Annual report on the administration of the Privacy Act, 2024 to 2025 - Employment and Social Development Canada
On this page
- 1. Executive Summary
- 2. Introduction
- 3. Organizational context
- 4. Employment and Social Development Canada's privacy regime
- 5. Policies, procedures, and initiatives
- 6. Performance overview
- 7. Complaints, investigations, and court actions
- 8. Public interest disclosures
- 9. Material privacy breaches
- 10. Training and awareness activities
- Annex A - Privacy Act Delegation Order
- Annex B - Summaries of completed privacy impact assessments
- Annex C - Statistical reports
Alternate formats
Large print, braille, MP3 (audio), e-text and DAISY formats are available on demand by ordering online or calling 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105.
-
List of tables
- Table 1: Number of active requests that are outstanding from previous fiscal years
- Table 2: Number of Privacy Act requests where an extension was invoked
- Table 3: Consultation requests received from other Government of Canada institutions and other organizations
- Table 4: Percentage of completed requests for which records were "all disclosed", and percentage for which records were "disclosed in part"
- Table 5: Number of active complaints that are outstanding from previous fiscal years
- Table 6: Number of disclosures by reason
- Table 7: Description of material breaches and action plans
1. Executive Summary
Advancing Trust, Transparency, and Digital Modernization at Employment and Social Development Canada (2024 to 2025)
Employment and Social Development Canada (ESDC) is responsible for developing, managing, and delivering social programs and services, including some of Canada's largest, such as Employment Insurance (EI), the Canada Pension Plan (CPP), and the Passport Program. Given its mandate, ESDC collects and controls a large volume of personal information, involving a range of collection, use, retention, and disclosure activities, as well as coordination with an array of partners and stakeholders. Privacy management continues to be a core component in delivering ESDC's programs and priorities, whether through program delivery, validation of the identity of individuals, conducting research and analysis, or carrying out integrity operations.
Strengthening access to privacy services
In 2024 to 2025, ESDC reaffirmed its commitment to the Government of Canada's Trust and Transparency Strategy by advancing a proactive approach to access to information and privacy. Guided by the leadership of the Corporate Secretary and Chief Privacy Officer, ESDC's Access to Information and Privacy (ATIP) Operations Division and Privacy Management Division (PMD), in collaboration with regional partners, successfully managed a growing volume of requests while maintaining high service standards and by providing strong privacy management support.
During the year, ESDC received 22,451 privacy requests, an increase of 3.2% from the previous year, and achieved an 82.8% compliance rate, as a measure of the percentage of all files that were closed either within the initial 30 days or during an extension period. In addition, the Department processed a record volume of 2.21 million pages for exemptions and exclusions, of which 2.07 million pages were disclosed. In terms of record disposition and disclosure, ESDC processed 4,753 requests in which all aspects of a record were disclosed, accounting for 20.3% of all requests.
To reduce reliance on formal requests and improve client service, ESDC continued to promote digital self-service options, including My Service Canada Account (MSCA) and Canada Revenue Agency My Account. These platforms empower Canadians to access their personal information directly, supporting a more efficient and user-friendly experience.
Embedding Privacy in Digital Transformation and Artificial Intelligence Governance
The Department takes pride in delivering programs and services to Canadians at key stages of their lives. As a steward of large volumes of personal information, ESDC continues to embed privacy protection into all aspects of program delivery, research, and digital innovation. In 2024-2025, the Department expanded privacy training and awareness, ensuring staff are equipped to manage personal information responsibly and ethically.
In preparation for the implementation of the Artificial Intelligence (AI) Strategy for the Federal Public Service 2025-2027, particular emphasis has been placed on supporting the responsible use of artificial intelligence. ESDC prioritized privacy-by-design in AI initiatives. The PMD, in collaboration with the Chief Data Officer Branch, conducted assessments to identify and mitigate privacy risks, ensuring that AI adoption remains transparent, accountable, and human-centric.
Another major transformation initiative, the Benefits Delivery Modernization (BDM) program, is reshaping how the Government of Canada delivers benefits, placing Canadians at the centre of service design. Through BDM, Canadians can expect a simplified and user-friendly digital interface, a single sign-in experience, increased access to self-service, reduced wait times, streamlined applications, and faster benefit payments. To ensure privacy-by-design principles are embedded in BDM's architecture, ESDC has dedicated privacy resources to work closely with the project team. Privacy advice is integrated into the design process, and detailed privacy impact assessments (PIA) are conducted for each release.
Looking Ahead
Modernization of ATIP operations is anticipated to drive long-term efficiencies in the coming years, enhancing ESDC's ability to respond to information requests more effectively. ESDC is on a path towards a more proactive stance on ATIP management, in addition to an ongoing commitment to continuous improvement in service delivery, all while adapting to the evolving needs of Canadians in a rapidly changing digital landscape.
By aligning with the Government of Canada's principles of openness, accountability, and responsible innovation, ESDC is well-positioned to meet the evolving needs of Canadians in a dynamic digital landscape.
2. Introduction
Presentation of the report
Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of the Act following the end of every fiscal year. This is ESDC's annual report to Parliament on the administration of the Privacy Act for the 2024-2025 fiscal year.
There are no ESDC wholly owned subsidiaries or non-operational institutions on which to report.
Purpose of the Privacy Act
The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution, and to provide individuals with a right of access to that information.
These rights of protection and access are in accordance with the principles that individuals should have a right to know why their information is collected by the Government, how it will be used, how long it will be kept and who will have access to it.
About ESDC
The Department of Employment and Social Development Canada, commonly referred to as ESDC, is the Government of Canada's department responsible for developing, managing, and delivering social programs and services. The mission of ESDC, including the Labour Program and Service Canada, is to build a strong and more inclusive Canada, to support Canadians in helping them live productive and rewarding lives and to improve quality of life for Canadians. ESDC's fulfills its mission by:
- developing policies that ensure Canadians can use their talents, skills and resources to participate in learning, work and their community
- delivering programs that help Canadians move through life's transitions, from school to work, from one job to another, from unemployment to employment, and from the workforce to retirement
- providing income support to seniors, families with children and those unemployed due to job loss, illness or caregiving responsibilities
- helping Canadians with distinct needs, such as Indigenous people, persons with disabilities, travellers and recent immigrants
- ensuring labour relations stability by providing mediation services
- promoting a fair and healthy workplace by enforcing minimum working conditions, promoting decent work and employment equity, and fostering respect for international labour standards
- delivering programs and services on behalf of other departments and agencies; and
- supporting the digital delivery of Government of Canada programs and services
ESDC is led by one Minister, supported by five deputy ministers responsible for its day-to-day operations, budget, and program development.
With over 41,000 employees, ESDC is one of the largest departments within the Government of Canada. Operating across Canada, 73% of its employees work outside the National Capital Region.
Organization of ESDC (as of March 31, 2025)
Mission: The mission of Employment and Social Development Canada, including the Labour Program and Service Canada, is to build a strong and more inclusive Canada, to support Canadians in helping them live productive and rewarding lives and to improve Canadians' quality of life.
Minister:
- Minister of Jobs and Families
Deputy Ministers:
- Deputy Minister of Employment and Social Development Canada
- Associate Deputy Minister of Employment and Social Development and Chief Operating Officer for Service Canada
- Deputy Minister of Labour and Associate Deputy Minister of Employment and Social Development
- Senior Associate Deputy Minister of Employment and Social Development
- Business Lead, Benefits Delivery Modernization, Employment and Social Development Canada
Employment and Social Development
Responsible for policy development and program design and management for:
- Old Age Security
- Canada Pension Plan
- Canada Student Financial Assistance Program
- Canada Education Savings Program
- Canada Service Corps
- Canada Apprenticeship Strategy
- Employment Insurance Program
- Enabling Fund for Official Languages Minority Communities
- Foreign Credential Recognition Program
- Indigenous Skills and Employment Training Program
- Labour Market Transfer Agreements
- Opportunities Funds for Persons with Disabilities
- Skills and Partnership Fund
- Youth Employment Skills Strategy Program
- Canadian Dental Care Plan
Branches:
- Income Security and Social Development Branch
- Learning Branch
- Skills and Employment Branch
- Strategic and Service Policy Branch
Labour Program
Responsible for labour issues affecting federally regulated industries in Canada, including:
- Managing the Government of Canada's relationships with its international, federal, provincial, and territorial partners, and with unions and employers
- Providing mediation and conciliation services to unions and employers in the federally regulated private sector
- Promoting respect for international labour standards with Canada's international partners
- Leading the administration of labour legislation and regulations in the areas of workplace safety, labour standards, employment equity, and federal workers' compensation
Branches:
- Compliance, Operations and Program Development Branch
- Policy, Dispute Resolution, and International Affairs Branch
Service Canada
Provides Canadians with services and information in person, online, by phone and by mail and is a single point of access to ESDC and other Government of Canada programs. It is responsible for providing:
- Benefits and program delivery
- Service Canada Centres (SCC)
- Scheduled outreach sites
- SCC Passport Services sites
- My Service Canada Account
- Community outreach
- Telephone operations
- Digital presence (eSIN and Canada.ca)
- Identity management
- Program integrity operations
- Temporary Foreign Worker Program
Branches:
- Service Canada Transition Office
- Benefits Delivery Modernization
- Canadian Digital Service
- Integrity Services Branch
- Program Operations Branch
- Integrated Services Strategy and Operations Branch
- Temporary Foreign Workers Program Branch
- Integrated Service Delivery Organization
- Atlantic Region
- Québec Region
- Ontario Region
- Western and Territories Region
Internal Enablers
- Chief Data Officer Branch
- Chief Financial Officer Branch
- Human Resources Services Branch
- Innovation, Information and Technology Branch
- Legal Services Branch
- Public Affairs and Stakeholder Relations Branch
- Internal Audit and Enterprise Risk Management Branch
3. Organizational context
ESDC's Corporate Secretary and Chief Privacy Officer
ESDC's Corporate Secretariat Branch is responsible for issuing and overseeing the implementation of the Department's privacy management policy and providing privacy advice and guidance. It also processes ESDC's privacy requests in the National Capital Region. These activities are conducted by the ATIP Operations Division, with functional support from ESDC's four regional branches, and the PMD (see Figure 2). During fiscal year 2024-2025, ESDC prepared for organizational changes to support the anticipated introduction of new ATIPXPress processing software and national workload management, which are expected to launch in the coming year.
The Corporate Secretary heads the branch and is ESDC's designated Chief Privacy Officer (CPO). The CPO is the Department's functional authority on all privacy matters, including privacy request processing and the management of personal information. The CPO provides strategic privacy policy advice and maintains ESDC's privacy management program, which includes the assessment of privacy risks, determination of compliance with privacy legislation, policies, and standards, and the delivery of privacy training, all of which are crucial in implementing a privacy-by-design approach.
Access to Information and Privacy Operations Division
The ATIP Operations Division administers the Access to Information Act and the privacy request components of the Privacy Act for ESDC. It leads and advises on the processing of all ESDC requests under the Access to Information Act, performs line-by-line reviews of records requested under the acts, and delivers training and awareness sessions to departmental employees on their administration. The Director of ATIP Operations is ESDC's designated ATIP Coordinator.
During the fiscal year, the responsibility of processing requests continued to be shared between the ATIP Operations Division and the Department's four regional branches: Atlantic, Ontario, Quebec, and Western and Territories. The ATIP Operations Division was responsible for coordinating ATIP activities in ESDC's branches and regions, which include:
- responding to Access to Information Act requests;
- responding to specific Privacy Act requests;
- providing functional guidance to the regions about the operational and
- reporting components of the privacy function;
- delivering general and tailored training sessions to employees on the
- administration of both acts;
- leading modernization efforts; and
- reviewing Open Government publications for compliance with the acts.
The ATIP Operations Division is composed of an intake unit and ATIP processing teams. At the end of the 2024-2025 fiscal year, there were approximately 31 ATIP Operations employees.
Text description of Figure 1
Corporate Secretary and Chief Privacy Officer's office
- ATIP Operations Division:
- ATIP Intake
- ATIP Processing
- Privacy Management Division:
- Compliance Review and Advice
- Policy and Risk Assessments
- Incident Management and Legal Disclosures
- Strategic Advice and Planning
- Additionally, the structure shows regional ATIP Operations, which include:
- Western and Territories Region ATIP Operations
- Ontario Region ATIP Operations
- Québec Region ATIP Operations
- Atlantic Region ATIP Operations
Regional privacy operations
During the 2024-2025 fiscal year, the regional branches played a key role in fulfilling the Department's Privacy Act responsibilities. There were approximately 58 employees in the regions with ATIP processing duties. A network of liaison officers and managers within each region supports the processing of privacy requests and provides advice and guidance directly to program areas while coordinating with ATIP Operations Division.
Privacy Management Division
The PMD is ESDC's centre for privacy policy expertise and is the Department's focal point for authoritative privacy advice. In addition, the PMD:
- leads the horizontal implementation of departmental privacy policies and initiatives;
- conducts risk assessments;
- provides privacy compliance guidance;
- reviews proposed information-sharing agreements and draft contracts;
- responds to court and law enforcement requests for documents;
- administers public interest disclosures;
- plays a key role in the management and prevention of privacy breaches; and
- supports privacy training and awareness activities.
In doing so, the Division leverages privacy-by-design approaches that integrate privacy considerations in the early stages of new programs, projects, and initiatives. As the Department's privacy centre of expertise, the PMD provides strategic privacy policy and analytical advice to the CPO and ESDC's senior leaders.
The Division is organized into four functional groups consisting of a privacy policy and risk assessment unit, a privacy compliance and advisory services unit, an incident management and legislative disclosures unit, and a small strategic advisory and planning unit. At the end of the 2024-2025 fiscal year, the PMD had 36 employees.
Service Agreement with Accessibility Standards Canada
ESDC has a memorandum of understanding to provide ATIP services for Accessibility Standards Canada, an independent departmental corporation in the Department's portfolio. Established under the Accessible Canada Act, Accessibility Standards Canada is mandated to contribute to the realization of a Canada without barriers on or before January 1, 2040. Privacy services that are provided include request processing, annual reporting advice and statistics, liaison functions, and training. ESDC also furnishes, when required, analysis and advice for PIAs, information-sharing arrangements, disclosures, contracting, legislative and policy compliance, and the management of security incidents involving personal information.
4. Employment and Social Development Canada's privacy regime
Legal framework for privacy
ESDC operates within one of the most complex privacy regimes in the federal government, requiring the effective application and navigation of a myriad of privacy laws and policies. Its legal obligations are set out in the Privacy Act and in the personal information protection provisions found in the Department of Employment and Social Development Act (DESDA). Moreover, with the many collaborative efforts with which ESDC is involved to deliver national programs and services, legal interoperability with Government of Canada organizations, the provinces and territories, and municipal governments is always an important requirement.
The Privacy Act is the federal law that protects personal information under the control of federal public-sector institutions. Extending from the Charter of Rights and Freedoms, the Act is a key foundation piece for preserving the privacy interests of individuals in Canada. It sets the rules for the Government's management of personal information by providing a framework that establishes the requirements for federal institutions on how they can collect, use, retain, and disclose personal information.
The collection and use of personal information by federal institutions are based on lawful authority or legal authorization. Federal institutions can only collect or use personal information with a sufficiently direct connection to legally authorized programs and activities.
Personal information under the control of a government institution cannot be disclosed without the consent of the individual, except in specific circumstances. These include uses that are consistent with the purpose of the original collection, when authorized by federal legislation, to comply with legal instruments, such as subpoenas and court orders, in circumstances where there is a clear benefit to the individual, and where there is a public interest that outweighs the invasion of privacy. Importantly, the Act gives individuals the right to request access to their own personal information held by a federal institution and the right to request a correction to their information when it is inaccurate. The Privacy Act also establishes the Privacy Commissioner, an independent agent of Parliament who oversees the Act's implementation and has powers to receive and investigate complaints.
The administration of the Act by federal institutions, including ESDC, is supplemented by policies and directives. These are issued by the President of the Treasury Board or an authorized delegate.
In addition to the Privacy Act, the management of personal information by ESDC is undertaken in accordance with the statutory obligations in the Department's enabling legislation. DESDA describes the rules for personal information controlled by ESDC and is applied in tandem with the Privacy Act. DESDA sets out the requirements for:
- making personal information available to other federal institutions, provincial and territorial authorities or international partners for administrative and integrity purposes;
- making personal information available in the public interest and for law enforcement;
- making available the information contained in the Social Insurance Register;
- using personal information for internal policy analysis, research, and evaluation purposes; and
- making personal information available for research or statistical analysis.
Where the Department delivers services to the public on behalf of other federal institutions and jurisdictions, or when delivering select services for the Government of Canada, the partner's privacy regime, normally the Privacy Act, will apply instead of DESDA.
Privacy Act Delegation Order
Section 73 of the Privacy Act empowers the head of an institution to delegate any of the powers, duties, or functions assigned to that person by the Act to employees of that institution, typically through a delegation order. This instrument assigns the powers, duties, and functions for the administration of the Act that have been delegated by the head of the institution and to whom that delegation has been assigned.
The current Privacy Act Delegation Order, which was approved by the Minister of Employment and Social Development in March 2024, is reproduced in Annex A.
Departmental Policy on Privacy Management
The Departmental Policy on Privacy Management supports a robust privacy regime for the protection and judicious use of personal information by ESDC. Supplementing Treasury Board Secretariat (TBS) policies, directives, and standards, the ESDC policy contextualizes these privacy obligations for the Departmental operating context. It codifies the requirements for the management and protection of personal information, articulates clear and universal privacy policy principles, and specifies roles and responsibilities for the management of personal information, including discrete functional responsibilities and accountabilities. The policy also sets out ESDC's Privacy Management Framework, outlined below, designates the CPO, and establishes the Department's privacy governance mechanisms.
The expected results from the application of the Departmental Policy on Privacy Management include the sound management and safeguarding of personal information by the Department; the implementation of robust practices for the identification, assessment, and management of risks to personal information; and the establishment of clear accountabilities with effective governance structures and mechanisms to protect and manage personal information under ESDC's stewardship.
Privacy Management Framework
ESDC's Privacy Management Framework promotes a proactive approach for the management of personal information by fostering the integration of privacy practices in all departmental functions and privacy by design into the program, system, and business process architecture. The Framework consists of five elements:
- governance and accountability: Roles and responsibilities for privacy are clearly defined;
- Stewardship of personal information: Appropriate privacy protections are implemented to properly manage personal information throughout its life cycle;
- Assurance of compliance: Formal processes and practices are in place to ensure adherence to privacy specifications, policies, standards, and laws;
- Effective risk management: Structured and coordinated risk identification and assessments are conducted to limit the probability and impact of negative events; and
- Culture, training, and awareness: Privacy training and awareness activities that sustain a privacy-aware organization that values the protection and stewardship of personal information.
The Framework is a clear and succinct foundational element for establishing and operating a comprehensive privacy program in the Department.
Privacy governance at ESDC
ESDC uses a committee structure to support privacy governance, risk oversight, and decision-making. The Department's primary governance body for privacy and the safeguarding of personal information is the Data and Privacy Committee (DPC), which is co-chaired by the CPO and the Chief Data Officer. The DPC is mandated to provide oversight on the management of personal information entrusted to the Department and the management of enterprise data resources. The DPC supports the implementation and maintenance of ESDC's data strategy and privacy management programs, provides oversight on risk management processes for the management of data and personal information, and promotes a departmental culture that recognizes that data is a business asset that should be maximized while respecting the privacy rights of Canadians.
The DPC reports to the Assistant Deputy Minister-level Enterprise Management Committee (EMC). The EMC serves as the Department's horizontal oversight and decision-making body for the implementation of enterprise strategies, plans, policies, and guidelines related to the management of risk, data, information, technology, and security, as well as corporate finances and resources.
5. Policies, procedures, and initiatives
The breadth and scale of ESDC's activities mean that it is responsible for managing one of the largest personal information holdings in the Government of Canada. The delivery of programs and services by the Department involves the collection, use, and disclosure of large amounts of data. Often, detailed, and sensitive personal information is required to determine program eligibility or to deliver benefits and services. Along with its broad mandate and the responsibility to manage immense volumes of personal information, ESDC must operate within a complex privacy legal regime that includes not only the Privacy Act and DESDA but also involves the specific statutory requirements of the Department's federal and provincial government partners.
Throughout 2024-2025, ESDC continued to use and promote a proactive, risk-based approach to privacy management and sought to adapt its activities and processes to the needs of the changing privacy landscape. It applied its privacy lens to the large number of departmental initiatives, some of which will involve the large-scale collection, use, and disclosure of personal information.
Privacy assessments and compliance reviews
In accordance with the TBS Directive on PIAs, ESDC must conduct a PIA before establishing any new or substantially modified program or activity involving the administrative use of personal information. PIAs are used to identify and assess privacy risks, as well as to develop plans to reduce or eliminate those risks. Among federal institutions, ESDC is an innovator in the methods used to conduct privacy assessments. For example, to support its privacy by design approach, ESDC employs a suite of tools, which includes full PIAs, Privacy Analyses for Information Technology Solutions (PAITS), and privacy protocols when personal information is not used for an administrative purpose. PAITS is an assessment methodology that is focused on an IT solution or system and is used to identify privacy risks and assess impacts on privacy in the solution's design, procurement, or acquisition stages.
In 2024-2025, ESDC completed 12 PIAs and prepared significant updates for 2 others. Of particular note, this included a PIA of Old Age Security (OAS) on BDM. BDM aims to replace aging legacy systems with a single modern and secure platform for OAS, Employment Insurance (EI) and Canada Pension Plan (CPP). The OAS program was the first to be onboarded to the new BDM platform. Copies of the PIA reports were provided to TBS and the Office of the Privacy Commissioner (OPC). Information on these assessments is found in Annex B of this report and on ESDC's website at Privacy impact assessments.
Several privacy protocol reviews for the Department's policy analysis, research, and evaluation activities were also conducted. This past fiscal year, seven such reviews were completed for these initiatives involving non-administrative uses of personal information, compared to 10 during 2023-2024.
DESDA and its related regulations set out strict parameters for making personal information that is under the control of the Department availableFootnote 1. ESDC's privacy policy requires that all such information sharing agreements or arrangements with federal institutions, other orders of government, and service delivery providers are verified. Information Sharing Agreements are an essential tool for effective privacy management at ESDC.
These instruments are assessed to ensure they have the necessary terms and conditions for the use, disclosure, protection, and disposal of personal information. Moreover, the implementation of information-sharing agreements requires the endorsement of the appropriate privacy authority designated in the DESDA Delegation Order, which is normally the CPO or the Executive Director of PMD. Similarly, all procurement documents are required by policy to be examined by PMD to verify compliance with statutory and privacy policy requirements. This past fiscal year, 48 information-sharing agreements and 157 procurement instruments were reviewed in detail.
The Internal departmental demand for other types of privacy services remains high. For example, initial reviews of programs and projects, along with the privacy analysis of software applications generated large volumes of service requests. ESDC completed 95 such reviews in 2024-2025. The number of general privacy inquiries and requests for service from internal clients totalled 263 during the reporting period. ESDC also prepared 84 privacy notices and consent forms.
Notable examples of some of the PIAs conducted during the fiscal year are provided below:
Benefits Delivery Modernization Program
In the last two fiscal years, the Department completed three privacy assessments related to OAS on BDM, as follows: Release 1 focused on migration of the International Operations Foreign Benefits and Liaison work to the new Cúram platform, Release 2 focused on supporting OAS applications requiring the assistance of a Social Security Agreement, and Release 3 for the implementation to support all OAS clients (Domestic Eligibility and Entitlement Rules) and the full implementation of the End-to-End OAS Solution. Releases 2 and 3 took place simultaneously and were deployed in March 2025, building on Release 1 as the foundation.
To ensure that privacy by design principles are maintained in BDM's architecture and implementation, ESDC has dedicated significant privacy resources to work closely with the program team. Privacy advice is being integrated into the BDM design, while detailed privacy analyses and risk assessments are conducted for individual program components.
The canadian Dental Care Plan
ESDC completed three PIAs for the Canadian Dental Care Plan (CDCP). A privacy notice statement explaining the program's handling of personal information and privacy rights was also prepared for clients.
The CDCP is administered by Health Canada in collaboration with ESDC through Service Canada, the Canada Revenue Agency (CRA), and a third-party contractor. The CDCP helps ease financial barriers to accessing oral health care for up to nine million uninsured Canadian residents with an annual family income of less than $90,000. ESDC's primary roles are to administer member applications and renewals, provide information on eligibility, and deliver client support for applicants via various communication channels.
Canadian Digital Service
In 2023, the Canadian Digital Service (CDS) joined ESDC as an initiative. CDS aims to enhance whole-of-government service delivery by building digital products for use across government that address common needs for delivering services to the public, offering digital expertise, and improving the public's experience on Canada.ca. From a privacy perspective, the strategic vision for this initiative is to ensure that services are protected, secure and reduce the risk of fraud, while remaining a digital service enabler for the Government of Canada.
In addition to its core digital products, such as GC Notify, GC Forms, and GC Design System, CDS is also building an enterprise digital credential program that is focussed on modernizing the Government of Canada's authentication and credential management infrastructure through two new enterprise software products: GC Sign in and GC Issue and Verify. GC Sign in will provide a single, secure user-friendly way to sign in to federal services. GC Issue and Verify will allow government departments to issue and verify digital versions of physical credentials they already provide today, like work permits and boating licenses. These products will be optional, privacy-focussed and designed for accessibility.
New Treasury Board Secretariate Policy and Directives
In October 2024, TBS issued its revised Policy on Privacy Protection and Directive on Privacy Practices, which introduced significant changes to the requirements around PIAs, privacy protocols, risk mitigations, personal information banks, privacy definitions and privacy considerations for programs among others. These included new mandatory templates for PIAs, new guidelines for privacy protocols making them mandatory, ensuring institutions utilizing personal information for an administrative purpose have a personal information bank in place, mandatory annual review of risks identified in previously completed PIAs to ensure mitigation measures are implemented, new definitions for a substantial modification, as well as a program or activity and the mandatory requirement that institutions demonstrate that privacy considerations are incorporated at the design stage of programs and activities.
ESDC launched a review of its own templates and procedures to ensure that they were aligned to the new policy requirements. New ESDC templates were established to meet policy requirements and bi-annual risk follow-up exercises for the Department are conducted on an ongoing basis.
The updates to the Directive on Privacy Practices also included new and more precise mandatory direction related to contacts, agreements and arrangements. This direction is supported by the Guidance on Preparing Information Sharing Agreements Involving Personal Information - Canada.ca. ESDC manages and extensive number of programs and engages in extensive information sharing. To provide assurances that Information Sharing Agreements (ISA) are effectively managed and compliant with TBS policy, ESDC's Internal Audit and Enterprise Risk Management Branch conducted an audit in 2024 on ESDC's ISAs.
The audit aimed to enhance the management of ISAs and Information Sharing Agreements by focusing on four key criteria: Roles and Responsibilities, Guidance and Support, Agreements and Expertise, and Management Oversight. The goal was to provide assurance to senior management regarding the effectiveness of ISA management and compliance with TBS policy.
Following the audit, the Internal Audit and Enterprise Risk Management Branch made five key recommendations related to updating departmental policies, guidance and templates, updating existing ISAs to align to TBS requirements, enhance methods for assessing risk and improve the ISA repository. These recommendations aim to bolster ISA management and ensure adherence to relevant policies, ultimately enhancing information-sharing practices within the Department.
ESDC has developed an ISA Management Action Plan (to address and implement the above recommendations. An overarching departmental policy is in development that will clarify responsibilities for all stakeholders involved in the ISA process. New tools are also in development which will improve ESDC's risk-based approach when assessing future ISAs with plans to apply these tools retroactively to previously completed ISAs. This project will be ongoing until 2028 with plans of implementing key deliverables by the end of 2025.
ATIP Modernization
ESDC continues to modernize its ATIP infrastructure and processes to create a modern regime to meet the needs of the evolving ATIP landscape and increasing volume of requests. The modernization program consists of three key areas that gained momentum in 2024-2025:
- Implementation of the new ATIPXpress processing system and integration with Treasury Board Secretariat's ATIP Online Request Service (AORS) portal;
- Centralized resources and standardized procedures; and
- Enhanced client service and transparency measures.
It is anticipated that these modernization efforts will be completed by 2026, and benefits will be realized over the course of the next three fiscal years. While use of new tools, such as Artificial Intelligence (AI), will support efficiency gains moving forward, potential use of AI to support processing ATIP request will however not lead to the replacement of specialized trained ATIP officers.
ESDC's Privacy and Artificial Intelligence Initiatives
ESDC continues to explore opportunities to leverage AI as a tool in the effective and efficient achievement of its mandate, and privacy considerations are taken seriously in this endeavor. Departmental governance is in place to ensure compliance with TBS's recent Directive on Automated Decision Making. During the fiscal year, ESDC update its Privacy Checklist and PIA templates to include AI considerations for the projects that use this technology. PIAs have been conducted to assess and advise on privacy considerations.
Timeframe monitoring
Given the Department's decentralized approach to processing privacy requests, it currently does not employ centrally directed monitoring of the time taken to process personal information requests, limits to inter-institutional consultations, or reviews of frequently requested types of information. ESDC's regional offices manage most of the privacy requests (personal information requests and requests for the correction of personal information) for the Department and prepare periodic reports concerning new requests, workload, and status updates regarding on-time performance for privacy requests. Performance reports are generated by the regional offices on a monthly, quarterly, and yearly basis.
As the Department continues to modernize the privacy request function, standardization and compliance monitoring will be a major focus so that Canadians receive consistent, reliable access to information and privacy responses.
6. Performance overview
This section provides key statistics and analysis on ESDC's request processing performance during the 2024-2025 fiscal year. Most of the charts and tables below provide four-year comparisons that show the Department's trends for that metric in administering requests under the Privacy Act. The Department's detailed statistical report on its administration of the Privacy Act is found in Annex C. Please note that some totals may exceed 100% due to rounding.
Requests by calendar days taken to complete
The on-time compliance rate is the percentage of requests responded to within their legislative timelines, including requests for which the Department invoked legislative extensions. Last fiscal year, ESDC's compliance rate for closing requests within 30 days (or 60 days after an extension) continued to improve, increasing from 74% in 2023-2024 to 83% in 2024-2025.
Text description of Figure 2
The image represents a graphical representation of the number Privacy Act requests processed within and beyond legislative timeframes for the past 4 years.
For 2021 to 2022
- 58% of requests were processed within legislative timeframes, 42% were processed beyond
For 2022 to 2023
- 70.8% of requests were processed within legislative timeframes, 29.2% were processed beyond.
For 2023 to 2024
- 73.5% of requests were processed within legislative timeframes, 26.5% were processed beyond
For 2024 to 2025
- 82.8% of requests were processed within legislative timeframes, 17.2% were processed beyond
Completion times
The majority of completion times are within 30 days, as noted in Figure 4. The large volume of requests received by ESDC continues to be the primary reason for extensions.
Text description of Figure 3
The image represents a graphical representation of the number of calendar days taken to complete requests received under the Privacy Act for the past 4 years.
For 2021 to 2022
- 8,130 (46%) were completed in 30 calendar days
- 5,009 (29%) were completed in 31 to 60 calendar days
- 4,438 (25%) were completed in 61 or more calendar days
For 2022 to 2023
- 12,257 (56%) were completed in 30 calendar days
- 5,694 (28%) were completed in 31 to 60 calendar days
- 3,370 (16%) were completed in 61 or more calendar days
For 2023 to 2024
- 12,410 (60%) were completed in 30 calendar days
- 4,421 (21%) were completed in 31 to 60 calendar days
- 3,942 (19%) were completed in 61 or more calendar days
For 2024 to 2025
- 14,105 (60%) were completed in 30 calendar days
- 5,811 (25%) were completed in 31 to 60 calendar days
- 3,472 (15%) were completed in 61 or more calendar days
Active requests
As of April 1, 2025, there were 1,706 active requests carried over from the previous reporting periods, of which 1,636, or 96%, were on track to be processed within the legislated deadlines.
| Fiscal year during which the open request was received | Open requests that are Within Legislated Timelines as of March 31, 2025 | Open requests that are Beyond Legislated Timelines as of March 31, 2025 | Total |
|---|---|---|---|
| 2024 to 2025 | 1,634 | 29 | 1,663 |
| 2023 to 2024 | 0 | 10 | 10 |
| 2022 to 2023 | 0 | 11 | 11 |
| 2021 to 2022 | 2 | 12 | 14 |
| 2020 to 2021 | 0 | 7 | 7 |
| 2019 to 2020 | 0 | 1 | 1 |
| Totals | 1,636 | 70 | 1,706 |
Reasons for extensions
Institutions may apply for an extension beyond the original 30-day statutory time limit in cases where meeting the statutory date is not feasible. The Privacy Act sets timelines for responding to privacy requests and allows for extensions, up to a maximum of 30 days, in any of the following cases:
- when complying with the timeline would interfere with operations because of:
- a review being required to determine exemptions or exclusions;
- a large volume of pages requiring review;
- a large volume of requests; or
- the documents being difficult to obtain
- when a consultation is required; and
- when documents must be translated.
In 2024-2025, there were 3,890 large-volume requests and two requests requiring internal consultations among others detailed below, which could not reasonably be conducted within the initial 30 days. These requests resulted in ESDC invoking 3,947 extensions. This total is significantly higher compared to the previous fiscal year when the Department invoked 1,323 extensions.
| Privacy ActSection | Reason for extension | Number of requests for extension |
|---|---|---|
| 15(a)(i) Interference with operations | Further review required to determine exemptions | 4 |
| Large volume of pages | 30 | |
| Large volume of requests | 3,890 | |
| Documents are too difficult to obtain | 9 | |
| 15(a)(ii) Consultation | Cabinet Confidence (section 70) | 0 |
| External | 7 | |
| Internal | 2 | |
| 15(b) Translation purposes or conversion | Translation or conversion | 5 |
| Total | 3,947 | |
Consultations received from other Government of Canada institutions and organizations
ESDC received seven external consultation requests during the 2024-2025 fiscal year, which required the review of 82 pages. These requests originated from Government of Canada institutions and other organizations. The Department closed eight requests for consultations, five of which were completed within 30 days. Four requests resulted in the recommendation to disclose the records in their entirety. The other three were recommended to disclose in part. One request carried over from the previous reporting period was also completed.
| Types of consultation | 2021 to 2022 | 2022 to 2023 | 2023 to 2024 | 2024 to 2025 |
|---|---|---|---|---|
| Consultation requests received under the Privacy Act | 3 | 11 | 3 | 7 |
| Additional pages reviewed under the Privacy Act | 127 | 215 | 25 | 82 |
| Privacy Act requests for consultations closed | 5 | 12 | 2 | 8 |
| Privacy Act requests for consultations closed within 30 days | 1 | 8 | 0 | 5 |
Disposition of completed requests
During 2024-2025, the number of requests that were "all disclosed" was 4,753, representing 20.3% of completed requests, compared with 4,035 and 19.4% in the previous fiscal year. Out of the 23,388 completed requests last fiscal year, only seven files were exempted in their entirety, and none were excluded.
| Disposition | 2021 to 2022 Number of Requests | 2021 to 2022 Percent Age of Total | 2022 to 2023 Number of Requests | 2022 to 2023 Percent Age of Total | 2023 to 2024 Number of Requests | 2023 to 2024 Percent Age of Total | 2024 to 2025 Number of Requests | 2024 to 2025 Percent Age of Total |
|---|---|---|---|---|---|---|---|---|
| All disclosed | 1,880 | 10.7% | 2,969 | 13.9% | 4,035 | 19.4% | 4,753 | 20.3% |
| Disclosed in part | 12,058 | 68.6% | 13,633 | 63.9% | 11,157 | 53.7% | 12,793 | 54.7% |
| All exempted | 4 | 0.0% | 2 | 0.0% | 5 | 0.0% | 7 | 0.0% |
| All excluded | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| No records exist | 3,235 | 18.4% | 3,539 | 16.6% | 4,313 | 20.8% | 4,395 | 18.8% |
| Request abandoned | 400 | 2.3% | 1,178 | 5.5% | 1,262 | 6.1% | 1,440 | 6.2% |
| Neither confirmed nor denied | 0 | 0.0% | 0 | 0.0% | 1 | 0.0% | 0 | 0.0% |
| Totals | 17,577 | 100.0% | 21,321 | 100.0% | 20,773 | 100.0% | 23,388 | 100.0% |
Active complaints
As of April 1, 2025, there were 71 active complaints that still need to be processed, 43 of which were submitted to the Information Commissioner of Canada and 28 to the Privacy Commissioner of Canada.
| Fiscal year during which the complaint was received | Active complaints with the Information Commissioner of Canada as of March 31, 2025 | Active complaints with the Privacy Commissioner of Canada as of March 31, 2025 | Total |
|---|---|---|---|
| 2024 to 2025 | 20 | 4 | 24 |
| 2023 to 2024 | 16 | 4 | 20 |
| 2022 to 2023 | 6 | 9 | 15 |
| 2021 to 2022 | 1 | 10 | 11 |
| 2020 to 2021 | 0 | 1 | 1 |
| Totals | 43 | 28 | 71 |
7. Complaints, investigations, and court actions
Under the Privacy Act, individuals may lodge complaints to the OPC about the processing of their requests if they were refused access to their personal information or if they feel there was an undue delay. They can also lodge complaints about personal information handling practices, including the collection, use, or disclosure of their personal information.
Complaints
During the 2024-2025 fiscal year, the OPC accepted 29 complaints about the Department. These included six complaints related to the denial of access to personal information, one complaint concerning the improper collection of personal information, and nine complaints about the Department's handling of time extensions for processing requests. Additionally, there was one complaint alleging contraventions of section 4 to 8 of the Privacy Act, and 12 complaints related to the improper use and disclosure of personal information. Of the complaints received during the reporting period, 17 were resolved through the early resolution process, while five were found to be well-founded. By the end of the reporting period, a total of 28 remained open: four from 2024-2025, four from 2023-2024, and 20 carried over from 2020-2023.
Of complaints deemed to be well founded, two were conditionally resolved, and three were well-founded and resolved.
No privacy complaints were deliberated in the courts during the reporting period.
GCKey Investigations
In August 2020 the federal government publicly announced that fraudulent actors using stolen usernames and passwords had gained access to certain CRA online accounts and other departments' online accounts accessible via the Government of Canada's centralized "GCKey" authentication service and CRA's own login portal. The cyber-attacks focused on accessing and modifying personal information held by CRA and ESDC for financial gain. The attacks successfully compromised the sensitive personal information of tens of thousands of Canadians.
In February 2024, the OPC tabled a special report that outlined recommendations A through F to rectify and prevent a breach of this magnitude from occurring in the future. ESDC accepted all of the recommendations and has since implemented most recommendations and with full implementation expected by fall 2025. ESDC remains committed to safeguarding and protecting the personal information of Canadians through improved authentication measures going forward.
8. Public interest disclosures
Disclosures in the public interest are made by ESDC under subsection 37(1) of DESDA instead of under paragraph 8(2)(m) of the Privacy Act. All such disclosures are reported to the OPC.
During the 2024-2025 fiscal year, the Department made 427 public interest disclosures. ESDC carried out 355 disclosures in its regional branches, most of which resulted from incidents involving individuals who threatened to harm themselves or others. In situations where there is an immediate threat to the safety and security of individuals, Service Canada employees have the delegated authority to make the disclosure. Given the urgency of these incidents, the OPC was notified after the disclosure was made.
The disclosure of personal Information was approved in an additional 72 cases (PMD disclosures). In most of these instances, personal information was made available to locate an individual, such as a missing person, or for a police investigation. The OPC was notified regarding the PMD disclosures before the disclosures were made.
The reasons for these disclosures and the totals for each are described in the following table.
| Reason for disclosures | Number of disclosures |
|---|---|
| Regional disclosures (imminent threats) | 355 |
| PMD disclosures (72) | |
| Locate an individual (next of kin, estate related, locate an heir, missing person) | 63 |
| Police/Criminal investigation/Wanted individual | 4 |
| Other | 5 |
| Total | 427 |
9. Material privacy breaches
A privacy breach is defined by TBS policy as "the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information." A privacy breach is "material" when it "could reasonably be expected to create a real risk of significant harm to an individual." Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
During the 2024-2025 fiscal year, the Department reported 402 material breaches to the OPC and TBS, a 10% increase from the number of incidents in the previous fiscal year (364). In 382 cases, the breach consisted of lost, misdirected, or stolen passports and passport application documents, of which the Canada Post Corporation took responsibility for 329 incidents. ESDC was responsible for the other 53 incidents.
The Department continuously applies administrative, technical, and physical measures to reduce privacy breaches. Importantly, through ESDC's privacy training and awareness activities, employees are informed and trained in the handling of personal information, including appropriate use and safeguarding protocols.
Table 7 provides a breakdown of the material breaches by cause and a brief description of follow-up measures.
| Number of material breaches | Nature of information breached | Communication and notification | Actions undertaken in response |
|---|---|---|---|
| 18 | Personal information incorrectly shared with third-party individuals via telephone, email, or mail; and/or Documents containing personal information of clients were lost or stolen. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| 2 | Employees who made unauthorized access into departmental systems of client information (mostly discovered as part of internal audits conducted on the departmental systems). | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| 329 | Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected, where Canada Post Corporation was responsible for the breach. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| 53 | Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected because of an internal ESDC error. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
| Total Number of Material Breaches: 402 | |||
10. Training and awareness activities
Online privacy training
ESDC has a comprehensive training program to increase knowledge and awareness of appropriate personal information management practices throughout the Department. All employees must maintain a valid two-year certification in Stewardship of Information and Workplace Behaviours (SIWB), which addresses privacy, the handling of personal information, security, access to information, information management, and values and ethics. It is a component of the Department's Essential Training Curriculum and is delivered online. At the end of the reporting period, 6,176 employees had attained SIWB certification during the fiscal year.
To complement SIWB certification, ESDC has additional privacy-relevant online courses in its training catalogue. The "Access to Information and Privacy (ATIP): It's Everybody's Business" course gives employees the knowledge required to protect, use, and disclose personal information daily and teaches them to prevent breaches by seeking guidance or by using good judgment in a timely manner. In the last fiscal year, 4,672 employees completed the course.
New employees take the "Doing Things Right and Doing the Right Thing: Putting the Departmental Code of Conduct into Action" course, which has a significant privacy component. The course helps participants understand the application of ethical behaviour in the workplace and how to use that knowledge to guide them in their day-to-day work and decision-making. The course was taken by 4,683 employees during the 2024-2025 fiscal year.
In-person and virtual training and awareness
Throughout the reporting period, the Department continued to deliver practical, easy-to-understand, and readily available privacy information and guidance to employees to reinforce the application of appropriate personal information handling and safeguarding practices, as well as to provide general knowledge on the philosophical and legislative underpinnings of privacy. The highlight of these activities were privacy-themed information events, and a series of specialized knowledge talks delivered during Privacy Awareness Week in January 2024. In support of Privacy Act request processing, specialized training was provided to key departmental stakeholders and ATIP Operations staff. Overall, 2,823 ESDC employees attended, either in-person or by video, 31 privacy training and awareness sessions offered during 2024-2025. Additionally, a new training module was developed called "Privacy Notice Statements and Consent." This training helps participants understand when to use privacy notices and consent statements. The Department will continue to leverage opportunities for learning going forward in coordination with the Innovation Information and Technology Branch, the Integrity Service Branch and the Chief Data Officer Branch.
Annex A - Privacy Act Delegation Order
The Minister of Employment and Social Development, pursuant to section 73 of the Privacy Act and section 11 of the Department of Employment and Social Development Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister as the head of the Department of Employment and Social Development, under the provisions of the aforementioned Acts and related regulations set out in the schedule opposite each position.
This designation replaces all previous designation orders.
Dated, at the City of Gatineau, this 6th day of March 2024.
Original signed by the Honourable Randy Boissonnault, Minister of Employment and Social Development
Department of Employment and Social Development
Department of Employment and Social Development
Privacy Act - Delegated Authorities
| Description | Section | Delegated Authority |
|---|---|---|
| Retention of a record of requests and disclosed records to investigative bodies under section 8(2)(e) of the Privacy Act. | 8(4) |
|
| Retention of records of uses of personal information | 9(1) |
|
| Notification of the Privacy Commissioner of any new consistent uses of personal information and ensure use is included in the next statement of consistent uses set forth in the Index | 9(4) |
|
| Include personal information in personal information banks | 10 |
|
| Respond to request for access within 30 days and give written notice and, if access to be given, give access. | 14 |
|
| Extension of the 30-day time limit to respond to a privacy request. | 15 |
|
| Decision on whether to translate a response to a privacy request in one of the two official languages. | 17(2)(b) |
|
| Decision on whether to convert personal information to an alternate format | 17(3)(b) |
|
| Decision to refuse to disclose personal information contained in an exempt bank. | 18(2) |
|
| Decision to refuse access to personal information that was obtained in confidence from the government of a foreign state or institution, an international organization of states or an institution thereof, the government of a province or institution thereof, a municipal or regional government established by or pursuant to an act of the legislature of a province or an institution of such a government, or the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act or the council of a participating in First Nation as defined in the First Nations Jurisdiction over Education in British Columbia Act | 19(1) |
|
| Authority to disclose personal information referred to in section 19(1) if the government, organization or institution described in section 19(1) consents to the disclosure or makes the information public. | 19(2) |
|
| Refuse to disclose personal information that may be injurious to the conduct of federal-provincial affairs | 20 |
|
| Refuse to disclose personal information that may be injurious to international affairs or the defence of Canada or one of its allies. | 21 |
|
| Refuse to disclose personal information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions | 22 |
|
| Refuse to disclose personal information created for the Public Servants Disclosure Protection Act. | 22.3 |
|
| Refuse to disclose personal information prepared by an investigative body for security clearance. | 23 |
|
| Refuse to disclose personal information that was collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence if the conditions in the section are met | 24 |
|
| Refuse to disclose personal information that could threaten the safety of individuals | 25 |
|
| Refuse to disclose personal information about another individual and shall refuse to disclose such information where disclosure is prohibited under section 8 | 26 |
|
| Refuse to disclose personal information that is subject to solicitor-client privilege. | 27 |
|
| Refuse to disclose personal information relating to the individual's physical or mental health where the disclosure is contrary to the best interests of the individual | 28 |
|
| Receive notice of investigation by the Privacy Commissioner | 31 |
|
| Right to make representations to the Privacy Commissioner during an investigation | 33(2) |
|
| Receive Privacy Commissioner's report of findings of an investigation and give notice of action taken | 35(1) |
|
| Provision of addition personal information to a complainant after receiving a 35(1)(b) notice. | 35(4) |
|
| Receive Privacy Commissioner's report of findings of investigation of exempt bank | 36(3) |
|
| Receive report of Privacy Commissioner's findings after compliance investigation | 37(3) |
|
| Request that a court hearing, undertaken with respect to certain sections of the Act, be held in the National Capital Region. | 51(2)(b) |
|
| Request and be given right to make representations in section 51 hearings | 51(3) |
|
| Prepare annual report to Parliament | 72(1) |
|
Privacy Regulations - Delegated Authorities
| Description | Section | Delegated Authority |
|---|---|---|
| Allow examination of the documents (Reading Room) | 9 |
|
| Notification of Correction | 11(2) |
|
| Correction refused; notation placed on file | 11(4) |
|
| Disclosure to a medical practitioner or psychologist | 13(1) |
|
| Disclosure in the presence of a medical practitioner or psychologist | 14 |
|
Annex B - Summaries of completed privacy impact assessments
ESDC completed PIAs over the course of the 2024-2025 fiscal year and significantly updated two previously completed assessments. In addition to standard PIAs, ESDC uses (PAITS, which is a customized PIA focused on an IT solution or system. The purpose of a PAITS is to identify privacy risks and assess impacts on privacy in the solution's design, procurement, or acquisition stages. Its conclusions give assurances to senior management that the protection of personal information has been considered prior to implementation and outlines a mitigation action plan to resolve identified risks. PAITS satisfy departmental and TBS requirements for the fulfillment of PIAs. Of the completed PIAs, five were PAITS. ESDC conducts bi-annual privacy risk follow-up exercises to ensure risks and compliance issues are fully addressed and in a timely manner.
Information on ESDC's PIAs is found on the Department's PIA website.
Canadian Dental Care Plan - Phase 2
The 2023 federal budget proposes providing $13 billion over five years, starting in 2023-2024, and $4.4 billion ongoing, to Health Canada to implement the new CDCP. The CDCP will provide dental coverage for uninsured Canadians with an annual family income of less than $90,000. ESDC is a service delivery partner with one of its roles being an assessor of eligibility. The assessment examines the privacy risks and strategies related to the management and protection of personal information collected in the form of online CDCP applications. The PIA identified two medium risks and no compliance issues.
Integrated Labour System: Federal Mediation and Conciliation Service
The Integrated Labour System was a modernization initiative within the Labour Program to consolidate existing electronic systems, tools and data of various business lines into one central system. This PIA was completed to identify the privacy risks related to Federal Mediation Conciliation Service's collection, use, disclosure, and safeguarding of personal information. The PIA identified five medium risks, two low risks, and three compliance issues.
Canada-Ukraine Transitional Assistance Initiative
The Canada-Ukraine Transitional Assistance Initiative (CUTAI) is a service delivery managed by Service Canada on behalf of Immigration, Refugees and Citizenship Canada. The CUTAI provides Ukrainian nationals fleeing the war in Ukraine with a one-time payment ($3,000 CAD for adults or $1,500 CAD for minors) to assist them during their stay in Canada. The CUTAI expired on June 30, 2024. This initiative involves collecting information from Immigration, Refugees and Citizenship Canada on potential applicants and managing payments. The assessment examines the privacy risks and strategies related to the management and protection of personal information handled by the CUTAI. The PIA identified one medium risk, one insignificant risk as well as one compliance issue.
Canada Pension Plan Program Return to Work Pilot
Canada Pension Plan's Disability Benefits (CPPD) program's suite of return-to-work (RTW) supports are intended to facilitate the transition for beneficiaries who wish to attempt to return to work. The Pilot will run until March 2026 and is expected to engage approximately 750 CPPD RTW clients. The personal information collected will also be used for non-administrative purposes to evaluate outcomes and to inform policy. The assessment identifies privacy risks associated with the collection and use of personal information in the CPPD RTW Pilot which involves a decision-making process that affects certain individuals. There were no privacy risks or privacy-related compliance issues uncovered by this PIA.
Secure Portal for Verified Partners in Children Services Annex to the Electronic Social Insurance Number (PAITS)
The Secure Portal for Verified Partners in Children Services under ESDC will allow authorized and verified Children and Family Services delegated staff across Canada to apply or request confirmation of a Social Insurance Number (SIN), on behalf of children in their care. This PAITS ensures privacy protection measures were considered in the collection of personal information. The analysis focused on the enhancement of the web-based portal for Children and Family Services delegated staff. The PAITS identified one medium risk and one compliance issue.
Cúram (PAITS)
The BDM program was created by ESDC to transform and modernize the service delivery of benefits and services to Canadians. The OAS Release 1 Foreign Benefits and Liaisons is the first to onboard on the BDM Cúram platform. Foreign Benefits and Liaisons form will transfer client information between Canada and foreign country. This privacy analysis for IT solutions identifies the privacy risks associated with the implementation of the core benefit platform, Cúram, to support the onboarding of OAS Release 1 Foreign Benefits and Liaisons. The PAITS identified a total of four medium risks and one compliance issue.
Assault-Style Firearms Compensation Program Phase 1 - Business
The "Assault-Style Firearms Compensation Program Phase 1 - Business" is a multi-institutional PIA led by Public Safety Canada and supported by its partners, the Royal Canadian Mounted Police and ESDC/Service Canada. This PIA aims to facilitate the self-declaration of assuault-style firearm owners; the collection, validation, and destruction of assault-style firearms; and issuing compensation.
Emergency Management Application System (PAITS)
The Emergency Management Application System (EMAS) serves to support ESDC's emergency management and business continuity activities. The EMAS solution will operate as a cloud-based Software as a Service that is accessible across ESDC. A copy of employee personal contact information will be transmitted from ESDC's primary system for digital Human Resources services (PeopleSoft) to EMAS. The assessment examines the privacy risks related to the management and protection of personal information that will be transmitted to and stored in the cloud-based EMAS solution hosted by a third party. The PAITS identified one compliance issue, which has since been resolved.
Integrated Service Strategy and Operations' Pensions Trusted Digital Repository (PAITS)
The Integrated Service Strategy and Operations' Pensions Trusted Digital Repository (PTDR) project will replace the current digital pensions file storage solution-shared drives-with Microsoft 365 SharePoint Online. The PAITS has been completed to identify the privacy risks related to the PTDR, which will involve the configuration of a third-party cloud-based solution to collect and store pensions application information. This PAITS focused on the PTDR that will provide secure storage for the digitized applications and support documents. The PAITS identified two medium privacy risks and one low privacy risk.
Prescribed Presence in the Workplace - Low Onsite Connectivity Monitoring
ESDC will be implementing individual-level, low onsite connectivity monitoring of employees. Using existing ESDC systems, this activity is designed to support managers in verifying employee compliance with the TBS Direction on Prescribed Presence in the Workplace. The assessment examines the privacy risks and strategies related to the management and protection of personal information. The PIA identified two medium risks and one low risk. In addition, there was one compliance issue.
Enhancement to the fraud monitoring capacity as part of the modernization of the Enterprise Cyber Authentication Solution
The Innovation Information and Technology Branch is modernizing the Enterprise Cyber Authentication Solution through the Tech Debt initiative. This initiative addresses the gap between current and required technology, mitigating service delivery risks by upgrading network capacity and updating hardware and software. It ensures ESDC's technology supports existing systems and the new BDM platform, while establishing disaster recovery solutions to minimize service disruptions for Canadians. The Integrity Services Branch seeks authorization to collect and store Internet Protocol (IP) addresses to enhance protection against fraudulent activities. This will help identify the source of online transactions and logins. The goal is to improve IP address storage for accurate data analysis, better tracking, detailed reporting, and real-time activity representation for MSCA users. The assessment examines the privacy risks and strategies related to the management and protection of personal information associated with specific activities, including authentication, account creation, mapping, remapping, etc.; the collection of the telemetry data (IP address, session ID, User Agent, time and date, and the user's windows size); and the safeguarding of the telemetry data.
Social Insurance Number on My Service Canada Account - Release 2 and 3 (PAITS)
The Social Insurance Number on My Service Canada Account (SINOM) project provides real-time SIN confirmation to clients. SINOM expanded the current SIN-based registration requirements to enable clients who do not have a SIN to register for MSCA using their Birth Registration Number or Unique Client Identifier. SINOM is using a phased implementation approach. In August 2023, it launched its first minimum viable product (MVP 1), allowing digital viewing of SINs on MSCA while still mailing SIN Confirmation Letters. Release 2, in January 2024, offered clients the option of a digital-only SIN during eSIN applications, removing the automatic mailing of confirmation letters. Release 3, planned for May 2025, will provide the SIN Confirmation Letter on MSCA, along with security enhancements and system upgrades. In line with the TBS Directive on Privacy Impact Assessment, the original PAITS for MVP 1 was completed to identify privacy risks related to SINOM's use of personal information in the MSCA registration and authentication process. An addendum was created to document activities for Releases 2 and 3 and to assess any new privacy risks or issues. The PAITS addendum identified one medium risk in relation to Release 3.
Annex C - Statistical reports
ESDC Statistical Report on the Privacy Act, 2024 to 2025
Name of institution: Employment and Social Development Canada
Reporting period: 2024-04-01 to 2025-03-31
Section 1 Requests under the Privacy Act
| Detail | Number of Requests |
|---|---|
| Received during reporting period | 22,451 |
| Outstanding from previous reporting period | 2,643 |
| Outstanding from previous reporting periods | 2,595 |
| Outstanding from more than one reporting period | 48 |
| Total | 25,094 |
| Closed during reporting period | 23,388 |
| Carried over to next reporting period | 1,706 |
| Carried over within legislated timeline | 1,636 |
| Carried over beyond legislated timeline | 70 |
| Source | Number of Requests |
|---|---|
| Online | 7,795 |
| 3,610 | |
| 4,408 | |
| In person | 25 |
| Phone | 20 |
| Fax | 6,593 |
| Total | 22,451 |
Section 2 Informal Requests
| Detail | Number of Requests |
|---|---|
| Received during reporting period | 4,342 |
| Outstanding from previous reporting period | 1,073 |
| Outstanding from previous reporting periods | 1,064 |
| Outstanding from more than one reporting period | 9 |
| Total | 5,415 |
| Closed during reporting period | 3,949 |
| Carried over to next reporting period | 1,466 |
| Source | Number of Requests |
|---|---|
| Online | 744 |
| 695 | |
| 1,630 | |
| In person | 3 |
| Phone | 48 |
| Fax | 1,222 |
| Total | 4,342 |
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
|---|---|---|---|---|---|---|---|
| 1,052 | 482 | 349 | 337 | 251 | 1,291 | 187 | 3,949 |
| Less Than 100 Pages Released | 100-500 Pages Released | 501-1,000 Pages Released | 1,001-5,000 Pages Released | More Than 5,000 Pages Released | |||||
|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released | Number of Requests | Pages Released |
| 2,708 | 63,612 | 1,074 | 226,744 | 107 | 77,107 | 58 | 94,017 | 2 | 12,532 |
Section 3 Requests Closed During the Reporting Period
| Disposition of Requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 0 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| All disclosed | 1,361 | 1,692 | 1,141 | 543 | 6 | 5 | 5 | 4,753 |
| Disclosed in part | 1,798 | 4,010 | 4,181 | 2,733 | 19 | 32 | 20 | 12,793 |
| All exempted | 0 | 4 | 2 | 0 | 0 | 1 | 0 | 7 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 1,491 | 2,448 | 380 | 74 | 0 | 1 | 1 | 4,395 |
| Request abandoned | 973 | 328 | 107 | 24 | 1 | 2 | 5 | 1,440 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 5,623 | 8,482 | 5,811 | 3,374 | 26 | 41 | 31 | 23,388 |
| Section | Number of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 6 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 42 |
| 22(1)(c) | 1 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 0 |
| 22.4 | 0 |
| 23(a) | 1 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 2 |
| 25 | 1 |
| 26 | 12,815 |
| 27 | 84 |
| 27.1 | 0 |
| 28 | 1 |
| Section | Number of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
| Paper | Electronic: E-record | Electronic: Data set | Electronic: Video | Electronic: Audio | Other |
|---|---|---|---|---|---|
| 3,678 | 13,851 | 7 | 0 | 27 | 7 |
3.5 Complexity
| Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|
| 2,212,302 | 2,078,409 | 18,993 |
| Disposition | Less than 100 Pages Processed | 101 to 500 Pages Processed | 501 to 1,000 Pages Processed | 1,001 to 5,000 Pages Processed | More than 5,000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Processed | Number of Requests | Pages Processed | Number of Requests | Pages Processed | Number of Requests | Pages Processed | Number of Requests | Pages Processed | |
| All disclosed | 4,275 | 89,227 | 469 | 76,737 | 7 | 5,437 | 2 | 2,288 | 0 | 0 |
| Disclosed in part | 7,046 | 307,930 | 5,160 | 1,046,508 | 409 | 274,236 | 165 | 292,593 | 13 | 111,623 |
| All exempted | 5 | 57 | 1 | 169 | 0 | 0 | 1 | 2600 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1,436 | 273 | 1 | 236 | 2 | 1,311 | 1 | 1,077 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 12,762 | 397,487 | 5,631 | 1,123,650 | 418 | 280,984 | 169 | 298,558 | 13 | 111,623 |
| Number of Minutes Processed | Number of Minutes Disclosed | Number of Requests |
|---|---|---|
| 4,109 | 4,096 | 27 |
| Disposition | Less than 60 Minutes Processed |
60-120 Minutes Processed |
More than 120 Minutes Processed |
|||
|---|---|---|---|---|---|---|
| Number of Requests | Minutes Processed | Number of Requests | Minutes Processed | Number of Requests | Minutes Processed | |
| All disclosed | 3 | 102 | 1 | 115 | 1 | 257 |
| Disclosed in part | 8 | 249 | 2 | 120 | 12 | 3,266 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 11 | 351 | 3 | 235 | 13 | 3,523 |
| Number of Minutes Processed | Number of Minutes Disclosed | Number of Requests |
|---|---|---|
| 0 | 0 | 0 |
| Disposition | Less than 60 minutes processed |
60-120 minutes processed |
More than 120 minutes processed |
|||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 |
| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 3 | 39 | 42 |
| Disclosed in part | 6 | 0 | 272 | 602 | 880 |
| All exempted | 1 | 0 | 0 | 0 | 1 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 42 | 43 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 8 | 0 | 275 | 683 | 966 |
3.6 Closed Requests
| Detail | Requests Closed within Legislated Timelines |
|---|---|
| Number of requests closed within legislated timelines | 19,356 |
| Percentage of requests closed within legislated timelines (%) | 82.76038994 |
3.7 Deemed Refusals
| Number of Requests Closed Past the Legislated Timelines | Principal Reason: Interference with Operations / Workload | Principal Reason: External Consultation | Principal Reason: Internal Consultation | Principal Reason: Other |
|---|---|---|---|---|
| 4,032 | 4,027 | 0 | 0 | 5 |
| Number of Days Past Legislated Timelines | Number of Requests Past Legislated Timelines Where No Extension Was Taken | Number of Requests Past Legislated Timelines Where an Extension WasTaken | Total |
|---|---|---|---|
| 1 to 15 days | 366 | 42 | 408 |
| 16 to 30 days | 657 | 9 | 666 |
| 31 to 60 days | 2,772 | 8 | 2,780 |
| 61 to 120 days | 92 | 5 | 97 |
| 121 to 180 days | 19 | 3 | 22 |
| 181 to 365 days | 24 | 9 | 33 |
| More than 365 days | 13 | 13 | 26 |
| Total | 3,943 | 89 | 4,032 |
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 5 | 0 | 5 |
| Total | 5 | 0 | 5 |
Section 4 Disclosures under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Section 5 Requests for Correction of Personal information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 10 |
| Requests for correction accepted | 3 |
| Total | 13 |
Section 6 Extensions
| Number of Requests Where an Extension Was Taken | 15(a)(i) Interference with Operations | 15 (a)(ii) Consultation | 15(b) Translation Purposes or Conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 3,947 | 4 | 30 | 3,890 | 9 | 0 | 7 | 2 | 5 |
| Length of Extensions | 15(a)(i) Interference with Operations | 15 (a)(ii) Consultation | 15(b) Translation Purposes or Conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 1 to 15 days | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 days | 4 | 30 | 3,890 | 9 | 0 | 7 | 2 | 5 |
| 31 days or Greater | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 4 | 30 | 3,890 | 9 | 0 | 7 | 2 | 5 |
Section 7 Consultations Received from Other Institutions and Organizations
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during the reporting period | 7 | 78 | 0 | 0 |
| Outstanding from the previous reporting period | 1 | 4 | 0 | 0 |
| Total | 8 | 82 | 0 | 0 |
| Closed during the reporting period | 8 | 82 | 0 | 0 |
| Carried over within negotiated timelines | 0 | 0 | 0 | 0 |
| Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| Disclose entirely | 1 | 2 | 1 | 0 | 0 | 0 | 0 | 4 |
| Disclose in part | 2 | 0 | 1 | 0 | 0 | 0 | 0 | 3 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
| Total | 3 | 2 | 2 | 0 | 0 | 1 | 0 | 8 |
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8 Completion Time of Consultations on Cabinet Confidences
| Number of days | Fewer than 100 Pages Processed | 100 to 500 Pages Processed | 501 to 1,000 Pages Processed | 1,001 to 5,000 Pages Processed | More than 5,000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of days | Fewer than 100 Pages Processed | 100 to 500 Pages Processed | 501 to 1,000 Pages Processed | 1,001 to 5,000 Pages Processed | More than 5,000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 9 Complaints and investigations Notices Received
| Section 31 | Section 33 | Section 35 | Court Action | Total |
|---|---|---|---|---|
| 29 | 3 | 5 | 0 | 37 |
Section 10 Privacy Impact Assessments and Personal Information Banks
| Number of PIAs Completed | 11 |
|---|---|
| Number of PIAs Modified | 1 |
| Personal Information Banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| Institution-specific | 64 | 2 | 0 | 8 |
| Central | 0 | 0 | 0 | 0 |
| Total | 64 | 2 | 0 | 8 |
Section 11 Privacy Breaches
| Number of Material Privacy Breaches Reported to TBS | 402 |
|---|---|
| Number of Material Privacy Breaches Reported to OPC | 402 |
| Number of Non-material Privacy Breaches | 1,072 |
|---|
Section 12 Resources Related to the Privacy Act
| Expenditures | Amount |
|---|---|
| Salaries | $7,427,275 |
| Overtime | $344,028 |
| Goods and services | $176,849 |
Goods and services: Professional services contracts |
$155,647 |
Goods and Services: Other |
$21,202 |
| Total | $7,948,151 |
| Resources | Person years dedicated to privacy activities |
|---|---|
| Full-time employees | 24.515 |
| Part-time and casual employees | 0.970 |
| Regional staff | 61.187 |
| Consultants and agency personnel | 0.020 |
| Students | 1.866 |
| Total | 88.558 |
Supplemental Statistical Report on the Access to Information Act and the Privacy Act
Name of Institution: Employment and Social Development Canada
Reporting Period: 2024-04-01 to 2025-03-31
Section 1 Open Requests and Complaints Under the Access to Information Act
| Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2025 | Open Requests that are Beyond Legislated Timelines as of March 31, 2025 | Total |
|---|---|---|---|
| Received in 2024-2025 | 184 | 44 | 228 |
| Received in 2023-2024 | 7 | 64 | 71 |
| Received in 2022-2023 | 2 | 66 | 68 |
| Received in 2021-2022 | 7 | 41 | 48 |
| Received in 2020-2021 | 4 | 38 | 42 |
| Received in 2019--2020 | 5 | 21 | 26 |
| Received in 2018-2019 | 0 | 3 | 3 |
| Received in 2017-2018 | 0 | 1 | 1 |
| Received in 2016-2017 | 0 | 0 | 0 |
| Received in 2015-2016 or earlier | 0 | 0 | 0 |
| Total | 209 | 278 | 487 |
| Fiscal Year Open Complaints Were Received by Institution | Number of Open Complaints |
|---|---|
| Received in 2024-2025 | 20 |
| Received in 2023-2024 | 16 |
| Received in 2022-2023 | 6 |
| Received in 2021-2022 | 1 |
| Received in 2020-2021 | 0 |
| Received in 2019-2020 | 0 |
| Received in 2018-2019 | 0 |
| Received in 2017-2018 | 0 |
| Received in 2016-2017 | 0 |
| Received in 2015-2016 or earlier | 0 |
| Total | 43 |
Section 2 Open Requests and Complaints Under the Privacy Act
| Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2025 | Open Requests that are Beyond Legislated Timelines as of March 31, 2025 | Total |
|---|---|---|---|
| Received in 2024-2025 | 1,634 | 29 | 1,663 |
| Received in 2023-2024 | 0 | 10 | 10 |
| Received in 2022-2023 | 0 | 11 | 11 |
| Received in 2021-2022 | 2 | 12 | 14 |
| Received in 2020-2021 | 0 | 7 | 7 |
| Received in 2019-2020 | 0 | 1 | 1 |
| Received in 2018-2019 | 0 | 0 | 0 |
| Received in 2017-2018 | 0 | 0 | 0 |
| Received in 2016-2017 | 0 | 0 | 0 |
| Received in 2015-2016 or earlier | 0 | 0 | 0 |
| Total | 1,636 | 70 | 1,706 |
| Fiscal Year Open Complaints Were Received by Institution | Number of Open Complaints |
|---|---|
| Received in 2024-2025 | 4 |
| Received in 2023-2024 | 4 |
| Received in 2022-2023 | 9 |
| Received in 2021-2022 | 10 |
| Received in 2020-2021 | 1 |
| Received in 2019-2020 | 0 |
| Received in 2018-2019 | 0 |
| Received in 2017-2018 | 0 |
| Received in 2016-2017 | 0 |
| Received in 2015-2016 or earlier | 0 |
| Total | 28 |
Section 3: Social Insurance Number
| Did Your Institution Receive Authority for a New Collection ora New Consistent Use of the SIN in 2024-2025? | Yes |
|---|
Section 4: Universal Access under the Privacy Act
| How Many Requests Were Received from Confirmed Foreign Nationals Outside of Canada in 2024-2025? | 126 |
|---|