Language selection

Government of Canada / Gouvernement du Canada

Search

2024-2025 Annual Report on the Privacy Act

PDF version: Annual report on the Privacy Act, 2024-2025 (PDF, 659 KB)

Table of Contents

Introduction

Immigration, Refugees and Citizenship Canada (IRCC) is pleased to present to Parliament its annual report on the administration of the Privacy Act (PA).

The purpose of the PA is to safeguard individuals’ personal information held by federal institutions, and to provide them with the right to access that information. This report, submitted to Parliament in accordance with section 72 of the PA, outlines how IRCC fulfilled its responsibilities during the reporting period from April 1, 2024, to March 31, 2025.

IRCC was created to facilitate the entry of temporary residents, manage the selection, settlement integration of newcomers, grant citizenship and issue passports to eligible citizens. IRCC’s mandate is derived from the Department of Citizenship and Immigration Act. The Minister of IRCC is responsible for the Citizenship Act of 1977 and shares responsibility with the Minister of Public Safety for the Immigration and Refugee Protection Act. Effective July 2, 2013, the primary responsibility for Passport Canada and the administration of the Canadian Passport Order and the Order Respecting the Issuance of Diplomatic and Special Passports moved from the Department of Foreign Affairs and International Trade to IRCC.

IRCC does not have non-operational (“paper”) subsidiaries at the end of the reporting period.

I. Overview of IRCC’s ATIP program

During the 2024-2025 reporting period, the IRCC ATIP program received a total of 270,528 ATIP requests. This includes 101,541 requests submitted under the PA, representing a 45% increase compared to the previous reporting period. Despite the substantial growth in PA requests, the program continued to improve its processes by building upon and refining existing strategies, which contributed to an overall improvement in its compliance rate.

Organizational structure

The IRCC ATIP program is structured around its main lines of business. As shown in Figure 1 below, the program is administered by three divisions: the Client Records Division, the Corporate Records, Complaints and Informals Division, and the Privacy Program Management Division. The Director of the Corporate Records, Complaints, and Informals Division also holds the title of ATIP Coordinator.

These three divisions report directly to the Director General of the Access and Privacy Management Branch within the Corporate Services and Chief Human Resources Officer Sector. The Director General also fulfills the role of Chief Privacy Officer (CPO) and provides strategic leadership and guidance on privacy initiatives across IRCC. This includes advising senior management on complex privacy issues, promoting privacy awareness throughout the Department, and reporting to senior leadership on the overall privacy program and compliance status.

At the end of the reporting period, the IRCC ATIP program had a total of 170 full-time employees.

Figure 1: Structure of the ATIP Program
Organizational chart described below.
Text version: Structure of the ATIP Program

  • Corporate Services and Chief Human Resources Officer Sector

    • Access and Privacy Management Branch

      • Client Records Division
      • Corporate Records, Complaints and Informals Division
        • Innovation and Support Unit
      • Privacy Program Management Division
        • Privacy Policy and Planning Unit
        • Privacy Guidance and Assessments Unit
        • Incident Management Unit

Client Records Division

The Client Records Division consists of 96 employees responsible for managing all requests for client immigration records at IRCC. This includes overseeing the entire process from initial receipt to the issuance of final responses. Additionally, the division manages disclosures under paragraphs 8(2)(d), (e), and (f) of the PA. The majority of access to information and privacy requests received by IRCC relate to client records and are processed within this division.

Corporate Records, Complaints and Informals Division

The Corporate Records, Complaints, and Informals Division is responsible for processing requests for departmental records. Supported by a team of 40 employees, the division also handles informal requests for information and oversees ATIP corporate reporting within IRCC. Additionally, it manages complaints submitted to the Offices of the Information Commissioner and the Privacy Commissioner, with the objective of ensuring timely and effective resolution of the issues raised.

Privacy Program Management Division

The Privacy Program Management Division (PPMD) has a total of 27 employees and is tasked with overseeing all facets of IRCC’s privacy program. This includes developing privacy policies, tools, and guidance documents, as well as providing expertise and insights on privacy-related issues. The division conducts privacy assessments, offers support, manages and reports on privacy breaches, and handles disclosures under paragraph 8(2)(m) of the PA. Furthermore, it is responsible for governance planning and reporting related to the privacy program.

The Division consists of three distinct teams:

In addition to these designated employees responsible for implementing ATIP legislation, approximately 550 ATIP liaison officers across the Department support the program’s operations by coordinating record collection, reviewing materials, and offering branch-specific recommendations. While these officers are integral to the program’s operations, their funding is managed through their respective program areas.

During the reporting period, IRCC had no service agreements under section 73.1 of the PA.

Delegation order

The Minister of IRCC is responsible for administering requests made to the Department under the Access to Information Act (ATIA) and the PA. In accordance with section 95(1) of the ATIA and section 73 of the PA, the Minister delegates authority to departmental senior management, including the ATIP Coordinator to carry out the Minister’s powers, duties, or functions under the Acts.

For more information, refer to “Annex A: Copy of the signed delegation order in effect  March 31, 2025”, and “Annex B: Copy of the Delegation of Authority under the Access  to Information Act and Regulations in effect March 31, 2025”.

II. Performance

During this reporting year, IRCC received 101,541 requests under the PA, an increase from 69,720 requests in the previous year. This significant rise reflects an ongoing upward trend in the number of individuals seeking access to their immigration records under the PA. This trend correlates with the coming into force of the Privacy Act Extension Order, No. 3, in 2022, which expanded the right of access to personal information under the PA to individuals outside of Canada.

To maintain consistent service standards and fulfill program commitments, the IRCC ATIP program adjusted its processes to review 2.1 million pages of documents under the PA. These efforts resulted in the successful processing of 98,367 requests, representing a 45% increase compared to the previous period, in line with the higher volume of new PA requests received.

Compliance rate and completion times

The compliance rate for PA requests, measured as the proportion of requests responded to within the legislated timeframes, was 87%. This indicates an improvement from the previous reporting period’s rate of 82%. As illustrated in Table 1, more than 75% of IRCC’s PA requests were processed and completed within 30 days.

Table 1: Completion Times for Closed Privacy Requests
Completion time
(days)		 Number of requests closed Percentage of requests closed
1 to 15 2,846 2.9%
16 to 30 71,308 72.5%
31 to 60 17,717 18.0%
61 to 120 1,426 1.4%
121 to 180 449 0.5%
181 to 365 324 0.3%
More than 365 4,297 4.4%
Total 98,367 100%

Active requests from previous reporting periods

At the end of the reporting period, IRCC was managing a total of 19,698 open requests carried over from prior periods. Of these, 18,154 requests (92%) were received during the last two reporting periods. This further highlights the impact of the Extension Order on the number of PA requests received in recent years.

Table 2: Active Requests from Previous Reporting Periods
Fiscal year open privacy requests were received Open requests that are within legislated timelines as of March 31, 2025 Open requests that are beyond legislated timelines as of March 31, 2025 Total
2024-2025 8,405 6,801 15,206
2023-2024 0 2,948 2,948
2022-2023 0 1,543 1,543
2021-2022 0 1 1
2020-2021 0 0 0
Earlier years 0 0 0
Total 8,405 11,293 19,698

Reasons for extensions

Section 15 of the PA allows for the extension of statutory time limits when consultations are required, or the request involves a substantial volume of records that cannot be processed within the original timeframe without reasonably interfering with the operations of the Department.

When necessary, IRCC carries out internal consultations to ensure the proper exercise of discretion, particularly for, but not limited to, requests that may involve litigation, investigations, or security concerns. IRCC claimed the following extensions in accordance with section 15:

Disposition of completed requests

As Table 3 shows, IRCC released records in their entirety for 37% of all completed requests and applied one or more exemptions to 54% of the completed requests. The remaining requests were abandoned, had no existing records, or the existence of records could neither be confirmed nor denied as doing so could reveal information that is protected under the PA.

Table 3: Disposition of Completed Requests
Disposition Requests Percentage
All disclosed 36,618 37%
Disclosed in part 52,934 54%
All exempted 1 0%
All excluded 0 0%
No records exist 363 0%
Request abandoned 7,921 8%
Neither confirmed nor denied 530 1%
Total 98,367 100%

The following exemptions were most frequently used by IRCC:

Consultations received from other government departments and institutions

Other government departments and institutions consulted IRCC 37 times under the PA. Of these, 35 consultations were completed during the reporting period. The number of days IRCC took to complete these consultations is detailed in Table 4 below; overall, the IRCC ATIP program responded to 32 consultation requests (91%) within 30 days.

Table 4: Completion Times for Consultations
Completion time (days) Consultations
1 to 15 25
16 to 30 7
31 to 60 2
61 to 120 1
121 to 180 0
181 to 365 0
More than 365 0
Total 35

Summary of key issues and actions taken on complaints

IRCC received a total of 132 notices of new complaints during the 2024-2025 reporting period. Compared to the number of new PA requests received, the volume of complaints represents approximately 0.13%. The majority of these complaints (80%) pertain to processing delays.

The IRCC ATIP program completed the processing of 99 complaints. 93 cases were recorded as discontinued, abandoned, or resolved. 2 complaints related to processing delays were well-founded, and the IRCC ATIP program addressed these concerns by finalizing the processing and providing responses to the requesters.

Table 5: Disposition of Closed Complaints
Complaint type Received Closed Discontinued or abandoned Not well-founded Well-founded Resolved No finding issued
Delay 106 76 9 0 2 65 0
Extension 0 0 0 0 0 0 0
Refusal 5 7 1 1 0 5 0
Missing record 1 5 0 0 0 3 2
Exemption 7 6 0 1 0 5 0
Miscellaneous 3 4 0 0 0 4 0
Not specified 1 1 0 0 0 1 0
Total 132 99 10 2 2 83 2

Active complaints from previous reporting periods

The number of active complaints from prior reporting periods remained stable. At the end of the current reporting period, IRCC was managing 55 active PA complaints compared to 47 outstanding PA complaints at the conclusion of the previous reporting period.

Table 6: Active Complaints from Previous Reporting Periods
Reporting period Number of complaints carried over
2024-2025 22
2023-2024 8
2022-2023 24
2021-2022 1
Total 55

III. Training programs and awareness initiatives

IRCC is dedicated to promoting continuous learning and professional development among its employees. Through comprehensive training programs and awareness initiatives, the Department aims to cultivate an organizational culture that prioritizes and demonstrates a strong commitment to privacy protection.

Privacy course catalogue and sessions given

PPMD’s training curriculum is currently under review as the Division continues to solidify its role within the Department. As a result, some training courses were not offered this reporting year. The updated curriculum will feature enhanced content with a stronger focus on proactive privacy management, the principles of privacy by design, fundamental privacy principles for safeguarding personal information, and the roles and responsibilities related to the handling of personal information.

The Privacy Breaches at IRCC (CC4540) e-module was included in the training sessions delivered during this reporting year and will remain available throughout the transition period. Additionally, all employees responsible for completing PIAs were required to complete a new Privacy Impact Assessment (PIA) training course prior to initiating any drafting activities. Currently in its pilot phase, this training provides an overview of the IRCC PIA process, key expectations, roles and responsibilities, and guides participants through the completion of the new mandatory TBS PIA template. These training courses were attended by 1,079 non-ATIP participants.

Table 7: Privacy Training Sessions and Participants
Course name Platform privacy training Number of sessions Number of participants
Privacy Breaches at IRCC (CC4540) e-Module Privacy 1,056 1,056
Privacy Impact Assessment (PIA) – Pilot In person/virtual Privacy 6 23
Total participants trained 1,079

In addition to PPMD’s standard training program, the Incident Management Unit within PPMD continues to offer targeted in-person sessions for program officials, particularly in areas with high demand or in response to specific privacy concerns. The Division also publishes articles on the IRCC internal webpage to keep Department employees informed of Privacy Implementation Notices issued by TBS.

ATIP course catalogue and sessions given

The specialized Training Project and ATIP Support Team within the Innovation and Support Unit has developed a comprehensive training and awareness curriculum that covers various aspects of the access to information and privacy regimes. Certain courses and modules address responsibilities related to protecting personal information, including the collection and responsible use of this type of information. As detailed in Table 8, the ATIP program conducted 152 training sessions, reaching to 4,016 employees, the majority of whom were non-ATIP employees.

Table 8: Formal and Informal ATIP Training Sessions and Participants
Course name Platform Access or privacy training Number of sessions Number of participants

Protecting and Giving Access to Information at IRCC (CC5540)
Mandatory for all new employees

 Online Both Self-paced 1,111
Total
Formal training ATIP Privacy Breach (CC4540) In person/ virtual Privacy 14 506
ATIP Training for Middle Managers and Executives (CC4440) Both 14 163
Protect, Secure, and Manage Information (CC4416) Privacy 3 45
Understanding and Managing ATIP Requests (CC4340) Access 13 195
ATIP 101 (CC4425) Both 12 187
Appropriate Access to and Use of Personal Information (CC4426) Privacy 0 0
Privacy 101 (CC4427) Privacy 6 205
Exemptions and Exclusions 101 (CC4429) Access 9 271
Information Sharing (CC4430) Privacy 0 0
Officers Decision notes (CC4448) Other 32 744
Total 103 3,427
Informal training One-on-One ATIP Liaison Training/CRCI Administrative Process In person/ virtual Access 20 108
How to fill-out the Response to ATIP Request Form (RAR) Access 0 0
Exemptions and Exclusions 102 Access 0 0
Refresher on “How to provide records to ATIP” Access 8 98
Customized Training (other) Both 21 383
Total 49 589
Total formal and informal training 152 4,016
Total participants trained 4,016

IV. Material privacy breaches

The Policy on Privacy Protection defines a privacy breach as “the improper or unauthorized collection, use, disclosure, retention or disposition of personal information.” A material privacy breach is a privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

PPMD monitors all privacy breaches closely and has established notification protocols and remedial measures to effectively address each situation. Additionally, PPMD:

This reporting period, IRCC notified the OPC and TBS of 12 material privacy breaches. Senior officials were frequently engaged in addressing material breaches to facilitate communication within the Department, raise awareness of relevant issues, and strengthen the departmental response to serious breaches. The majority of the incidents had a minor impact and affected a limited number of individuals.

V. Privacy Impact Assessments (PIAs)

To fulfil its mandate and effectively deliver its programs, activities and services, IRCC collects, uses, retains and discloses personal information. In accordance with the “Appendix C: Standard on Privacy Impact Assessment” in the Directive on Privacy Practices, the Department undertakes PIAs to ensure compliance with the PA, its Regulations and related policy instruments. These assessments also serve to identify potential privacy risks in both new and existing departmental programs, initiatives, or projects involving personal information.

Summaries of PIAs conducted during the 2024-2025 reporting period are provided below; for comprehensive summaries, refer to Privacy Impact Assessment Summaries.

IRCC Learning Management System

This PIA assesses a substantial modification to the management of employee personal information related to training and development activities. The change involves the implementation of a cloud-based Learning Management System and associated database. The objective of this modification is to standardize departmental tools and processes for delivering training programs and to consolidate learning data to support more effective reporting. Risks associated with this change were identified, and corresponding mitigation strategies were recommended to the responsible program officials.

Administration and verification of Letters of Acceptance and provincial or territorial Attestation Letters

This PIA evaluates a substantial modification to the International Students Program for the implementation of a new intake cap for international Study Permit applications. This modification seeks to establish an information sharing process with Designated Learning Institutions for the purpose of validating letters of acceptance, thereby supporting accurate tracking and management of intake limits. Associated risks were identified, and appropriate mitigation recommendations were provided to the responsible program officials.

VI. Public interest disclosures

Paragraph 8(2)(m) of the PA states that personal information may be disclosed when, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any potential invasion of privacy that could result from the disclosure or when such disclosure would clearly benefit the individual to whom the information relates.

IRCC authorized the disclosure of personal information in 19 instances under paragraph 8(2)(m) of the PA during the reporting period, as outlined in Table 9 below.

Table 9: Summary of Public Interest Disclosures Under 8(2)(m) of the PA
Nature of disclosure Disclosures authorized where at least one individual’s personal information was disclosed Individuals affected OPC notification in accordance with subsection 8(5)
Disclosure of contact information of individuals to the Public Health Agency of Canada to notify individuals of confirmed or potential exposure to Tuberculosis 11 159 The OPC was notified before the disclosure in all cases
Disclosure of contact information of individuals to the Public Health Agency of Canada to notify individuals of confirmed or potential exposure to a zoonotic infectious disease 1 9 The OPC was notified before the disclosure took place
Disclosure of an individual’s date of birth and location of birth to the Public Trustee of Manitoba for the purpose of tracing and notifying the becoming heir of an estate 1 1 The OPC was notified before the disclosure took place
Disclosure of chronology of interaction with Government of Canada, immigration application history and departmental processing to the Standing Committee on Public Safety and National Security (SECU) in relation to individuals alleged terrorism related activities 2 3 The OPC was notified before the disclosure in all cases
Disclosure of an individual’s history of immigration into Canada to the media (general public) for the purpose of showing respect and considerations to the Canadian public that were voicing significant concerns about the number of individuals they fear are entering Canada with ties to terrorism organizations 1 1 The OPC was notified before the disclosure took place
Disclosure of citizenship status details to the media (general public) for the purpose of demonstrating to the public that the Canadian immigration process is working as intended after media attention on a prominent figure 1 2 The OPC was notified before the disclosure took place
Disclosure to a service provider organization (SPO) funded under the Resettlement Assistance Program for an individual’s immigration records relating to inadmissibility concerns under sections 34(1)(c) and 34(1)(d) 1 1 The OPC was notified before the disclosure took place
Disclosure of Canadian passport information to Global Affairs Canada and subsequently to the Government of Guatemala for the purposes of bringing a group of women and children to safety 1 147 The OPC was notified before the disclosure took place.
Total 19 323

VII. Policies, guidelines, and procedures

The guidance, feedback, and recommendations provided by PPMD during this reporting period primarily focused on ensuring compliance with the PA and promoting the adoption of best practices in these specific areas:

To effectively support these objectives, the following measures were implemented or have been planned by PPMD.

Privacy Breach Reporting

Following an internal audit conducted by IRCC’s Internal Audit and Evaluations branch, a Management Response and Action Plan was developed to strengthen internal procedures for handling privacy breaches.

In response, PPMD updated its “Privacy Breach Report Form” to improve clarity, offer more detailed guidance within the instructions section, and specify additional information required from the reporting program officials. Additionally, PPMD simplified the reporting process for program officials by streamlining the notification process for suspected privacy breaches. An accessible feature, referred to as the “easy button,” was incorporated into IRCC’s intranet page to enhance visibility and provide convenient access to PPMD’s privacy incident notification form. These updates will facilitate the Incident Management Unit in developing a thorough understanding of each potential or confirmed breach, allowing them to provide appropriate expertise and targeted support to the branches.

Privacy Impact Assessment (PIA) Review Process

PPMD created a new PIA review process intended to improve both the quality and timeliness of the assessments. The new process divides the assessment into three phases, each with specified minimum review timeframes and expectations:

Annual review of the IRCC Privacy Policy Suite

The IRCC Privacy Policy Suite comprises a set of privacy policy documents developed in accordance with TBS’s Access to Information and Privacy Policy Suite. This collection includes a Privacy Framework, Privacy Policy, Mandatory Procedures for Managing Privacy Breaches, and a Privacy Toolkit, which provides various tools, guidelines, procedures, and checklists to support privacy compliance and management.

An annual review of the content within the IRCC Privacy Policy Suite was scheduled for this reporting period; however, the review was postponed due to competing priorities, operational demands, and ongoing departmental reorganization. A thorough review of IRCC’s privacy policy instruments is scheduled to take place during the 2025-2026 period.

Guidelines for Obtaining Consent

PPMD is developing new Guidelines for Obtaining Consent, that will provide detailed guidance on seeking consent from individuals under the PA. These guidelines aim to ensure compliance with IRCC’s obligations while incorporating relevant best practices for privacy protection. IRCC anticipates publishing these guidelines as part of its Privacy Toolkit in fiscal year 2025-2026.

VIII. Monitoring compliance

IRCC employs standardized and comprehensive reporting and monitoring methods to ensure compliance, foster accountability, and facilitate continuous process improvement.

Time taken to process PA requests

All requests and complaints are systematically documented to monitor processing times, and the intake data is closely monitored by program officials. IRCC Managers and Team Leaders within the IRCC ATIP program routinely oversee responses to internal taskings, monitor extensions claimed for processing requests, and track ongoing internal and external consultations to proactively address potential issues.

Relevant data is collected from the ATIP case management system on a daily, weekly, biweekly, and quarterly basis. This data encompasses request volumes and processing outcomes, compliance rates, backlog levels, and other key performance indicators. The information is integrated into various reports tailored for different leadership levels: daily updates for managers, weekly reports for directors and the Director General and Chief Privacy Officer, and biweekly reports for Deputy Ministers. Additionally, quarterly reports are provided to Assistant Deputy Ministers, along with a monthly compliance report outlining sector and branch responses to internal ATIP taskings. A quarterly privacy breach dashboard, summarizing breach volumes and trends across IRCC, is also shared with all Assistant Deputy Ministers within the Department.

While the primary purpose of the IRCC ATIP program’s statistical reporting is to ensure compliance, the program utilizes this data to analyze workflow efficiency, address ongoing challenges, and identify emerging trends in ATIP requests.

Privacy protections in contracts, agreements and arrangements

IRCC contracts include key provisions, and its information-sharing agreements and arrangements are designed to ensure robust protection of individuals’ personal information.

Contracts

IRCC contracts and contractual agreements incorporate a clause emphasizing the contractor’s obligation to adhere to the requirements of the PA, as outlined in the Contract General Terms and Conditions:

“ Canada has an obligation to ensure that Canadian statutes, regulations and Treasury Board policies on privacy protection are respected by contractors when Canada contracts out parts of its activities, including mail services. These obligations, known as the Code of Fair Conduct, are contained in sections 4 to 7 of the Privacy Act, Revised Statutes of Canada 1985, chapter P-21. Organizations collecting, using or disclosing personal information in carrying out commercial activities are also under the obligation to ensure that personal information is protected in accordance with Canada’s own obligation and, in addition, the Personal Information Protection and Electronic Documents Act, Statutes of Canada 2000, chapter 5.”

Contractors are required to certify that they have reviewed the applicable requirements for personal information protection and will handle all personal data in a manner consistent with, and that does not impede the application of the PA and TBS policies on privacy protection. Contractors are expected to supply accurate certification information, as IRCC depends on this documentation when awarding contracts.

Failure to adhere to these contractual obligations, including certification requirements, or the discovery of misrepresentations during IRCC’s verification process, may lead the Department to determine that the contract is in default, potentially resulting in termination of the contract in accordance with the applicable default provisions.

Information-sharing agreements and arrangements

IRCC’s Departmental “Directive on Information Sharing for ISAs” mandates that all information sharing activities comply with the requirements of the ATIA and the PA, ensuring a balanced approach between transparency, public accessibility, and the safeguarding of personal information.

Once drafted, ISAs undergo a thorough review process prior to signature. Any necessary revisions are subsequently incorporated to ensure full compliance with the requirements specified in sections 4.2.33 to 4.2.37 of the TBS Directive.

IX. Initiatives and projects to improve privacy

The majority of IRCC’s ATIP requests, including an increasing number submitted under the PA, pertain to client immigration records. The initiatives listed below, whether underway or completed, aim to enhance information accessibility for clients, optimize service delivery through technological advancements and system upgrades, and reinforce privacy protections for both internal and external services.

Privacy Risk Assessment (PRA)

IRCC completed its first Privacy Risk Assessments (PRAs) in relation to the development and deployment of new technologies and systems as part of the Digital Platform Modernization (DPM) initiative.

PRAs are conducted to integrate a “privacy by design” approach into the development and design of systems, technologies, and data models. This process is initiated during the early stages of project development and is revisited with each significant release to ensure ongoing compliance and proactive privacy protection. These assessments function as a technology-focused complement to ongoing program-level Privacy Impact Assessments, aiming to identify potential risks associated with the management of personal information prior to deployment. During this reporting year, 2 Privacy Risk Assessments were completed for the first two releases of the new online account.

IRCC’s new Online Account

As part of an enhanced online experience for clients being gradually rolled out through IRCC’s Digital Platform Modernization (DPM) initiative, a new online account is being implemented that includes functionality to allow clients to have increased access to information.

Enhancements include near real-time application status updates, access to officer decision notes, and summarized communications of information and documents received at the time of submission of clients’ application. Clients will also have the ability to view and update details of their profile information through this secure account, as well as access a message centre that maintains a record of correspondences and communications exchanged with IRCC.

During the reporting period, IRCC introduced its new online account to subset of eligible temporary resident visa (TRV) clients in June 2024, and then to Canadians wishing to renew their passports online in December 2024. Between launch and the end of the reporting period, approximately 43,000 clients have used the new online account to apply for a service.

The Department recognizes that all IRCC clients, and their representatives, will benefit from the new online account and the functionality it brings. Roll-out to additional client groups is continuing throughout 2025 and 2026.

Proactive release of Officer Decision Notes (ODN)

The Officer Decision Notes (ODN) initiative directly supports IRCC’s strategy to make it easier for clients to access information about their immigration application by eliminating the need for clients to submit an ATIP request to obtain officer notes related to the refusal of an application. This is a key initiative to improve openness and transparency for our clients, and responds directly to feedback from clients, immigration representatives, and parliamentarians, who have consistently identified the need for greater clarity, timely information, and faster access to refusal explanations.

Starting in 2025-2026, ODNs will gradually become available to select Temporary Resident (Study Permit/Work Permit/Temporary Residence Visa) applicants. The release of ODNs will incrementally be rolled out to additional lines of businesses.

Client correspondence project

The Client Correspondence Unit (CCU) was created to review IRCC’s written correspondence in order to provide more clear, concise and simple language that will better meet client needs. All revisions to client-facing communications are informed by usability testing feedback obtained from both clients and officers, as well as inputs from Subject Matter Experts and IRCC Legal Services.

The CCU has supported the review and improvement of over 50 written communications, with the majority of these revised documents now implemented and actively in circulation. To date, 3 key pieces of client correspondence often sought after by ATIP clients have been revised: the Temporary Resident Refusal Letter, the Study Permit Refusal Letter, and the Work Permit refusal Letter. Additionally, the top 14 refusal grounds for Study Permits and the top 15 refusal grounds for Work Permits have also been revised and drafted with an emphasis on reducing complex legal language. The revised Study Permit and Work Permit Refusal Letters are scheduled to be launched in 2025-2026.

TBS ATIP Online Request Service (ATIP Online)

During this reporting period, the IRCC ATIP program migrated requests for corporate records from IRCC’s internal platform to the TBS ATIP Online platform. This platform streamlines the process for submitting ATIP requests and facilitates timely responses from the federal government. IRCC’s objective is to reduce the volume of outstanding requests before onboarding requests for immigration records—the largest category of requests received by IRCC—onto the TBS platform.

Since the migration, requests under the ATIA and the PA have been received through both the TBS ATIP Online platform and the IRCC departmental platform, depending on the nature of the records requested. This transition has presented some operational challenges, including cases where requesters have inadvertently submitted requests to the incorrect platform or to both platforms concurrently. Additional efforts have been undertaken to redirect requests to the appropriate channels and to ensure timely processing. While the transition to the ATIP Online platform is still in progress, requesters will continue submitting their requests for client immigration records via the IRCC ATIP online request portal.

Technological assistance and upgrades

IRCC is utilizing emerging technologies to supports its ATIP processing activities. This includes the deployment of automated solutions to handle routine tasks, allowing the Department to extend operational hours beyond traditional business times. These systems facilitate strategic resource allocation for decision-making processes, enhance data accuracy and timeliness, and minimize disruptions to ongoing operations.

In prior reporting periods, the Department successfully implemented Robotic Process Automation (RPA) to manage high-volume, routine tasks such as data entry and file management. As part of this initiative, a Bot was developed to streamline the processing of informal requests, specifically for previously released documents. The Bot monitors a designated email inbox and automatically processes requests upon receipt. During this reporting period, the RPA has significantly increased the capacity of the ATIP program, allowing for the automatic processing of over 12,000 informal requests, with many requesters receiving documents within minutes.

The IRCC ATIP program is also evaluating the potential for replacing its case management software. The objective is to improve the program’s operational effectiveness while ensuring seamless integration with existing systems and processes, including the RPA.

Moving forward

During the reporting period, IRCC focused on developing new reporting tools and internal notification procedures for privacy breaches and suspected privacy incidents. PPMD also reviewed the IRCC Digital Platform Modernization (DPM) Privacy Risk Assessments to oversee the integration of personal information protection into project planning and implementation phases.

Looking ahead, PPMD plans to conduct a thorough review and update of the IRCC Privacy Policy Suite and revise its training program, ensuring the effective delivery of all required departmental training. The Department will also continue to advance ongoing initiatives and support new efforts aimed at improving service delivery and ensuring compliance with the PA.

IRCC aligns its funding with the targets in the Immigration Levels Plan, including adjusting staffing levels and processing capacity accordingly. In consideration of the reduction to the Immigration Levels Plan as of 2025-2026, as well as in alignment with the Government of Canada’s Budget Rationalization exercise, over the next three years, IRCC will reduce its current and projected workforce by approximately 3,300 positions; it is estimated that about 80% of these reductions can be achieved by reducing staffing commitments and our temporary workforce. This will have varying impacts across all sectors and branches of IRCC, including to the ATIP program, which has a significant proportion of temporary resources supporting the program. IRCC takes its responsibilities under the Access to Information and Privacy legislations seriously, and we remain committed to openness, transparency, and accountability to the public.

Annexes

Annex A: Copy of the signed delegation order in effect March 31, 2025

Annex B: Copy of the Delegation of Authority under the Privacy Act and the Privacy Regulations in effect March 31, 2025

Annex C: Statistical Report on the Administration of the Privacy Act

Annex D: Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Annex A: Copy of the signed delegation order in effect March 31, 2025

Delegation of Authority image described below.
Text version: Delegation of Authority

Official Document

Immigration, Refugees and Citizenship of Canada

Delegation of Authority

Access to Information Act and Privacy Act

I, Minister of Immigration, Refugees and Citizenship, pursuant to section 95 of the Access to Information Act and section 73 of the Privacy Act, hereby authorize the officer and employee of Immigration, Refugees and Citizenship whose position or classification is set out in the attached Schedule to carry out those of my powers, duties or functions under the Acts that are set in the Schedule in relation to that officer and employee.

Dated at Ottawa

This 14 day of May 2024

Marc Miller, P.C., M.P.
Minister of Immigration, Refugees and Citizenship

Annex B: Copy of the Delegation of Authority under the Privacy Act and the Privacy Regulations in effect March 31, 2025

Delegation of Authority under the Privacy Act and the Privacy Regulations

Full delegation
Privacy Act
Position Delegation
Deputy Minister Full Authority
Assistant Deputy Minister, Corporate Services Full Authority
Director General, Access and Privacy Management

Full Authority, except the following section of the Privacy Act:

  • 8(2)(j) – disclosure for research purposes
Director, ATIP Operations Division

Full Authority, except the following sections of the Privacy Act:

  • 8(2)(j) – disclosure for research purposes
  • 8(2)(m)(i) – disclosure in the public interest
  • 8(2)(m)(ii) – disclosure for the benefit of the individual
  • 8(5) – notice of disclosure under 8(2)(m)
  • 9(4) – consistent uses
  • 10 – personal information banks
  • 51(2) – special rules for hearings
Assistant Director, ATIP Operations Division

Full Authority, except the following sections of the Privacy Act:

  • 8(2)(j) – disclosure for research purposes
  • 8(2)(m)(i) – disclosure in the public interest
  • 8(2)(m)(ii) – disclosure for the benefit of the individual
  • 8(5) – notice of disclosure under 8(2)(m)
  • 9(4) – consistent uses
  • 10 – personal information banks
  • 51(2) – special rules for hearings
  • 72(1) – report to parliament
Partial delegation
Privacy Act
Position Delegation
Director General and Chief Data Officer, Research and Evaluation

Authority limited to the following section of the Privacy Act:

  • 8(2)(j) – disclosure for research purposes
Director, Access to information and Privacy Innovation and Support Division

Authority limited to the following section of the Privacy Act:

  • 71(2) – report to Parliament
Director, Privacy Program Management Division

Authority limited to the following sections of the Privacy Act:

  • 8(2)(m)(i) – disclosure in the public interest
  • 8(2)(m)(ii) – disclosure for the benefit of the individual
  • 8(5) – notice of disclosure under 8(2)(m)
  • 9(1) – record of disclosures to be retained
  • 9(4) – consistent uses
  • 10 – personal information to be included in personal
  • 33(2) – right to make representation
  • 72(1) – report to parliament
Assistant Director, Privacy Program Management Division

Authority limited to the following sections of the Privacy Act:

  • 8(5) – notice of disclosure under 8(2)(m)
  • 33(2) – right to make representation
PM-05, Privacy Program Management Division

Authority limited to the following sections of the Privacy Act:

  • 33(2) – right to make representation
Partial Delegation
Description Section PM-05
(client)		 PM-05
(corp.)		 PM-04
(client)		 PM-04
(corp.)		 PM-03
(client)		 PM-03
(corp.)
Disclosure for research purposes 8(2)(j) No No No No No No
Disclosure in the public interest 8(2)(m)(i) No No No No No No
Disclosure to the benefit of the individual 8(2)(m)(ii) No No No No No No
Copies of requests under 8(2)(e) to be retained 8(4) Yes Yes No No No No
Notice of disclosure under 8(2)(m) 8(5) No No No No No No
Record of disclosures to be retained 9(1) No No No No No No
Consistent uses 9(4) No No No No No No
Personal information banks 10 No No No No No No
Notice where access requested 14 Yes Yes Yes Yes Yes Yes
Extension of time limits 15 Yes Yes Yes No Yes No
Where access is refused 16 No No No No No No
Language of access 17(2)(b) No No No No No No
Access in alternative format 17(3)(b) No No No No No No
Exemption – Exempt bank 18(2) Yes Yes No No No No
Exemption – Information obtained in confidence 19(1) Yes Yes Yes No No No
Exemption – Where authorized to disclose 19(2) Yes Yes Yes No No No
Exemption – Federal-provincial affairs 20 Yes Yes No No No No
Exemption – International affairs, and defence 21 Yes Yes Yes Yes No No
Exemption – Law enforcement and investigation 22 Yes Yes Yes No No No
Exemption – Public Servants Disclosure Protection Act 22.3 No No No No No No
Exemption – Security clearances 23 Yes Yes Yes No Yes No
Exemption – Individuals sentenced for an offence 24 Yes Yes No No No No
Exemption – Safety of individuals 25 Yes Yes Yes No Yes No
Exemption – Information about another individual 26 Yes Yes Yes Yes Yes No
Exemption – Protected information – solicitors, advocates and notaries 27 Yes No Yes No No No
Exemption – Medical record 28 Yes Yes Yes No No No
Right to make representation 33(2) No lim. No No No No
Access to be given 35(4) No lim. No No No No
Special rules for hearings 51(2) No No No No No No
Annual Report to Parliament 72(1) No No No No No No
Privacy Regulations
Description Section Director
ATIP
OPS		 Assistant
Director
ATIP
OPS		 PM-05
(client)		 PM-05
(corp.)		 PM-04
(client)		 PM-04
(corp.)		 PM-03
(client)		 PM-03
(corp.)
Examination of records 9 Yes Yes Yes Yes Yes Yes Yes Yes
Correction of personal information 11(2) Yes Yes Yes Yes No No No No
Notification of refusal to correct personal information 11(4) Yes Yes Yes Yes No No No No
Disclosure: medical information 13(1) Yes No No No No No No No
Disclosure: medical information – examine in person 14 Yes No No No No No No No

Legend

ATIP OPS
ATIP Operations Division
(client)
Client records
(corp.)
Corporate records
PM-05
Senior ATIP & Privacy Advisor positions
PM-04
ATIP & Privacy Advisor positions
PM-03
ATIP & Privacy Analyst positions
lim.
Authority limited to the Senior ATIP & Privacy Advisor, Complaints Team Leader

Annex C: Statistical Report on the Administration of the Privacy Act

Name of institute: Immigration, Refugees and Citizenship Canada
Reporting period: 2024-04-01 to 2025-03-31

Section 1: Requests under the Privacy Act

1.1 Number of requests received

Number of Requests
Received during reporting period 101,541
Outstanding from previous reporting periods 16,520

Outstanding from previous reporting periods

 11,230 N/A

Outstanding from more than one reporting period

 5,290 N/A
Total 118,061Table Footnote *
Closed during reporting period 98,367
Carried over to next reporting period 19,698

Carried over within legislated timeline

 8,405 N/A

Carried over beyond legislated timeline

 11,293 N/A

1.2 Channels of requests

Channel Number of Requests
Online 100,332
E-mail 720
Mail 489
In person 0
Phone 0
Fax 0
Total 101,541

Section 2: Informal requests

2.1 Number of informal requests

Number of Requests
Received during reporting period 0
Outstanding from previous reporting periods 0

Outstanding from previous reporting periods

 0 N/A

Outstanding from more than one reporting period

 0 N/A
Total 0
Closed during reporting period 0
Carried over to next reporting period 0

2.2 Channels of informal requests

Channel Number of Requests
Online 0
E-mail 0
Mail 0
In person 0
Phone 0
Fax 0
Total 0

2.3 Completion time of informal requests

Completion Time (Days) Total
1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365
0 0 0 0 0 0 0 0

2.4 Pages released informally

Number of Requests Pages Released
Less than 100 0 0
100 to 500 0 0
501 to 1,000 0 0
1,001 to 5,000 0 0
More than 5,000 0 0

Section 3: Requests closed during the reporting period

3.1 Disposition and completion time

Disposition Completion Time (Days) Total
1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365
All disclosed 80 28,599 6,714 359 134 109 623 36,618
Disclosed in part 66 39,528 10,613 894 275 185 1,373 52,934
All exempted 0 0 0 0 1 0 0 1
All excluded 0 0 0 0 0 0 0 0
No records exist 44 133 128 28 5 2 23 363
Request abandoned 2,471 2,733 261 128 29 22 2,277 7,921
Neither confirmed nor denied 185 315 1 17 5 6 1 530
Total 2,846 71,308 17,717 1,426 449 324 4,297 98,367

3.2 Exemptions

Section 18 exemptions
Section 18 Number of Requests
18(2) 0
Section 19 exemptions
Section 19 Number of Requests
19(1)(a) 2,520
19(1)(b) 3
19(1)(c) 3
19(1)(d) 2
19(1)(e) 0
19(1)(f) 0
Section 20 exemptions
Section 20 Number of Requests
20 0
Section 21 exemptions
Section 21 Number of Requests
21 18,253
Section 22 exemptions
Section 22 Number of Requests
22(1)(a)(i) 1
22(1)(a)(ii) 1
22(1)(a)(iii) 0
22(1)(b) 12,386
22(1)(c) 6
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
Section 23 exemptions
Section 23 Number of Requests
23(a) 0
23(b) 0
Section 24 exemptions
Section 24 Number of Requests
24(a) 0
24(b) 0
Section 25 exemptions
Section 25 Number of Requests
25 236
Section 26 exemptions
Section 26 Number of Requests
26 36,300
Section 27 exemptions
Section 27 Number of Requests
27 5
27.1 0
Section 28 exemptions
Section 28 Number of Requests
28 2

3.3 Exclusions

Section 69 exclusions
Section 69 Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
Section 70 exclusions
Section 70 Number of Requests
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

3.4 Format of information released

Format Number of Requests
Paper 128
Electronic

E-record

 89,424

Data set

 0

Video

 0

Audio

 0
Other 0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper, e-record, and dataset formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
2,123,344 1,885,515 98,004
3.5.2 Relevant pages processed per request disposition for paper, e-record, and dataset formats by size of requests
Disposition Pages Processed
Less than 100 101 to 500 501 to 1,000 1,001 to 5,000 More than 5,000
No. of Requests Pages Processed No. of Requests Pages Processed No. of Requests Pages Processed No. of Requests Pages Processed No. of Requests Pages Processed
All disclosed 36,465 508,421 150 22,764 3 1,970 0 0 0 0
Disclosed in part 51,084 1,184,644 1,725 284,548 91 63,595 34 54,873 0 0
All exempted 1 8 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 7,920 2,402 1 119 0 0 0 0 0 0
Neither confirmed nor denied 530 0 0 0 0 0 0 0 0 0
Total 96,000 1,695,475 1,876 307,431 94 65,565 34 54,873 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Minutes Processed
Less than 60 60 to 120 More than 120
No. of
Requests		 Minutes Processed No. of
Requests		 Minutes Processed No. of
Requests		 Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Minutes Processed
Less than 60 60 to 120 More than 120
No. of
Requests		 Minutes Processed No. of
Requests		 Minutes Processed No. of
Requests		 Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

3.6 Closed requests

3.6.1 Requests closed within legislated timelines
Number of Requests Percentage of Requests
Closed within legislated timelines 85,988 87.415

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
Number of Requests
Requests closed past the legislated timelines 12,379
Principal reason

Interference with operations/workload

 12,379

External consultation

 0

Internal consultation

 0

Other

 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Total
No Extension Taken Extension Taken
1 to 15 5,271 2 5,273
16 to 30 637 1 638
31 to 60 910 0 910
61 to 120 738 3 741
121 to 180 332 1 333
181 to 365 288 3 291
More than 365 4,065 128 4,193
Total 12,241 138 12,379

3.8 Requests for translation

Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures under subsections 8(2) and 8(5)

Number
Paragraph 8(2)(e) 285
Paragraph 8(2)(m) 19
Subsection 8(5) 19
Total 323

Section 5: Requests for correction of personal information and notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions

Number
Number of Extensions Taken 144
15(a)(i) Interference with operations

Further review required to determine exemptions

 0

Large volume of pages

 0

Large volume of requests

 2

Documents are difficult to obtain

 0
15(a)(ii) Consultation

Cabinet Confidence Section (Section 70)

 10

External

 132

Internal

 0
15(b) Translation purposes or conversion 0

6.2 Length of extensions

Length of Extensions (days) 15(a)(i) Interference with Operations 15(a)(ii) Consultation 15(b) Translation Purposes or Conversion
Further Review Required Large Number of Pages Large Volume of Requests Documents are Difficult to Obtain Cabinet Confidence (Section 70) External Internal
1 to 15 0 0 0 0 0 0 0 0
16 to 30 0 0 2 0 10 132 0 0
31 or greater N/A N/A N/A N/A N/A N/A N/A 0
Total 0 0 2 0 10 132 0 0

Section 7: Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 37 1,593 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 37 1,593 0 0
Carried during the reporting period 35 1,578 0 0
Carried over within negotiated timelines 2 15 0 0
Carried over beyond negotiated timelines 0 0 0 0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation Completion Time (Days) Total
1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365
Disclosed entirely 8 3 1 1 0 0 0 13
Disclosed in part 17 4 1 0 0 0 0 22
Exempted entirely 0 0 0 0 0 0 0 0
Excluded entirely 0 0 0 0 0 0 0 0
Consult other institutions 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 25 7 2 1 0 0 0 35

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Recommendation Completion Time (Days) Total
1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365
Disclosed entirely 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
Exempted entirely 0 0 0 0 0 0 0 0
Excluded entirely 0 0 0 0 0 0 0 0
Consult other institutions 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion time of consultations on cabinet confidences

8.1 Requests with Legal Services

Number of Days Pages Processed
Less than 100 100 to 500 501 to 1,000 1,001 to 5,000 More than 5,000
No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed
1 to 15 7 0 0 0 0 0 0 0 0 0
16 to 30 6 0 1 0 0 0 0 0 0 0
31 to 60 3 0 3 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 16 0 4 0 0 0 0 0 0 0

8.2 Requests with Privy Council Office

Number of Days Pages Processed
Less than 100 100 to 500 501 to 1,000 1,001 to 5,000 More than 5,000
No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed No. of
Requests		 Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and investigations notices received

Number
Section 31 132
Section 33 25
Section 35 1
Court action 0
Total 158

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

Number of PIAs Completed Number of PIAs Modified
Privacy Impact Assessments 2 0

10.2 Institution-specific and Central Personal Information Banks

Personal Information Banks Active Created Terminated Modified
Institution-specific 21 1 11 11
Central 0 0 0 0
Total 21 1 11 11

Section 11: Privacy breaches

11.1 Material privacy breaches

Number of Breaches
Material privacy breaches reported to TBS 12
Material privacy breaches reported to OPC 12

11.2 Non-material privacy breaches

Number of Breaches
Non-material privacy breaches 8,033

Section 12: Resources related to the Privacy Act

12.1 Allocated costs

Expenditures Amount
Salaries $2,390,227
Overtime $45,159
Goods and Services $16,145

Professional services contracts

 $0 N/A

Other

 $16,145 N/A
Total $2,451,531

12.2 Human resources

Resources Person Years Dedicated to Privacy Activities
Full-time employees 21.289
Part-time and casual employees 5.318
Regional staff 0.000
Consultants and agency personnel 0.000
Students 0.508
Total 27.115

Annex D: Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Name of institute: Immigration, Refugees and Citizenship Canada
Reporting period: 2024-04-01 to 2025-03-31

Section 1: Requests carried over and active complaints under the Access to Information Act

1.1 Requests carried over to the next reporting period

Fiscal Year Received Within Legislated Timelines as of March 31, 2025 Beyond Legislated Timelines as of March 31, 2025 Total
2024-2025 14,019 13,808 27,827
2023-2024 5 7,652 7,657
2022-2023 0 6,005 6,005
2021-2022 1 30 31
2020-2021 0 1 1
2019-2020 0 0 0
2018-2019 0 0 0
2017-2018 or earlier 0 0 0
Total 14,025 27,496 41,521

1.2 Open complaints with the Information Commissioner of Canada

Fiscal Year Received Total
2024-2025 117
2023-2024 19
2022-2023 4
2021-2022 4
2020-2021 1
2019-2020 0
2018-2019 2
2017-2018 or earlier 1
Total 148

Section 2: Requests carried over and active complaints under the Privacy Act

2.1 Requests carried over to the next reporting period

Fiscal Year Received Within Legislated Timelines
as of March 31, 2025		 Beyond Legislated Timelines
as of March 31, 2025		 Total
2024-2025 8,405 6,801 15,206
2023-2024 0 2,948 2,948
2022-2023 0 1,543 1,543
2021-2022 0 1 1
2020-2021 0 0 0
2019-2020 0 0 0
2018-2019 0 0 0
2017-2018 or earlier 0 0 0
Total 8,405 11,293 19,698

2.2 Active complaints with the Privacy Commissioner of Canada

Fiscal Year Received Total
2024-2025 22
2023-2024 8
2022-2023 24
2021-2022 1
2020-2021 0
2019-2020 0
2018-2019 0
2017-2018 or earlier 0
Total 55

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the Social Insurance Number in 2024-2025?

No

Section 4: Universal access under the Privacy Act

How many requests were received from foreign nationalsFootnote * outside of Canada in 2024-2025?

53,988

Page details

2025-11-03