Language selection

Government of Canada / Gouvernement du Canada

Search

Public Services and Procurement Canada
2024 to 2025 Annual Report on the Privacy Act

Information contained in this publication or product may be used and reproduced, in part or in whole, and by any means, for personal or public non-commercial purposes, without charge or further permission, unless otherwise specified, provided that you do the following:

Commercial reproduction and distribution is prohibited, except with written permission from Public Services and Procurement Canada (PSPC). For more information, please contact PSPC at 1-800-622-6232.

The official symbols of the Government of Canada, including the Canada wordmark and flag symbol, may not be reproduced, whether for commercial or non-commercial purposes.

© His Majesty the King in Right of Canada, represented by the Minister of Public Services and Procurement, 2025.

Aussi disponible en français.

ISSN 2817-5689

On this page

Introduction

Public Services and Procurement Canada is pleased to present to parliament its annual report on the administration of the Privacy Act (PA). This report describes the activities that support compliance with the act for the fiscal year commencing April 1, 2024, and ending March 31, 2025, and is not intended to fulfill reporting requirements for any non-operational subsidiaries of the institution.

Section 72 of the Privacy Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Privacy Act during the fiscal year.

Purpose of the act

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information. The Privacy Act protects an individual’s privacy by preventing others from having unlawful access to personal information. It also grants an individual specific rights regarding the collection, use and disclosure of this information.

About Public Services and Procurement Canada

Public Services and Procurement Canada, formerly Public Works and Government Services Canada, derives its mandate from the Department of Public Works and Government Services Act of 1996, which established the department as a common service provider. The department plays an important role in the daily operations of the Government of Canada as a key provider of services for federal departments and agencies. The department supports them in the achievement of their mandated objectives in 5 service categories:

PSPC provides services across Canada through its headquarters in the National Capital Region, 5 regions, as well as offices in Europe (Geilenkirchen, Germany) and the United States (Washington, DC).

Organizational structure

The Access to Information and Privacy (ATIP) Directorate is responsible for the delegated administration of the Access to Information Act (ATIA) and the Privacy Act within PSPC. The ATIP senior director acts as the department’s ATIP coordinator. The directorate is overseen by the director general of the Corporate Secretariat and Accessibility Sector, who is also the department’s chief privacy officer.

In the 2024 to 2025 fiscal year, 16.980 full-time equivalent (FTE) employees and 0.345 FTEs casual employees administered the Privacy Act with the support of 1.000 consultant, for a total complement of 18.325 FTEs.

Access to Information and Privacy reporting structure at Public Services and Procurement Canada

Organizational chart of the Public Services and Procurement Canada Access to Information and Privacy Directorate and the Litigation Readiness and Transparency Directorate. —Text version below the chart
Text version

This organizational chart displays a hierarchy beginning with the Corporate Secretariat and Accessibility Sector at the top. Directly below are the 2 directorates responsible for the administration of the Access to Information Act and the Privacy Act: the Access to Information and Privacy Directorate and the Litigation Readiness and Transparency Directorate.

The Access to Information and Privacy Directorate is supported by the 4 following divisions:

  • the Administration Division carries out administrative functions, supports fulfillment of corporate obligations, and maintains the request processing system
  • the Operations Division processes requests received under the Access to Information Act and the Privacy Act, and liaises with the offices of the Information and Privacy commissioners to resolve complaints
  • the Privacy Management Division advises and supports the department in privacy risk management, ensuring compliance with privacy legislative and policy instruments
  • the Governance and Outreach Division develops procedures and departmental reports, delivers training, promotes awareness, and provides user support for the request processing system

Below these divisions there is another level for ATIP liaison officers, who coordinate the retrieval, review and submission of information held by their branch or region in response to ATIP requests.

The Litigation Readiness and Transparency Directorate’s Proactive Publication and Transparency Division administers part 2 of the Access to Information Act, coordinates and advances Transparency policies, guidelines, processes and practices.

During reporting period 2024 to 2025, the Proactive Publication and Transparency Division moved from the ATIP Directorate to the Litigation Readiness and Transparency Directorate, remaining under the Corporate Secretariat and Accessibility Sector and reporting to the chief privacy officer.

Service sharing agreement

In the 2024 to 2025 reporting period, PSPC had a service sharing agreement for the provision of corporate services to the Office of the Procurement Ombud (OPO) which included access to information services under section 96 of the Access to Information Act and section 73.1 of the Privacy Act.

These duties included completing Access to Information Act requests, Privacy Act requests, and related consultation requests. The ATIP Directorate was responsible for implementing measures to mitigate concerns regarding OPO’s independence and perception of conflict of interest, including segregating and limiting access to OPO files. OPO was responsible for reviewing and confirming the application of exemptions and exceptions on release packages and provided final approval prior to public release of any document.

Delegation of authority

Pursuant to section 73(1) of the Privacy Act, the minister responsible for Public Services and Procurement Canada has delegated the power, duties and functions of the administration of the act down to ATIP manager level. This excludes paragraph 8(2)(m) of the Privacy Act which is only delegated down to senior director level. Certain functions are also delegated to ATIP managers and senior officers to accelerate the processing of requests.

The most recent PSPC delegation instrument was signed on December 17, 2024, with a separate matrix for ATIP delegation. An excerpt of the delegation of authorities approved by the minister, pertaining to delegation under the Privacy Act, is attached as Annex A: Delegation of authorities chart for the Privacy Act and its regulations.

Performance for 2024 to 2025

In this section

Privacy requests

Privacy requests: Received and closed

Volume of privacy requests received and closed by fiscal year—Text version below the chart
Text version

Chart summary: Privacy requests received and closed

  • 2020 to 2021: 353 requests received, 381 requests closed
  • 2021 to 2022: 369 requests received, 366 requests closed
  • 2022 to 2023: 515 requests received, 512 requests closed
  • 2023 to 2024: 369 requests received, 391 requests closed
  • 2024 to 2025: 291 requests received, 309 requests closed

The department received 291 requests and closed 309 requests pursuant to the Privacy Act in the 2024 to 2025 reporting period. This represents a decrease of approximately 21% from the previous year for both received and closed requests. The majority of privacy requests received were related to pension, pay files, and personal records.

Privacy requests: Pages reviewed

Number of pages reviewed under the Privacy Act by fiscal year—Text version below the chart
Text version
Table 1: Pages reviewed for privacy requests (in thousands)
Fiscal year Pages reviewed
2020 to 2021 162,000
2021 to 2022 130,000
2022 to 2023 142,000
2023 to 2024 153,000
2024 to 2025 138,000

In the 2024 to 2025 reporting period, PSPC reviewed 138,138 pages for requests received under the Privacy Act.

Privacy requests: Disposition

Volume and percentage of closed privacy requests by disposition decision—Text version below the chart
Text version

Chart summary: Disposition of privacy requests

  • All disclosed: 175 requests (56.63%)
  • Disclosed in part: 90 requests (29.13%)
  • Abandoned: 12 requests (3.88%)
  • No records existed: 32 requests (10.36%)

Of all requests closed during the 2024 to 2025 reporting period, 56.63% were fully disclosed, 29.13% were disclosed in part, and 10.36% were those for which no records existed. The balance of requests, 3.88%, was abandoned.

Privacy requests: Completion times

Volume and percentage of privacy requests completed within certain timeframes—Text version below the chart
Text version

Chart summary: Completion times for privacy requests

  • Within 30 days: 209 requests (67.64%)
  • 31 to 60 days: 84 requests (27.18%)
  • 61 to 120 days: 9 requests (2.91%)
  • 121 days or more: 7 requests (2.27%)

PSPC’s overall compliance rate for 2024 to 2025 was 96.44% for requests made under the Privacy Act. This compliance rate represents all files that were completed either within the initial 30 days or within an extension period for reasons of volume or consultations. Only 11 requests (3.56%) were closed beyond legislated timelines.

The percentage of requests closed within the initial 30 days was 67.64%.

Privacy requests: Extensions

Section 15 of the Privacy Act permits the statutory time limits to be extended if consultations are necessary or if the request is for a large volume of records and processing it within the original time limits would unreasonably interfere with the operations of the department.

PSPC invoked 89 extensions during the 2024 to 2025 reporting period. Of these, 4 were required to complete consultations with internal and external stakeholders, 60 were required due to a large volume of requests which otherwise would have interfered with operations, 24 were required to process a large volume of pages and 1 was required to retrieve documents that were difficult to obtain.

Privacy requests: Exemptions

The department invoked exemptions allowed under the Privacy Act on 90 requests (29.13%), and disclosed all information in 175 requests (56.63%). The remaining 44 requests (14.24%) were either abandoned or those for which no records existed.

The majority of exemptions invoked by PSPC fell under section 26, which protects personal information and was used in 87 files (96.67%).

Of note, more than one exemption can be applied to a specific request.

Privacy requests: Exclusions

In the 2024 to 2025 reporting period, PSPC did not apply any exclusions to records requested under the Privacy Act.

Privacy requests: Active

Number of privacy active requests within and beyond legislated timelines by fiscal year—Text version below the chart
Text version
Table 2: Active privacy requests
Fiscal year Privacy requests active within legislated timelines Privacy requests active beyond legislated timelines
2020 to 2021 0 1
2021 to 2022 0 1
2022 to 2023 0 0
2023 to 2024 0 0
2024 to 2025 17 3

At the end of the 2024 to 2025 reporting period, PSPC had a total of 22 active requests pursuant to the Privacy Act that were outstanding, the majority of which (90.91%) were received during the reporting period.

Privacy requests: Factors influencing performance

The compliance rate of 96.44% highlights the dedicated efforts of the department to fulfill the responsibilities relating to the administration of the Privacy Act. Nonetheless, the following factors affected the ATIP Directorate operations during the reporting period:

Consultations requests

PSPC received 1 consultation request from another government institution relating to personal records which totaled 53 pages reviewed. The completion time was within 15 days and the recommendation was to partially disclose the information.

Complaints

Complaints received and closed

During the 2024 to 2025 reporting period, PSPC was notified of 5 new complaints received by the Office of the Privacy Commissioner of Canada (OPC), and submitted formal representations for 7 active complaints received in the current or previous reporting periods.

Volume and percentage of complaints received and closed by complaint types—Text version below the chart
Text version

Chart summary: Complaints received and closed

  • Deemed refusal: 2 complaints received (40.00%)
  • Extension: 1 complaint received (20.00%)
  • Exemption: 1 complaint received (20.00%)
  • Missing records: 1 complaint received (20.00%)

Of the 5 complaints received under provisions of the Privacy Act during the reporting period:

During the reporting period, the ATIP Directorate closed 5 complaint investigations. Of these, 3 complaints were deemed well-founded and 2 were deemed not well-founded.

Active complaints

At the end of the 2024 to 2025 reporting period, PSPC had a total of 3 active complaints with the OPC: 2 were outstanding from reporting period 2023 to 2024 and 1 from the current reporting period.

Training and awareness

Through the delivery of training and various activities, PSPC strengthened institution-wide awareness with the Privacy Act and departmental obligations.

During the 2024 to 2025 reporting period, the ATIP Directorate’s training coordinator continued to offer virtual training sessions and hybrid sessions. These delivery formats gave the ATIP Directorate the ability to reach more participants throughout the country. They also encouraged active engagement and collaboration, either virtually or in person, while promoting ATIP trainings and tools on a larger scale within the department.

PSPC delivered the following training sessions:

Through these training sessions, the ATIP Directorate informed participants of their obligations under the Privacy Act and the department’s efforts to make the government more open to everyone.

Privacy breach prevention and reporting

The ATIP Directorate offered the mandatory “Privacy Breach Prevention and Reporting” training via PSPC’s online learning platform, ALTO, to 5764 employees. This training was designed to promote awareness of internal guidelines and procedural safeguards to avoid privacy breaches, including material breaches. Training sessions provided valuable information to participants relating to their role, responsibilities, and obligations towards the requirements of privacy breach management. They also provided instructions on the necessary actions in case of a privacy breach, and preventive actions.

Policies, guidelines and procedures

During the 2024 to 2025 reporting period, the ATIP Directorate revised services standards, procedures, and mechanisms to ensure coherent and consistent practices in the processing of privacy requests. These procedures and mechanisms applied to a number of operational actions such as standardising client services and request intake, documenting requester’s consent and right of access, and managing information relating to privacy requests in the departmental information management system. In addition, guidelines and procedures were developed to support employees during the transition to the new request processing system.

To improve the administration and ensure the cohesion of the ATIP program, the ATIP Directorate held weekly management meetings to discuss emerging and ongoing operational and policy issues. These meetings were also an opportunity to promote privacy management within the directorate, and to discuss raising awareness among departmental employees.

Directive on privacy management

The departmental Directive on Privacy Management was introduced on August 16, 2022, and led to significant improvements in the management and protection of personal information across the department. Updated personal information protection measures were effectively integrated into daily operations, strengthening compliance with the Privacy Act and related policy instruments. Regular audits and feedback from internal and external stakeholders indicated greater transparency in the handling of personal information. Clear communication of privacy practices was consistently maintained, fostering trust among employees and the public. As a result, the directive allowed PSPC to meet its commitment to sound privacy management and the protection of the privacy of individuals.

PSPC reviewed the directive during the 2024 to 2025 reporting period to address modifications required by update of privacy policy instruments by the Treasury Board of Canada Secretariat (TBS), organizational changes within PSPC, and administrative changes. Many sections of the directive required modifications to ensure the accuracy of the information and alignment with TBS instruments, including references, hyperlinks, and templates. This review is expected to be completed before the end of the 2025 to 2026 reporting period.

Initiatives and projects to improve privacy

In this section

Human resources and professional development

During the 2024 to 2025 reporting period, recruitment initiatives and human resources administrative measures were undertaken to reduce the shortage of experienced employees within the privacy management and the operations divisions. Employees were promoted, and an employee affected by staff reduction in another branch was deployed to the ATIP Directorate. There was also increased effort to fill program support positions to increase productivity, reduce the administrative burden on the Operations Division, and meet departmental obligations. To facilitate the integration of newly recruited employees within the ATIP Directorate, a review of the onboarding process was initiated which includes the development of clear, standardized guidelines for privacy procedures and processes. The Operations Division’s mandates were reviewed and modified to assist in the management of competing priorities.

To provide further professional development, employees of the Operations Division were encouraged to complete the Access to Information and Protection of Personal Information Training Program - Federal Institutions offered by the Association of Access to Information and Privacy Professionals.

Information resources modernization and standardization

In reporting period 2024 to 2025, the ATIP Directorate initiated the development of a new internal service webpage on the departmental intranet to increase the visibility of privacy services and enhance privacy awareness and reporting of privacy breaches across the department. This webpage will serve as a central point for outlining privacy management services and provide employees with direct access to submit requests.

During the reporting period, a comprehensive review of over 600 departmental forms was initiated to ensure compliance with TBS policies and directives. This ongoing project involves identifying non-compliant forms, documenting the reasons for non-compliance, and outlining necessary updates. Upon completion of the review, the ATIP Directorate will collaborate with the forms owners to implement the required changes and bring departmental forms to current privacy standards.

In addition, the ATIP Directorate initiated a review and modernization of departmental privacy tools and templates, focusing on privacy service forms used to ensure that privacy practices remain current and align with the latest policy standards. This review is intended to enhance the clarity, usability, and accessibility of the tools in use throughout PSPC, thereby strengthening privacy protection mechanisms and improving service delivery.

Technological improvements

Throughout the 2024 to 2025 reporting period, PSPC collaborated with stakeholders to advance the replacement of the outdated ATIP request processing system currently in use with ATIPXpress, a modernized system designed to streamline and enhance the processing of ATIP requests.

To manage the implementation of ATIPXpress, the ATIP Directorate established a dedicated team of subject matter experts. This team worked with internal and external partners, including the vendor, to ensure project milestones and contractual requirements were met and proactively address challenges. Projects milestones achieved during the reporting period include:

A strategy for a phased launch of the system is in development. The strategy aims to progressively integrate the processing of different types of requests, including access, privacy, consultation, and informal, to ensure a smooth transition and facilitate user onboarding. This strategy will allow for the review and validation of internal processes in order to tailor them for the additional functionalities permitted by the new system. The strategy will also include planned training sessions for employees offered through a combination of vendor-led and internal sessions. These sessions will provide hands-on experience with the system’s features and functionalities to fully leverage its potential.

In the next year, the ATIP Directorate will evaluate the use of artificial intelligence functionalities to minimize the processing time of requests, and continue the configuration and installation of ATIPXpress. A soft launch is expected in fall 2025.

Summary of key issues and actions taken on complaints

During the 2024 to 2025 reporting period, deemed refusal of access was the most prevalent basis for complaints received. Depending on the nature of the complaint, PSPC contacted the OPC investigator to clarify the reasons behind the complaint, contacted the relevant office of primary interest (OPI) within PSPC to request new searches and disclosed additional records when applicable, and reviewed applied exemptions and exclusions to confirm their applicability.

The ATIP Directorate also coordinated efforts with the OPC to complete active files by requesting updates on the investigation status and providing the required information. Through this collaboration, administrative errors were corrected, accuracy of data was confirmed, and outstanding complaints were closed.

Material privacy breaches

A privacy breach is deemed material if it could reasonably create a real risk of significant harm to an individual. To guide the department's responses regarding privacy breaches, PSPC makes use of a privacy breach protocol which outlines the steps that must be followed by employees who discover a possible breach of privacy. First established in 2015 and updated in 2021, the protocol provides an enhanced toolset to assess the risks associated with the breach, and includes communications with affected individuals and implementation of mitigation measures.

During the 2024 to 2025 fiscal year, PSPC did not receive reports of material privacy breaches and none were reported to the OPC or TBS.

Privacy impact assessments

In the course of fulfilling its mandate as a common service provider to federal organizations, PSPC collects, retains, uses and discloses personal information. In accordance with the TBS Directive on Privacy Practices, the ATIP Directorate provides guidance and recommendations for the elaboration of privacy impact assessments and for any substantial modifications to the use of personal information.

During the 2024 to 2025 reporting period, PSPC completed one privacy impact assessment (PIA) for the GCSurplus program. The summary of this PIA is available on Canada.ca

GCSurplus program

The GCSurplus program facilitates the disposal of surplus Crown assets through various channels, including sales, transfers, and recycling, aiming to reduce the government's physical, financial, and environmental footprint. The privacy impact assessment was prompted by an ongoing application modernization project and the program's expansion to include new public-sector clients. While these developments may alter the program's operational scope, the core services and their associated privacy implications remain consistent.

Public interest disclosures

In accordance with subsection 8(2) of the Privacy Act, under certain circumstances, a government institution may disclose personal information under its control without the consent of the individual to whom the information relates.

Paragraph 8(2)(e) permits disclosure of personal information to a federal investigative body for the purpose of enforcing law or carrying out a lawful investigation. PSPC made 2 disclosures to an investigative body during reporting period 2024 to 2025, releasing the information of 15 individuals. The Privacy Act does not require the institution to notify the OPC.

Paragraph 8(2)(m) permits the disclosure of personal information where the disclosure is in the public interest or would benefit the individual to whom the information relates. PSPC made 2 such disclosures during reporting period 2024 to 2025. The first disclosure involved the information of 3 individuals for the purpose of assisting another government agency in the course of an investigation. The second disclosure involved the information of 3 individuals for the purpose of complying with a parliamentary committee request for information. In accordance with the Privacy Act, the OPC was notified following these disclosures.

Monitoring compliance

Through ongoing consultations on privacy management practices pursuant to the Privacy Act, PSPC’s ATIP Directorate monitored the use of personal information by departmental programs when dealing with third parties, stakeholders, and partners. The Privacy Oversight Committee supported the departmental chief privacy officer in monitoring privacy management by engaging with internal stakeholders to ensure that personal information was properly managed and protected pursuant to the Privacy Act and its related rules and regulations. The Privacy Oversight Committee also monitored departmental privacy management by ensuring that proper privacy practices and safeguards were in place and that sound risk mitigations were implemented regarding the collection, use, retention, disclosure and disposal of personal information. Privacy Oversight Committee meetings were held biannually at the director general level during the 2024 to 2025 reporting period.

Additionally, the ATIP Directorate provided advice, guidance and recommendations to internal and external stakeholders concerning sound privacy management and compliance with the Privacy Act. In accordance with the TBS’s Directive on Privacy Practices, the directorate collaborated with relevant stakeholders to ensure that appropriate privacy and security safeguards were integrated into all contracts, information-sharing agreements, and arrangements involving personal information. The level and type of safeguards protecting personal information were tailored based on factors such as sensitivity, volume, format, storage method, and potential harm from a breach.

The Privacy Management Division used a tracking system for incoming consultations on privacy management, enabling PSPC to monitor initiatives using personal information and facilitating the production of accurate statistical reports. The tracking system included recommendations resulting from breaches and privacy impact assessments, facilitating the implementation of prioritized action plans including assigned responsibilities and timelines.

The ATIP Directorate provided a weekly “snapshot” report to senior management containing statistics on the number of requests received and being processed under the act. The privacy operations manager reviewed and monitored the status of privacy requests using the request processing system and conducted weekly meetings to review active tasks and establish priorities.

The privacy operations team continued to process the intake of request by conducting research in the request processing system, contacting OPIs, and promptly clarifying requests when required. These tasks ensured that the request was as complete as possible prior to tasking, thus limiting retrieval delays. The privacy operations team evaluated the content of retrieved records ensuring that extensions could be taken within the statutory limit. To further reduce delays and alleviate operational pressures, the scanning of documents responsive to privacy requests was temporarily reassigned within the privacy operations team which allowed the Directorate’s scanning team to prioritise the scanning of access to information requests.

The data validation process ensured that data entered in the request processing system was accurate and that TBS reporting requirements were accurately documented.

Annex A: Delegation of authorities chart for the Privacy Act and its regulations

Table 3: Privacy Act and its regulations for the Department minister and senior executives
Position titles Privacy Act Privacy regulations
Minister Full Full
Deputy minister Full Full
Associate deputy minister Full Full
Table 4: Privacy Act and its regulations for the Department Policy, Planning and Communications Branch
Position titles Privacy Act Privacy regulations
Senior departmental manager Full Full
Director general Full Full
Senior director Full Full
Director Full Full
Manager Restrictedtable 4 note 1 Full
Supervisor Restrictedtable 4 note 2 Restrictedtable 4 note 3
Officer Restrictedtable 4 note 4 Not applicable

Table 4 Notes

Table 4 Note 1

Managers may fully exercise the authorities delegated under the Privacy Act, with the exception of paragraph 8(2)(m)

Return to table 4 note 1 referrer

Table 4 Note 2

Supervisors may fully exercise the authorities limited to the following sections of the Privacy Act: 14, 15, 25, 26 and 27

Return to table 4 note 2 referrer

Table 4 Note 3

Supervisors may fully exercise only section 9 of the Privacy Regulations

Return to table 4 note 3 referrer

Table 4 Note 4

Officers may fully exercise the authorities limited to the following sections of the Privacy Act: 14, 15 and 26

Return to table 4 note 4 referrer

Delegation of authority: Access to Information Act and Privacy Act

I, the Minister of the Department of Public Works and Government Services, pursuant to section 95 of the Access to Information Act and section 73 of the Privacy Act, hereby authorize every officer of the department appointed to a position identified in "Schedule 5—Matrix 16—Delegation of Authorities—Access to Information, Privacy and True Copies" including any officer appointed to such position on an acting basis, to exercise the power, duties and functions of the Minister responsible for Public Services and Procurement Canada, under the provisions of the Acts and related regulations set out in the schedule opposite each position. This designation supersedes all previous delegations of authority.

The Honourable Jean-Yves Duclos

Minister Public Services and Procurement

Signed December 17, 2024

Page details

2025-10-31