ARCHIVED - Health Canada Privacy Act Annual Report 2009-2010

Health Canada
2010
ISBN: 978-1-100-16142-6 (PDF Version)
Cat. No.: H1-9/3-2-2010E (PDF Version)
HC Pub.: 110012 (PDF Version)

Table of Contents

Introduction

I. Privacy Act

The Privacy Act (the Act) gives individuals the right of access to information about themselves held by the federal government with certain specific and limited exceptions. The Act protects an individual's privacy by setting out provisions related to the collection, retention, use and disclosure of personal information.

The Privacy Act requires (in section 72) the head of every federal government institution to submit an annual report to Parliament on the administration of the Act following the close of each fiscal year. This report describes how Health Canada fulfilled its privacy responsibilities during the fiscal year 2009-2010.

II. About Health Canada

Health Canada was established to help the people of Canada maintain and improve their health. Health Canada is also committed to improving the lives of all Canadians and making this country's population among the healthiest in the world as measured by longevity, lifestyle and effective use of the public health care system.

Health Canada develops, implements and enforces regulations, legislation, policies, programs, services and initiatives and works with other federal partners, the provinces and territories. As administrator of the Canada Health Act, Health Canada ensures that the principles of Canada's universal health care are respected, allowing Canadians to be confident in the services they receive from the public health care system. The Minister of Health is also responsible for direct administration of another 18 statutes including the Food and Drugs Act, the Pest Control Products Act and the Controlled Drugs and Substances Act. Health Canada also provides health services to First Nations peoples and to Inuit communities.

Health Canada has regional offices in British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, Atlantic and Northern Region.

For more information about Health Canada, please visit our website at www.health.gc.ca

In January 2009, Health Canada launched "Improving Together", an initiative aimed at transforming the way we work as a department to build a more collaborative organization. Each of the nine initiatives that comprise Improving Together is directly linked to a departmental activity: Science; Policy; Internal Services; Regulatory activities; Communications and consultation; New partnership models for First Nations and Inuit; Regional activities; Compliance and enforcement; Grants and contributions.

Even though these initiatives do not specifically address the administration of the Privacy Act, the efficiencies that will result in the areas of consolidation, collaboration, coordination, work organization, and the strengthening of the procedures for the development of Memoranda to Cabinet are expected to support a stronger Departmental privacy regime.

Privacy Infrastructure

I. The Access to Information and Privacy (ATIP) Division

The Access to Information and Privacy (ATIP) Division within the Planning, Integration and Management Services Directorate, Corporate Services Branch is responsible for administering the Privacy Act, as well as associated Treasury Board Policies and Directives for Health Canada.

The responsibilities of the ATIP Division include:

  • responding to privacy requests;
  • monitoring trends in national and international privacy issues to provide informed advice to departmental clients;
  • representing the federal health perspective on privacy and electronic health records;
  • ensuring that Health Canada's personal information holdings are published in Info Source;
  • coordinating and overseeing the Privacy Impact Assessment process for Health Canada;
  • analysing privacy practices in the healthcare sector;
  • advising program managers of the requirements of the Privacy Act for the collection, retention, use, and disclosure of personal information;
  • reviewing proposed legislation, regulations and policies to determine specific or additional privacy issues;
  • promoting staff awareness and providing training on the Privacy Act;
  • developing corporate privacy policies and practices to protect and guide access to personal information;
  • working with the Privacy Commissioner, other government departments and agencies, provincial ministries of health and other key stakeholders.

II. Delegation of Authority

The Delegation Order is attached as Appendix A.

Requests under the Privacy Act - Statistical Figures and Interpretation and Explanation

I. Statistical Report

Health Canada's statistical report summarizing Privacy Act activity is attached as Appendix B and covers the period between April 1, 2009 and March 31, 2010.

II. Number of Access Requests and Case Load

Number of Access Requests

Health Canada received 471 new privacy requests during 2009-2010, and carried over 89 requests from the previous year. This represents a reduction of approximately 20% in the number of requests received compared to the previous fiscal year (592 new requests in 2008-2009).

Case Load

The total caseload of 598 requests marked a 11% reduction in the number of requests requiring processing compared to fiscal year 2008-2009, but the complexity factor remained the same, due the sensitivity of the information requested which includes medical records and labour relations documents. Thanks to the reduction in the caseload, Health Canada was able to reduce its number of carried forward requests from 127 to 89 for attention in 2010-2011.

Completed requests were classified as follows:

All disclosed - Of the 509 completed requests; the requesters received full disclosure of relevant records in 199 instances (39.1%).

Disclosed in part - In 135 cases (26.5%), requesters received partial disclosure of relevant records.

Nothing disclosed (excluded) - In 2 instances (0.4%) the applicant received no information because the record was excluded under the Act.

Nothing disclosed (exempt) - No request fell under this category for the reporting period.

Unable to process - Health Canada received 123 requests (24.2%) for which there were no records.

Abandoned - Applicants abandoned 50 requests (9.8%).

Transferred - No request fell under this category for the reporting period.

III. Exemptions Invoked

This section categorizes the exemptions invoked to refuse disclosure by section(s) of the Act. Note that these numbers should not be added because the same information can be denied under more than one exemption. For example, if five different exemptions were cited to deny one request, the reported total would be five.

The most frequently cited exemptions are:

  1. Section 19 - Information obtained in confidence
  2. Section 22 - Law enforcement and investigation
  3. Section 26 - Personal information of other individuals
  4. Section 27 - Solicitor-client privilege
  5. Section 28 - Medical information

IV. Exclusions Cited

The Privacy Act does not apply to personal information that is available to the public (section 69). Nor does it apply to confidences of the Queen's Privy Council, with some exceptions (section 70). Requests containing proposed exclusions under section 70 require consultation with the Privy Council Office.

Health Canada did not exclude any information under either section 69 or 70.

V. Completion Time

Health Canada was able to respond within 30 days or less in 239 (47 percent) of completed cases. The remaining requests were completed within 31 to 60 days in 140 (28 percent) cases, 61 to 120 days in 92 (18 percent) cases and 121 or more days in 38 (7 percent) cases.

VI. Extensions

Legal extensions were invoked in 151 cases (30 percent).

VII. Translations

There was only one request for the translation (from English to French) of the personal information kept in Health Canada's records.

VIII. Method of Access

'Methods of Access' refers to the method that applicants have chosen to access their records. Applicants can choose to receive copies of their records or to examine the records at a Health Canada facility.

These statistics are based only on the requests where Health Canada was able to identify and process the records for the individual - in the cases where no records could be were disclosed, no method of access has been identified.

Copies of the original records was the preferred method of access in all cases (334).

IX. Corrections and Notations

There were no requests for the correction or the notation of personal notation during the reporting period.

X. Costs

The ATIP Division spent a total of $502,517.30 on the processing of Privacy Act requests. Of this total: salaries accounted for $319,859.50 and administration for $182,657.80. Salaries for the fiscal year amounted to 5.02 full time positions in the ATIP Division. These figures exclude the time spent by the employees of the other Health Canada divisions on the processing of personal information requests as well as the time and other resources that were involved in the implementation of the security and other measures throughout the department in order to protect the privacy of our employees, clients and other Canadians.

XI. Training and Awareness

Health Canada pursues a variety of activities to raise its employees' understanding and awareness of their responsibilities under the Act.

The Department delivers targeted training to those employees in need of a more detailed knowledge of the Act and their obligations; this is done via monthly general introductory training sessions, and via specialized training to respond to clients' particular needs.

More specifically, the privacy training activities included:

  • Privacy: It's all about us: A one-hour course raising awareness of the importance of privacy when delivering Health Canada programs and services;
  • Lunch and Learn sessions for ATIP staff to broaden their knowledge and understanding of administration of the legislation;
  • Tailored training sessions on privacy issues as they relate to specific departmental centres of expertise.

In 2009-2010, 20 sessions were delivered directly to 172 Health Canada employees across Branches and Regions.

In addition, Information Management (IM) Awareness sessions, delivered with colleagues in Records Management and Security Management, were used as an introduction to ATIP, attracting 124 additional employees. This approach highlights horizontal linkages between ATIP, Security, and Records Management. Employees who attend these sessions leave more aware of their responsibilities and more able to responsibly handle information at Health Canada.

Beyond traditional classroom training, and to place a greater emphasis on the development of broad-based privacy awareness while maximizing scarce resources, Health Canada is developing a privacy awareness-building strategy, which looks to increase the use of non-classroom approaches.

The Departmental Privacy Committee meets monthly and provides leadership and advice on horizontal privacy issues for the Department. To this end, Committee members provide input into the Departmental privacy awareness-building strategy and determine privacy awareness-building opportunities within their respective Branches.

ATIP staff participated via information kiosks at several Department-wide events, handing out information brochures and responding to questions. As part of the long term privacy awareness-building Communication strategy, ATIP updated its privacy intranet site, and created and promoted a privacy wiki, which includes information on current privacy issues, emerging trends and encourages privacy awareness via quizzes and trivia.

This strategy supplements traditional classroom learning and will continue to raise awareness and foster development of a privacy-sensitive corporate culture.

XII. New and/or Revised Institution-Specific Privacy Related Policies, Guidelines and Procedures that were Implemented during the Reporting Period

The ATIP Division and the Departmental Privacy Committee initiated the development of a Departmental Privacy Management Framework that will better structure privacy accountability within the Department to ensure compliance with Treasury Board of Canada Secretariat (TBS) Directives on privacy protection.

XIII. Key Issues Raised as a Result of Privacy Complaints and/or Investigations During the Reporting Period

There are no such issues to report.

XIV. Privacy Impact Assessments Completed During the Reporting Period

No privacy impact assessments were completed during the reporting period.

XV. Disclosures Made Pursuant to Subsection 8(2)(M) of the Privacy Act during the Reporting Period

Sub-paragraph 8(2)(m)(i) allows for the disclosure of personal information where the head of a government institution is of the opinion that the public interest in the disclosure clearly outweighs any invasion of privacy that could result from the disclosure.

In 2009-2010 there were no disclosures of personal information pursuant to that provision of the Privacy Act.

Complaints and Court Applications for Reviews

I. Complaints to the Privacy Commissioner

During 2009-2010, 7 complaints under the Privacy Act were filed with the Office of the Privacy Commissioner of Canada. 0 complaints were received in relation to sections 4 to 8 of the Privacy Act - privacy breaches. The disposition of those complaints was as follows:

  • 1 Well Founded; no action required
  • 1 Resolution Mediated; remedial action taken
  • 4 No findings received from OIC to date
  • 1 Dismissed; no action required

II. Applications/Appeals Submitted to the Federal Court or the Federal Court of Appeal

There were no applications or appeals submitted to the Federal Court or the Federal Court of Appeal during fiscal year 2009-2010.

III. Health Canada Responses to Recommendations raised by other Agents of Parliament (e.g. Auditor General)

There were no recommendations raised by other Agents of Parliament during fiscal year 2009-2010.

Enhancing Support and Sustaining Compliance

Senior management at Health Canada fully supports the development and implementation of a Privacy Management Framework; this will enable a more effective management of privacy within Health Canada and facilitate compliance with TBS Policy and Directives obligations.

In March 2010, the Senior Management Board-Operations endorsed development of the Framework, providing a path forward for privacy. Focusing on improved accountability, the Framework will include clear roles and responsibilities for Branches and ATIP, improved monitoring of personal information, procedures to address privacy breaches, a revised Privacy Impact Assessment process, options for renewed privacy governance, and more targeted awareness building and training for officials responsible for privacy information.

Page details

Date modified: