Annual Report on the Administration of the Privacy Act 2023 to 2024
On this page
- Employment and Social Development Canada’s privacy year in review, 2023 to 2024
- 1. Introduction
- 2. Organizational context
- 3. Employment and Social Development Canada’s privacy regime
- 4. Policies, procedures, and initiatives
- 5. Performance overview
- 6. Complaints, investigations, and court actions
- 7. Public interest disclosures
- 8. Material privacy breaches
- 9. Training and awareness activities
- Annex A: Delegation Orders
- Annex B Summaries of completed Privacy Impact Assessments
- Annex C Statistical reports
List of tables
- Table 1: Number of active requests that are outstanding from previous fiscal years
- Table 2: Number of Privacy Act requests where an extension was invoked
- Table 3: Consultation requests received from other Government of Canada institutions and other organizations
- Table 4: Percentage of completed requests for which records were “all disclosed”, and percentage for which records were “disclosed in part”
- Table 5: Number of disclosures by reason
- Table 6: Description of material breaches and action plans
Employment and Social Development Canada’s privacy year in review, 2023 to 2024
Employment and Social Development Canada (ESDC) is responsible for developing, managing, and delivering social programs and services, including some of Canada’s largest, such as Employment Insurance (EI), the Canada Pension Plan (CPP), and the Passport Program. Given its mandate, ESDC collects and controls a large volume of personal information, involving a range of collection, use, retention, and disclosure activities, as well as coordination with an array of partners and stakeholders. Privacy management continues to be a core component in delivering ESDC’s programs and priorities, whether through program delivery, validation of the identity of individuals, conducting research and analysis, or carrying out integrity operations.
During the 2023 to 2024 fiscal year, ESDC received 21,722 requests, an increase of 4.3% from the previous year, and achieved a 73.5% compliance rate, as a measure of the percentage of all files that were closed either within the initial 30 days or during an extension period. In addition, the Department processed a record volume of 1.91 million pages for exemptions and exclusions, of which 1.77 million pages were disclosed.
As Privacy Act request volumes continue to grow, the Department remains committed to providing Canadians with their personal information when they ask for it, and to do so in an efficient and timely manner. In this reporting period, ESDC made significant strides to improve publicly available information, with updated guidance, navigation, and search results on Canada.ca, designed to help Canadians obtain information as efficiently as possible. When personal information is readily available and does not need a Privacy Act request for access, individuals are offered the use of My Service Canada Account and My account for individuals (CRA). They can also receive assistance with submitting their requests in digital form. It is expected that these solutions could redirect thousands of requests to more readily available sources instead of undertaking the longer Privacy Act process.
Organizational readiness for a digitally enabled ATIP function is equally important to ESDC’s commitment to client-centric service. In this reporting period, the Department continued preparations for the implementation of new ATIP technologies along with updated standards and procedures that are expected to enhance the client experience and service standards.
On a broader scale, departmental information technology modernization projects were assessed to ensure that the appropriate technical and administrative means to protect personal information are built into the new systems before they become operational. For example, ESDC has adopted a privacy‑by‑design approach for ESDC’s Benefits Delivery Modernization programme, a large-scale transformation initiative for the delivery of EI, CPP, and Old Age Security (OAS) benefits. The programme is served by a dedicated privacy team to integrate privacy management throughout its development. For current systems that are up and running, the links between privacy and cybersecurity are closely monitored to help defend the Department against current and future threats to ESDC-controlled data. Each new initiative or activity is reviewed to ensure that the privacy interests of Canadians are respected and safeguarded.
ESDC takes pride in delivering programs and services to Canadians at key stages of their lives. As demonstrated in this report, the responsible stewardship of personal information, transparency, and client service, continues to be prioritized as an integral part of fulfilling the ESDC mandate.
1. Introduction
Presentation of this report
Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of the Act following the end of every fiscal year. This is ESDC’s annual report to Parliament on the administration of the Privacy Act for the 2023 to 2024 fiscal year.
There are no ESDC wholly owned subsidiaries or non-operational institutions on which to report.
About ESDC
The Department of Human Resources and Social Development, commonly referred to as ESDC, is the Government of Canada’s department responsible for developing, managing, and delivering social programs and services. Its mission is to build a stronger and more inclusive Canada, support Canadians in helping them have productive and rewarding lives and improve their quality of life. ESDC’s core responsibilities are:
- social development to increase inclusion and opportunities for Canadians to participate in their communities
- pensions and benefits to assist Canadians in maintaining income for retirement and provide financial benefits to surviving spouses, people with disabilities, and their families
- learning, skills development, and employment to help Canadians access postsecondary education, obtain the skills and training needed to participate in a changing labour market, and provide support to those who are temporarily unemployed
- working conditions and workplace relations to promote safe, healthy, fair, and inclusive work conditions and cooperative workplace relations
- information delivery and services for other departments: to provide information to the public on the programs of the Government of Canada and provide services for government departments and other partners
ESDC consists of 3 major entities within its structure:
- Employment and Social Development designs and manages programs that affect Canadians of all ages, such as seniors with basic income security, supports for unemployed workers, help for students to finance their postsecondary education, and assistance for parents in raising young children.
- The Labour Program contributes to social and economic well-being by fostering safe, healthy, fair, and inclusive work environments and cooperative workplace relations under federal jurisdiction. It also offers labour relations mediation services, enforces minimum working conditions, promotes decent work, and fosters respect for international labour standards.
- Service Canada provides Canadians with a single point of access to a wide range of government services and benefits. As of October 2022, it had a network of 598 in‑person points of service across the country, including 318 Service Canada Centres, 247 scheduled outreach sites, and 17 stand-alone Passport offices. It operated 28 call centres and 47 other operations centres in 5 regions across Canada. In addition to in‑person services, Service Canada also serves the needs of Canadians online at Canada.ca, through the MSCA, and by telephone with “1 800 O‑Canada” and its network of call centres.
ESDC is responsible for the design and delivery of many important federal programs, such as:
- Old Age Security
- Canada Pension Plan
- Employment Insurance
- Social Insurance Number
- Canada Disability Savings Program
- Canada Student Financial Assistance Program
- Canada Apprentice Loan
- Canada Education Savings Program
- Wage Earner Protection Program
- Passport Services
These programs and services, along with many others, are some of the largest and most well known that are delivered by the Government of Canada.
ESDC is led by 5 Ministers, supported by 5 Deputy Ministers responsible for its day-to-day operations, budget, and program development.
With over 41,000 employees, ESDC is one of the largest departments within the Government of Canada. Operating across Canada, 73% of its employees work outside the National Capital Region.
Organization of Employment and Social Development Canada
Mission
The mission of Employment and Social Development Canada, including the Labour Program and Service Canada, is to build a strong and more inclusive Canada, to support Canadians in helping them live productive and rewarding lives and to improve Canadians' quality of life.
Ministers
- Minister of Employment, Workforce Development and Official Languages
- Minister of Families, Children and Social Development
- Minister of Labour and Seniors
- Minister of Diversity, Inclusion and Persons with Disabilities
- Minister of Citizens' Services
Deputy Ministers
- Deputy Minister of Employment and Social Development
- Associate Deputy Minister of Employment and Social Development and Chief Operating Officer for Service Canada
- Deputy Minister of Labour and Associate Deputy Minister of Employment and Social Development
- Senior Associate Deputy Minister of Employment and Social Development
- Business Lead, Benefits Delivery Modernization, Employment and Social Development Canada
Employment and Social Development
Responsible for policy development and program design and management for:
- Old Age Security
- Canada Pension Plan
- Canada Student Financial Assistance Program
- Canada Education Savings Program
- Canada Service Corps
- Canadian Apprenticeship Strategy
- Employment Insurance Program
- Enabling Fund for Official Languages Minority Communities
- Foreign Credential Recognition Program
- Indigenous Skills and Employment Training Program
- Labour Market Transfer Agreements
- Opportunities Fund for Persons with Disabilities
- Skills and Partnership Fund
- Youth Employment and Skills Strategy Program
Branches:
- Income Security and Social Development Branch
- Learning Branch
- Skills and Employment Branch
- Strategic and Service Policy Branch
Labour Program
Responsible for labour issues affecting federally regulated industries in Canada, including:
- Managing the Government of Canada’s relationships with its international, federal, provincial, and territorial partners; and with unions and employers
- Providing mediation and conciliation services to unions and employers in the federally regulated private sector
- Promoting respect for international labour standards with Canada’s international partners
- Leading the administration of labour legislation and regulations in the areas of workplace safety, labour standards, employment equity, and federal workers’ compensation
Branches:
- Compliance, Operations and Program Development Branch
- Policy, Dispute Resolution, and International Affairs Branch
Service Canada
Provides Canadians with services and information in person, online, by phone and by mail and is a single point of access to ESDC and other Government of Canada programs. It is responsible for providing:
- Benefits and program delivery
- Service Canada Centres (SCC)
- Scheduled outreach sites
- SCC Passport Services sites
- My Service Canada Account
- Community outreach
- Telephone operations
- Digital presence (eSIN and Canada.ca)
- Identity management
- Program integrity operations
- Temporary Foreign Worker Program
Branches:
- Benefits and Integrated Services Branch
- Canadian Digital Service
- Citizen Services Branch
- Integrity Services Branch
- Program Operations Branch
- Strategic and Service Policy Branch
- Temporary Foreign Worker Program Branch
- Atlantic Region
- Québec Region
- Ontario Region
- Western and Territories Region
Internal Enablers
- Chief Data Officer Branch
- Chief Financial Officer Branch
- Corporate Secretariat
- Human Resources Services Branch
- Innovation, Information and Technology Branch
- Internal Audit and Enterprise Risk Management Branch
- Legal Services Unit
- Public Affairs and Stakeholder Relations Branch
2. Organizational context
ESDC’s Corporate Secretary and Chief Privacy Officer
ESDC’s Corporate Secretariat Branch is responsible for issuing and overseeing the implementation of the Department’s privacy management policy, and providing privacy advice and guidance. It also processes ESDC’s privacy requests in the National Capital Region. These activities are conducted by the branch’s ATIP Operations Division, with functional support from ESDC’s 4 regional branches, and the Privacy Management Division (PMD) (see Figure 1).
The Corporate Secretary heads the branch and is ESDC’s designated Chief Privacy Officer (CPO). The CPO is the Department’s functional authority on all privacy matters, including privacy request processing and the management of personal information. The CPO provides strategic privacy policy advice and maintains ESDC’s privacy management program, which includes the assessment of privacy risks, determination of compliance with privacy legislation, policies, and standards, and the delivery of privacy training, all of which are crucial in implementing a privacy‑by‑design approach.
Access to Information and Privacy Operations Division
The ATIP Operations Division administers the Access to Information Act and the privacy request components of the Privacy Act for ESDC. It leads and advises on the processing of all ESDC requests under the Access to Information Act, performs line-by-line reviews of records requested under the Acts, and delivers training and awareness sessions to departmental employees on their administration. The Director of ATIP Operations is ESDC’s designated ATIP Coordinator.
The responsibility for processing Privacy Act requests in ESDC is shared between the ATIP Operations Division and the Department’s 4 regional branches: Atlantic, Ontario, Quebec, and Western and Territories. The ATIP Operations Division is responsible for coordinating ATIP activities in ESDC’s branches and regions, which include:
- responding to Access to Information Act requests
- responding to specific Privacy Act requests
- providing functional guidance to the regions about the operational and reporting components of the privacy function
- delivering general and tailored training sessions to employees on the administration of both acts
The Division also reviews Open Government publications for compliance with the Privacy Act.
The ATIP Operations Division is composed of an intake unit and ATIP processing teams. At the end of the 2023 to 2024 fiscal year, there were approximately 28 ATIP Operations employees.
Text description of Figure 1
The image represents a direct reporting relationship between the Corporate Secretary and Chief Privacy Officer and the ATIP Operations and Privacy Management divisions. It also shows a functional guidance relationship between the Corporate Secretary and Chief Privacy Officer and the 4 regional ATIP operation offices (Western, Ontario, Québec and Atlantic).
Regional privacy operations
The regional branches play a key role in fulfilling the Department’s Privacy Act responsibilities. During the 2023 to 2024 fiscal year, there were approximately 65 employees in the regions with ATIP processing duties. A network of liaison officers and managers within each region supports the processing of privacy requests and provides advice and guidance directly to program areas while coordinating with ATIP Operations Division.
Privacy Management Division (PMD)
PMD is ESDC’s centre for privacy policy expertise and is the Department’s focal point for authoritative privacy advice. It leads the horizontal implementation of departmental privacy policies and initiatives, conducts risk assessments, and provides privacy compliance guidance. In doing so, the Division leverages privacy‑by‑design approaches that integrate privacy considerations in the early stages of new programs, projects, and initiatives. PMD also reviews proposed information-sharing agreements and draft contracts. The Division responds to court and law enforcement requests for documents, administers public interest disclosures, plays a key role in the management and prevention of privacy breaches, and supports privacy training and awareness activities. As the Department’s privacy centre of expertise, PMD provides strategic privacy policy and analytical advice to the CPO and ESDC’s senior leaders.
The Division is organized into 4 functional groups consisting of a privacy policy and risk assessment unit, a privacy compliance and advisory services unit, an incident management and legislative disclosures unit, and a very small strategic advisory and planning unit. At the end of the 2023 to 2024 fiscal year, PMD had 37 employees. Three consultants were engaged on a part-time basis during the reporting period.
Service Agreement with Accessibility Standards Canada (ASC)
ESDC has a memorandum of understanding to provide ATIP services for ASC, an independent departmental corporation in the Department’s portfolio. Established under the Accessible Canada Act, ASC is mandated to contribute to the realization of a Canada without barriers on or before January 1, 2040. Privacy services that are provided include request processing, annual reporting advice and statistics, liaison functions, and training. ESDC also furnishes, when required, analysis and advice for privacy impact assessments (PIA), information-sharing arrangements, disclosures, contracting, legislative and policy compliance, and the management of security incidents involving personal information.
3. Employment and Social Development Canada’s privacy regime
Legal framework for privacy
ESDC operates within one of the most complex privacy regimes in the federal government, requiring the effective application and navigation of a myriad of privacy laws and policies. Its legal obligations are set out in the Privacy Act and in the personal information protection provisions found in the Department of Employment and Social Development Act (DESDA). Moreover, with the many collaborative efforts with which ESDC is involved to deliver national programs and services, legal interoperability with Government of Canada organizations, the provinces and territories, and municipal governments is always an important requirement.
The Privacy Act is the federal law that protects personal information under the control of federal public-sector institutions. Extending from the Charter of Rights and Freedoms, the Act is a key foundation piece for preserving the privacy interests of individuals in Canada. It sets the rules for the Government’s management of personal information by providing a framework that establishes the requirements for federal institutions on how they can collect, use, retain, and disclose personal information.
The collection and use of personal information by federal institutions are based on lawful authority or legal authorization. Federal institutions can only collect or use personal information with a sufficiently direct connection to legally authorized programs and activities.
Personal information under the control of a government institution cannot be disclosed without the consent of the individual, except in specific circumstances. These include uses that are consistent with the purpose of the original collection, when authorized by federal legislation, to comply with legal instruments, such as subpoenas and court orders, in circumstances where there is a clear benefit to the individual, and where there is a public interest that outweighs the invasion of privacy. Importantly, the Act gives individuals the right to request access to their own personal information held by a federal institution and the right to request a correction to their information when it is inaccurate. The Privacy Act also establishes the Privacy Commissioner, an independent agent of Parliament who oversees the Act’s implementation and has powers to receive and investigate complaints.
The administration of the Act by federal institutions, including ESDC, is supplemented by policies and directives. These are issued by the President of the Treasury Board or an authorized delegate.
In addition to the Privacy Act, the management of personal information by ESDC is undertaken in accordance with the statutory obligations in the Department’s enabling legislation. DESDA describes the rules for personal information controlled by ESDC and is applied in tandem with the Privacy Act. DESDA sets out the requirements for:
- making personal information available to other federal institutions, provincial and territorial authorities or international partners for administrative and integrity purposes
- making personal information available in the public interest and for law enforcement
- making available the information contained in the Social Insurance Register
- using personal information for internal policy analysis, research, and evaluation purposes
- making personal information available for research or statistical analysis
Where the Department delivers services to the public on behalf of other federal institutions and jurisdictions, or when delivering select services for the Government of Canada, the partner’s privacy regime, normally the Privacy Act, will apply instead of DESDA.
Privacy Act Delegation Order
Section 73 of the Privacy Act empowers the head of an institution to delegate any of the powers, duties or functions assigned to that person by the Act to employees of that institution, typically through a delegation order. This instrument assigns the powers, duties, and functions for the administration of the Act that have been delegated by the head of the institution and to whom that delegation has been assigned.
The current Privacy Act Delegation Order, which was approved by the Minister of Employment, Workforce Development and Official Languages in March 2024, is reproduced in Annex A.
Departmental Policy on Privacy Management
The Departmental Policy on Privacy Management supports a robust privacy regime for the protection and judicious use of personal information by ESDC. Supplementing TBS policies, directives, and standards, the ESDC policy contextualizes these privacy obligations for the departmental operating context. It codifies the requirements for the management and protection of personal information, articulates clear and universal privacy policy principles, and specifies roles and responsibilities for the management of personal information, including discrete functional responsibilities and accountabilities. The policy also sets out ESDC’s Privacy Management Framework, outlined below, designates the CPO, and establishes the Department’s privacy governance mechanisms.
The expected results from the application of the Departmental Policy on Privacy Management include:
- the sound management and safeguarding of personal information by the Department
- the implementation of robust practices for the identification, assessment, and management of risks to personal information
- the establishment of clear accountabilities with effective governance structures and mechanisms to protect and manage personal information under ESDC’s stewardship
Privacy Management Framework
ESDC’s Privacy Management Framework promotes a proactive approach for the management of personal information by fostering the integration of privacy practices in all departmental functions and privacy‑by‑design into the program, system, and business process architecture. The Framework consists of 5 elements:
- Governance and accountability: Roles and responsibilities for privacy are clearly defined
- Stewardship of personal information: Appropriate privacy protections are implemented to properly manage personal information throughout its life cycle
- Assurance of compliance: Formal processes and practices are in place to ensure adherence to privacy specifications, policies, standards, and laws
- Effective risk management: Structured and coordinated risk identification and assessments are conducted to limit the probability and impact of negative events
- Culture, training, and awareness: Privacy training and awareness activities that sustain a privacy-aware organization that values the protection and stewardship of personal information
The Framework is a clear and succinct foundational element for establishing and operating a comprehensive privacy program in the Department.
Privacy governance at ESDC
ESDC uses a committee structure to support privacy governance, risk oversight, and decision-making. The Department’s primary governance body for privacy and the safeguarding of personal information is the Data and Privacy Committee (DPC), which is co-chaired by the CPO and a Director General from the Chief Data Officer Branch. The DPC is mandated to provide oversight on the management of personal information entrusted to the Department and the management of enterprise data resources. The DPC supports the implementation and maintenance of ESDC’s data strategy and privacy management programs, provides oversight on risk management processes for the management of data and personal information, and promotes a departmental culture that recognizes that data is a business asset that should be maximized while respecting the privacy rights of Canadians.
The DPC reports to the Assistant Deputy Minister-level Enterprise Management Committee (EMC). The EMC serves as the Department’s horizontal oversight and decision-making body for the implementation of enterprise strategies, plans, policies, and guidelines related to the management of risk, data, information, technology, and security, as well as corporate finances and resources.
4. Policies, procedures, and initiatives
The breadth and scale of ESDC’s activities mean that it is responsible for managing one of the largest personal information holdings in the Government of Canada. The delivery of programs and services by the Department involves the collection, use, and disclosure of large amounts of data. Often, detailed and sensitive personal information is required to determine program eligibility or to deliver benefits and services. Along with its broad mandate and the responsibility to manage immense volumes of personal information, ESDC must operate within a complex privacy legal regime that includes not only the Privacy Act and DESDA but also involves the specific statutory requirements of the Department’s federal and provincial government partners.
Throughout 2023 to 2024, ESDC continued to use and promote a proactive, risk-based approach to privacy management and sought to adapt its activities and processes to the needs of the changing privacy landscape. It applied its privacy lens to the large number of departmental initiatives, some of which will involve the large-scale collection, use, and disclosure of personal information.
Privacy impact assessments (PIAs) and compliance reviews
In accordance with the TBS’s Directive on Privacy Impact Assessment, ESDC must conduct a PIA before establishing any new or substantially modified program or activity involving the administrative use of personal information. PIAs are used to identify and assess privacy risks, as well as to develop plans to reduce or eliminate those risks. Among federal institutions, ESDC is an innovator in the methods used to conduct privacy assessments. For example, to support its privacy‑by‑design approach, PMD draws from a suite of tools that it developed, which includes full PIAs, Privacy Analyses for Information Technology Solutions (PAITS), and privacy protocols when personal information is not used for an administrative purpose. PAITS is an assessment methodology that is focused on an IT solution or system and is used to identify privacy risks and assess impacts on privacy in the solution’s design, procurement, or acquisition stages. PAITS satisfy departmental and TBS requirements for the fulfillment of PIAs.
In 2023 to 2024, ESDC completed 16 PIAs and prepared significant updates for 2 others. Copies of the PIA reports were provided to TBS and the Office of the Privacy Commissioner of Canada (OPC). Information on these assessments is found in Annex B of this report and on ESDC’s Corporate information webpage Privacy impact assessments.
Several privacy protocol reviews for the Department’s policy analysis, research, and evaluation activities were also conducted. This past fiscal year, 10 such reviews were completed for these initiatives involving non-administrative uses of personal information, compared to 26 during 2022 to 2023.
DESDA and its related regulations set out strict parameters for making personal information that is under the control of the Department availableFootnote *. ESDC’s privacy policy requires that all such arrangements with federal institutions, other levels of government, and service delivery providers are verified by PMD. The Division also ensures that these instruments have the necessary terms and conditions for the use, disclosure, protection, and disposal of personal information. Moreover, the implementation of information-sharing agreements requires the endorsement of the appropriate privacy authority designated in the DESDA Delegation Order, which is normally the CPO or the Executive Director of PMD. Similarly, all procurement documents are required by policy to be examined by PMD to verify compliance with statutory and privacy policy requirements. This past fiscal year, 61 information‑sharing agreements and 60 procurement instruments were reviewed in detail.
The internal departmental demand for other types of privacy services remains high. For example, initial reviews of programs and projects, along with the privacy analysis of software applications generated large volumes of service requests. The Division completed 206 such reviews in 2023 to 2024. The number of general privacy inquiries and requests for service from internal clients totalled 248 during the reporting period. PMD also prepared 62 privacy notices and consent forms.
ATIP Modernization
ESDC has laid the groundwork to modernize its ATIP infrastructure and processes to create a modern, digitally enabled ATIP program that is client‑centric and able to meet the needs of the evolving privacy operations environment. The Department launched this program to replace legacy ATIP systems that are nearing the end of their life cycle, enhance client service, and improve staff recruitment, capacity, and retention.
The modernization project consists of 4 program streams that gained momentum in 2023 to 2024: technology renewal, client-service enhancements, process review and standardization, and enhanced transparency measures. It is anticipated that modernization benefits will be realized over the course of the upcoming fiscal years and completed by 2026.
In the 2023 to 2024 fiscal year, progress was made in establishing new procedures that are expected to:
- improve ATIP information clarity and relevance on Canada.ca to guide Canadians to where they can find their personal information or get help in doing so
- aid clients with submitting digital requests
- help clients navigate to an efficient way to obtain their information through their My Service Canada Accounts thereby reducing the time and burden required to process a Privacy Act request that is not required
- pave the way for successful technological renewal and advances with the introduction of the TBS ATIP Online Platform and new ATIPXpress request processing system in fiscal 2024 to 2025
Benefits Delivery Modernization (BDM) Programme
The BDM programme is transforming how the Government of Canada delivers benefits, ensuring Canadians are at the core of its services. It will deliver a world-class service experience through modernizing the way that Government serves Canadians, from the elderly to the young, from people looking for work to those living with a disability.
Through the BDM programme, Canadians can expect to find:
- a simple and user-friendly digital interface
- a single sign-in and a “tell us once” principle
- increased access to self-service
- reduced wait times
- streamlined applications
- faster payment of benefits
In addition, the BDM programme will upgrade technology, minimizing the risk of cyber and security threats and lowering fraud, mistakes, and delays.
To ensure that privacy‑by‑design principles are maintained in BDM’s architecture and implementation, ESDC has dedicated significant privacy resources to work closely with the project team. Privacy advice is being integrated into the BDM design, while detailed privacy analyses and risk assessments are conducted for individual project components. The results of this work are compiled in a “privacy book”, which is continually updated as new capabilities and additional programs are onboarded.
New Directive on the Management of Privacy Breaches
In October 2022, TBS issued its revised Policy on Privacy Protection and Directive on Privacy Practices, which introduced significant changes to privacy breach contingency planning and response requirements for federal institutions. These included: mandatory procedures for privacy breaches; a new threshold and timing to notify TBS and the OPC for material privacy breaches; senior privacy officials must collaborate in security investigations; establishing TBS’s advisory role in multi-institutional material breaches; information sharing agreements and contracts must include a provision that all parties be notified in the event of a privacy breach; and mandatory breach management training for all employees.
ESDC launched a review of its own breach policies and procedures to ensure that they were aligned and included a collaborative effort between the Privacy Management Division, Corporate Security, and Cyber and IT Security to revise processes and amend roles and responsibilities. The resulting departmental Directive on the Management of Privacy Breaches codified the Department’s implementation of TBS policy requirements. The Directive established ESDC’s governance and accountability for managing privacy breaches throughout the Department, whether the breach resulted from an ESDC activity, or a service outsourced to another organization. It also stipulates that privacy breaches must be contained and mitigated in a timely fashion, affected individuals and the appropriate oversight bodies are promptly notified, and ESDC’s practices involving the handling of personal information are reviewed and modified to rectify vulnerabilities that are revealed when incidents occur.
Social Insurance Number (SIN) Authorities
DESDA was amended in 2023 to 2024 with the addition of section 8.1, which granted the Minister of Employment and Social Development with the authority to collect and use SINs for the purposes of administering or enforcing any Act, program, or activity in respect of which the administration or enforcement is the responsibility of the Minister. The SIN is sensitive personal information, its collection and use are regarded as particularly intrusive to the privacy of individuals and warrant special consideration. It is a unique identifier and is managed in accordance with DESDA and the Privacy Act, as well as with TBS and ESDC privacy policies and directives.
For each new collection or use of SIN information by a departmental program or activity, a special privacy assessment will be conducted to examine, among other factors:
- the reasonableness of its proposed use and collection by looking at necessity, effectiveness, proportionality, and the minimization of intrusiveness
- its management and use, including any disclosures
- roles and responsibilities
The OPC will be consulted during this process. The assessment could determine specific conditions for the proposed use of SIN information by an ESDC activity or trigger a wider privacy impact assessment.
Updated Delegation Orders
It is ESDC’s practice to amend Delegation Orders under the Privacy Act and Part 4 of DESDA when the circumstances require changes to one or more delegations. The Minister approved refreshed delegation orders for these 2 Acts during the fiscal year. The amendments updated position titles and established authorities for responsibilities assigned to newly designated officials for the administration of the Privacy Act and for DESDA Part 4. In addition, the implementation of ESDC’s ATIP system and process modernization required adjustments to the Privacy Act delegation orders. With respect to DESDA, the updated order designated officials in ESDC’s regional enquiries units to make personal information available under section 33 (2) of the Act to Members of Parliament who make inquiries on behalf of individuals on applications, benefits, or other assistance for the individual under a program.
Privacy Act Modernization
ESDC has actively collaborated with officials from the Department of Justice on its Privacy Act modernization initiative as part of a broader interdepartmental effort. This law reform process presents a unique opportunity for ESDC to share issues and exchange ideas on options. During the 2023 to 2024 fiscal year, ESDC conducted an internal cross–departmental consultation at the Department of Justice’s request on its vision and proposals for a modernized Privacy Act, the results of which will be used in the next steps in the process.
Timeframe monitoring
Given the Department’s decentralized approach to processing privacy requests, it currently does not employ centrally directed monitoring of the time taken to process personal information requests, limits to inter-institutional consultations, or reviews of frequently requested types of information. ESDC’s regional offices manage most of the privacy requests (personal information requests and requests for the correction of personal information) for the Department and prepare periodic reports concerning new requests, workload, and status updates regarding on‑time performance for privacy requests. Performance reports are generated by the regional offices on a monthly, quarterly, and yearly basis.
As the Department continues to modernize the privacy request function, standardization and compliance monitoring will be a major focus so that Canadians receive dependable, responsive service for every request.
5. Performance overview
This section provides key statistics and analysis on ESDC’s request processing performance during the 2023 to 2024 fiscal year. Most of the charts and tables below provide 4-year comparisons that show the Department’s trends for that metric in administering requests under the Privacy Act. The Department’s detailed statistical report on its administration of the Privacy Act is found in Annex C. Please note that some totals may exceed 100% due to rounding.
Requests by calendar days taken to complete
The on-time compliance rate is the percentage of requests responded to within their legislative timelines, including requests for which the department invoked legislative extensions. Last fiscal year, ESDC’s compliance rate for closing requests within 30 days (or 60 days after an extension) continued to improve, increasing from 71% in 2022 to 2023 to 74% in 2023 to 2024.
Text description of Figure 2
The image represents a graphical representation of the number Privacy Act requests processed within and beyond legislative timeframes for the past 4 years.
For 2020 to 2021
- 45.8% of requests were processed within legislative timeframes, 54.2% were beyond
For 2021 to 2022
- 58% of requests were processed within legislative timeframes, 42% were processed beyond
For 2022 to 2023
- 70.8% of requests were processed within legislative timeframes, 29.2% were processed beyond
For 2023 to 2024
- 73.5% of requests were processed within legislative timeframes, 26.5% were processed beyond
Completion times
ESDC’s rate for closing requests within 30 days continues to improve, edging upwards to 60% in 2023 to 2024.
Text description of Figure 3
The image represents a graphical representation of the number of calendar days taken to complete requests received under the Privacy Act for the past 4 years.
For 2020 to 2021:
- 5,029 (39%) were completed in 30 calendar days
- 2,459 (19%) were completed in 31 to 60 calendar days
- 5,395 (42%) were completed in 61 or more calendar days
For 2021 to 2022
- 8,130 (46%) were completed in 30 calendar days
- 5,009 (29%) were completed in 31 to 60 calendar days
- 4,438 (25%) were completed in 61 or more calendar days
For 2022 to 2023
- 12,257 (58%) were completed in 30 calendar days
- 5,694 (27%) were completed in 31 to 60 calendar days
- 3,370 (15%) were completed in 61 or more calendar days
For 2023 to 2024
- 12,410 (60%) were completed in 30 calendar days
- 4,421 (21%) were completed in 31 to 60 calendar days
- 3,942 (19%) were completed in 61 or more calendar days
Active requests
As of April 1, 2024, there were 2,623 active requests carried over from the previous reporting periods, of which 1,788, or 68%, were on track to be processed within the legislated deadlines.
| Fiscal year during which the open request was received | Open requests that are within legislated timelines as of March 31, 2024 | Open requests that are beyond legislated timelines as of March 31, 2024 | Total |
|---|---|---|---|
| 2023 to 2024 | 1,786 | 790 | 2,576 |
| 2022 to 2023 | 0 | 20 | 20 |
| 2021 to 2022 | 2 | 15 | 17 |
| 2020 to 2021 | 0 | 8 | 8 |
| 2019 to 2020 | 0 | 2 | 2 |
| Totals | 1,788 | 835 | 2,623 |
Reasons for extensions
Institutions may apply for an extension beyond the original 30-day statutory time limit in cases where meeting the statutory date is not feasible. The Privacy Act sets timelines for responding to privacy requests and allows for extensions, up to a maximum of 30 days, in any of the following cases:
- when complying with the timeline would interfere with operations because of:
- a review being required to determine exemptions or exclusions
- a large volume of pages requiring review
- a large volume of requests
- the documents being difficult to obtain
- when a consultation is required
- when documents must be translated
In 2023 to 2024, there were 1,302 large volume requests and 18 requests requiring internal consultations, which could not reasonably be conducted within the initial 30 days. These requests resulted in ESDC invoking 1,323 extensions. This total is similar to the previous fiscal year when the Department invoked 1,304 extensions.
| Privacy Act Section | Reason for extension | Number of requests for extension |
|---|---|---|
| 15(a)(i) Interference with operations | Further review required to determine exemptions | 0 |
| Large volume of pages | 0 | |
| Large volume of requests | 1,302 | |
| Documents are too difficult to obtain | 0 | |
| 15(a)(ii) Consultation | Cabinet Confidence (Section 70) | 0 |
| External | 0 | |
| Internal | 18 | |
| 15(b) Translation purposes or conversion | Translation or conversion | 3 |
| TOTAL | 1,323 | |
Consultations received from other Government of Canada institutions and organizations
ESDC received 3 external consultation requests during the 2023 to 2024 fiscal year, which required the review of 25 pages. These requests originated from Government of Canada institutions and other organizations. The Department closed 2 requests for consultations, both of which were completed in over 30 days. One request resulted in the recommendation to disclose the records in their entirety; the other was recommended to disclose in part. One request was carried over.
| Types of consultation | 2020 to 2021 | 2021 to 2022 | 2022 to 2023 | 2023 to 2024 |
|---|---|---|---|---|
| Consultation requests received under the Privacy Act | 11 | 3 | 11 | 3 |
| Additional pages reviewed under the Privacy Act | 388 | 127 | 215 | 25 |
| Privacy Act requests for consultations closed | 9 | 5 | 12 | 2 |
| Privacy Act requests for consultations closed within 30 days | 3 | 1 | 8 | 0 |
Disposition of completed requests
During 2023 to 2024, the number of requests that were “all disclosed” was 4,035, representing 19.4% of completed requests, compared with 2,969 and 13.9% in the previous fiscal year. Out of the 20,773 completed requests last fiscal year, only 5 files were exempted in their entirety, and none were excluded.
| Disposition | 2020 to 2021 | 2021 to 2022 | 2022 to 2023 | 2023 to 24 | ||||
|---|---|---|---|---|---|---|---|---|
| Number of requests | Percentage of total | Number of requests | Percentage of total | Number of requests | Percentage of total | Number of requests | Percentage of total | |
| All disclosed | 1,355 | 10.5% | 1,880 | 10.7% | 2,969 | 13.9% | 4,035 | 19.4% |
| Disclosed in part | 9,256 | 71.8% | 12,058 | 68.6% | 13,633 | 63.9% | 11,157 | 53.7% |
| All exempted | 1 | 0.0% | 4 | 0.0% | 2 | 0.0% | 5 | 0.0% |
| All excluded | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| No records exist | 1960 | 15.2% | 3,235 | 18.4% | 3,539 | 16.6% | 4,313 | 20.8% |
| Request abandoned | 311 | 2.4% | 400 | 2.3% | 1,178 | 5.5% | 1,262 | 6.1% |
| Neither confirmed nor denied | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% | 1 | 0.0% |
| Totals | 12,883 | 100.0% | 17,577 | 100.0% | 21,321 | 100.0% | 20,773 | 100.0% |
6. Complaints, investigations, and court actions
Under the Privacy Act, individuals may lodge complaints to the OPC about the processing of their requests if they were refused access to their personal information or if they feel there was an undue delay. They can also lodge complaints about personal information handling practices, including the collection, use, or disclosure of their personal information.
Last fiscal year, the OPC accepted 32 complaints about the Department. These consisted of 6 access complaints, 2 collection complaints, 15 request processing time limits complaints, and 9 use and disclosure complaints. Of the complaints that were lodged during 2023 to 2024 and the preceding fiscal years, the early resolution process resolved 40 and dismissed one. At the end of the reporting period, ESDC had 12 open complaints: 6 from 2023 to 2024, 4 from 2022 to 2023, and one each from 2021 to 2022 and 2020 to 2021. Four open complaints were in the early resolution process at the end of the reporting period.
OPC investigations determined that 15 complaints were not well founded, or the complaint was withdrawn during the inquiry. In all, 7 complaints were deemed well founded: 2 were conditionally resolved, 2 could not be resolved, and 3 were considered “deemed refusals” and not resolved.
No privacy complaints were deliberated in the courts during the reporting period.
7. Public interest disclosures
Disclosures in the public interest are made by ESDC under subsection 37(1) of DESDA instead of under paragraph 8(2)(m) of the Privacy Act. All such disclosures are reported to the OPC.
During the 2023 to 2024 fiscal year, the Department made 482 public interest disclosures. ESDC carried out 382 in its regional branches, most of which resulted from incidents involving individuals who threatened to harm themselves or others, including Service Canada employees. In situations where there is an immediate threat to the safety and security of individuals, Service Canada employees have the delegated authority to make the disclosure. Given the urgency of these incidents, the OPC was notified after the disclosure was made.
PMD approved the disclosure of personal information in an additional 100 cases (“PMD disclosures”). In most of these instances, personal information was made available to locate an individual, such as a missing person, or for a police investigation.
The reasons for these disclosures and the totals for each are described in the following table.
| Reason for disclosures | Number of disclosures |
|---|---|
| Regional disclosures (Imminent threats) | 382 |
| PMD disclosures | |
|
74 |
|
22 |
|
4 |
| Total | 482 |
8. Material privacy breaches
A privacy breach is defined by TBS policy as “the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information”. A privacy breach is “material” when it “could reasonably be expected to create a real risk of significant harm to an individual.” Significant harm includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record, and damage to or loss of property.
During the 2023 to 2024 fiscal year, the Department reported 364 material breaches to the OPC and TBS, an 87% increase from the number of incidents in the previous fiscal year (193). In 346 cases, the breach consisted of lost, misdirected, or stolen passports and passport application documents, of which the Canada Post Corporation took responsibility for 308 incidents. ESDC was responsible for the other 38 incidents.
The unauthorized access of personal information stored in ESDC’s systems accounted for 4 material breaches, a decrease of 91%. These cases were identified through the Department’s audit log monitoring activities, which track the access of personal information by employees in ESDC’s electronic data holdings.
The Department continuously applies administrative, technical, and physical measures to reduce privacy breaches. Importantly, through ESDC’s privacy training and awareness activities, employees are informed and trained in the handling of personal information, including appropriate use and safeguarding protocols.
Table 6 provides a breakdown of the material breaches by cause and a brief description of follow-up measures.
| Number of material breaches | Nature of information breached | Communication and notification | Actions undertaken in response |
|---|---|---|---|
| 14 | Personal information incorrectly shared with third‑party individuals via telephone, email, or mail; and/or Documents containing personal information of clients were lost or stolen. |
When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| 4 | Employees who made unauthorized access into departmental systems of client information (mostly discovered as part of internal audits conducted on the departmental systems). | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| 308 | Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected, where Canada Post Corporation was responsible for the breach. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| 38 | Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected because of an internal ESDC error. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| Total Number of Material Breaches: 364 | |||
9. Training and awareness activities
Online privacy training
ESDC has a comprehensive training program to increase knowledge and awareness of appropriate personal information management practices throughout the Department. All employees must maintain a valid 2-year certification in Stewardship of Information and Workplace Behaviours (SIWB), which addresses privacy, the handling of personal information, security, access to information, information management, and values and ethics. It is a component of the Department’s Essential Training Curriculum and is delivered online. At the end of the reporting period, 19,828 employees had attained SIWB certification during the fiscal year.
To complement SIWB certification, ESDC has additional privacy-relevant online courses in its training catalogue. The “Access to Information and Privacy (ATIP): It’s Everybody’s Business” course gives employees the knowledge required to protect, use, and disclose personal information daily and teaches them to prevent breaches by seeking guidance or by using good judgment in a timely manner. In the last fiscal year, 15,586 employees completed it.
New employees take the “Doing Things Right and Doing the Right Thing: Putting the Departmental Code of Conduct into Action” course, which has a significant privacy component. The course helps participants understand the application of ethical behaviour in the workplace and how to use that knowledge to guide them in their day-to-day work and decision-making. The course was taken by 16,302 employees during the 2023 to 2024 fiscal year.
In-person and virtual training and awareness
Throughout the reporting period, the Department continued to deliver practical, easy‑to‑understand, and readily available privacy information and guidance to employees to reinforce the application of appropriate personal information handling and safeguarding practices, as well as to provide general knowledge on the philosophical and legislative underpinnings of privacy. The highlight of these activities were privacy-themed information events, and a series of specialized knowledge talks delivered during Privacy Awareness Week in January 2024. In support of Privacy Act request processing, specialized training was provided to key departmental stakeholders and ATIP Operations staff. Overall, 1,135 ESDC employees attended, either in-person or by video, 20 privacy training and awareness sessions offered during 2023 to 2024.
Annex A: Delegation Orders Privacy Act: Delegation of Authority Department of Employment and Social Development
The Minister of Employment and Social Development, pursuant to section 73 of the Privacy Act and section 11 of the Department of Employment and Social Development Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister as the head of the Department of Employment and Social Development, under the provisions of the aforementioned Acts and related regulations set out in the schedule opposite each position.
This designation replaces all previous delegation orders.
Original signed March 6, 2024 by the Honourable Randy Boissonnault, Minister of Employment and Social Development
Department of Employment and Social Development
Department of Employment and Social Development
| Description | Section | Delegated Authority |
|---|---|---|
| Retention of a record of requests and disclosed records to investigative bodies under section 8(2)(e) of the Privacy Act. | 8(4) |
|
| Retention of records of uses of personal information | 9(1) |
|
| Notification of the Privacy Commissioner of any new consistent uses of personal information and ensure use is included in next statement of consistent uses set forth in the Index | 9(4) |
|
| Include personal information in personal information banks | 10 |
|
| Respond to request for access within 30 days and give written notice and, if access to be given, give access. | 14 |
|
| Extension of the 30-day time limit to respond to a privacy request. | 15 |
|
| Decision on whether to translate a response to a privacy request in one of the 2 official languages. | 17(2)(b) |
|
| Decision on whether to convert personal information to an alternate format | 17(3)(b) |
|
| Decision to refuse to disclose personal information contained in an exempt bank. | 18(2) |
|
| Decision to refuse access to personal information that was obtained in confidence from the government of a foreign state or institution, an international organization of states or an institution thereof, the government of a province or institution thereof, a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government, or the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act or the council of a participating in First Nation as defined in the First Nations Jurisdiction over Education in British Columbia Act | 19(1) |
|
| Authority to disclose personal information referred to in 19(1) if the government, organization or institution described in 19(1) consents to the disclosure or makes the information public. | 19(2) |
|
| Refuse to disclose personal information that may be injurious to the conduct of federal-provincial affairs | 20 |
|
| Refuse to disclose personal information that may be injurious to international affairs or the defence of Canada or one of its allies. | 21 |
|
| Refuse to disclose personal information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions | 22 |
|
| Refuse to disclose personal information created for the Public Servants Disclosure Protection Act. | 22.3 |
|
| Refuse to disclose personal information prepared by an investigative body for security clearance. | 23 |
|
| Refuse to disclose personal information that was collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence if the conditions in the section are met | 24 |
|
| Refuse to disclose personal information which could threaten the safety of individuals | 25 |
|
| Refuse to disclose personal information about another individual and shall refuse to disclose such information where disclosure is prohibited under section 8 | 26 |
|
| Refuse to disclose personal information that is subject to solicitor-client privilege. | 27 |
|
| Refuse to disclose personal information relating to the individual’s physical or mental health where the disclosure is contrary to the best interests of the individual | 28 |
|
| Receive notice of investigation by the Privacy Commissioner | 31 |
|
| Right to make representations to the Privacy Commissioner during an investigation | 33(2) |
|
| Receive Privacy Commissioner’s report of findings of an investigation and give notice of action taken | 35(1) |
|
| Provision of addition personal information to a complainant after receiving a 35(1)(b) notice. | 35(4) |
|
| Receive Privacy Commissioner’s report of findings of investigation of exempt bank | 36(3) |
|
| Receive report of Privacy Commissioner’s findings after compliance investigation | 37(3) |
|
| Request that a court hearing, undertaken with respect to certain sections of the Act, be held in the National Capital Region. | 51(2)(b) |
|
| Request and be given right to make representations in section 51 hearings | 51(3) |
|
| Prepare annual report to Parliament | 72(1) |
|
| Description | Section | Delegated Authority |
|---|---|---|
| Allow examination of the documents (Reading Room) | 9 |
|
| Notification of Correction | 11(2) |
|
| Correction refused; notation placed on file | 11(4) |
|
| Disclosure to a medical practitioner or psychologist | 13(1) |
|
| Disclosure in the presence of a medical practitioner or psychologist | 14 |
|
Annex B Summaries of completed Privacy Impact Assessments
ESDC completed 16 privacy impact assessments (PIA) over the course of the 2023 to 2024 fiscal year and significantly updated 2 previously completed assessments. In addition to standard PIAs, ESDC uses Privacy Analysis for IT Solutions (PAITS), which is a customized PIA focused on an IT solution or system. The purpose of a PAITS is to identify privacy risks and assess impacts on privacy in the solution’s design, procurement, or acquisition stages. Its conclusions give assurances to senior management that the protection of personal information has been considered prior to implementation and outlines a mitigation action plan to resolve identified risks. PAITS satisfy departmental and TBS requirements for the fulfillment of PIAs. Of the completed PIAs, 9 were PAITS.
Information on ESDC’s PIAs is found on the Department’s PIA webpage.
Addendum to the Enabling Services Renewal Program “myEMS (PeopleSoft)” Privacy Impact Assessment
PeopleSoft is the core system that enables ESDC’s digital human resources services providing employees and managers with various self-service tools. A PIA was undertaken with the implementation of the system in 2015. In May 2021, an addendum was added to the PIA, which assessed an upgrade to the core PeopleSoft system. This upgrade standardizes case management processes and leverages personal information within the core system. One medium-level risk and one low-level risk were identified. An action plan was developed to address these risks in 2024.
Canada Student Financial Assistance Program Repayment Assistance Plan – Enhanced Verification Model (CSFA RAP – EVM)
The Canada Student Financial Assistance (CSFA) Program (formerly known as the Canada Student Loans Program) is introducing modifications to the Repayment Assistance Plan – Enhanced Verification Model, which will verify the information declared by borrowers during the application process against taxpayer information provided by the CRA. The PIA assessed the collection, management, use, and exchange of personal information by the CSFA Program through RAP–EVM and the proposed data exchange with CRA. A total of 2 privacy risks, one low-level and one medium-level, were identified. ESDC’s CSFA Program has prepared an action plan to address the recommendations in 2024.
COVID-19 Mandatory and Voluntary Rapid Testing Programs
The Federal Public Service implemented rapid testing as an accommodation measure for employees who are required to regularly report on-site and who are unable to receive the COVID-19 vaccine due to a Duty to Accommodate exemption, as well as a temporary measure for partially vaccinated employees. Rapid testing is also available for fully vaccinated employees. The Rapid Testing Program at ESDC was broken into 2 separate programs: the Mandatory Rapid Testing Program and the Voluntary Rapid Testing Program. Participation in the Mandatory Rapid Testing Program was required for ESDC employees who had an approved Duty to Accommodate exemption and regularly reported to an ESDC workplace, while participation in the Voluntary Rapid Testing Program was for willing employees who were fully vaccinated and regularly reported to the workplace. The PIA identified 2 medium-level privacy risks, which were mitigated. The testing programs are no longer active.
Service Referral Initiative (SRI) under the Reaching All Canadians program portfolio
The eServiceCanada Service Request Form project under the SRI, which is part of the Reaching All Canadians portfolio, involves the implementation of a new application to the existing eServiceCanada solution that will enhance the delivery of services and benefits to better support vulnerable populations. Service Canada outreach activities will trigger the engagement of community-based organizations to provide referrals to clients in need of enhanced services through the new solution to initiate a Service Canada specialist callback to the client. The solution will also improve tracking and managing cases. SRI involves the limited collection and use of personal information when clients are contacted. The PIA identified 3 low-level privacy risks. Mitigations to address the risks are planned to be in place in 2024.
First Phase of the Canadian Dental Care Plan
The Canadian Dental Care Plan will provide dental coverage for uninsured Canadians with an annual family income of less than $90,000, with no co-pays for those with family incomes under $70,000. It will be delivered by a third-party contractor, Sun Life. ESDC will deliver services on behalf of Health Canada, including receiving applications and validating applicant eligibility for enrollment. These activities will involve collecting personal information from the CRA to help validate eligibility. The PIA identified 3 medium-level risks. Measures to address these risks and issues are scheduled for completion in 2024.
Internal Activity and Access Monitoring Project 1: Employment Insurance Applications
The Internal Activity and Access Monitoring Project involves the implementation of an enterprise-wide monitoring solution that will enhance the Department’s ability to identify insider threats and provide digital evidence of unauthorized access or misuse of personal information held in key ESDC applications. This is a multi-year, multi-phase implementation starting with IAAM for Employment Insurance systems. The solution automates existing manual processes and provides near real-time monitoring for better outcomes in the detection and prevention of threats and vulnerabilities to personal information. The solution will rely on the use of personal information held in various ESDC databases and systems. The PIA identified 2 medium-level risks. Measures to address these risks are scheduled for completion in 2024.
Old Age Security (OAS) Release 1 Foreign Benefits (FB) and Liaisons
The Benefits Delivery Modernization (BDM) programme was created to transform and modernize the delivery of Benefits and Services to Canadians. Personal information is exchanged between the OAS FB Program and 60 countries under Social Security Agreements. Through these agreements, individuals who have lived or worked outside of Canada may qualify for a benefit paid by another country. OAS Release 1 FB and Liaisons is the first benefit to operate on the BDM Cúram platform and will act as a transfer of client information between Canada and the foreign country. This information is used to qualify the client for benefits when the evidence is insufficient to approve a benefit. The PIA identified 6 privacy risks, of which 4 were assessed as high-level and 2 were medium level. Mitigations are planned to be completed in 2024.
PeopleSoft-Offboarding: Addendum to the Enabling Services Renewal Program myEMS (PeopleSoft) PIA
PeopleSoft is ESDC’s primary system for digital Human Resources services. The Department is adopting a new module into PeopleSoft to centralize employee departure processes in the system. The Offboarding project replaces a manual process for the managers who initiate separation clearance for departing employees with a streamlined automated system. Several manual tasks have been automated in a logical workflow to ensure that the manager or the delegate completing the separation clearance does so consistently. Two low-level privacy risks were identified. An action plan is in place to address these risks in 2024.
Wage Earner Protection Program (WEPP)
WEPP is a Government of Canada program that provides timely payment of eligible wages owing to workers whose employer has gone bankrupt or become subject to receivership. Eligible wages under the Program include salaries, commissions, vacation, termination, and severance pay. The federal government seeks recovery of the amounts as the creditor of the employer and pays the worker. Applicants can request a review in the case of disagreements or an appeal. The types of personal information collected and used by WEPP include SINs and financial information such as banking and tax data. The assessment identified 2 medium-level risks. Mitigations are planned to be in place in 2024.
Business Intelligence for Active Outreach (BIAO)
The Government of Canada provides funding to the provinces and territories under Labour Market Development Agreements to deliver EI–funded skills training and employment supports to Canadians. The BIAO project involves developing an interactive business intelligence dashboard to facilitate data sharing between ESDC and provincial and territorial counterparts for Labour Market Development Agreements programming purposes. The BIAO dashboard provides filters and charts of summary (aggregate) counts for various demographic variables of a province or territory active EI claimant population for various demographic variables. The dashboard includes functionality for the provinces and territories to request individual claimant data, including contact information, to match EI claimants to opportunities in their labour market. The PAITS identified one medium-level risk. The mitigation strategy to address the risk is scheduled for completion by April 2024.
Canada Apprentice Loan’s (CAL) Use of the Enterprise Cyber Authentication Solution (ECAS)
The Canada Student Financial Assistance Program has been modernizing the CAL Electronic Identity Verification process with ECAS, the Department’s standard registration and authentication solution. As a result, the My Service Canada Account (MSCA) portal will serve as a single point of entry for client registration and authentication to access the CAL Service Centre. CAL clients will also benefit from robust security measures that leverage the MSCA process. The PAITS examined the privacy risks and strategies related to the management and protection of personal information that are handled by the ECAS system. The PAITS identified 4 medium-level risks. Mitigations to address these risks are scheduled for completion in 2025.
Corporate Correspondence Tool (CCT)
The CCT is an IT solution used to generate, deliver, and archive print and electronic correspondence for several ESDC programs. It was deployed in 2012 to reduce the number of discreet templating tools in use throughout the Department, with the goal of having one central electronic repository of correspondence sent to clients. ESDC’s BDM Programme will use the CCT for outgoing correspondence needs. The PAITS examined the processes for generating, delivering, and archiving correspondence. One medium-level risk was identified. Activities to address the risk are planned to be completed in 2024.
Integrated Corporate Accounting and Accountability Directorate Client-Facing Tool for Internal Clients
The financial services provided by ESDC’s Integrated Corporate Accounting and Accountability Directorate include responding to general financial questions, receiving invoices, and employee reimbursements for payments. The Client-Facing Tool is hosted in Microsoft Dynamics. The PAITS looked at the internal client portal to submit requests as well as the back‑end case management system used by ESDC employees to process the requests. No privacy risks were identified.
Privacy Analysis for IT Solutions on the Passport Application Status Checker (Amended)
ESDC, in collaboration with Immigration, Refugees and Citizenship Canada, launched the Passport Application Status Checker to enhance the level of service provided to clients without compromising privacy or program integrity. This project is part of the Passport Program that enables passport applicants to request their application file number and check their passport application status online. The assessment focused on the Passport Application Status Checker tool, the Electronic Service Request File requestor application, and the various system components that transmit data back and forth from Immigration, Refugees and Citizenship Canada to the Passport Application Status Checker. The PAITS identified 3 low-level risks and one medium-level risk. Mitigation strategies were implemented by the end of 2025 for the medium-level risk and one low-level risk. ESDC accepted the remaining 2 low-level risks.
Security Screening Intake Process Simplification (SSIPS) Project 2.0 – Minimum Viable Product (MVP) 2 Update
The SSIPS uses Transport Canada’s platform to electronically process security clearances for employees. This work focused on improving the user experience to obtain security screening by digitalizing and simplifying the procedure by using an online portal for the secure submission of documents and personal information and a repository for their secure safeguarding. MVP 2 introduces the SSIPS and Transport Canada’s platform to administer security clearance upgrades and renewals for employees with an existing security clearance. The PAITS identified 2 low-level privacy risks. Mitigation strategies to address these risks are scheduled for completion by March 2025.
Social Insurance Number (SIN) on My Service Canada Account (SINOM) – Minimum Viable Product (MVP 1)
The SINOM project seeks to provide real-time SIN confirmation to clients by leveraging the existing client service platform, MSCA, once their online SIN (eSIN) application has been processed. SINOM will expand the current SIN-based registration requirements to enable clients who do not have a SIN to register for MSCA using their Birth Registration Number or Unique Client Identifier in combination with their SIN Application Number issued at the time of eSIN application. SINOM will be released in 2 phases using the MVP approach. MVP 1 is scheduled for release in August 2023, where a digital display of the SIN will be available on MSCA while the SIN Confirmation Letter will continue to be sent by mail. The PAITS examined the modifications to the MSCA, the registration, authentication, and eSIN processes as well as the personal information collected and used in the SINOM process flow. Three medium-level risks were identified. Risk management strategies are expected to be fully implemented by mid-2025.
Privacy Analysis for IT Solutions – Updates to the Canada Student Financial Assistance (CSFA) Program Federal Disbursement Approval (FDA) Process
Before federal loan and grant funding can be sent to students and educational institutions, funding must be approved through the federal disbursement approval process. This is a multistage procedure that involves information being sent, processed, and reviewed at different levels. The CSFA Program is modernizing the procedure and will be using new tools. This PAITS focused on the handling of personal information by the new systems involved in the updates to the FDA process of the CSFA Program. The FDA process takes place after the borrower has applied for and been approved with funding. The PAITS identified one medium-level risk. The strategies to address these risks and issues are scheduled for completion in 2024.
Data Migration Solution (DMS) for Old Age Security (OAS) / Benefits Delivery Modernization
The BDM Programme was created by ESDC to transform and modernize the delivery of benefits and services to Canadians. The OAS DMS is a temporary environment that will be used to copy, prepare, test, and refine data from existing ESDC systems and databases to the new Cúram platform. A PAITS was conducted because the solution changes the way client personal information is managed during the transfer to the new platform. Once legacy OAS data is successfully migrated to Cúram, DMS will no longer be required. One medium-level risk and 2 low-level risks were identified.
Annex C Statistical reports
ESDC Statistical Report on the Privacy Act, 2023 to 2024
Name of institution: Employment and Social Development Canada
Reporting period: April 1, 2023 to March 31, 2024
Section 1 Requests under the Privacy Act
| Detail | Number of requests | ||
|---|---|---|---|
| Received during reporting period | 21,722 | ||
| Outstanding from previous reporting period | 1,674 | ||
|
1,644 | N/A | |
|
30 | ||
| Total | 23,396 | ||
| Closed during reporting period | 20,773 | ||
| Carried over to next reporting period | 2,623 | ||
|
1,788 | N/A | |
|
835 | ||
| Source | Number of requests |
|---|---|
| Online | 7,606 |
| 3,302 | |
| 5,124 | |
| In person | 30 |
| Phone | 22 |
| Fax | 5,638 |
| Total | 21,722 |
Section 2 Informal Requests
| Detail | Number of requests | |
|---|---|---|
| Received during reporting period | 4,885 | |
| Outstanding from previous reporting period | 2,294 | |
|
62 | N/A |
|
2,232 | |
| Total | 7,179 | |
| Closed during reporting period | 6,113 | |
| Carried over to next reporting period | 1,066 | |
| Source | Number of requests |
|---|---|
| Online | 607 |
| 234 | |
| 2,934 | |
| In person | 4 |
| Phone | 55 |
| Fax | 1,051 |
| Total | 4,885 |
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
|---|---|---|---|---|---|---|---|
| 1,261 | 657 | 491 | 962 | 268 | 1,069 | 1,405 | 6,113 |
| Less Than 100 Pages Released | 100-500 Pages Released | 501-1,000 Pages Released | 1,001-5,000 Pages Released | More Than 5,000 Pages Released | |||||
|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released |
| 4,323 | 114,099 | 1,634 | 318,528 | 114 | 76,064 | 41 | 67,392 | 1 | 6,087 |
Section 3 Requests closed during the Reporting period
| Disposition of requests | Completion time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| All disclosed | 1,061 | 1,577 | 768 | 568 | 24 | 36 | 1 | 4,035 |
| Disclosed in part | 1,614 | 3,274 | 3,115 | 3,048 | 51 | 40 | 15 | 11,157 |
| All exempted | 0 | 3 | 2 | 0 | 0 | 0 | 0 | 5 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 2,162 | 1,594 | 433 | 112 | 2 | 10 | 0 | 4,313 |
| Request abandoned | 835 | 289 | 103 | 24 | 6 | 2 | 3 | 1,262 |
| Neither confirmed nor denied | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| Total | 5,673 | 6,737 | 4,421 | 3,752 | 83 | 88 | 19 | 20,773 |
| Section | Number of requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 3 |
| 22(1)(a)(ii) | 1 |
| 22(1)(a)(iii) | 1 |
| 22(1)(b) | 35 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 0 |
| 22.4 | 0 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 3 |
| 26 | 11,327 |
| 27 | 84 |
| 27.1 | 0 |
| 28 | 2 |
| Section | Number of requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
| Paper | Electronic | Other | |||
|---|---|---|---|---|---|
| E- record | Data set | Video | Audio | ||
| 3,885 | 11,310 | 11 | 0 | 17 | 4 |
3.5 Complexity
| Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|
| 1,917,178 | 1,766,175 | 16,460 |
| Disposition | Less than 100 pages processed | 101 to 500 pages processed | 501 to 1,000 pages processed | 1,001 to 5,000 pages processed | More than 5,000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| All disclosed | 3,656 | 78,439 | 377 | 65,442 | 2 | 1,241 | 0 | 0 | 0 | 0 |
| Disclosed in part | 6,470 | 267,290 | 4,174 | 834,834 | 325 | 217,613 | 169 | 306,159 | 19 | 136,124 |
| All exempted | 5 | 91 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1,245 | 1,208 | 15 | 2,989 | 0 | 0 | 2 | 5,874 | 0 | 0 |
| Neither confirmed nor denied | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 11,377 | 347,028 | 4,566 | 903,139 | 327 | 218,854 | 171 | 312,033 | 19 | 136,124 |
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 1,486 | 1,319 | 17 |
| Disposition | Less than 60 minutes processed |
60- 120 minutes processed |
More than 120 minutes processed |
|||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 4 | 132 | 3 | 222 | 1 | 196 |
| Disclosed in part | 3 | 110 | 3 | 303 | 3 | 523 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 7 | 242 | 6 | 525 | 4 | 719 |
| Number of minutes processed | Number of minutes disclosed | Number of requests |
| 0 | 0 | 0 |
| Disposition | Less than 60 minutes processed |
60- 120 minutes processed |
More than 120 minutes processed |
|||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 |
| Disposition | Consultation required | Legal Advice sought | Interwoven information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 3 | 0 | 0 | 0 | 3 |
| Disclosed in part | 203 | 0 | 0 | 0 | 203 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 0 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 207 | 0 | 0 | 0 | 207 |
3.6 Closed requests
| Detail | Requests closed within legislated timelines |
|---|---|
| Number of requests closed within legislated timelines | 15,269 |
| Percentage of requests closed within legislated timelines (%) | 73.5 |
3.7 Deemed refusals
| Number of requests closed past the legislated timelines | Principal Reason | |||
|---|---|---|---|---|
| Interference with Operations / Workload | External consultation | Internal consultation | Other | |
| 5,504 | 5,495 | 0 | 0 | 9 |
| Number of days past legislated timelines | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timelines where an extension was taken | Total |
|---|---|---|---|
| 1 to 15 days | 879 | 25 | 904 |
| 16 to 30 days | 944 | 12 | 956 |
| 31 to 60 days | 2,111 | 7 | 2,118 |
| 61 to 120 days | 1,393 | 4 | 1,397 |
| 121 to 180 days | 58 | 5 | 63 |
| 181 to 365 days | 45 | 8 | 53 |
| More than 365 days | 4 | 9 | 13 |
| Total | 5,434 | 70 | 5,504 |
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Section 4 Disclosures under subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Section 5 Requests for correction of Personal information and Notations
| Disposition for correction requests received | Number |
|---|---|
| Notations attached | 9 |
| Requests for correction accepted | 2 |
| Total | 11 |
Section 6 Extensions
| Number of requests where an extension was taken | 15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 1,323 | 0 | 0 | 1,302 | 0 | 0 | 0 | 18 | 3 |
| Length of extensions | 15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 1 to 15 days | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 1,302 | 0 | 0 | 0 | 18 | 3 |
| 31 days or greater | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 1,302 | 0 | 0 | 0 | 18 | 3 |
Section 7 Consultations Received from Other Institutions and Organizations
| Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
|---|---|---|---|---|
| Received during the reporting period | 3 | 25 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 3 | 25 | 0 | 0 |
| Closed during the reporting period | 2 | 21 | 0 | 0 |
| Carried over within negotiated timelines | 1 | 4 | 0 | 0 |
| Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| Disclose entirely | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
| Disclose in part | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 2 |
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8 Completion Time of Consultations on Cabinet Confidences
| Number of days | Fewer than 100 pages processed | 100 to 500 pages processed | 501 to 1,000 pages processed | 1,001 to 5,000 pages processed | More than 5,000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of days | Fewer than 100 pages processed | 100 to 500 pages processed | 501 to 1,000 pages processed | 1,001 to 5,000 pages processed | More than 5,000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 9 Complaints and Investigations notices received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 37 | 0 | 41 | 0 | 78 |
Section 10 Privacy Impact Assessments and Personal Information Banks
| Number of PIAs completed | 16 |
|---|---|
| Number of PIAs modified | 2 |
| Personal Information Banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| Institution-specific | 63 | 0 | 2 | 35 |
| Central | 0 | 0 | 0 | 0 |
| Total | 63 | 0 | 2 | 35 |
Section 11 Privacy Breaches
| Number of material privacy breaches reported to TBS | 364 |
|---|---|
| Number of material privacy breaches reported to OPC | 364 |
| Number of non-material privacy breaches | 1,228 |
|---|
Section 12 Resources related to the Privacy Act
| Expenditures | Amount | |
|---|---|---|
| Salaries | $9,198,000 | |
| Overtime | $488,353 | |
| Goods and services | $225,523 | |
|
$203,440 | N/A |
|
$22, 083 | |
| Total | $9,911,844 | |
| Resources | Person years dedicated to privacy activities |
|---|---|
| Full-time employees | 34.876 |
| Part-time and casual employees | 0.192 |
| Regional staff | 64.743 |
| Consultants and agency personnel | 0.706 |
| Students | 1.277 |
| Total | 101.793 |
Supplemental statistical report on the Access to Information Act and the Privacy Act
Name of institution: Employment and Social Development Canada
Reporting period: April 1, 2023 to March 31, 2024
Section 1 Open Requests and Complaints Under the Access to Information Act
| Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2024 | Open Requests that are Beyond Legislated Timelines as of March 31, 2024 | Total |
|---|---|---|---|
| Received in 2023 to 2024 | 176 | 81 | 257 |
| Received in 2022 to 2023 | 5 | 95 | 100 |
| Received in 2021 to 2022 | 7 | 54 | 61 |
| Received in 2020 to 2021 | 4 | 49 | 53 |
| Received in 2019 to 2020 | 5 | 31 | 36 |
| Received in 2018 to 2019 | 0 | 6 | 6 |
| Received in 2017 to 2018 | 0 | 2 | 2 |
| Received in 2016 to 2017 | 0 | 1 | 1 |
| Received in 2015 to 2016 | 0 | 0 | 0 |
| Received in 2014 to 2015 or earlier | 0 | 0 | 0 |
| Total | 197 | 319 | 516 |
| Fiscal Year Open Complaints Were Received by Institution | Number of Open Complaints |
|---|---|
| Received in 2023 to 2024 | 32 |
| Received in 2022 to 2023 | 8 |
| Received in 2021 to 2022 | 4 |
| Received in 2020 to 2021 | 0 |
| Received in 2019 to 2020 | 2 |
| Received in 2018 to 2019 | 0 |
| Received in 2017 to 2018 | 0 |
| Received in 2016 to 2017 | 0 |
| Received in 2015 to 2016 | 0 |
| Received in 2014 to 2015 or earlier | 0 |
| Total | 46 |
Section 2 Open Requests and Complaints Under the Privacy Act
| Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2023 | Open Requests that are Beyond Legislated Timelines as of March 31, 2023 | Total |
|---|---|---|---|
| Received in 2023 to 2024 | 1,786 | 790 | 2,576 |
| Received in 2022 to 2023 | 0 | 20 | 20 |
| Received in 2021 to 2022 | 2 | 15 | 17 |
| Received in 2020 to 2021 | 0 | 8 | 8 |
| Received in 2019 to 2020 | 0 | 2 | 2 |
| Received in 2018 to 2019 | 0 | 0 | 0 |
| Received in 2017 to 2018 | 0 | 0 | 0 |
| Received in 2016 to 2017 | 0 | 0 | 0 |
| Received in 2015 to 2016 | 0 | 0 | 0 |
| Received in 2014 to 2015 or earlier | 0 | 0 | 0 |
| Total | 1,788 | 835 | 2,623 |
| Fiscal Year Open Complaints Were Received by Institution | Number of Open Complaints |
|---|---|
| Received in 2023 to 2024 | 6 |
| Received in 2022 to 2023 | 4 |
| Received in 2021 to 2022 | 1 |
| Received in 2020 to 2021 | 1 |
| Received in 2019 to 2020 | 0 |
| Received in 2018 to 2019 | 0 |
| Received in 2017 to 2018 | 0 |
| Received in 2016 to 2017 | 0 |
| Received in 2015 to 2016 | 0 |
| Received in 2014 to 2015 or earlier | 0 |
| Total | 12 |
Section 3: Social Insurance Number
| Did your institution receive authority for a new collection or new consistent use of the SIN in 2023 to 2024? | Yes |
|---|
Section 4: Universal Access under the Privacy Act
| How many requests were received from confirmed foreign nationals outside of Canada in 2023 to 2024? | 51 |
|---|
Page details
- Date modified: