2018 to 2019 | 11,832 (97%) | 370 (2%) | 58 (1%) |
2019 to 2020 | 14,613 (97%) | 358 (2%) | 33 (1%) |
2020 to 2021 | 5,029 (39%) | 2,459 (19%) | 5,395 (42%) |
2021 to 2022 | 8,130 (46%) | 5,009 (29%) | 4,438 (25%) |

Text version
Year | Within | Beyond |
---|---|---|
2018 to 2019 | 12,137 (99%) | 123 (1%) |
2019 to 2020 | 14,949 (99%) | 55 (1%) |
2020 to 2021 | 5,906 (46%) | 6,977 (54%) |
2021 to 2022 | 10,190 (58%) | 7,387 (42%) |
Reasons for extensions
Institutions may apply for an extension beyond the original 30-day statutory timeframe in cases where meeting the statutory date is not feasible. During the 2021 to 2022 reporting period, there were 1,048 large volume requests, 1 request requiring either translation or converting a record to another format, 1 request involving a Cabinet Confidence, and 19 internal consultations, which were required to be performed that could not reasonably be conducted within the initial 30 days. These requests resulted in ESDC to seek 1,069 extensions. This total represented an 8% increase from 2020 to 2021 when ESDC requested 990 extensions.
Privacy Act Section | Reason for extension | Number of requests for extension |
---|---|---|
15(a)(i) Interference with operations | Further review required to determine exemptions | 0 |
Large volume of pages | 0 | |
Large volume of requests | 1,048 | |
Documents are too difficult to obtain | 0 | |
15(a)(ii) Consultation | Cabinet Confidence (Section 70) | 1 |
External | 0 | |
Internal | 19 | |
15(b) Translation purposes or conversion | Translation or conversion | 1 |
TOTAL | 1,069 |
Timeframe monitoring
ESDC’s regional offices manage most of the privacy requests (personal information requests and requests for the correction of personal information) for the Department and prepare periodic reports concerning new requests, workload and status updates regarding on-time performance for privacy requests. Performance reports are generated by the regional offices on a monthly, quarterly and yearly basis.
Number of active requests that are outstanding from previous fiscal years
Occasionally, the processing time of some Privacy Act requests is longer than the legislated timeline.
Fiscal year during which the open request was received | Open requests that are within legislated timelines as of March 31, 2022 | Open requests that are beyond legislated timelines as of March 31, 2022 | Total |
---|---|---|---|
2021 to 2022 | 269 | 0 | 269 |
2020 to 2021 | 8 | 0 | 8 |
2019 to 2020 | 2 | 0 | 2 |
2018 to 2019 | 0 | 1,694 | 1,694 |
2017 to 2018 | 1 | 0 | 1 |
2016 to 2017 | 0 | 0 | 0 |
2015 to 2016 or earlier | 0 | 0 | 0 |
Totals | 280 | 1,694 | 1,974 |
Pages processed and disclosed
During this reporting period, 1,477,202 pages were processed for exemptions and exclusions, representing an increase of 27% from the previous fiscal year when 1,164,618 pages were processed. A total of 1,384,322 pages were disclosed, which is also an increase from the previous year when 1,084,077 pages were disclosed. Both the number of pages processed and disclosed during the reporting period were significantly higher than any previous reporting period.

Text version
Year | Pages Processed | Pages Disclosed |
---|---|---|
2018 to 2019 | 979,247 | 934,672 |
2019 to 2020 | 1,259,755 | 1,208,351 |
2020 to 2021 | 1,164,618 | 1,084,070 |
2021 to 2022 | 1,477,202 | 1,384,322 |
Exemptions and exclusions
As ESDC is one of the largest holders of personal information in the Government of Canada, the application of exemptions and exclusions under the Privacy Act typically occurs more frequently than most other federal institutions. During 2021 to 2022, the total number of requests that were completely disclosed was 1,880 (11%). The number of files that were disclosed in part was 12,058 (69%). There were 3,235 requests for which no records existed and 400 abandoned requests.
Exemptions
While the Privacy Act provides individuals with an enforceable right of access to their personal information, there are instances where certain limited and specific exemptions can be applied. The Privacy Act exemption that was applied most frequently was Section 26, which protects personal information, as defined by Section 3 of the Act, of another individual. This exemption occurred in 11,986 instances of completed requests during the 2021 to 2022 fiscal year. This represents an increase of 3,358 when compared to the previous fiscal year.
Section | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 |
---|---|---|---|---|
s. 22 – Law enforcement and investigation | 61 (0.7%) | 56 (0.6%) | 63 (0.7%) | 13 (0.1%) |
s. 26 – Information about another individual | 8,082 (98.1%) | 9,812 (98.7%) | 8,628 (98.8%) | 11,986 (99.3%) |
s. 27 – Solicitor-client privilege | 72 (0.9%) | 63 (0.6%) | 42 (0.5%) | 48 (0.4%) |
Exclusions
The Privacy Act allows for the exclusion of certain types of information, such as records that are already available to the public (Section 69) and confidences of the King’s Privy Council for Canada (Section 70). During the 2021 to 2022 fiscal year, there were 4 exclusions under Section 69.1 for personal information that the Canadian Broadcasting Corporation collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
Consultations received from other Government of Canada institutions and other organizations
ESDC received 3 external consultation requests during the 2021 to 2022 fiscal year, requiring a review of 127 additional pages. These requests originated from Government of Canada institutions and other organizations.
The Department closed 5 requests for consultations of which 1 was completed within 30 days. Of the total number of requests for consultation, 4 resulted in a recommendation to the consulting institution or organization to disclose the records entirely.
Types of consultation | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 |
---|---|---|---|---|
Consultation requests received under the Privacy Act | 38 | 20 | 11 | 3 |
Additional pages reviewed under the Privacy Act | 1,578 | 3,137 | 388 | 127 |
Privacy Act requests for consultations closed | 36 | 21 | 9 | 5 |
Privacy Act requests for consultations closed within 30 days | 36 | 18 | 3 | 1 |
Requests for the correction of personal information under the Privacy Act
Under the Privacy Act, individuals have a right to request the correction of erroneous personal information pertaining to them that is retained by a government institution, provided that the individual can adequately substantiate the request. ESDC accepted 2 requests for correction and attached 11 notes to file during the 2021 to 2022 fiscal year.
COVID-19 operational impact
The Department’s overall extensive contributions to the Government of Canada’s national measures to support Canadians at the outset of COVID-19 pandemic, coupled with the challenges of transitioning to remote working, and the lower ATIP compliance rate in the 2020 to 2021 reporting period, resulted in a sizeable backlog in ATIP requests. This backlog was carried over into the 2021 to 2022 fiscal year.
To address these challenges, the Department during the 2021 to 2022 reporting period continued to improve its efficiency with its use of electronic processes and digital signatures. ESDC also provided additional staffing resources toward ATIP operations, resulting in a reduction in the backlog of requests.
6. Complaints, investigations and court actions
Under the Privacy Act, individuals may lodge a complaint to the OPC on the processing of their access requests if they were refused access or if they feel there was an undue delay. Individuals can also lodge complaints on the personal information handling practices of federal institutions subject to the Act, on matters such as the collection, use or disclosure of personal information.
During the 2021 to 2022 fiscal year, ESDC was notified by the OPC of 27 privacy complaints and that 6 complaints were determined to be well-founded. ESDC was also informed that 7 complaints were not well-founded, 11 were resolved during the investigation, and 2 were discontinued. There were 7 open complaints with the OPC that were outstanding from previous reporting periods: 4 from 2020 to 2021; 2 from 2016 to 2017; and 1 from 2015 to 2016 or earlier.
With respect to the well-founded use and disclosure complaints, 1 involved an inappropriate disclosure of personal information during an ESDC administrative investigation. The OPC found that the disclosure did not meet Privacy Act or DESDA requirements. In another instance, a well-founded complaint involved the loss of information between Service Canada Centres caused by an addressing error.
The remaining well-founded reports involved instances where the Department did not satisfy the legislated time limits in responding to Privacy Act requests. In all 4 cases, following the OPC’s investigation, the Department provided a response to the requestor.
There were no privacy complaints deliberated in the courts during the reporting period.
The following table provides additional information about the complaints and their outcomes.
Complaints received | Total |
---|---|
Collection | 3 |
Denied access | 9 |
Improperly applied exemptions | 1 |
Unreasonable time extension | 4 |
Use and disclosure/Retention and disposal | 10 |
Total number of complaints received | 27 |
Investigations | Total |
Well-founded | 6 |
Not well-founded | 7 |
Complaints resolved during investigation | 11 |
Discontinued | 2 |
Total number of findings received | 26 |
Court actions | Total |
Number of court actions | 0 |
Note: The total number of notifications of complaints received and the total number of investigations with findings received will not necessarily be the same in a given fiscal year. Investigations could relate to complaints that were received by the OPC in a fiscal year prior the 2021 to 2022 reporting period.
7. Public interest disclosures
Disclosures in the public interest are made by ESDC under Section 37(1) of the DESDA instead of under Section 8(2)(m) of the Privacy Act. All such disclosures are reported to the OPC.
During the 2021 to 2022 fiscal year, the Department made personal information available in the public interest in 565 instances. ESDC processed 517 of these disclosures in its regional branches, most of which consisted of incidents involving individuals who threatened to harm themselves or others. In situations where there is an imminent threat to the safety and security of individuals, employees have the delegated authority to make the disclosure. Given the urgency of these events, the OPC was notified after the disclosure was made.
PMD approved the disclosure of personal information in an additional 48 cases (“PMD disclosures”). In most of these instances, personal information was made available to locate an individual, such as a missing person or for a police investigation.
The reasons for these disclosures and the totals for each are provided in the following table.
Reason for disclosures | Number of disclosures |
---|---|
Regional disclosures (Imminent threats) | 517 |
PMD disclosures
|
32 14 2 |
Total | 565 |
8. Material privacy breaches
A privacy breach is defined by the TBS-issued policy as the “improper unauthorized collection, use, disclosure, retention or disposal of personal information.” A privacy breach is “material” when it “involves sensitive personal information and could reasonably be expected to cause injury or harm to the individual and/or to a significant number of individuals.”
During the 2021 to 2022 fiscal year, the Department reported 346 material breaches to the OPC and to the TBS, a 115% increase from the number of incidents in the previous fiscal year (161 in total during 2020 to 2021). Most of these breaches were caused by operational errors resulting in personal information becoming lost in transit in the postal system or sent to the wrong person. Most of these incidents (303 cases) involved lost, misdirected, or stolen passports and passport application documents of which the Canada Post Corporation took responsibility for 257 incidents (please refer to the table below). The other 46 incidents involving passports and passport applications were the result of errors, loss, theft or misrouted documents while under the control of ESDC. While there was an increase in the number of incidents, the total represents an overall decrease in the rate of material breaches involving passports. In 2020 to 2021, ESDC processed 363,000 passport applications, a total that rose dramatically by 250% during 2021 to 2022, to 1,273,000.
The unauthorized access of personal information stored in ESDC’s systems accounted for 21 incidents. These cases were identified because of the Department’s expanded Audit Log Monitoring tracks the access of personal information by employees in ESDC’s electronic data holdings.
The Department continually seeks to implement measures to reduce privacy breaches through administrative, technical, and physical means. Importantly, through ESDC’s privacy training and awareness activities, employees are informed and trained in the handling of personal information, including appropriate use and safeguarding protocols.
Table 8 provides a breakdown of the material breaches by cause and a brief description of follow-up measures.
Number of material breaches | Nature of information breached | Communication and notification | Actions undertaken in response |
---|---|---|---|
22 | Personal information incorrectly shared with third-party individuals via telephone, email, or mail; and/or Documents containing personal information of clients were lost or stolen. |
When possible, personal letters were sent to affected individuals informing them of the breach. |
|
21 | Employees who made unauthorized accesses into departmental systems of client information (mostly discovered as part of internal audits conducted on the departmental systems). | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
257 | Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected, where Canada Post Corporation was responsible for the breach. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
46 | Passports, passport applications, and documents included with passport applications, lost, stolen or misdirected because of an internal ESDC error. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
Total Number of Material Breaches: 346 |
9. Training and awareness activities
Online privacy training
ESDC has a comprehensive training program to increase the knowledge and awareness of appropriate personal information management practices. All employees are required to maintain a valid certification in Stewardship of Information and Workplace Behaviours (SIWB), a course that addresses privacy, the handling of personal information, security, access to information, information management, and values and ethics. The course is a component of the Department’s Essential Training Curriculum and is delivered online. At the end of the 2021 to 2022 fiscal year, 33,453 employees held SIWB certification, which is valid for 2 years.
In addition to SIWB, ESDC provided additional online courses in its training catalogue that were relevant to privacy. The Access to Information and Privacy (ATIP): It’s everybody’s business course gives employees the knowledge required to protect, use and disclose personal information on a daily basis and teaches them to prevent breaches by seeking guidance or by using good judgment in a timely manner. Last fiscal year, 25,370 employees completed it.
New employees take the Doing Things Right and Doing the Right Thing: Putting the Departmental Code of Conduct into Action course, which has a significant privacy component. The course helps participants understand the application of ethical behaviour in the workplace and how to use that knowledge to guide them in their day-to-day work and decision-making, including their interactions with clients and colleagues. The course was taken by 24,861 employees during the 2021 to 2022 fiscal year.
In-person training and awareness
Throughout the reporting period, the Department continued to provide practical, easy-to-understand, and readily available privacy information and guidance to employees to reinforce the application of appropriate personal information handling and safeguarding practices, as well as to provide general knowledge on the philosophical and legislative underpinnings on privacy. These activities included organizing various privacy-themed information events and a series of specialized knowledge talks for Privacy Awareness Week, which took place in January 2022. Over 1,000 individuals participated in the various activities during the event.
Overall, 1,127 ESDC employees attended privacy training and awareness activities in a virtual format during 2021 to 2022. This was an eight-fold increase from the previous fiscal year (146 people in 2020 to 2021) when the Department was transitioning to online operations in response to the pandemic.
Annex A: Privacy Act Delegation Order
Privacy Act and Regulations: Delegation of Authority, Department of Employment and Social Development
The Minister of Employment and Social Development, pursuant to section 73 of the Privacy Act (the Act), hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Minister as the head of a government institution, under the provisions of the Act and the Privacy Regulations (the Regulations) set out in the schedule opposite each position.
Original signed March 12, 2020 by the Honourable Carla Qualtrough, Minister of Employment and Social Development
Description | Section | Delegated Authority |
---|---|---|
Retention of a record of requests and disclosed records to investigative bodies under Section 8(2)(e) of the Privacy Act | 8(4) |
|
Retention of records of uses of personal information | 9(1) |
|
Notification of the Privacy Commissioner of any new consistent uses of personal information and ensure use is included in next statement of consistent uses set forth in the Index | 9(4) |
|
Include personal information in personal information banks | 10 |
|
Respond to request for access within 30 days and give written notice and, if access to be given, give access | 14 |
|
Extension of the 30-day time limit to respond to a privacy request | 15 |
|
Decision on whether to translate a response to a privacy request in one of the two official languages | 17(2)(b) |
|
Decision on whether to convert personal information to an alternate format | 17(3)(b) |
|
Decision to refuse to disclose personal information contained in an exempt bank | 18(2) |
|
Decision to refuse access to personal information that was obtained in confidence from the government of a foreign state or institution, an international organization of states or an institution thereof, the government of a province or institution thereof, a municipal or regional government established by or pursuant to an act of the legislature of a province or an institution of such a government, or the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act or the council of a participating in First Nation as defined in the First Nations Jurisdiction over Education in British Columbia Act | 19(1) |
|
Authority to disclose personal information referred to in 19(1) if the government, organization or institution described in 19(1) consents to the disclosure or makes the information public | 19(2) |
|
Refuse to disclose personal information that may be injurious to the conduct of federal-provincial affairs | 20 |
|
Refuse to disclose personal information that may be injurious to international affairs or the defence of Canada or one of its allies | 21 |
|
Refuse to disclose personal information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions | 22 |
|
Refuse to disclose personal information created for the Public Servants Disclosure Protection Act | 22.3 |
|
Refuse to disclose personal information prepared by an investigative body for security clearance | 23 |
|
Refuse to disclose personal information that was collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence if the conditions in the Section are met | 24 |
|
Refuse to disclose personal information which could threaten the safety of individuals | 25 |
|
Refuse to disclose personal information about another individual and shall refuse to disclose such information where disclosure is prohibited under Section 8 | 26 |
|
Refuse to disclose personal information that is subject to solicitor-client privilege. | 27 |
|
Refuse to disclose personal information relating to the individual’s physical or mental health where the disclosure is contrary to the best interests of the individual | 28 |
|
Receive notice of investigation by the Privacy Commissioner | 31 |
|
Right to make representations to the Privacy Commissioner during an investigation | 33(2) |
|
Receive Privacy Commissioner’s report of findings of an investigation and give notice of action taken | 35(1) |
|
Provision of addition personal information to a complainant after receiving a 35(1)(b) notice. | 35(4) |
|
Receive Privacy Commissioner’s report of findings of investigation of exempt bank | 36(3) |
|
Receive report of Privacy Commissioner’s findings after compliance investigation | 37(3) |
|
Request that a court hearing, undertaken with respect to certain sections of the Act be held in the National Capital Region. | 51(2)(b) |
|
Request and be given right to make representations in Section 51 hearings | 51(3) |
|
Prepare annual report to Parliament | 72(1) |
|
Description | Section | Delegated Authority |
---|---|---|
Allow examination of the documents (Reading Room) | 9 |
|
Notification of Correction | 11(2) |
|
Correction refused, notation placed on file | 11(4) |
|
Disclosure to a medical practitioner or psychologist | 13(1) |
|
Disclosure in the presence of a medical practitioner or psychologist | 14 |
|
Annex B: Summaries of Completed Privacy Impact Assessments
ESDC completed 19 PIAs of different types over the course of the 2021 to 2022 fiscal year, as well as 3 substantive addendums to already completed assessments. Of this total, 3 were prepared in an adapted Privacy Compliance Evaluation format that was specified in the Interim Directive on PIA. Information on all PIAs is found below and on ESDC’s PIA website.
Canada Education Savings Program (CESP) Analytical and Monitoring Solution
The CESP uses 2 interactive databases: the Reporting Database (RDB) and the Canada Education Savings Grant Online Transactional Processing Database. The current RDB is inadequate in meeting the needs for data analytics and performance measurement. Consequently, the CESP intends to replace the RDB with an analytical and monitoring solution.
A PAITS was completed to identify and assess privacy risks associated with the collection and handling of personal information resulting from the introduction of a new database and relocation of personal information. 1 medium-level risk and 2 low-level risks were identified. The strategies to address these risks are scheduled for completion by June 2022.
Canada Emergency Student Benefit (CESB)
The CESB was established in May 2020 by the Government of Canada to provide financial support to students whose income was affected by the COVID‑19 pandemic.
A PIA was completed to identify the privacy risks associated with the collection and use of personal information of CESB applicants. 4 low-level risks and 5 compliance issues were identified. Mitigation actions to address them are being implemented and scheduled for completion by spring 2022.
Canada Service Corps Civic Participation Pilot
The Civic Participation Pilot is a Youth Leadership initiative by the Canada Service Corps administered by the Department’s Learning Branch. It will provide a virtual learning and leadership experience to 200 young adults from across the country and involve the selection of applicants using a third-party cloud-based web application portal. The application portal will collect and store applicants’ personal information and use them for administering activities.
A privacy analysis was completed to identify privacy risks associated with the collection and use of personal information received from youth applicants. 2 medium-level risks, 1 low-level risk and 2 compliance issues were identified. Mitigation actions to address these risks were scheduled for completion in 2021 to 2022.
Canada Student Financial Assistance (CSFA) Program use of Simplified Digital Identity Validation (SDIV) Solution
The CFSA Program’s use of the SDIV solution will deliver real-time multi-factor authentication that improves the Department’s Enterprise Cyber Authentication Service (ECAS). The ECAS provides registration and authentication services for the National Student Loans Service Centre account. The SDIV will be another solution for users who have forgotten the answers to their security questions and have locked themselves out of their account.
A privacy analysis was completed to identify the privacy risks associated with the handling of CSFA Program users’ personal information. 3 medium-level risks and 1 compliance issue were identified. The mitigation strategies to address these risks are being implemented and scheduled for completion by July 2022.
COVID-19 One-Time Non-Taxable Payment to Persons with Disabilities
In June 2020, the Government of Canada provided financial support for a one‑time non-taxable payment of up to $600 for persons with disabilities. Individuals with a valid Disability Tax Credit, beneficiaries of the Canada Pension Plan Disability benefit, the Quebec Pension Plan Disability benefit and individuals who receive any of the 7 Veterans Affairs Canada disability benefits received this payment.
A PIA was completed to identify privacy risks associated with the collection, use and handling of personal information for clients receiving this payment. 1 medium-level risk, 1 low-level risk and 2 compliance issues were identified and the mitigation strategies to address them are currently being implemented.
COVID-19 One-Time Tax-Free Payment for Seniors
In July 2020, the Government of Canada provided financial support for a one‑time tax-free payment for Canadians aged 65 and over who are eligible for the OAS. These payments were provided to help seniors cover the additional costs caused by the COVID-19 pandemic.
The COVID-19 one-time tax-free payment for seniors used personal information in a decision-making process to determine who was eligible for the COVID-19 Seniors Grant and the amount to which eligible recipients were entitled. We have completed a PIA to identify any privacy risks related to the collection, use and handling of personal information of clients receiving these payments. The PIA identified 2 medium-level risks and 2 compliance issues. The strategies to address these risks and compliance issues are scheduled for completion by June 2022.
COVID-19 One-Time Non-Taxable Grant for GIS Recipients who Received Pandemic Benefits in 2020: Issuance of Payments to Clients in Dire Need
The GIS is available to low-income OAS pensioners who live in Canada. In the Government of Canada’s 2021 Budget, a financial support for a one-time non-taxable grant payment of $200 was provided to GIS recipients who are in dire need of experiencing a loss or reduction to their GIS benefit due to the COVID‑19 pandemic.
We have completed a PIA to identify any privacy risks related to the collection, use, disclosure and handling of personal information of clients receiving this payment. The PIA identified 4 medium-level risks and 1 compliance issue. The strategies to address these risks and issue are scheduled for completion by March 31, 2023.
Electronic Public Trustee Portal to the Social Insurance Number (eSIN) Application
The Electronic Public Trustee Portal initiative will allow Public Trustees across Canada to apply for or request confirmation of a SIN as well as to request for personal information within the Social Insurance Register pertaining to individuals for whom they have legal authority. Personal information will be collected and used for administrative purposes, such as to identify and confirm the identity of clients (public trustees) to process a SIN application.
A PAITS was completed to identify any privacy risks associated with the collection and use of personal information through the Public Trustee Portal, a third-party cloud services platform. 2 medium-level risks, 1 low-level risk and 2 compliance issues were identified, and the mitigation strategies to address these risks are currently being implemented with scheduled completion in the 2021 to 2022 fiscal year.
EI Workload Efficiency and Process Improvement Project
The EI Workload Efficiency and Process Improvement project seeks to address workload challenges by implementing efficiencies and process improvements to ensure Service Canada is fulfilling client expectations in maintaining EI service standards. In addition, this work includes enhancing the client service experience.
A PAITS was completed to identify any risks associated with the projects task to address current challenges in the EI workload management system. 2 medium-level risks and 3 low-level risks were identified and the mitigation strategies to address them are currently being implemented with a scheduled completion date by March 2024.
Enabling Services Renewal Program – myEMS (PeopleSoft)
ESDC upgraded their Human Capital Management system (PeopleSoft) from version 9.1 to version 9.2 in order to leverage latest functionalities like enhanced data analytics, mobile capability and higher accessibility standards.
An addendum to the original PIA was completed to identify the privacy risks associated with the new collection and enhanced use of personal information. 2 compliance issues were identified and the corrective measures to address these issues are documented within the PIA.
eServiceCanada Passport
Service Canada created a new online passport renewal application portal in addition to a related case management system that together is called the “eServiceCanada Passport.” The eServiceCanada Passport is a new way to collect application information that was previously only collected by using a paper form that enables Service Canada to continue receiving passport renewal applications electronically, particularly when Service Canada Centres were closed.
A PAITS was completed to identify the privacy risks related to the use of eServiceCanada Passport. 2 medium-level risk and 2 compliance issues were identified, and the mitigation strategies to address them are currently being implemented.
Exchange of personal information on offenders between ESDC and Correctional Services Canada for the administration of the Employment Insurance Emergency Response Benefit (EI ERB)
As a result of the Government of Canada’s COVID-19 Emergency Response Act, measures were designed to provide immediate income support to Canadians and to help protect the economy from the impacts of the COVID-19 pandemic. ESDC is responsible for managing and processing payments for the EI ERB Program. Consequently, ESDC needs to collect personal information about offenders from Correctional Services Canada in cases of suspected ineligibility or overpayment.
As an urgent initiative related to COVID-19 and due to the sensitivity of the personal information collected from the Correctional Services Canada, a Privacy Compliance Evaluation (PCE) was completed for EI ERB. The PCE examined the privacy risks related to the management and protection of personal information involved in the collection, use and data matching activities to determine eligibility for the EI ERB. It identified 2 medium-level risks and 1 low-level risk. The strategies to address these risks were scheduled for completion during 2021 to 2022.
Hosted Contact Centre Solution (HCCS): Wave 2
The HCCS is a modernized, centrally managed and fully hosted solution for ESDC contact centres. The HCCS improves client experiences by leveraging industry-standard functionalities such as: cloud-based routing, enhanced self‑service, computer telephony integration, call and screen recording, virtual hold and workforce management to ensure prompt and efficient services.
A PAITS was completed to identify and assess the privacy risks associated with the major change to existing contact center practices in the protection of personal information. The PAITS identified 1 medium-level risk. The strategy to address this risk was scheduled for implementation in spring 2022.
Implementation of Adobe Target on Canada.ca
Service Canada applied Adobe Target, a third-party web analytic software, to Canada.ca webpages to improve visitor experience and to maximize the effectiveness of the webpages in matching the needs of visitors.
A PAITS was completed to identify and assess the privacy risks associated with the management and protection of personal information by using by the Adobe Target software. The PAITS identified 3 low-level risks, 1 insignificant-level risk and 4 compliance issues. The strategies to address these risks and issues are being implemented.
Integrated Labour System (ILS) Employer’s Annual Hazardous Occurrence Reports (EAHOR)
ESDC’s Labour Program oversees the facilitation of compliance with labour laws and Canadian labour standards. Each year, all federally regulated employers submit an EAHOR to the Minister of Labour. EAHORs record the total number of fatalities, accidents, occupational diseases and other hazardous occurrences in a workplace in a given year. ILS was implemented by the Labor Program to administer EAHORs as part of the modernization of its operating environment.
A PAITS was completed as part of multiple privacy analyses that the Labour Program will complete on the ILS. The PAITS was completed to identify and assess the privacy risks and impacts in the collection and use of personal information of employees by submitting the EAHOR report using the ILS. 1 medium-level risk, 2 low-level risks and 2 compliance issues were identified. The strategies to address these risks and issues have been recommended to the Program.
MyAlberta Digital Identity (MADI) Agreement
The MyAlberta Digital Identity Trusted Digital Identity Agreement will give Alberta residents the opportunity to streamline their access to their My Service Canada Account by using MADI, their provincially approved identity-bound credential as a Trusted Digital Identity. This agreement replaces the MADI pilot.
An addendum to the original PIA (April 2019) on the pilot was completed to identify the privacy risks associated with the indirect collection and use of personal information by ESDC from Service Alberta. 1 medium-level risk, 1 low-level risk and 2 compliance issues were identified. Mitigation strategies to address these risks were scheduled for completion by August 21, 2021.
Receipt of Entry-Exit Data from the Canada Border Services Agency by the OAS Program
ESDC receives Entry-Exit traveller information from the Canada Border Services Agency in order to investigate potential fraud and abuse of the OAS program. This information is matched with OAS client data to identify non‑portable beneficiaries who should have self-reported their absence from Canada.
An addendum to the original PIA was completed to identify the privacy risks associated with the collection and use of Entry-Exit data from Canada Border Services Agency resulting from the data matching activity using the Social Insurance Register. 1 low-level risk was identified with no scheduled mitigation action since the activity was expected to end by the end of the 2021 to 2022 fiscal year.
Record of Employment Comment (ROEC) Artificial Intelligence Model
A Record of Employment (ROE) provides information on employment history. The information on the ROE is used to decide if a person is eligible to collect EI benefits, what the benefit amount will be, for how long the benefits will be paid. Some ROEs online have free text comments. The ROEC tool automates the review of the ROE text comment field using machine learning, and confirms or updates the reason for separation in the ROE. Additionally, information from the ROE comment field helps decide EI benefits.
A PAITS was completed to identify and assess privacy risks associated with the ROEC tools automation in its review of the ROE Comments. The PAITS identified 1 medium-level risk and one compliance issue. The strategies to address this risk and compliance issue were scheduled for completion during the 2021 to 2022 fiscal year.
Security Screening Intake Process Simplification Project (SSIPS)
The SSIPS Project is a partnership between ESDC’s Integrity Service Branch and Transport Canada to support ESDC to process security clearances for employees. Before this project, the security screening solution at ESDC was manual. SSIPS is focused on improving the user experience to obtain security screening by digitalizing and simplifying the process through a portal for secure submissions for employees.
A PAITS was completed to identify and assess privacy risks associated with the collection, use and handling of personal information received from applicants to process their security clearance for work. The PAITS identified 4 privacy risks: 1 medium-level risk and 3 low-level risks. Additionally, 3 compliance issues were also identified. The mitigation strategies to address these risks and issues were scheduled for completion by March 2022.
Service Canada Compliance Verification Service for the Public Health Agency of Canada (PHAC)
During the COVID-19 pandemic, the Service Canada Compliance Verification Service for PHAC was modified to help PHAC contact more travelers. ESDC and Service Canada continue to provide service delivery for PHAC’s COVID‑19 Quarantine Compliance Campaign with changes to its services in determining whether travelers are following travel guidelines.
A PCE was completed to identify and assess any privacy risks associated with the collection and handling of travelers personal information. 1 medium-level risk, 2 low-level risks and 2 compliance issues were identified in the PCE. The strategies to address these risks and issues were scheduled for completion during the 2021 to 2022 fiscal year.
Simplified Digital Identity Validation Solution
The SDIV solution will provide real-time authentication that improves ESDC’s ECAS. The ECAS solution runs registration and authentication services for My Service Canada Account and the SDIV solution will provide users with the option to sign up for or sign in to it in real time by providing a digital second factor verification.
A PCE was completed to identify any privacy risks related to the collection and handling of personal information. 3 medium-level risks and 3 compliance issues were identified. The strategies to address these risks and issues were scheduled for completion by March 31, 2022.
Supplementary Payment for Older Seniors
As part of the Government of Canada’s Budget 2021, a one-time payment was provided to all Canadians aged 65 and over who met the residence requirements to receive the OAS pension. The one-time payment was intended to meet the immediate needs of older seniors until a 10% increase to the OAS pension for seniors 75 and older is permanently implemented.
A PIA was completed to identify any privacy risks related to the collection, use and handling of personal information for clients receiving the payment. 2 medium-level risks and 1 compliance issue was identified. The strategies to address these risks and compliance issues are scheduled for completion by June 2022.
Annex C: ESDC Statistical Report on the Privacy Act, 2021 to 2022
Statistical report on the Privacy Act
Name of institution: Employment and Social Development Canada
Reporting period: 2021-04-01 to 2022-03-31
Section 1: Requests under the Privacy Act
1.1 Number of requests received
Detail | Number of requests |
---|---|
Received during reporting period | 17,695 |
Outstanding from previous reporting period | 1,856 |
Outstanding from previous reporting periods | 1,847 |
Outstanding from more than one reporting period | 9 |
Total | 19,551 |
Closed during reporting period | 17,577 |
Carried over to next reporting period | 1,974 |
Carried over within legislated timeline | 1,694 |
Carried over beyond legislated timeline | 280 |
1.2 Channels of requests
Source | Number of requests |
---|---|
Online | 4,005 |
2,357 | |
6,354 | |
In person | 3 |
Phone | 14 |
Fax | 4,962 |
Total | 17,695 |
Section 2: Informal Requests
2.1 Number of informal requests
Detail | Number of requests |
---|---|
Received during reporting period | 6,481 |
Outstanding from previous reporting period | 690 |
Outstanding from previous reporting periods | 688 |
Outstanding from more than one reporting period | 2 |
Total | 7,171 |
Closed during reporting period | 5,858 |
Carried over to next reporting period | 1,313 |
2.2 Channels of informal requests
Source | Number of requests |
---|---|
Online | 18 |
122 | |
759 | |
In person | 3 |
Phone | 75 |
Fax | 5,504 |
Total | 6,481 |
2.3 Completion time of informal requests
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
---|---|---|---|---|---|---|---|
780 | 1,415 | 561 | 1,987 | 1,102 | 10 | 3 | 5,858 |
2.4 Pages released informally
Less Than 100 Pages Released | 100-500 Pages Released | 501-1,000 Pages Released | 1,001-5,000 Pages Released | More Than 5,000 Pages Released | |||||
---|---|---|---|---|---|---|---|---|---|
Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released |
4,316 | 116,606 | 1,401 | 269,238 | 102 | 69,427 | 39 | 65,531 | 0 | 0 |
Section 3: Requests closed during the Reporting period
3.1 Disposition and completion time
Completion time | ||||||||
---|---|---|---|---|---|---|---|---|
Disposition of requests | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
All disclosed | 60 | 644 | 530 | 637 | 8 | 0 | 1 | 1,880 |
Disclosed in part | 849 | 4,038 | 3,844 | 3,277 | 39 | 7 | 4 | 12,058 |
All exempted | 1 | 3 | 0 | 0 | 0 | 0 | 0 | 4 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
No records exist | 829 | 1,424 | 547 | 431 | 3 | 0 | 1 | 3,235 |
Request abandoned | 157 | 125 | 88 | 28 | 2 | 0 | 0 | 400 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 1,896 | 6,234 | 5,009 | 4,373 | 52 | 7 | 6 | 17,577 |
3.2 Exemptions
Section | Number of requests |
---|---|
18(2) | 0 |
19(1)(a) | 0 |
19(1)(b) | 0 |
19(1)(c) | 0 |
19(1)(d) | 0 |
19(1)(e) | 0 |
19(1)(f) | 0 |
20 | 0 |
21 | 0 |
22(1)(a)(i) | 0 |
22(1)(a)(ii) | 0 |
22(1)(a)(iii) | 2 |
22(1)(b) | 11 |
22(1)(c) | 0 |
22(2) | 0 |
22.1 | 0 |
22.2 | 0 |
22.3 | 0 |
22.4 | 0 |
23(a) | 1 |
23(b) | 0 |
24(a) | 0 |
24(b) | 0 |
25 | 15 |
26 | 11,986 |
27 | 48 |
27.1 | 0 |
28 | 3 |
3.3 Exclusions
Section | Number of requests |
---|---|
69(1)(a) | 0 |
69(1)(b) | 0 |
69.1 | 4 |
70(1) | 0 |
70(1)(a) | 0 |
70(1)(b) | 0 |
70(1)(c) | 0 |
70(1)(d) | 0 |
70(1)(e) | 0 |
70(1)(f) | 0 |
70.1 | 0 |
3.4 Format of information released
Paper | Electronic | Other | |||
---|---|---|---|---|---|
E- record | Data set | Video | Audio | ||
10,551 | 3,743 | 0 | 0 | 0 | 2,977 |
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of pages processed | Number of pages disclosed | Number of requests |
---|---|---|
1,477,202 | 1,384,322 | 14,342 |
3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests
Disposition | Less than 100 pages processed |
101–500 pages processed |
501-1,000 pages processed |
1,001–5,000 pages processed |
More than 5,000 pages processed |
|||||
---|---|---|---|---|---|---|---|---|---|---|
Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | |
All disclosed | 1,637 | 34,066 | 235 | 41,579 | 7 | 4,638 | 1 | 1,351 | 0 | 0 |
Disclosed in part | 7,758 | 309,354 | 4,006 | 774,230 | 209 | 140,333 | 81 | 143,764 | 4 | 24,569 |
All exempted | 2 | 33 | 2 | 692 | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Request aband.oned | 390 | 850 | 10 | 1,743 | 0 | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 9,787 | 344,303 | 4,253 | 818,244 | 216 | 144,971 | 82 | 145,115 | 4 | 24,569 |
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed | Number of minutes disclosed | Number of requests |
---|---|---|
0 | 0 | 0 |
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition | Less than 60 minutes processed |
60- 120 minutes processed |
More than 120 minutes processed |
|||
---|---|---|---|---|---|---|
Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 |
3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed | Number of minutes disclosed | Number of requests |
---|---|---|
0 | 0 | 0 |
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition | Less than 60 minutes processed |
60- 120 minutes processed |
More than 120 minutes processed |
|||
---|---|---|---|---|---|---|
Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 |
3.5.7 Other complexities
Disposition | Consultation required | Legal Advice sought | Interwoven information | Other | Total |
---|---|---|---|---|---|
All disclosed | 1 | 0 | 0 | 0 | 1 |
Disclosed in part | 7 | 0 | 0 | 0 | 7 |
All exempted | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
Total | 8 | 0 | 0 | 0 | 8 |
3.6 Closed requests
3.6.1 Number of requests closed within legislated timelines
Detail | Requests closed within legislated timelines |
---|---|
Number of requests closed within legislated timelines | 10,190 |
Percentage of requests closed within legislated timelines (%) | 57.97348808 |
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Principal Reason | ||||
---|---|---|---|---|
Number of requests closed past the legislated timelines | Interference with Operations / Workload | External consultation | Internal consultation | Other |
7,387 | 7,348 | 0 | 1 | 38 |
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of days past legislated timelines | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timelines where an extension was taken | Total |
---|---|---|---|
1 to 15 days | 1,242 | 54 | 1,296 |
16 to 30 days | 1,971 | 13 | 1,984 |
31 to 60 days | 2,622 | 4 | 2,626 |
61 to 120 days | 1,456 | 9 | 1,465 |
121 to 180 days | 5 | 1 | 6 |
181 to 365 days | 3 | 1 | 4 |
More than 365 days | 3 | 3 | 6 |
Total | 7,302 | 85 | 7,387 |
3.8 Requests for translation
Translation requests | Accepted | Refused | Total |
---|---|---|---|
English to French | 0 | 0 | 0 |
French to English | 1 | 0 | 1 |
Total | 1 | 0 | 1 |
Section 4: Disclosures under Subsections 8(2) and 8(5)
Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
---|---|---|---|
0 | 0 | 0 | 0 |
Section 5: Requests for correction of Personal information and Notations
Disposition for correction requests received | Number |
---|---|
Notations attached | 9 |
Requests for correction accepted | 2 |
Total | 11 |
Section 6: Extensions
6.1 Reasons for extensions
15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | ||||||
---|---|---|---|---|---|---|---|---|
Number of requests where an extension was taken | Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | |
1,069 | 0 | 0 | 1,048 | 0 | 1 | 0 | 19 | 1 |
6.2 Length of extensions
15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | ||||||
---|---|---|---|---|---|---|---|---|
Length of extensions | Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | |
1 to 15 days | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |
16 to 30 days | 0 | 0 | 1,048 | 0 | 1 | 0 | 18 | 1 |
31 days or greater | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 1,048 | 0 | 1 | 0 | 19 | 1 |
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
---|---|---|---|---|
Received during the reporting period | 3 | 127 | 0 | 0 |
Outstanding from the previous reporting period | 3 | 1,074 | 0 | 0 |
Total | 6 | 1,201 | 0 | 0 |
Closed during the reporting period | 5 | 1,106 | 0 | 0 |
Carried over within negotiated timelines | 1 | 95 | 0 | 0 |
Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation | Number of days required to complete consultation requests | |||||||
---|---|---|---|---|---|---|---|---|
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
Disclose entirely | 1 | 0 | 1 | 1 | 1 | 0 | 0 | 4 |
Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
Total | 1 | 0 | 1 | 1 | 1 | 0 | 1 | 5 |
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation | Number of days required to complete consultation requests | |||||||
---|---|---|---|---|---|---|---|---|
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of days | Fewer than 100 pages processed | 100 to 500 pages processed | 501 to 1,000 pages processed | 1,001 to 5,000 pages processed | More than 5,000 pages processed | |||||
---|---|---|---|---|---|---|---|---|---|---|
Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
8.2 Requests with Privy Council Office
Number of days | Fewer than 100 pages processed | 100 to 500 pages processed | 501 to 1,000 pages processed | 1,001 to 5,000 pages processed | More than 5,000 pages processed | |||||
---|---|---|---|---|---|---|---|---|---|---|
Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 9: Complaints and Investigations notices received
Section 31 | Section 33 | Section 35 | Court action | Total |
---|---|---|---|---|
27 | 21 | 26 | 0 | 74 |
Section 10: Privacy Impact Assessments (PIA) and Personal Information Banks (PIB)
10.1 Privacy Impact Assessments
Number of PIAs completed | 19 |
---|---|
Number of PIAs modified | 3 |
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks | Active | Created | Terminated | Modified |
---|---|---|---|---|
Institution-specific | 65 | 1 | 0 | 3 |
Central | 0 | 0 | 0 | 0 |
Total | 65 | 1 | 0 | 3 |
Section 11: Privacy breaches
11.1 Material Privacy breaches
Number of material privacy breaches reported to TBS | 346 |
---|---|
Number of material privacy breaches reported to OPC | 346 |
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches | 697 |
---|
Section 12: Resources related to the Privacy Act
12.1 Allocated Costs
Expenditures | Amount |
---|---|
Salaries | $6,790,105 |
Overtime | $304,698 |
Goods and services | $13,386 |
Goods and services: Professional services contracts | $0 |
Goods and Services: Other | $13,386 |
Total | $7,108,189 |
12.2 Human Resources
Resources | Person years dedicated to privacy activities |
---|---|
Full-time employees | 32.518 |
Part-time and casual employees | 0.325 |
Regional staff | 44.289 |
Consultants and agency personnel | 0.000 |
Students | 0.939 |
Total | 78.071 |
Supplemental statistical report on the Access to Information Act and the Privacy Act
Name of institution: Employment and Social Development Canada
Reporting period: 2021-04-01 to 2022-03-31
Section 1: Capacity to receive requests under the Access to Information Act and the Privacy Act
Number of Weeks | |
---|---|
Able to receive requests by mail | 52 |
Able to receive requests by email | 52 |
Able to receive requests through the digital request service | 52 |
Section 2: Capacity to process records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No Capacity | Partial Capacity | Full Capacity | Total | |
---|---|---|---|---|
Unclassified Paper Records | 28 | 0 | 24 | 52 |
Protected B Paper Records | 28 | 0 | 24 | 52 |
Secret and Top Secret Paper Records | 28 | 0 | 24 | 52 |
2.2 Number of weeks your institution was able to process electronic records in different classification levels
No Capacity | Partial Capacity | Full Capacity | Total | |
---|---|---|---|---|
Unclassified Electronic Records | 0 | 0 | 52 | 52 |
Protected B Electronic Records | 0 | 0 | 52 | 52 |
Secret and Top Secret Electronic Records | 0 | 0 | 52 | 52 |
Section 3: Open Requests and Complaints Under the Access to Information Act
3.1 Number of open requests that are outstanding from previous reporting periods
Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2022 | Open Requests that are Beyond Legislated Timelines as of March 31, 2022 | Total |
---|---|---|---|
Received in 2021 to 2022 | 54 | 169 | 223 |
Received in 2020 to 2021 | 62 | 6 | 68 |
Received in 2019 to 2020 | 35 | 6 | 41 |
Received in 2018 to 2019 | 9 | 0 | 9 |
Received in 2017 to 2018 | 3 | 0 | 3 |
Received in 2016 to 2017 | 1 | 0 | 1 |
Received in 2015 to 2016 or earlier | 0 | 0 | 0 |
Total | 164 | 181 | 345 |
3.2 Number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints Were Received by Institution | Number of Open Complaints |
---|---|
Received in 2021 to 2022 | 19 |
Received in 2020 to 2021 | 8 |
Received in 2019 to 2020 | 9 |
Received in 2018 to 2019 | 8 |
Received in 2017 to 2018 | 5 |
Received in 2016 to 2017 | 5 |
Received in 2015 to 2016 or earlier | 0 |
Total | 54 |
Section 4: Open Requests and Complaints Under the Privacy Act
4.1 Number of open requests that are outstanding from previous reporting periods under the Privacy Act
Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2022 | Open Requests that are Beyond Legislated Timelines as of March 31, 2022 | Total |
---|---|---|---|
Received in 2021 to 2022 | 269 | 0 | 269 |
Received in 2020 to 2021 | 8 | 0 | 8 |
Received in 2019 to 2020 | 2 | 0 | 2 |
Received in 2018 to 2019 | 0 | 1,694 | 1,694 |
Received in 2017 to 2018 | 1 | 0 | 1 |
Received in 2016 to 2017 | 0 | 0 | 0 |
Received in 2015 to 2016 or earlier | 0 | 0 | 0 |
Total | 280 | 1,694 | 1,974 |
4.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints Were Received by Institution | Number of Open Complaints |
---|---|
Received in 2021 to 2022 | 9 |
Received in 2020 to 2021 | 4 |
Received in 2019 to 2020 | 7 |
Received in 2018 to 2019 | 1 |
Received in 2017 to 2018 | 0 |
Received in 2016 to 2017 | 1 |
Received in 2015 to 2016 or earlier | 1 |
Total | 23 |
Section 5: Social Insurance Number (SIN)
Did your institution receive authority for a new collection or new consistent use of the SIN in 2021 to 2022? | Yes |
---|
Page details
- Date modified: