2016-2107 Annual Report to Parliament on the administration of the Privacy Act

Foreword

Each fiscal year, the head of every government institution prepares and submits an annual report to Parliament on the administration of the Privacy Act.

This report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the minister of national revenue and the commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the Privacy Act between April 1, 2016, and March 31, 2017. The report also discusses emerging trends, program delivery, and areas of focus for the year ahead.

The Privacy Act

The Privacy Act came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing, and disposing of personal information held by government institutions. It provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions, and with rights of correction or annotation or both. Individuals who are not satisfied with an institution’s handling of their personal information or any matter related to a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to consider requesting information through the following informal methods:

  • the CRA website: cra-arc.gc.ca/menu-eng.html
  • the CRA’s charities and giving, A to Z index: cra-arc.gc.ca/charitiesandgiving
  • individual income tax enquiries (including requests for forms and publications): 1-800-959-8281
  • Canada child benefit, the GST/HST credit, and related provincial and territorial programs, child disability benefit, and children’s special allowances enquiries: 1-800-387-1193
  • TTY (teletypewriter for persons who are deaf or hard of hearing or who have a speech impairment): 1-800-665-0354

Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies (at their request and on a cost-recovery basis) to administer non-harmonized taxes and other services. Overall, the CRA promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The minister of national revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Canada Revenue Agency Act provides for the establishment of a board of management consisting of 15 directors appointed by the Governor in Council. They include the chair, the commissioner and chief executive officer, a director nominated by each province, one director nominated by the territories, and two directors nominated by the Government of Canada. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel, and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA’s operations, fosters sound management practices, and is committed to efficient and effective service delivery.

As the CRA’s chief executive officer, the commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the minister’s delegated authority. The commissioner is accountable to the Board of Management for managing the CRA, supervising employees, and implementing policies and budgets. Moreover, the commissioner must assist and advise the minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA is made up of 13 functional branches and five regional offices across the country.

Branches

  • Appeals
  • Assessment, Benefit, and Service
  • Audit, Evaluation, and Risk
  • Collections and Verification
  • Domestic Compliance Programs
  • Finance and Administration
  • Human Resources
  • Information Technology
  • International, Large Business, and Investigations
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Strategy and Integration

Regions

  • Atlantic
  • Ontario
  • Prairie
  • Quebec
  • Pacific

 

Chief Privacy Officer

The assistant commissioner, Public Affairs Branch, is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate for overseeing privacy at the CRA. To fulfill this mandate, the chief privacy officer:

  • oversees decisions related to privacy, including privacy impact assessments
  • champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
  • reports to the CRA’s senior management on the state of privacy management at the CRA at least twice a year

Access to Information and Privacy Directorate

The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the Directorate:

  • responds to requests and enquiries under the Access to Information Act and the Privacy Act
  • provides advice and guidance to CRA employees on requests for, and the proper management and protection of, personal information under the CRA’s control
  • co-ordinates the privacy impact assessment processes within the CRA, including giving expert advice to CRA employees on privacy implications, risks, and options for avoiding or reducing risks
  • gives training and awareness sessions on the Access to Information Act and the Privacy Act and the practices and requirements for managing personal information
  • communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and audits
  • fulfills corporate planning and reporting obligations such as the CRA’s annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act

The director of the Access to Information and Privacy Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. The director also manages and co-ordinates the access to information and privacy program, leads strategic planning and development initiatives, and supports the assistant commissioner, Public Affairs Branch, and chief privacy officer.

The Directorate is made up of two main divisions: processing; and program support and training (within the Directorate and CRA-wide). In addition to its Headquarters office in Ottawa, there is an office in Vancouver and an office in Montréal. In fiscal year 2016–2017, an equivalent of 134 full-time employees administered the Access to Information Act and the Privacy Act.

The following chart shows the structure of the Access to Information and Privacy Directorate.

Image described below
Image description

First row Director, Access to Information and Privacy (ATIP) Directorate

Middle row, first box Assistant Director, ATIP Processing, Corporate and Complex Case Division

Middle row, second box Assistant Director, ATIP Processing Strategic Compliance Division

The two areas of responsibility of the Assistant Director, ATIP Processing Strategic Compliance Division are listed in the two boxes below, they are: Tax Compliance Section and Operations / Training Manuals Section.

Middle row, third box Assistant Director, ATIP Processing Legislative and HQ Operational Case Division

The two areas of responsibility of the Assistant Director, ATIP Processing Legislative and HQ Operational Case Division are listed in the two boxes below, they are: Legislative Case Section and HQ Operations Section

Middle row, fourth box Assistant Director, ATIP Processing Regional Operations Case Division – Vancouver

Middle row, fifth box Assistant Director, ATIP Processing Regional Operations Case Division –Montréal

Middle row, sixth box Assistant Director, Program Support and Training Division

The two areas of responsibility of the Assistant Director, Program Support and Training Division are listed in the two boxes below, they are: Governance and Corporate Reporting Section and Business Processes Section

Access to Information and Privacy oversight review committee

The Access to Information and Privacy Oversight Review Committee is an assistantcommissionerlevel committee, chaired by the chief privacy officer. The Committee was established to ensure horizontal consultation, collaboration, and decisionmaking on emerging access to information and privacy issues at the CRA. Among other responsibilities, the Committee identifies measures to support more effective administration of access to information and privacy matters and champions related activities.

Delegation of responsabilities under the Privacy Act

As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations, and the related Treasury Board of Canada Secretariat policy instruments. Section 73 of the Privacy Act gives the minister the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the minister’s powers, duties, and functions under the Act.

The CRA’s current delegation order for the Privacy Act was signed by the Minister of National Revenue on January 14, 2016. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.

The access to information and privacy director and assistant directors, as well as the managers of the processing units, approve responses to requests under the Privacy Act. Delegations are also extended to the commissioner, the deputy commissioner, and the assistant commissioner, Public Affairs Branch, and chief privacy officer.

Image described below
Image description

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders

Diane Lebouthillier
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 14th day of January, 2016

Schedule: Privacy Act

The CRA positions that are authorized to perform the powers, duties, and functions given to the minister of national revenue as head of a government institution under the provisions of the Privacy Act and its regulations are the following:

Commissioner

  • Full authority

Deputy commissioner

  • Full authority

Assistant commissioner, Public Affairs Branch, and chief privacy officer

  • Full authority

Director, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority

Assistant directors, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority with the exception of paragraphs 8(2)(j) and (m) and subsection 8(5)

Managers, Access to Information and Privacy Directorate, Public Affairs Branch

  • Subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2),
    35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations.

Interpretation and explanation of appendix A – Statistical report

Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the 2016–2017 reporting period (April 1, 2016, to March 31, 2017). The following explains and interprets the statistical information.

Requests under the Privacy Act

During the reporting period the CRA received 3,174 new requests under the Privacy Act. This is an increase of 126 requests (4%) over last year’s total of 3,048 requests. Including the 770 requests carried forward from 2015–2016, the CRA had 3,944 active requests in its inventory.

The following table shows the number of privacy requests the CRA received and completed, as well as the number of pages processed over the past five fiscal years.

Fiscal year Requests received Requests completed Pages processed
2014-2015 2,533 2,313 636,207
2015-2016 3,048 2,723 476,832
2016-2017 3,174 3,400 1,086,917
2012-2013 1,980 1,936 775,563
2013-2014 1,548 1,553 624,430

Other requests

Beyond the 3,174 requests received under the Privacy Act, the CRA processes a significant volume of other requests. The additional volume affects operations, since resources must be diverted to manage this workload.

External and Internal consultations

In 2016–2017, the Access to Information and Privacy Directorate closed five external consultation requests from other government institutions and organizations. A total of 209 pages were reviewed to respond to these requests. For more details, including disposition and completion times, see Part 6 of Appendix A.

                                                                                   

The CRA received over three times
more internal privacy consultations
this fiscal than in 2012-2013.

Furthermore, 254 internal privacy consultation requests were
completed in 2016–2017, a 19% increase over the previous reporting
period. To respond to these requests, the ATIP Directorate
reviewed a total of 5,311 pages. These requests are informal
reviews for the purposes of complying with the CRA’s informal
disclosure prerequisites and do not fall under the Privacy Act.

The following table shows the increase in internal privacy consultation requests received over the past five years.

Image described below
Image description

Internal Privacy Consultation Trends

In 2012-2013, 92 internal Privacy Consultation were received 82 were completed. 1,145 pages were processed

In 2013-2014, 121 internal Privacy Consultation were received 125 were completed. 3,297 pages were processed

In 2014-2015, 230 internal Privacy Consultation were received 220 were completed. 3,772 pages were processed

In 2015-2016, 202 internal Privacy Consultation were received 213 were completed. 5,837 pages were processed

In 2016-2017, 253 internal Privacy Consultation were received 254 were completed. 5,311 pages were processed

 

General enquiries

The Directorate’s Program Support and Training Division responded to 4,468 emails and 914 telephone enquiries received through the general enquiries mailbox and 1-800 line. The enquiries concerned a wide range of matters, including: how to submit an access to information or privacy request; the status of a request; and enquires that were redirected because the information requested is not kept by the CRA, such as requests about social insurance numbers.

Disposition of completed requests

During the reporting period, the Access to Information and Privacy Directorate completed 3,400 requests under the Privacy Act.

  • 1,484 were fully disclosed (43.7%)
  • 1,301 were disclosed in part (38.3%)
  • 4 were exempted in their entirety (0.1%)
  • 0 was excluded in its entirety (0%)
  • 39 resulted in no existing records (1.1%)
  • 545 were abandoned by requesters (16%)
  • 27 were neither confirmed nor denied (0.8%)

  

The CRA completed a record number of privacy requests in 2016-2017. 

For more details, see Table 2.1 of Appendix A.

Exemptions

The Privacy Act allows an institution to refuse access to specific information. For example, information about individuals other than the requester cannot be disclosed if the individual has not given his or her consent. Exemptions are applied by analysts to support nondisclosure in these cases.

In 2016–2017, the CRA applied the following exemptions, in full or in part, for 1,305 (38%) of the 3,400 requests closed during the reporting period:

  • section 19 – Personal information obtained in confidence (40 requests)
  • section 21 – International affairs and defence (5 requests)
  • section 22 – Law enforcement and investigation (485 requests)
  • section 26 – Information about another individual (1,111 requests)
  • section 27 – Solicitor-client privilege (159 requests)

Exclusions

The Privacy Act does not apply to information that is already publicly available, such as government publications and material in libraries and museums. It also excludes material such as Cabinet confidences.

In 2016–2017, the CRA applied one exclusion for information that was publicly available.

Format of information released

Requesters can choose to receive their response package in paper, CD, or DVD format. Persons with disabilities may also request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically significantly reduces manual processes and paper consumption.

  

In 2016-2017, of the 2,785 requests for which information was disclosed in full or in part, 2,211 requests (79%) were released in electronic format.

Requests for translation

Records are normally released in the language in which they exist. However, records may be translated to an official language when requested and when the institution considers it in the public interest to do so.

All four requests for translation received in 2016–2017 were accepted.

Corrections and notations

Under the Privacy Act, an individual may request that any factual errors or omissions in their personal information be corrected.

The CRA received three requests to correct personal information in 2016–2017. One of these requests was accepted; and two had notations attached to the information stating that a correction was requested but not made.

Disclosures under paragraph 8(2)(m) of the Privacy Act

Paragraph 8(2)(m) provides that personal information may be disclosed for any purpose where, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or the disclosure would clearly benefit the individual to whom the information relates.

During the reporting period, there were no disclosures made under paragraph 8(2)(m) of the Privacy Act.

Completion time and extensions

The Privacy Act sets the timelines for responding to privacy requests and allows time extensions when meeting the original time limit would unreasonably interfere with operations, when there is a need to complete consultations (for example, with a government institution or third party), or if there is a need to translate or convert the records into an alternative format.

  

677 (25%) more requests were completed in 2016-2017 compared to last fiscal. 

Of the 3,400 requests closed in 2016–2017, the CRA applied extensions for 977 (29%) of them. Extensions were applied 99% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining 1% of extensions were applied to consult with third parties or other government institutions and to translate or convert records into alternative formats.

The following chart shows the completion times for the 3,400 requests closed in 2016–2017.

Image described below
Image description

Completion time

1,840 (54%) were completed in 30 days or under

720 (21%) were completed from 31 to 60 days

292 (9%) were completed from 61 to 120 days

548 (16%) were completed in 121 days or more

The Access to Information and Privacy Directorate completed 2,565 (75%) requests within the timelines required by law. This means that responses were provided within 30 calendar days, or within the extended deadline when an extension was taken.

Deemed refusals and complexities

A deemed refusal is a request that was closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.

Of the 3,400 requests closed during the reporting period, 835 were closed after the deadline, resulting in a deemed refusal rate of 25%.

Although the CRA continues to work toward reducing its deemed refusal rate, this remains a challenge given the high volume of requests, the broad scope of many requests, and other competing priorities, including responding to consultations.

The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process; and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests.

For example, in 2016–2017, the number of pages processed was more than twice that of the previous fiscal year. Despite this increase, 677 (25%) more requests were processed this fiscal year compared to the previous fiscal year.

  

In 2016-2017, the Directorate processed an average of 320 pages per request.

To process the 3,400 requests closed during the fiscal year, the CRA processed 1,086,917 pages. Of the 2,785 requests for which records were disclosed, 955 (34%) involved processing more than 100 pages, 131 of which involved processing over 1,000 pages, and 9 of which involved processing more than 5,000 pages.

Other requests were considered complex because of the nature and sensitivity of the subject matter being processed. For more details, see Table 2.5.3 of Appendix A.

Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their Legal Services to determine if the information requested should be excluded. If there is any doubt, or in cases when the records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

In 2016–2017, the CRA did not apply any exclusions for Cabinet confidences.

Costs

During 2016–2017, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $5,708,045. This excludes significant support and resources from the branches and regions. For more details, see table 10.1 in Appendix A.

Operational environment

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the Government of Canada’s largest repositories of personal information, second only to Employment and Social Development Canada. In addition, the CRA collects and manages the personal information for its workforce of approximately 40,000 individuals.

Request volume

The CRA’s Access to Information and Privacy Directorate processes among the largest volume of privacy requests and pages of all federal institutions. In fact, the CRA historically ranks among the top 10 federal institutions. According to the most recent Treasury Board of Canada Secretariat statistics, in 2015–2016 the CRA processed the sixth largest volume of pages (over 470,000) of all federal institutions and received the eighth largest number of requests.

  

In 2016-2017, the CRA processed the highest number of pages ever, more than double the amount of the previous fiscal year.

  • Requests received have increased from 1,442 and nearly 350,000 pages processed in 2007–2008, to 3,174 requests received and nearly 1.1 million pages processed in 2016–2017.
  • Since 770 requests were carried forward from the previous reporting period, the Access to Information and Privacy Directorate’s total inventory in 2016–2017 was 3,944 requests.
  • With the 3,400 requests closed in 2016–2017, the Directorate began 2017–2018 with 544 requests in its inventory.

  

The CRA began the 2017-2018 fiscal year with 226 (29%) fewer carry-forward requests than in 2016-2017.  

The following table shows the Directorate’s workload over the past 10 fiscal years.

Image described below
Image description

Workload Trends

In 2007-2008, 1,442 requests were received, 1,355 were completed. 343,364 pages were processed

In 2008-2009, 1,553 requests were received, 1,447 were completed. 393,524 pages were processed

In 2009-2010, 2,083 requests were received, 1,973 were completed. 371,766 pages were processed

In 2010-2011, 2,600 requests were received, 2,767 were completed. 725,741 pages were processed

In 2011-2012, 1,362 requests were received, 1,497 were completed. 510,503 pages were processed

In 2012-2013, 1,980 requests were received, 1,936 were completed. 775,563 pages were processed

In 2013-2014, 1,548 requests were received, 1,553 were completed. 624,430 pages were processed

In 2014-2015, 2,533 requests were received, 2,312 were completed. 636,207 pages were processed

In 2015-2016, 3,048 requests were received, 2,723 were completed. 476,832 pages were processed

In 2016-2017, 3,174 requests were received, 3,400 were completed. 1,087,173 pages were processed

Staffing

To address operational challenges, the Directorate hired more staff in the Ottawa, Montréal, and Vancouver offices as part of its staffing plan. These employees helped to process the carry-forward inventory of access and privacy requests.

Third-party review

In 2015–2016, the CRA engaged a third-party review of the Access to Information and Privacy Directorate’s privacy practices. In general, the review found the CRA’s operations to be robust. Seven recommendations were made to further enhance the CRA’s privacy management controls.

The ATIP Directorate addressed the final recommendations this fiscal year, which included the following:

  • implement a quality assurance function within the Directorate to evaluate and improve the consistency and quality of files
  • implement a process to make sure users with access to access to information and privacy network folders are approved by the data owners
  • make sure there is a periodic review (for example, quarterly) of physical access rights to areas that may contain sensitive information/data, to reduce the risk of unauthorized physical access

In 2016–2017, the CRA implemented quality assurance tools to promote consistency in file processing and to make sure that information-safeguarding procedures are followed at all times. The tools consist of:

  • a review checklist to help analysts make sure that files are being processed completely and accurately
  • an ‘order of a file’ tool to guide analysts through the expected order of paper files
  • an analysis review worksheet to serve as a communication tool between the analyst and the reviewer or manager

To support this initiative, the access to information and privacy tracking system was updated to include a quality assurance report. This report randomly selects 5% of completed access to information and privacy requests for a quality assurance review.

Foreign Account Tax Compliance Act

In 2014, Canada signed an agreement with the United States of America requiring Canadian financial institutions to report certain accounts held by American citizens to the CRA which, in turn, shares the information with the American Internal Revenue Service.

On April 14, 2016, the Minister of National Revenue appeared before the Standing Committee on Access to Information, Privacy and Ethics regarding the Foreign Account Tax Compliance Act. The Minister responded to questions regarding the transfer of Canadian taxpayer information to the Internal Revenue Service and reassured the members of the Committee that all exchanges of information are subject to strict confidentiality requirements and that the CRA has stringent safeguards in place to protect personal information.

During the fiscal year, the CRA also responded to questions from the Office of the Privacy Commissioner of Canada in connection with the administration of this agreement.

Modernization of the Privacy Act

The CRA is working closely with various stakeholders on the Government’s commitment to modernize the Privacy Act.

In October 2016, the CRA participated in a panel discussion in front of the Standing Committee on Access to Information, Privacy and Ethics to discuss how proposed changes to the Privacy Act may affect the Agency.

The CRA is an active participant on the Department of Justiceled committees and working groups created to review the proposed changes to the Act.

The CRA will make sure that any changes related to the modernization of the Privacy Act are implemented efficiently and effectively across the Agency.

Inventory reduction action plan

The CRA’s total inventory of access to information and privacy requests has grown considerably over the past several years. Between 2013–2014 and
2015–2016, the CRA was subject to a 44% increase in total requests received. This resulted in a carryforward of 770 privacy requests at the beginning
of 2016–2017.

To address this challenge, in October 2016, the CRA implemented an action plan to reduce its total access to information and privacy inventory.

A target was set to reduce the access to information and privacy carry-forward inventory by 22% (± 5 %)
by March 31, 2017.

  

The CRA succeeded in reducing its total carry-forward inventory by 26% this fiscal year.

In total, in 2016–2017, the CRA closed 3,400 privacy requests, an increase of 677 (25%) requests over the previous reporting period and the highest number ever completed. Of the 3,400 requests closed, 671 were carried forward from the previous fiscal year.

Lean continuous improvement

In 2016–2017, the CRA completed a Lean Six Sigma review of processes within the Access to Information and Privacy Directorate to identify ways to better use the Directorate’s resources, improve processes, and complete requests more efficiently. Lean is a continuous improvement methodology that maximizes efficiency and effectiveness in the lifecycle of a process.

In January 2017, the Directorate collaborated with stakeholders from across the CRA and identified more than 30 areas of potential improvement in its processes. In order to address these areas, an action plan was established with targeted time frames for completion. Five of these deliverables have been implemented to date, including streamlining the file verification process and increasing efficiencies in the intake phase.

The remaining items in the action plan will be completed or introduced in 2017–2018.

Open government

The CRA supports open government by:

  • continually expanding and enhancing its services and web presence to ensure Canadians have easy access to the information they need
  • adapting to new technology, consulting with Canadians, and seeking continuous improvements to maximize the effectiveness of CRA programs and services
  • collaborating with the Treasury Board of Canada Secretariat and other partners for ongoing support of the Government of Canada’s commitment to openness and transparency  

In 2016–2017, the Access to Information and Privacy Directorate worked closely with the Strategy and Integration Branch to identify open information activities as part of the CRA’s Open Government Implementation Plan. These activities included those linked to the Government of Canada’s plans to modernize the Privacy Act.

CRA website

In 2016–2017, the access to information and privacy webpages on the CRA website were revised to better inform taxpayers about other ways to request information beyond making an access to information or privacy request. These revisions support open government by promoting informal methods of accessing information.

The CRA will explore more ways to provide information to taxpayers through its website in 2017–2018.

Training and awareness

Training

The Access to Information and Privacy Directorate provides training to CRA employees on the requirements of, and responsibilities under, the Access to Information Act and the Privacy Act. This training is tailored to the needs of specific audiences. For instance, employees who have little or no knowledge of the subject are encouraged to take the ATIP Fundamentals course offered by the Canada School of Public Service. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations to access to information and privacy analysts when they send records in response to requests.

The CRA’s Legal Services Branch also provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release in CRA reading rooms, as well as on the legal interpretation of the Access to Information Act and Privacy Act for specialized CRA staff such as auditors.

In 2016–2017, over 1,000 CRA employees across Canada participated in instructor-led and online training. In total, this fiscal year:

  • 691 employees participated in 13 training sessions
  • 294 employees attended the Canada School of Public Service “ATIP Fundamentals” online course
  • 160 employees participated in specialized Legal Services training

Due to a shift from instructor-led to online training, the exact number of employees who attended online training is likely much larger since these training sessions are frequently attended by large groups of employees under a single registration.

Online training and awareness

The Directorate continues to look at innovative ways to reach wider audiences and provide more specialized training online.

For example, in March 2016, the Directorate delivered a series of webinars to access to information and privacy contacts through the National Technical Capacity Forum. These presentations were later posted in the forum for CRA employees to download as needed. In 2016–2017, these presentations were downloaded 246 times by CRA employees.

In addition, the Directorate is collaborating with the Human Resources Branch to develop a suite of 10 web-based modules that will offer specialized technical training to access to information and privacy analysts, as well as a formal disclosure KnowHow product for all employees.

Furthermore, the Directorate is supporting the Strategy and Integration Branch in the development of a KnowHow product for CRA employees that provides broad information about informal disclosure.

Both KnowHow products will provide CRA employees and their managers with easy access to information and user-friendly instructions. These products will be implemented in 2017–2018.

Raising awareness

The trust Canadians place in the CRA to protect their personal information is a cornerstone of the CRA’s work. In 2016–2017, the CRA worked on many projects to enhance employees’ awareness of their privacy-related roles and responsibilities.

For the sixth consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many other institutions across Canada, and the world, to promote Data Privacy Day. This day highlights the effect that technology has on privacy rights and underlines the importance of valuing and protecting personal information. This year’s theme was “Respecting Privacy. Safeguarding Data. Enabling Trust.” The CRA’s activities focused on the role all CRA employees play in safeguarding personal information in their day-to-day jobs. The following activities took place during the week:

  • a video message from the Chief Privacy Officer and a trivia quiz were posted on the CRA’s intranet site
  • a login-banner promoted the theme of the week and the link to access the CRA’s privacy toolkit
  • the Chief Privacy Officer sent a message to all CRA employees promoting the week and the importance of safeguarding personal information at all times
  • the Commissioner and the Chief Privacy Officer tweeted during the week to highlight that the CRA takes the protection of personal information very seriously
  • calendars provided by the Office of the Privacy Commissioner of Canada were sent to CRA employees across the country

The Directorate also participated in the CRA’s Security Awareness Week. This event was originally launched by the Treasury Board of Canada Secretariat and has become an annual opportunity for federal institutions to discuss security topics, including those related to personal privacy (for example, identity theft). As part of Security Awareness Week, the Finance and Administration Branch organized activities for employees including security awareness sessions in February 2017. As part of these sessions, the Chief Privacy Officer shared a message with CRA employees regarding the importance of safeguarding personal information.

Beyond these events, the Access to Information and Privacy Directorate raised awareness about access to information and privacy and the role they play in supporting sound privacy management at the CRA, through monthly newsletters and quarterly teleconferences with access to information and privacy contacts in all CRA branches and regions. Additionally, the Directorate provides briefings on matters related to access to information and privacy to CRA senior management, as required.

Policies, guidelines, and procedures

The CRA continues to promote and support compliance with the Treasury Board of Canada Secretariat policies, guidelines, and procedures through its communications and training.

Directive on the Disclosure of Taxpayer and Other Information 

During the fiscal year, the CRA implemented the Directive for the Disclosure of Taxpayer and Other Information, which outlines the accountabilities of CRA officials for informal and formal disclosures across the Agency. Work was also started to supplement the Directive with additional guidance documents to expand awareness and understanding on informal disclosure responsibilities and procedures across the CRA.

In 2017–2018, the CRA will continue to explore ways to further support program areas to enhance the proactive and informal release of information.

Monitoring

The CRA’s Access to Information and Privacy Directorate produces a monthly report that captures key statistical information about the CRA’s inventory of access to information and privacy requests. This report monitors active and completed requests including the number of requests received and completed, pages received and processed, backlog inventory, complexity, and deemed refusal.

Management regularly uses this report to monitor trends, measure the Directorate’s performance, and determine any process changes needed to improve performance. Additionally, it is presented monthly to senior management at the commissioner-chaired Agency Management Committee.

In 2014–2015, the CRA implemented a privacy management dashboard and matrix to monitor the state of privacy management in the Agency. These tools are updated by program areas quarterly, and shared with the Agency Management Committee. During 2016–2017, a working group was formed to review the current dashboard and matrix. Once all input is considered, the revised tools will be implemented.

Complaints, investigations, and Federal Court cases

In 2016–2017, the CRA received 23 complaints under the Privacy Act and closed 23 complaints. This represents a 21% decrease in the number of complaints received from the previous reporting period, and a 5% increase in the number of complaints completed.

No complaints were pursued to the Federal Court.

The following chart shows the disposition of the complaints closed during the fiscal year.

Image described below
Image description

Complaint Dispositions

2 (9%) early resolution

3 (13%) discontinued

3 (13%) not well-founded

15 (65%) well-founded

For definitions of the disposition categories, go to: priv.gc.ca/cf-dc/def2_e.asp.

In addition, the Access to Information and Privacy Directorate was informed of 130 incidents of alleged or confirmed improper access, collection, use, and disclosure of personal information by the CRA. These came from a variety of sources including the Office of the Privacy Commissioner of Canada, individuals, and the CRA’s Security and Internal Affairs Directorate.

Outstanding from
previous fiscal year
Received during
fiscal year
Completed during
fiscal year
Closing
inventory
52 130 78 104

Effectively managing privacy breaches is critical in maintaining public confidence in the integrity of the CRA. The CRA takes all breaches very seriously and continues to strengthen its controls and sanctions for unauthorized access and disclosure (for details, see “Managing Privacy Breaches”).

Managing Privacy Breaches

Integrity in the workplace is the cornerstone of the CRA’s culture. The CRA supports its employees in doing the right thing by providing clear guidelines and tools to ensure privacy, security, and the protection of CRA programs and data. This includes:

  • the CRA Code of Ethics and Conduct
  • mandatory security training
  • increasing integrity awareness through communications and tools
  • annual updates to the CRA integrity framework
  • the anonymous internal fraud and misuse reporting line
  • monitoring access through the National Audit Trail System
  • Reliability + personnel security screening

Despite the many controls in place, privacy breaches sometimes occur. When they do, the CRA investigates and reports material breaches to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Affected individuals are also notified in accordance with policy requirements, and remedial measures are taken to mitigate risk of recurrence.

In its 2015–2016 annual report to Parliament, the Office of the Privacy Commissioner of Canada recognized that the CRA had improved its privacy breach procedures to support timely reporting of incidents. This process is described below.

Privacy breach management is a shared responsibility between the Access to Information and Privacy Directorate and the Security and Internal Affairs Directorate in the Finance and Administration Branch and is governed by an information-sharing protocol.

Under the protocol, the Security and Internal Affairs Directorate must inform the Access to Information and Privacy Directorate of significant privacy breaches through its early notification process. It must also advise the Directorate that it is launching an investigation into an alleged privacy breach as a result of employee misconduct and within 30 days of the end of an investigation.

The Agency security officer decides whether affected individuals should be notified according to Treasury Board of Canada Secretariat requirements, and the Access to Information and Privacy Directorate must confirm that it agrees with this decision. When the Directorate disagrees with a decision about notifying affected individuals, the director refers the case to the chief privacy officer for a final decision.

During 2016–2017, the Office of the Privacy Commissioner of Canada determined that the CRA had 10 material privacy breach incidents. This is 10 less than the previous reporting period and a significant decrease from the 37 reported in 2014–2015.

Of the 10 material privacy breach incidents:

  • 8 related to unauthorized access to taxpayer information by CRA employees
  • 1 related to unauthorized disclosure of taxpayer information
  • 1 related to the loss of information (see below)

In January 2017, an incident involving the loss of an encrypted DVD containing taxpayer information destined for the Government of Yukon by a third-party courier service generated public attention. The encrypted DVD contained the tax information of approximately 28,000 taxpayers who were residents of the Yukon Territory, or paid taxes there, for the 2014 tax year.

Upon becoming aware of the incident, the CRA immediately began an investigation, the results of which confirmed that the CRA had complied with internal and Government of Canada policies and procedures governing physical security, encryption, password protection, and the use of third-party couriers. Nevertheless, the CRA has instituted several measures to further safeguard information being transmitted to provinces, territories, or other government institutions.

The Office of the Privacy Commissioner of Canada was satisfied with the actions taken by the Agency in relation to this incident. 

Privacy Impact Assessments

In 2013, the CRA developed an Agency-wide privacy impact assessment (PIA) plan by reviewing all new and modified programs and activities involving personal information to assess their privacy-related risks. The plan focused on completing program-level PIAs to ensure risks were captured, assessed, and appropriately mitigated horizontally across programs. As part of this plan, the CRA completed a significant number of PIAs, including 22 during this reporting period.

During the reporting period, a significant number of other initiatives were reviewed to assess potential privacy concerns. This necessitated the review of documents such as privacy assessment determination questionnaires, threat and risk assessments, and written collaborative arrangements.

In line with the Treasury Board of Canada Secretariat’s Directive on Privacy Impact Assessment, the CRA releases summaries of completed privacy impact assessments on its website: cra.gc.ca/gncy/prvcy/pia-efvp/menu-eng.html.

  

In 2016-2017, the CRA completed the highest number of privacy impact assessments in Agency history - over five times more than the previous fiscal year.

The following are the summaries of the 22 privacy impact assessments completed and sent to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat for review in 2016–2017:

Business Refund Set-Off Program

The Business Refund Set-Off Program lets the CRA set off corporation income tax refunds, GST/HST refunds, and specialty business return refunds to other federal agencies and departments, Crown corporations, and provincial and territorial departments that participate in the program in accordance with legislation administered by the CRA.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-brsp-eng.html

Disability Tax Credit Program

The disability tax credit is a non-refundable tax credit that helps persons with disabilities, or their supporting persons reduce the amount of income tax they may have to pay. An individual may claim the disability amount on their personal income tax and benefit return once they are approved by the CRA as eligible for the program.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-dtcp-eng.html

Children’s special allowance

The children’s special allowance is a tax-free monthly payment for a child who is under the age of 18; physically resides in Canada; and is maintained by a registered agency. A registered agency includes: a federal, provincial, or territorial government department; an agency appointed by a province or territory to administer a provincial or territorial law for the protection and care of children; a group foster home or institution; or an institution licensed or otherwise approved by a province or territory to have the custody and care of children.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-csa-eng.html

Goods and services tax / harmonized sales tax (GST/HST) credit

The GST/HST credit is a tax-free quarterly payment that helps individuals and families with low or modest incomes offset all or part of the GST/HST that they pay.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-gstcrc-eng.html

Canada child benefit

As part of the federal government’s plan to give more Canadian families money to raise their children, the Canada child tax benefit, universal child care benefit, and national child benefit supplement programs, were replaced with an enhanced Canada child benefit program as of July 2016 (for the 2015 benefit year).

For the privacy impact assessment summary, go to:  cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-ccb-eng.html

Collections and verification business intelligence

Business intelligence information enables the Collections and Verification Branch to administer and measure programs and services. The use of business intelligence ensures program areas are more agile in addressing emerging risks and challenges and, at the same time, providing better service to taxpayers by implementing new compliance strategies and initiatives based on taxpayer behaviours.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-cvbi-eng.html

Scientific Research and Experimental Development Program

The Scientific Research and Experimental Development Program is a federal tax incentive program administered by the CRA. It is designed to encourage Canadian businesses of all sizes and in all sectors to conduct scientific research and experimental development in Canada.

Under the program, the CRA delivers scientific research and experimental development tax incentives to qualifying businesses that prepare their tax claims in line with Canada’s tax laws and CRA policies and procedures.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-sredp-eng.html

International and Large Business Income Tax Audit and Examination Program

The International and Large Business Income Tax Audit and Examination Program covers the income tax compliance of the largest and most complex business entities. Audits involve international tax, offshore compliance, and aggressive tax planning.

The privacy impact assessment for this program also covers the administration of the third-party penalty provisions of the Income Tax Act and the Excise Tax Act.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-ilbitae-eng.html

Criminal Investigations Program

The Criminal Investigations Program plays a crucial role in protecting Canada’s tax base by investigating persons suspected of evading tax. CRA investigators get information from CRA systems, interviews, surveillance, search warrants, production orders, exchanges with other government agencies and departments, and public sources such as the Internet, court records, and the media.

This privacy impact assessment describes the Criminal Investigations Program in general, and identifies new or significantly modified initiatives, serious crime measures, and the RCMP public safety portal.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-cip-eng.html

Working income tax benefit advance payments

The working income tax benefit is a refundable tax credit for low-income individuals and families who have working income earned from employment or business. Eligible individuals and families may apply for this benefit before filing an income tax and benefit return by completing Form RC201, Working Income Tax Benefit Advance Payments Application. 

This privacy impact assessment covers the administration of advance payments of the working income tax benefit, including compliance activities such as detecting fraud and investigating possible abuses within the benefits and credits program.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-wtb-eng.html

Authentication and credential management services V2

The CRA has been a major stakeholder in the Government of Canada Cyber-Authentication Renewal Initiative. As part of the initiative, the CRA provides its own authentication and credential management service for individuals, business owners, and representatives to use when they access the CRA’s online services.

The CRA and Employment and Social Development Canada (ESDC) have identified an opportunity to work jointly in order to increase user uptake through their respective digital channels via a convenient link between ESDC’s My Service Canada Account and the CRA’s My Account. Individuals may now log in once to access services at either organization without the need to log in or validate their identities twice.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/acms2-eng.html

Trust Accounts Examination Program

The Trust Accounts Examination Program is responsible for the CRA’s examination of employers' books and records to ensure proper deducting, sending, and reporting of income tax (federal and provincial), GST/HST, Canada Pension Plan contributions, employment insurance premiums, employer-provided benefits, and unreported income.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-tae-eng.html

Employer Compliance Audit Program

The Employer Compliance Audit Program is responsible for the CRA’s auditing of employers' books and records to ensure the proper reporting of employment income and taxable benefits and certain taxable benefits to shareholders, the withholding and remitting of payroll-source deductions, as well as the proper characterization of workers.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-eca-eng.html

Film and Media Tax Credits Program

Film and media tax credits are federal and provincial tax incentives designed to encourage the film and media production industry in Canada. More specifically, they are designed to encourage the hiring of Canadians in the film and media production industry, since most of the tax credits are labour-based.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-fmtcp-eng.html

CRA Anonymous Internal Fraud and Misuse Reporting Line

This initiative provides individuals with an anonymous way to report suspicions of fraudulent activity engaged in by CRA employees. Individuals can contact the CRA Anonymous Internal Fraud and Misuse Reporting Line or use a web-based system administered by an independent third party contractor.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-aifmrl-eng.html

Business intelligence and compliance risk assessments

Personal information provided to the CRA is used in the context of business intelligence and compliance risk assessment activities to identify and assess risks of non-compliance. Cases identified through these exercises are forwarded to various program areas such as International and Large Business, Small and Medium Enterprises, GST/HST Audit, and Scientific Research and Experimental Development, for more processing (that is, audits and related enforcement activities).

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-bicra-eng.html

Income verification services

To qualify for certain provincial, territorial, and federal income assistance programs including drug cost assistance, housing, and student loans and grants, applicants must give proof of income.

With the applicant’s consent, the CRA will send proof of income to the partner government organizations electronically so that they quickly receive the information needed to decide if the applicant qualifies for assistance.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-ivs-eng.html

Business intelligence research and development environment

The CRA has identified the requirement to create a research and development environment where researchers and analysts can conduct research and develop strategies to identify, predict, and address non-compliance, and/or improve service to taxpayers and benefit recipients. To facilitate this, the CRA proposed a co-ordinated Agency-wide approach with the implementation of a business intelligence appliance intended to support this environment by providing a central Agency-wide infrastructure for using, sharing, and managing data. Procedures and processes will be in place for the quality, integrity, and safeguarding of data, including personal data.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-birde-eng.html

Part XIII Non-Resident Withholding Program

This privacy impact assessment is about the withholding, remitting, reporting, and filing obligations under Part XIII of the Income Tax Act, as well as the various elections and requests for refunds that are submitted by businesses, third parties, and individuals.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-pxiiinrwp-eng.html

Small and Medium Enterprises Income Tax Audit and Examinations

This initiative is intended to provide functional leadership, policy development, and program direction to audits, reviews, and examinations by field operations. To help field operations to deliver established strategies and achieve planned results, CRA Headquarters, in collaboration with the CRA regions, ensures that audit staff have the tools and skills needed, monitors the program, and makes changes or recommendations for change to policies, procedures, activities, and legislation where necessary.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-smt-eng.html

Collections - Government Programs

This privacy impact assessment identifies and assesses privacy risks to personal information relating to the CRA’s collection activities for government program debts. This assessment is about the CRA’s collection activities, processes, recommendations, and decisions regarding collection actions taken in relation to debts with Employment and Social Development Canada.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-cgp-eng.html

Employer Accounts Program

The CRA and Employment and Social Development Canada jointly administer the Canada Pension Plan and the Employment Insurance Act.

This privacy impact assessment identifies and assesses privacy risks to personal information relating to the Employer Accounts Program activities, which include making sure that Canada Pension Plan contributions and employment insurance premiums are deducted, remitted, and reported as required by legislation.

For the privacy impact assessment summary, go to: cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-mpccts-eng.html

Collaboration with Oversight Bodies and Other Organizations

The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat, and other organizations to strengthen privacy at the CRA.

Office of the Privacy Commissioner of Canada audit

In 2012–2013, the Office of the Privacy Commissioner of Canada completed an audit of the CRA’s privacy management framework as a follow-up to its February 2009 audit, “Privacy Management Frameworks of Selected Federal Institutions.”

In 2015–2016, when the Office of the Privacy Commissioner of Canada followed up on the progress regarding the recommendations in the audit, the CRA reported that, based on the Privacy Commissioner’s criteria for full implementation, seven of the nine recommendations were fully implemented. The recommendation relating to CRA’s audit logging system was completed during 2016–2017. The remaining recommendation concerning identity and access management controls will be fully implemented in 2017–2018.

In its 2015–2016 annual report to Parliament, the Office of the Privacy Commissioner of Canada recognized that the CRA has fully implemented or substantially implemented all recommendations in the Office’s 2013 audit regarding section 37 of the Privacy Act.

Treasury Board of Canada Secretariat

The CRA strengthened its relationship with the Treasury Board of Canada Secretariat throughout the fiscal year by:

  • consulting with the Treasury Board of Canada Secretariat Information and Privacy Policy Division on a wide-range of subjects, such as policy and legal interpretation
  • participating in access to information and privacy community meetings

Office of the Taxpayers’ Ombudsman

In 2017, as a follow-up to the Taxpayers’ Ombudsman’s 2012 Acting on ATIP report, the Assistant Commissioner of the Public Affairs Branch and senior management from the Strategy and Integration Branch met with the Taxpayers’ Ombudsman to inform her of the CRA’s efforts in responding to the recommendations in the report. The CRA has taken decisive steps to address all recommendations in this report.

Conclusion

The CRA takes privacy and the safeguarding of personal information very seriously. In 2016–2017, the CRA continued to make significant progress in addressing challenges by: implementing the inventory reduction plan; introducing processing efficiencies through the Lean method; and responding to recommendations from oversight bodies to enhance privacy processes.

  • further promoting the use of informal disclosure
  • promoting continuous improvement initiatives, including applying Lean methodology and monitoring progress
  • continuing to focus on reducing access to information and privacy inventory through the inventory reduction plan
  • monitoring files through the quality assurance process
  • enhancing awareness about privacy-related issues through new and innovative tools
  • revising the privacy management dashboard and matrix to ensure the CRA’s privacy management framework is sound
  • implementing a revised privacy impact assessment plan and working closely with program areas to make sure privacy impact assessments are completed as required

Appendix A – Statistical report

Statistical Report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2016 to March 31, 2017

PART 1 – Requests under the Privacy Act

Number of requests

  Number of requests
Total 3,944
Closed during reporting period 3,400
Carried over to next reporting period 544
Received during reporting period 3,174
Outstanding from previous reporting period 770

PART 2 – Requests closed during the reporting period

2.1    Disposition and completion time

Disposition
of requests
 

 Completion time
1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than
365 days
Total 
All exempted 0 1 1 0 0 2 0 4
All excluded 0 0 0 0 0 0 0 0
No records exist 12 16 3 7 1 0 0 39
Request abandoned 471 33 10 9 4 9 9 545
Neither confirmed nor denied 27 0 0 0 0 0 0 27
Total  795 1,045 720 292 105 282 161 3,400
All disclosed 258 724 366 98 13 21 4 1,484
Disclosed in part 27 271 340 178 87 250 148 1,301

2.2    Exemptions 

Section
 
Number of
requests 
Section
 
Number of
requests
Section
 
Number of
requests 
19(1)(b) 0 22(1)(a)(iii) 5 24(a) 0
19(1)(c) 29 22(1)(b) 461 24(b) 0
19(1)(d) 1 22(1)(c)
1 25 0
19(1)(e) 0 22(2) 0 26 1,111
19(1)(f) 0 22.1 0 27 159
20 0 22.2 0 28 0
21 5 22.3 1    
18(2) 0 22(1)(a)(i) 4 23(a) 0
19(1)(a) 10 22(1)(a)(ii) 13 23(b) 0

2.3    Exclusions 

Section
 
Number of
requests
Section
 
Number of
requests
Section
 
Number of
requests
69.1 0 70(1)(b) 0 70(1)(f) 0
    70(1)(c) 0 70.1 0
69(1)(a) 1 70(1) 0 70(1)(d) 0
69(1)(b) 0 70(1)(a) 0 70(1)(e) 0

2.4    Format of information released 

Disposition Paper Electronic Other formats
Total 574 2,211 0
All disclosed 412 1,072 0
Disclosed in part 162 1,139 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

Disposition of
requests
Number of
pages processed
Number of
pages disclosed
Number of
requests
All exempted 1,623 0 4
All excluded 0 0 0
Request abandoned 3,067 0 545
Neither confirmed nor denied 0 0 27
Total  1,086,917 606,793 3,361
All disclosed 62,661 62,661 1,484
Disclosed in part 1,019,566 544,132 1,301

2.5.2    Relevant pages processed and disclosed by size of requests 

Disposition
of requests

 
less than
100 pages
processed
101 - 500
pages
processed
505 - 1000
pages
processed
1001 - 5000
pages
processed
More than
5000 pages
processed
Number of
requests
Pages
disclosed
Number of
requests
Pages
disclosed
Number of
requests
Pages
disclosed
Number of
requests
Pages
 disclosed
Number of
requests
Pages
 disclosed
 
All exempted 4 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 541 0 1 0 3 0 0 0 0 0
Neither confirmed nor denied 27 0 0 0 0 0 0 0 0 0
Total  2,402 63,748 667 149,632 161 113,304 122 209,959 9 70,150
All disclosed 1,379 41,544 101 16,963 3 2,263 1 1,891 0 0
Disclosed in part 451 22,204 565 132,669 155 111,041 121 208,068 9 70,150

2.5.3    Other complexities 

Disposition
 
Consultation
required
Legal advice
sought
Interwoven
information
Other
 
Total
 
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 2 2 12 16 
Neither confirmed or denied 0 0 0 0
Total  8 7 28 62 105 
All disclosed 0 4 17 25 46 
Disclosed in part 8 1 9 25 43 

2.6        Deemed refusals

2.6.1     Reasons for not meeting statutory deadline

Number of requests
closed past the
statutory deadline
 

 Principal reason
Workload External
consultation
Internal
consultation
Other
835 793 1 0 41

2.6.2    Number of days past deadline 

Number of days
past deadline
Number of requests
past deadline where no
extension was taken
Number of requests past
deadline where an
extension was taken
Total
 
31 to 60 days 67 28 95
61 to 120 days 74 32 106
121 to 180 days 87 27 114
181 to 365 days 175 76 251
More than 365 days 62 61 123
Total  528 307 835
1 to 15 days 42 60 102
16 to 30 days 21 23 44

2.7    Requests for translation 

Translation requests Accepted Refused Total
Total 4 0 4
English to French 4 0 4
French to English 0 0 0

Part 3 – Disclosures under subsection 8(2) and 8(5)

Disclosures under subsection 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Part 4 – Requests for correction of personal information and notations

Requests for correction of personal information and notations

Disposition for correction requests received Number
Total 3
Notations attached 2
Requests for correction accepted 1

Part 5 – Extensions

5.1     Reasons for extensions and disposition of requests

Disposition of
requests
15(a)(i)
Interference with
operations
15(a)(ii) consultation 15(b)
translation or
conversion
Section 70 Other 
All exempted 3 0 0 0
All excluded 0 0 0 0
No records exist 5 0 0 0
Request abandoned 22 0 0 0
Total  964 0 5 8
All disclosed 356 0 0 0
Disclosed in part 578 0 5 8

5.2    Length of extensions 

Length of
extensions
15(a)(i)
Interference
with operations
15(a)(ii) consultation 15(b)
Translation or
conversion
Section 70 Other 
Total 964 0 5 8
1 to 15 days 16 0 0 1
16 to 30 days 948 0 5 7

Part 6 – Consultations received from other institutions and organizations

6.1 Consultations received from other government institutions and organizations
 

Consultations
 
Other government
institutions
Number of
pages to review
Other
organizations
Number of
pages to review
Total 5 209 0 0
Closed during the
reporting period
5 209 0 0
Pending at the end of
the reporting period
0 0 0 0
Received during
reporting period
5 209 0 0
Outstanding from the
previous reporting period
0 0 0 0

6.2    Recommendations and completion time for consultations received from other Government institutions

Recommendations

 
Number of days required to complete consultation requests
1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than
365 days

Total
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 3 0 0 0 0 0 0 3
Total  4 1 0 0 0 0 0 5
Disclose entirely 1 0 0 0 0 0 0 1
Disclose in part 0 1 0 0 0 0 0 1

6.3    Recommendations and completion time for consultations received from other organizations

Recommendation

 
Number of days required to complete consultation requests
1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than
365 days
Total 
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other organization 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0

Part 7 – Completion time of consultations on Cabinet confidences

7.1    Requests with Legal Services

Number of
days

 
Less than 100
pages processed
101 - 500 pages
processed
501 -1000 pages
processed
1001 - 5000 pages
processed
More than 5000 pages
processed
Number of
requests
Pages
disclosed
Number of
requests
Pages
disclosed
Number of
requests
Pages
disclosed
Number of
requests
Pages
disclosed
Number of
requests
Pages
disclosed
 
61 to 120 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0
Total  0 0 0 0 0 0 0 0 0
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0

7.2    Requests with Privy Council Office



Number of days
Less than 100
pages processed
101 - 500 pages
processed
501 - 1000 pages
processed
1001 - 5000 pages
processed
More than 5000
pages processed
Number of  requests Pages
disclosed
Number of  requests Pages
disclosed
Number of requests Pages disclosed Number of requests Pages
disclosed
Number of requests Pages
disclosed
 
31 to 60 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0
Total  0 0 0 0 0 0 0 0 0
1 to 15 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0

Part 8 – Complaints and investigations notices received

Section 31 Section 33 Section 35 Court action Total
23 0 23 0 46

Part 9 – Privacy impact assessments (PIAs)

Number of PIAs completed 22

Part 10 – Resources related to the Privacy Act

10.1    Costs

Expenditures Amounts $
Goods and Services $478,925
  • Professional services contracts
$268,444  
  • Other
$210,481  
Total  $5,708,045
Salaries $5,042,457
Overtime $186,663

10.2    Human Resources 

Resources Person years dedicated to privacy activities
Regional staff 0.00
Consultants and agency personnel 1.50
Students 0.50
Total 72.00
Full-time employees 70.00
Part-time and casual employees 0.00
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: