Health Canada - Privacy Act - Annual Report 2011-2012
Table of Contents
- Privacy Infrastructure
- Delegation of Authority
- Requests under the Privacy Act - Statistical Figures and Interpretation and Explanation
- I. Statistical Report
- II. Number of Privacy Requests and Case Load
- III. Disposition of Requests Completed
- IV. Exemptions Invoked
- V. Exclusions Cited
- VI. Completion Time
- VII. Extensions
- VIII. Translations
- IX. Format of Information Released.
- X. Corrections and Notations
- XI. Costs
- Training and Awareness
- New and/or Revised Institution-Specific Privacy Related Policies, Guidelines and Procedures that were Implemented during the Reporting Period
- Key Issues Raised as a Result of Privacy Complaints and/or Investigations during the Reporting Period
- I. Complaints to the Privacy Commissioner
- II. Types of Complaints and their Dispositions Completed in 2011-2012
- III. Applications/Appeals Submitted to the Federal Court or the Federal Court of Appeal
- IV. Health Canada Responses to Recommendations raised by other Agents of Parliament (e.g. Auditor General)
- Privacy Impact Assessments Completed During the Reporting Period
- Disclosures made Pursuant to Subsection 8(2)(E) of the Privacy Act during the Reporting Period
- Disclosures made Pursuant to Subsection 8(2)(M) of the Privacy Act during the Reporting Period
I. Privacy Act
The Privacy Act (the Act) gives individuals the right of access to information about themselves held by the federal government with certain specific and limited exceptions. The Act protects an individual's privacy by setting out provisions related to the collection, retention, accuracy, disposal, use and disclosure of personal information.
The Privacy Act requires (in section 72) the head of every federal government institution to submit an annual report to Parliament on the administration of the Act following the close of each fiscal year. This report describes how Health Canada has taken collective action to raise the awareness of its employees with regards to their privacy responsibilities. The report covers the fiscal year 2011-2012.
II. About Health Canada
Health Canada was established to help the people of Canada maintain and improve their health. Health Canada is also committed to improving the lives of all of Canada's people and making this country's population among the healthiest in the world as measured by longevity, lifestyle and effective use of the public health care system.
Health Canada develops implements and enforces regulations, legislation, policies, programs, services and initiatives and works with other federal partners, the provinces and territories. As administrator of the Canada Health Act, Health Canada ensures that the principles of Canada's universal health care are respected, allowing Canadians to be confident in the services they receive from the public health care system. The Minister of Health is responsible for direct administration of another 18 statutes including the Food and Drugs Act, the Pest Control Products Act and the Controlled Drugs and Substances Act. Health Canada also provides health services to First Nations peoples and to Inuit communities.
Health Canada has regional offices in British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, and the Atlantic and Northern Regions.
For more information about Health Canada, please visit our website.
The issue of privacy and the appropriate management of personal information, including personal health information, are extremely important for Canadians and Health Canada. The Department takes its role in the management of personal information seriously and has taken steps to raise awareness and implement processes to comply with the Privacy Act.
Public trust in Health Canada's handling of information, particularly personal information is critical to the development and management of its program, policies and services. That trust is built on integrity, transparency and openness.
I. The Access to Information and Privacy (ATIP) Division
The Access to Information and Privacy (ATIP) Division within the Planning, Integration and Management Services Directorate, Corporate Services Branch is responsible for administering the Privacy Act, as well as associated Treasury Board Policies and Directives for Health Canada.
The Privacy responsibilities of the ATIP Division include:
- Responding to privacy requests;
- Providing advice and guidance to departmental staff on the application of the Privacy Act and TBS Policies;
- Promoting staff awareness and providing training on the Privacy Act;
- Monitoring trends in national and international privacy issues to provide informed advice to departmental clients;
- Coordinating and overseeing the Privacy Impact Assessment process for Health Canada;
- Analysing privacy practices in the health sector;
- Ensuring that Health Canada's personal information holdings are published in Info Source;
- Preparing Annual Report to Parliament, Management Accountability Framework (MAF);
- Developing corporate privacy policies and practices that promote a culture of privacy awareness within Health Canada;
- Liaising with the Privacy Commissioner, Treasury Board Secretariat, other government Federal departments and agencies, provincial ministries of health and other key stakeholders to develop Privacy policies, tools and guidelines.
Delegation of Authority
The Delegation Order is attached as Appendix A.
Requests under the Privacy Act - Statistical Figures and Interpretation and Explanation
I. Statistical Report
Health Canada's statistical report summarizing Privacy Act activity is attached as Appendix B and covers the period between April 1, 2011 and March 31, 2012.
II. Number of Privacy Requests and Case Load
a) Requests under the Privacy Act
Health Canada received 681 new privacy requests during 2011-2012, representing a decrease of approximately 3% in the number of new requests received compared to the previous fiscal year (700 new requests in 2010-2011).
Bar chart showing the number of new Privacy requests received and number of outstanding requests by fiscal year from 2007-2008 to 2011-2012. 2007-2008: New requests = 284, Outstanding requests = 19
Privacy Requests Received and Outstanding By Fiscal Year
2008-2009: New requests = 592, Outstanding requests = 84
2009-2010: New requests = 471, Outstanding requests = 127
2010-2011: New requests = 700, Outstanding requests = 90
2011-2012: New requests = 681, Outstanding requests = 147
Bar chart showing the number of new Privacy requests received and number of outstanding requests by fiscal year from 2007-2008 to 2011-2012.
2007-2008: New requests = 284, Outstanding requests = 19
b) Case Load
In addition to new requests (681), the Department carried over 147 requests from the previous year for a total caseload of 828 requests (148,882 pages). This marked an increase of 4.8% in the number of requests requiring processing compared to fiscal year 2010-2011 (790 requests total). The complexity factor remained the same due to the sensitivity of the information requested, which included medical records and labour relations documents. The number of requests carried forward decreased 36%, from 147 last year to 94 in 2011-2012.
Bar chart showing the number of Privacy requests completed and the number of pages reviewed, in hundreds, by fiscal year from 2007-2008 to 2011-2012. 2007-2008: Requests completed = 219, Pages reviewed = 380
Privacy Requests Completed and Pages Reviewed By Fiscal Year
2008-2009: Requests completed = 550, Pages reviewed = 534
2009-2010: Requests completed = 509, Pages reviewed = 479
2010-2011: Requests completed = 643, Pages reviewed = 919
2011-2012: Requests completed = 734, Pages reviewed = 1488
Bar chart showing the number of Privacy requests completed and the number of pages reviewed, in hundreds, by fiscal year from 2007-2008 to 2011-2012.
2007-2008: Requests completed = 219, Pages reviewed = 380
c) Consultations Received from Other Government Institutions
Other government institutions are defined as federal institutions other than Health Canada who are subject to the Privacy Act. Health Canada has completed 14 consultations from these federal institutions: Canadian Boarder Service Agency, Canadian Food Inspection Agency represented the top two Departments that consulted with Health Canada.
Consultation Pages Received
The consulting institutions request Health Canada's input on documents they are considering for release in response to their processing of access to information requests. From theses 14 completed consultations, Health Canada's ATIP office processed 116 pages of records. The graph below illustrated the numbers of pages processed by the ATIP office.
Pie chart showing the number of pages for consultations reviewed from other federal institutions in fiscal year 2011-2012. ACAI = 21
Number of Pages for Consultations Reviewed From Other Federal Institutions
Transport Canada = 14
EFPC = 8
GRC = 23
TPSGC = 13
MAECI = 9
BCP = 1
Passport Canada = 4
ASFC = 23
Pie chart showing the number of pages for consultations reviewed from other federal institutions in fiscal year 2011-2012.
ACAI = 21
III. Disposition of Requests Completed
Completed requests were classified as follows:
All disclosed - Health Canada completed 734 requests of the total case load of 828 for 2011-2012. Of the 734 completed requests; the requesters received full disclosure of relevant records in 318 instances (43.3%). In 2010-2011, Health Canada completed 643 requests of the total case load of 790. Of the 643 completed requests; the requesters received full disclosure of relevant records in 235 instances (36.5%)
Disclosed in part - In 154 cases (21.0%), requesters received partial disclosure of relevant records. In 2010-2011, there were 129 disclosed in part records (20.1%).
All exempted - There were no requests that fell under this category for the reporting period. In 2010-2011, there was 1 all exempted record (0.2%).
All excluded - There were no requests that fell under this category for this reporting period nor for 2010-2011.
No records exist - In 182 instances (24.8%) were informed the requesters that Health Canada had no records. In 2010-2011, the Department received 165 requests (25.6%) for which there were no records.
Request abandoned - Applicants abandoned 80 requests (10.9%). In 2010-2011, there were 112 requests abandoned by applicants (17.4%).
IV. Exemptions Invoked
This section categorizes the exemptions invoked to refuse disclosure by section(s) of the Act.
|Exemptions||Number of Times Applied|
|Section 26 - Personal information of other individuals||152|
|Section 22 - Testing or auditing, procedures or techniques||6|
|Section 27 - Solicitor-client privilege||3|
V. Exclusions Cited
The Privacy Act does not apply to personal information that is available to the public (section 69). Nor does it apply to confidences of the Queen's Privy Council, with some exceptions (section 70). Requests containing proposed exclusions under section 70 require consultation with the Privy Council Office.
Health Canada did not exclude any information under either section 69 or 70.
VI. Completion Time
Health Canada closed 734 privacy requests and was able to respond within 30 days or less in 556 (75.7%) cases. The remaining requests were completed within 31 to 60 days in 115 (15.7%) cases, 61 to 120 days in 52 (7.1%) cases and 121 or more days in 11 (1.5%) cases.
Bar graph showing the completion time of requests in fiscal years 2010-2011 and 2011-2012 In fiscal year 2010-2011 there were 370 requests completed within 30 days; In fiscal year 2011-2012 there were 556 requests completed within 30 days;
Completion Time of Requests
In fiscal year 2010-2011 there were 190 requests completed between 31 and 60 days;
In fiscal year 2010-2011 there were 63 requests completed between 61 and 120 days;
In fiscal year 2010-2011 there were 20 requests completed after 121 days;
In fiscal year 2011-2012 there were 115 requests completed between 31 and 60 days;
In fiscal year 2011-2012 there were 52 requests completed between 61 and 120 days;
In fiscal year 2011-2012 there were 11 requests completed after 121 days;
Bar graph showing the completion time of requests in fiscal years 2010-2011 and 2011-2012
In fiscal year 2010-2011 there were 370 requests completed within 30 days;
In fiscal year 2011-2012 there were 556 requests completed within 30 days;
Legal extensions were invoked in 143 cases (19.5%) of the total 734 completed.
There were no requests for translation of the personal information kept in Health Canada's records.
IX. Format of Information Released
This section refers to the format in which applicants have received their records. Applicants received records in paper format in 341 instances while electronic files were the "format of choice" in 131 cases. The remaining completed requests were not released as no records existed or were abandoned by the requester.
X. Corrections and Notations
There were no requests for the correction or the notation of personal information during the reporting period.
The ATIP Division spent a total of $502,985.00 on the processing of Privacy Act requests. Of this total: salaries accounted for $283,219.00 and administration for $219,766.00. Salaries for the fiscal year amounted to 4.26 full time employees dedicated to processing privacy requests. In addition, 10.9 full time employees with an approximate overhead cost of $54,500.00 contributed to support the ATIP office in the areas of administration, reporting, monitoring, management and policy.
These figures exclude the time spent by employees of other Health Canada divisions on the processing of personal information requests. Also excluded was the time and other resources involved in the implementation of security and other measures throughout the department in order to protect the privacy of our employees, clients and other Canadians.
Training and Awareness
As a key component of the Privacy Awareness Strategy, Health Canada pursued a variety of activities to raise its employees' understanding and awareness of their responsibilities under the Act.
The Department delivers training to those employees in need of a more detailed knowledge of the Act and their obligations. This is done through both general introductory training sessions and customized training to respond to clients' particular needs. Content is developed and delivered by ATIP Division, with input from members of the Departmental Privacy Committee, who identify privacy awareness-building opportunities within their respective Branches and assist in the dissemination of privacy-awareness messaging.
a) Training of key program areas
In October 2010, Health Canada launched its first Departmental Privacy Awareness Strategy to build a privacy culture in Health Canada and thereby ensure that employees clearly understood their responsibilities in relation to the Act. Groups of employees within the Department were targeted due to the large volume of sensitive personal information under their control. These groups were considered at high risk of inappropriate disclosure of personal information. Two phases of the training component of the Privacy Awareness Strategy were launched in 2010-2011 and completed in February 2012. The intent was to increase employees' general awareness of privacy as it related to their daily duties and build in-depth understanding of privacy practices when it comes to safeguarding personal information.
||October 2010||1,281 total trained by October 2011|
||February 2011||479 total trained by February 2012|
|III||This phase is planned for launch in the 2012-2013 reporting period.|
From 2010 to 2012, 1,760 employees from the above targeted groups received in-class training or completed Health Canada's on-line training module.
Health Canada's privacy web based training module entitled Privacy: The Basics was launched in August 2011. This e-learning course provides employees with the basic introduction to their roles and responsibilities surrounding the safeguarding of personal information. The course was designed to increase employees' awareness of privacy legislation, policies and directives that govern the privacy practices. Upon completion of the module, participants are tested and if successful receive a certificate. The Department uses this module as a means to deliver privacy training to its regional employees.
Health Canada's executives have received a specialized classroom course that addressed privacy governance and awareness issues for managers of programs or direct program activities involving the collection, use, or disclosure of personal information, as required in the Directive on Privacy Practices. Twenty (20) sessions were delivered to 234 EX level employees.
b) General Privacy Training
In addition to the above mentioned targeted groups, 27 "Privacy 101" sessions were delivered to 896 Health Canada employees representing a 78% increase during this reporting period.
c) Training for ATIP Analysts
Health Canada's Access to Information and Privacy Division continues to use their core competencies tool to assist in determining the training needs of their staff. Customized training was developed and provided to Health Canada's ATIP Analysts.
- Privacy Basics for ATIP professionals
- Class of Records, Personal Information Banks and Info Source in an Privacy Context
- Initiation to Permissible Disclosures of Personal Information under the Privacy Act
- Information Management Basics
Training was also delivered through the Treasury Board Secretariat and the Canada School of Public Service.
d) IM / Security Privacy Training
Security and IM also provided basic privacy training as an adjunct to their specialized training regimes. Security outlined privacy during 3 sessions, reaching an additional 31 employees. A series of 21 information management training sessions were delivered to 245 employees. These sessions consisted of information management awareness which focused on the basics of security classification and privacy implication, with particular attention to the fundamental rationale which identifies the level of harm. These introductory sessions serve as a platform to encourage more in-depth training in the various topics outlined in the course.
e) Privacy Awareness Activities
Health Canada's Third Annual Privacy Day Symposium
In January 2012, Health Canada hosted an all-day symposium on privacy linked to International Data Protection Day. Building on previous successes, the Department focused on the theme of the interoperability in the sharing of personal information and the associated inter-jurisdictional implications. The guest speakers chosen were well versed with these topics, recognized as leaders in their respective fields and hailed from academia, diplomatic core, private and public sectors. The Privacy Day Symposium registered a total of 190 participants, which represents a 65% increase in registration compared to the previous year. The majority of the participants were Health Canada employees, of which 22% of the audience consisted of executives and managers. This improvement can be directly attributed to the quality of speakers along with reaching out the regions and Other Government Departments.
f) Outreach Activities
Health Canada delivers front-line health care services to first nation communities residing in remote areas. This provides unique challenges for the Department as communications with many of these remote locations are limited to mail and satellite phone. In order to ensure that all Health Canada employees working in isolated communities have full knowledge of their roles and responsibilities in regards to the Privacy Act, the ATIP Division has produced a privacy awareness DVD which was distributed to nursing stations in remote areas and viewed by more than 300 health care practitioners.
The ATIP Coordinator was also asked to deliver Privacy training at the Public Health Agency of Canada as part of a one day training session on information management and security to 26 participants.
HC also distributed a total of 5 HC Broadcast News messages (a daily newsletter sent to every HC employee via email) on the importance of privacy and employees roles in relation to the Act.
New and/or Revised Institution-Specific Privacy Related Policies, Guidelines and Procedures that were Implemented during the Reporting Period
I. Enhancing Support and Sustaining Compliance
Privacy Awareness Strategy
In October 2010, ATIP Division launched its initial Departmental Privacy Awareness Strategy with the objective of increasing employees' general awareness of privacy while building a greater understanding of privacy practices in high risk areas where safeguarding personal information is critical. Phase I of the Strategy was implemented during this reporting year 2011-2012. Health Canada's Privacy Awareness Strategy had four components, each with measurable and clear targets, aimed at upholding strong privacy practices and developing a privacy culture within the Department. The strategy focuses on those activities most imperative for the maintenance of a privacy compliant institution. They included increasing employees' general awareness of privacy, establishing governance and accountability structures for privacy activities, identifying, analyzing and mitigating privacy risks, and meeting or exceeding TBS monitoring and reporting requirements. Phase II of the Privacy Awareness Strategy will be launched in 2012-2013.
Overall, 3,122 HC staff received either privacy awareness training or were informed about the importance of safeguarding personal information. The following is a breakdown:
Privacy Day - 190 participants
Targeted Risk area training - 1,760 participants
General training - 896 staff
IM Sessions - 245 staff
Security - 31 staff
3,122 total Health Canada employees
As illustrated in the previous section of this report, Health Canada successfully trained 100% the targeted groups identified in 2010-2011 and has made significant progress in developing general awareness of its employees on privacy.
Departmental Privacy Committee (DPC)
The DPC offers an opportunity for collaboration to integrate privacy policies and practices on department-wide business lines, as well as identifies Departmental privacy priorities. It provides guidance on emerging and on-going horizontal privacy issues. Since November 2009, it has met monthly and reports quarterly to Health Canada's senior management. The Committee provides input into privacy practices, departmental privacy needs and offers advice on departmental approaches to increasing privacy awareness throughout Health Canada.
The DPC is the primary privacy committee for Health Canada and is chaired by the ATIP Coordinator with director-level representatives from all branches across the Department. This committee is the first level of approval and makes recommendation to senior management through the Executive Committee of Internal Services on matters related to privacy. The Departmental Privacy Committee operates within Health Canada's overall governance.
Executive Committee - Internal Services (EC-IS)
One of three Health Canada Executive sub-committees, the EC-IS is chaired by two Assistant Deputy Ministers and comprises Director General representatives from across Health Canada. EC-IS approves policies and accountability documents related to privacy, such as the Departmental Privacy Strategy and the Privacy Breach Management Plan.
c) Risk Analysis
The objective outlined in the strategy was to implement policies, systems and procedures to identify, analyze and mitigate privacy risks and improve the departmental business processes. During this reporting period, all new and modified personal information collections submitted to ATIP underwent appropriate risk analysis. The personal information banks were updated accordingly.
d) Monitoring and Reporting
The Privacy Strategy identified monitoring and reporting targets to improve the Department's response and prevention of privacy breaches. A series of breach management tools have received wide distribution within the Department to ensure that breaches are reported to the ATIP Division within 48 hours. Weekly reporting on breaches was provided to the Executive Committee of Business Planning. In order to ensure appropriate risk analysis and mitigation, the ATIP Division reviewed Memorandum to Cabinets and Treasury Board Submissions to identify privacy concerns. This offered additional means for the Department to mitigate potential privacy breaches. In 2012-2013, Health Canada began reporting on the monthly Departmental Dashboard privacy breaches.
Key Issues Raised as a Result of Privacy Complaints and/or Investigations during the Reporting Period
There are no such issues to report.
I. Complaints to the Privacy Commissioner
During 2011-2012, 5 complaints under the Privacy Act were filed with the Office of the Privacy Commissioner of Canada. Four complaints were carried over from the previous fiscal year.
A total of 6 complaints were closed in this reporting period. Four complaints related to time extensions or deemed refusals and 2 complaints were recorded in relation to sections 4 to 8 (use and disclosure of personal information) of the Privacy Act.
The findings from the OPC as a result of those complaints are as follows: 4 were well founded, 1 not well founded and 1 was discontinued.
|Received in 2011-2012||5|
|Outstanding from 2010-2011||4|
|Closed in 2011-2012||6|
|Carried Over to 2012-2013||3|
II. Types of Complaints and their Disposition Completed in 2011-2012
|Subject of Complaint||Number||Final Disposition by OPC|
|Time Extension||1||• 1 Well Founded; remedial action taken|
|Deemed Refusal (delay)||3||
|Use and Disclosure||2||
III. Applications/Appeals Submitted to the Federal Court or the Federal Court of Appeal
There were no applications or appeals submitted to the Federal Court or the Federal Court of Appeal during fiscal year 2011-2012.
IV. Health Canada Responses to Recommendations raised by other Agents of Parliament (e.g. Auditor General)
There were no recommendations raised by other Agents of Parliament during fiscal year 2011-2012.
Privacy Impact Assessments Completed During the Reporting Period
In 2011-2012, Health Canada completed two (2) Privacy Impact Assessments.
1) Transfer of the Health Canada Human Resources Database to People Soft
The PIA focused on phase 1 of a Shared System Initiative to replace Health Canada's Human resources Advantage Database and the "Attendance and Leave" module with Agriculture and Agri-Food Canada's People Soft Position Management Workforce Administration, Base Benefits and Leave Self-Service. The PIA was submitted to the Office of the Privacy Commissioner of Canada in March 2012 and a summary will be posted on Health Canada's Website.
2) Office of Consumer and Public Involvement (OCAPI) - Patient and Consumer Participation Pool
The Patient and Consumer Participation Pool, is a pilot project of Health Canada's Health Products and Food Branch (HPFB). Health Canada is piloting the project as a way to establish access to the valued advice of patients, consumers and caregivers in the consultations it undertakes on health products and food. The Patient and Consumer Participation Pool will be used by HPFB programs who are seeking individuals with particular parameters for their consultations. The pilot phase will run until March 31, 2013, after which time the program will be reviewed. The PIA was submitted to the Office of the Privacy Commissioner of Canada in March 2012 and a summary will be posted on Health Canada's Website.
Disclosures made Pursuant to Subsection 8(2)(E) of the Privacy Act during the Reporting Period
Subsection 8(2)(e) allows for the disclosure of personal information to an investigative body scheduled in the Privacy Act for the purpose of carrying out a lawful investigation. Four (4) disclosures of personal information pursuant s. 8(2)(e) were made to the Department of National Defence administrative investigation during this reporting period.
Disclosures made Pursuant to Subsection 8(2)(M) of the Privacy Act during the Reporting Period
Subsection 8(2)(m) allows for the disclosure of personal information where the head of a government institution is of the opinion that the public interest in the disclosure clearly outweighs any invasion of privacy that could result from the disclosure. In 2011-2012 there were no disclosures of personal information pursuant to that provision of the Privacy Act.
Report a problem or mistake on this page
- Date modified: