Health Canada Privacy Act Annual Report 2010-2011

Health Canada
2011

Table of Contents

Introduction

I. Privacy Act

The Privacy Act (the Act) gives individuals the right of access to information about themselves held by the federal government with certain specific and limited exceptions. The Act protects an individual's privacy by setting out provisions related to the collection, retention, accuracy, disposal, use and disclosure of personal information.

The Privacy Act requires (in section 72) the head of every federal government institution to submit an annual report to Parliament on the administration of the Act following the close of each fiscal year. This report describes how Health Canada has taken collective action to raise the awareness of its employees with regards to their privacy responsibilities. The report covers the fiscal year 2010-2011.

II. About Health Canada

Health Canada was established to help the people of Canada maintain and improve their health. Health Canada is also committed to improving the lives of all of Canada's people and to making this country's population among the healthiest in the world as measured by longevity, lifestyle and effective use of the public health care system.

Health Canada develops implements and enforces regulations, legislation, policies, programs, services and initiatives and works with other federal partners, the provinces and territories. As administrator of the Canada Health Act, Health Canada ensures that the principles of Canada's universal health care are respected, allowing Canadians to be confident in the services they receive from the public health care system. The Minister of Health is also responsible for direct administration of another 18 statutes including the Food and Drugs Act, the Pest Control Products Act and the Controlled Drugs and Substances Act.  Health Canada also provides health services to First Nations peoples and to Inuit communities.

Health Canada has regional offices in British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, and the Atlantic and Northern Regions.

For more information about Health Canada, please visit our website.

Privacy Infrastructure

I. The Access to Information and Privacy (ATIP) Division

The Access to Information and Privacy (ATIP) Division within the Planning, Integration and Management Services Directorate, Corporate Services Branch is responsible for administering the Privacy Act, as well as associated Treasury Board Policies and Directives for Health Canada.

The Privacy responsibilities of the ATIP Division include:

  • Administration of the Privacy Act on behalf of the Minister;
  • Providing advice and guidance to departmental staff on the application of the Privacy Act and TBS Policies;
  • Promoting staff awareness and providing training on the Privacy Act;
  • Coordinating and overseeing the Privacy Impact Assessment process for Health Canada;
  • Preparing Annual Report to Parliament, Management Accountability Framework (MAF); Info Source chapter;
  • Developing corporate privacy policies and practices that promote a culture of privacy awareness within Health Canada;
  • Liaising with the Privacy Commissioner, Treasury Board Secretariat, other government Federal departments and agencies, provincial ministries of health and other key stakeholders to develop Privacy policies, tools and guidelines.

Delegation of Authority

The Delegation Order is attached as Appendix A.

Requests under the Privacy Act - Statistical Figures and Interpretation and Explanation

I. Statistical Report

Health Canada's statistical report summarizing Privacy Act activity is attached as Appendix B and covers the period between April 1, 2010 and March 31, 2011.

II. Number of Access Requests and Case Load

Number of Access Requests

Health Canada received 700 new privacy requests during 2010-2011, representing an increase of approximately 49% in the number of new requests received compared to the previous fiscal year (471 new requests in 2009-2010). This increase has partially occurred because of First Nation requests for records relating to their personal medical history and residential school records.

Case Load

In addition to new requests, the Department carried over 90 requests from the previous year for a total caseload of 790 requests (91,904 pages). This marked an increase of 32% in the number of requests requiring processing compared to fiscal year 2009-2010 (598 requests total). The complexity factor remained the same due to the sensitivity of the information requested, which included medical records and labour relations documents.  The increase in the caseload has caused Health Canada to increase the number of requests carried forward from 90 last year to 147 in 2010-2011.

Completed requests were classified as follows:

All disclosed - Health Canada completed 643 requests of the total case load of 790 for 2010-2011. Of the 643 completed requests; the requesters received full disclosure of relevant records in 235 instances (36.5%).

Disclosed in part - In 129 cases (20.1%), requesters received partial disclosure of relevant records.

Nothing disclosed (exempt) - In 1 instance (0.2%) the applicant received no information because the record was exempt under the Act.

Nothing disclosed (excluded) - There were no requests that fell under this category for the reporting period.

Unable to process - Health Canada received 165 requests (25.6%) for which there were no records.

Abandoned - Applicants abandoned 112 requests (17.4%).

Transferred - 1 request (0.2%) was transferred to another federal government institution.

III. Exemptions Invoked

This section categorizes the exemptions invoked to refuse disclosure by section(s) of the Act. Note that these numbers should not be added because the same information can be denied under more than one exemption. For example, if five different exemptions were cited to deny one request, the reported total would be five.

The one request that invoked exemptions touched on the following sections of the Act:

  1. Section 26 - Personal information of other individuals
  2. Section 27 - Solicitor-client privilege

IV. Exclusions Cited

The Privacy Act does not apply to personal information that is available to the public (section 69). Nor does it apply to confidences of the Queen's Privy Council, with some exceptions (section 70). Requests containing proposed exclusions under section 70 require consultation with the Privy Council Office.

Health Canada did not exclude any information under either section 69 or 70.

V. Completion Time

Health Canada was able to respond within 30 days or less in 370 (57.5%) of completed cases. The remaining requests were completed within 31 to 60 days in 190 (29.5%) cases, 61 to 120 days in 63 (9.8%) cases and 121 or more days in 20 (3.2%) cases.

VI. Extensions

Legal extensions were invoked in 176 cases (27.4%) of the total 643 completed.

VII. Translations

There were no requests for translation of the personal information kept in Health Canada's records.

VIII. Method of Access

'Methods of Access' refer to the method in which applicants have been granted access to their records.  Applicants can be given access to their records by examination or receiving copies.

These statistics are based only on the requests where Health Canada was able to identify and process the records for the individual - in the cases where no records were disclosed, no method of access has been identified.

Copies of the original records were the preferred method of access in 359 cases.

Copies and examination of the original records were the preferred method of access in 5 cases.

IX. Corrections and Notations

There were no requests for the correction or the notation of personal information during the reporting period.

X. Costs

The ATIP Division spent a total of $481,919.16 on the processing of Privacy Act requests. Of this total: salaries accounted for $358,382.75 and administration for $123,536.41. Salaries for the fiscal year amounted to 5.43 full time positions in the ATIP Division. These figures exclude the time spent by employees of other Health Canada divisions on the processing of personal information requests. Also excluded was the time and other resources involved in the implementation of security and other measures throughout the department in order to protect the privacy of our employees, clients and other Canadians.

Training and Awareness

Health Canada pursues a variety of activities to raise its employees' understanding and awareness of their responsibilities under the Act.

The Department delivers training to those employees in need of a more detailed knowledge of the Act and their obligations. This is done through both general introductory training sessions and customized training to respond to clients' particular needs.  Content is developed and delivered by ATIP Division, with input from members of the Departmental Privacy Committee, who identify privacy awareness-building opportunities within their respective Branches and assist in the dissemination of privacy-awareness messaging.

Training of key program areas

In October 2010, Health Canada launched its first Departmental Privacy Awareness Strategy to build a privacy culture in Health Canada and thereby ensure that employees clearly understood their responsibilities in relation to the Act. The strategy integrated existing privacy initiatives and outlined goals for the next twelve months with a key component of this strategy being awareness-building.  The approach intended to increase employees' general awareness of privacy as it related to their daily duties and build in-depth understanding of privacy practices when it comes to safeguarding personal information.  Both were seen to be critical to Health Canada's mandate to protect the health and safety of Canadians. HC also identified four areas within the department with the most access to personal information and therefore at highest risk.  The four key areas are human resources, nurses, occupational health and safety, and the medical marihuana access division where the management of sensitive personal information was critical. The Privacy Awareness Strategy targeted 100% training of employees in these critical areas by October 2011. 

In 2010-2011, 23 tailored training sessions were delivered directly to 478 Health Canada employees working in these key program areas. 

General Privacy Training

Health Canada has set out a plan as part of the privacy strategy, to increase the number of employees receiving privacy awareness training by 50% before April, 2012. In 2010-2011, 11 "Privacy 101" sessions were delivered directly to 200 Health Canada employees across Branches and Regions.

In addition to general privacy training for employees, 100% of Health Canada Directors will receive tailored senior-management privacy training by November 2011.  In this regard, a specialized classroom course for Directors has been developed and tested in April 2011 to 12 participants.  The tailored course addresses privacy governance and awareness issues for executives that manage programs or direct program activities involving the collection, use, or disclosure of personal information, as required in the Directive on Privacy Practices.  On-line courses for executives, new staff, and other targeted groups are also under development.

IM/Security Privacy Training

Security and IM also provided basic privacy training as an adjunct to their specialized training regimes.  Security outlined privacy during 16 sessions, reaching an additional 162 employees.  Information Management (IM) Awareness sessions, delivered in collaboration with colleagues in Records Management and Security Management, were also used as an introduction to privacy, attracting 56 additional employees.  This approach highlights horizontal linkages between ATIP, Security, and Records Management such as records and information management practices, security considerations for the care and custody of sensitive information, and privacy best practices which inform the handling of personal information. Employees who attend these introductory sessions are subsequently, more aware of their general responsibilities with regard to safeguarding personal information at Health Canada.  These introductory sessions also serve as a platform to encourage more in-depth training in the various topics outlined in the course. Participants who have taken these sessions indicate that they left the course feeling more confident on how to identify Privacy issues, as well as, their roles and responsibilities with regards to the Privacy Act.

Privacy Awareness-building Activities

Health Canada created the "Privacy Pop Up" to kick off the Privacy awareness campaign.  The "Privacy Pop Up" ran on all Departmental employees' computers in November and December 2010.  The pop up queried employees on their level of privacy awareness and the privacy responsibilities of their current position; 8,858 employees (92% of respondents) indicated they were aware of their responsibilities under the Privacy Act.

The pop-up also encouraged employees to participate in privacy training. This innovative campaign has demonstrated HC's commitment to being responsible custodians of personal information as evidenced by steadily increased demand for introductory and specialised training sessions.

Beyond traditional classroom training Health Canada undertook other media-based activities to build general employee privacy awareness. In November 2010, the Deputy Minister and Assistant Deputy Ministers of Health Canada sent emails to all staff on the importance of privacy and their responsibility with regards to managing personal information.   The December 2010 edition of Hello HC, the departmental news magazine, published privacy-related articles and an interview with the ATIP Coordinator. 

HC also distributed regular HC Broadcast News messages (a daily newsletter sent to every HC employee via email) on the importance of privacy and employees roles in relation to the Act.  HC's Intranet site was revised over the course of the fiscal year to provide information of direct relevance to staff who deal with personal information in the course of their work, including news on current privacy issues, practical tools, and emerging trends.

Presentations on Health Canada's Privacy Strategy and policy obligations were also given to each of the Departmental Branch Executive Committees, building awareness among the majority of Health Canada's most senior executives.

Finally, on November 4, 2010, the ATIP Division hosted the second Health Canada Privacy Day Symposium. The event attracted 120 attendees from throughout the Department, the broader Federal Healthcare Partnership, other government departments, and academia and raised privacy awareness by actively engaging participants to discuss real-life issues with guest speakers. The guest speakers were leaders in their fields and hailed from academia, private and public sectors. The event was positively received and helped to raise privacy awareness among all participants.

New and/or Revised Institution-Specific Privacy Related Policies, Guidelines and Procedures that were Implemented during the Reporting Period

Summary of Departmental Changes (organization, programs, operations, or policy)

I. Enhancing Support and Sustaining Compliance

Privacy Awareness Strategy

In response to the TBS Policy Suite Renewal (PSR) and the release of new ATIP-related directives, ATIP Division launched the Departmental Privacy Awareness Strategy in October 2010. The objective of this initiative is to increase employees' general awareness of privacy and building a greater understanding of privacy practices in high risk areas where safeguarding personal information is critical.

Health Canada's Privacy Awareness Strategy has four components, each with measurable and clear targets, aimed at upholding strong privacy practices and developing a privacy culture within the Department.  The strategy focuses on those activities most imperative for the maintenance of a privacy compliant institution. They include increasing employees' general awareness of privacy, establishing governance and accountability structures for privacy activities, identifying, analyzing and mitigating privacy risks, and meeting or exceeding TBS monitoring and reporting requirements.

To date, the Privacy Awareness Strategy has led to a marked increase in employee privacy training (with ATIP Division offering introductory, targeted and tailored training options, with on-line versions under development for mid-2011), a Department-wide communications plan, and the development and implementation of a new suite of privacy tools and processes (updated privacy breach checklist, Privacy Impact Assessment [PIA]/privacy breach governance and accountability structures). These efforts are integrating privacy into the very culture of the Department, thereby raising privacy awareness and building privacy capacity among all Health Canada employees.

Health Canada is also working in support of its obligations and responsibilities under both the Privacy Act and the Access to Information Act through the creation of a focused policy group serving both the Privacy and ATI functions, increasing the Departmental capacity to monitor, report, and build awareness on both privacy and ATI.

Overall, 9,874 Health Canada staff received either privacy awareness training or were informed about the importance of safeguarding personal information. The following is a breakdown of how this occurred:

Privacy Day - 120 participants
Targeted Risk area training - 478 participants
General training - 200 staff
IM Accountable - 56 staff
Security - 162 staff
Pop-up - 8,858 employees across all of Health Canada

9,874 total Health Canada employees

Privacy Breach Management Process and Accountabilities

Privacy Breaches can happen, however, the incidence of privacy breaches can be reduced by improving awareness and promoting best practices.  Health Canada's Senior Management has taken this issue very seriously and in response the ATIP Division drafted a Privacy Breach Management Plan that identified clear roles for those involved, setting out internal procedures, communications requirements, and notification standards as per the TBS Directive on Privacy Practices. This plan also provided guidelines for reporting, managing and responding to privacy breaches for all programs in the Department.  Over the last year, a Privacy Breach Management Flowchart and Breach Reporting documents were developed. In addition a revised Privacy Breach checklist was introduced to support and give guidance to Branches.  These documents were reviewed by the Departmental Privacy Committee and were subsequently approved by the Executive Committee - Internal Services.

In response to the TBS Directives on Privacy Practices relating to Privacy Breaches, in 2010 Health Canada worked with the Federal Healthcare Partnership (FHP) to develop a Privacy Breach Management Framework to harmonize standards and practices and provide common language across the FHP member organizations on privacy breaches. Health Canada also actively participated in the FHP Privacy Community of Practice on the development of privacy breach products that were presented and positively received at the OPC's forum titled Focus on Privacy, March 15, 2011.

This Breach Management Plan has now effectively provided all of Health Canada with a suite of tools that guides and supports employees in the event of a privacy breach while providing Health Canada clients with increased protection of their personal information. 

III. Accountability

Departmental Privacy Committee (DPC)

The DPC responds to departmental privacy priorities by recommending solutions to address privacy concerns while promoting a privacy culture, through the sharing of expertise and knowledge of front-line privacy issues. The DPC is chaired by the ATIP Director and consists of director-level representatives from across Health Canada.  Since November 2009, it has met monthly and reports quarterly to Health Canada's senior management.

The DPC has been a dedicated participant in the development of a Privacy Awareness Strategy which includes tools and policy processes.  It also provides input into privacy practices, departmental privacy needs and offers advice on departmental approaches to increasing privacy awareness throughout Health Canada.

Branch Privacy Champions (BPCs)

BPCs are a key component contributing to the successful implementation of Health Canada's Privacy Strategy.  Director-General BPCs led discussions on issues surrounding privacy breaches, reporting, and the protection of personal information.  BPCs also work with their DPC counterparts to review meeting summaries/decisions and communicate privacy issues within their Branch Executives.

Senior management participation in privacy-related activities significantly contributes to Health Canada's commitment to promote privacy awareness training and create good governance practices that build the necessary accountability structures and risk assessment tools needed to support development of a strong privacy culture in Health Canada.  BPCs are informed of all privacy incidences by the ATIP Division, and receive quarterly reports on their Branch's privacy status that includes ongoing Privacy Impact Assessments, privacy inquiries and staff training numbers.

BPCs have contributed to strengthening departmental management of privacy issues through their focus on good governance practices, greater accountability for the management of personal information and the development of risk assessment practices that immediately respond to privacy breaches when they occur.  This has enhanced the capacity of branches to manage, use, store and dispose of personal information, thereby reducing the risks associated with the accidental release of personal information.

BPC responsibilities are consistent with the general responsibilities of senior managers under the TBS Directive on Privacy Practices, offering an added layer of assurance for Health Canada when it comes to safeguarding personal information. 

Executive Committee - Internal Services (EC-IS)

One of three Health Canada Executive sub-committees, the EC-IS is chaired by two Assistant Deputy Ministers and comprises Director General representatives from across Health Canada.  EC-IS approves policies and accountability documents related to privacy, such as the Departmental Privacy Strategy and the Privacy Breach Management Plan.

IV. Internal Reporting

Updates to the Executive Committee-Internal Services on a quarterly basis

EC-IS is updated quarterly on the progress of the Privacy Strategy, with ATIP Division providing status reports and seeking guidance and approval on implementation of appropriate Privacy Strategy components.

Monthly ADM Privacy Reports

ATIP Division reports monthly to the Assistant Deputy Minister, Corporate Services Branch on privacy statistics and client training efforts in relation to the implementation of the Privacy Awareness Strategy (awareness, governance, risk analysis and reporting/monitoring) and current privacy related activities in Health Canada. The monthly reports include data on training statistics, analysis of client service inquiries, statistics on breaches, and privacy impact assessments.

Other Reporting

ATI and privacy components are also recorded in senior management's monthly Departmental Dashboard and the Departmental Operational Plan as strategic priorities for the Department.

Key Issues Raised as a Result of Privacy Complaints and/or Investigations During the Reporting Period

There are no such issues to report.

Complaints and Court Applications for Reviews

I. Complaints to the Privacy Commissioner

During 2010-2011, 2 complaints under the Privacy Act were filed with the Office of the Privacy Commissioner of Canada. One complaint was well founded; no action required. The other complaint's disposition is currently outstanding. No complaints were received in relation to sections 4 to 8 of the Privacy Act - privacy breaches.

II. Applications/Appeals Submitted to the Federal Court or the Federal Court of Appeal

There were no applications or appeals submitted to the Federal Court or the Federal Court of Appeal during fiscal year 2010-2011.

III. Health Canada Responses to Recommendations raised by other Agents of Parliament (e.g. Auditor General)

There were no recommendations raised by other Agents of Parliament during fiscal year 2010-2011.

Privacy Impact Assessments Completed During the Reporting Period

ATIP Division is currently working on nine Privacy Impact Assessments. No privacy impact assessments were completed during the reporting period.

Disclosures Made Pursuant to Subsection 8(2)(M) of the Privacy Act during the Reporting Period

Sub-paragraph 8(2)(m)(i) allows for the disclosure of personal information where the head of a government institution is of the opinion that the public interest in the disclosure clearly outweighs any invasion of privacy that could result from the disclosure.

In 2010-2011 there were no disclosures of personal information pursuant to that provision of the Privacy Act.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: