Annual Report to Parliament on the Administration of the Privacy Act - 2013–2014

 

Introduction

Privacy Act

The l40Privacy Act came into effect on July 1, 1983. The Act protects the privacy of individuals with respect to their personal information held by government institutions, by establishing the rules for the collection, use, disclosure, retention and disposal of such information. It also provides individuals with a right to be given access to, and to request a correction of, their personal information.

Section 72 of the l41Privacy Act requires that the head of every government institution submit an annual report to Parliament on the administration of the Act within the institution for the past fiscal year. It is under this provision that the present annual report is tabled in Parliament.

The present annual report describes how Shared Services Canada (SSC) administered the l42Privacy Act for the period from April 1, 2013, to March 31, 2014.

Institutional Mandate and Organization

Mandate

SSC is a federal department created on August 4, 2011, to transform how the Government of Canada manages its information technology (IT) infrastructure. SSC’s mandate was reinforced on June 29, 2012, with the passage by Parliament of the Shared Services Canada Act.

SSC’s focus is to maintain and improve IT services delivery across the Government of Canada, generate and reinvest savings, enhance security, and implement government-wide solutions to transform IT infrastructure to improve services to Canadians.

SSC reports to Parliament through the Minister of Public Works and Government Services and is responsible for delivering mandated email, data centre and network services to the partner departments (“Partner Organizations”, see Annex A) in a consolidated and standardized manner to support the delivery of Government of Canada programs and services. SSC also provides certain optional technology-related services to government organizations on a cost-recovery basis. Budget 2013 further expanded SSC’s mandate, adding the consolidation of government-wide procurement of software and hardware for workplace technology devices.

In addition, SSC contributes to the achievement of other critically important and transformational Government of Canada initiatives such as the Perimeter Security Defence Project, the Transformation of Pay Administration initiative and the vision of the public service of the future as articulated in Blueprint 2020. As an IT security service delivery organization, SSC works collaboratively with other Government of Canada cyber security agencies to support the cyber security strategy.

Organization

SSC has four branches, each responsible for supporting one of the four elements of SSC’s business model:

  • Plan and Design – Transformation, Service Strategy and Design Branch
  • Build – Projects and Client Relationships Branch
  • Operate – Operations Branch
  • Manage – Corporate Services Branch

Although the branches are responsible for delivering on the priorities within each of their business lines, one of SSC’s strengths is the synergies that occur when the various branches work together to deliver IT infrastructure services to SSC’s Partner Organizations.

Delegated Authority

In April, 2012, pursuant to section 73 of the l43Privacy Act, the President of SSC delegated full powers, duties and functions under the Act to levels down to and including the Director of the Access to Information and Privacy Protection (ATIP) Division. The SSC Delegation Order for the l44Privacy Act is included in Annex B.

Mandate

SSC is a federal department created on August 4, 2011, to transform how the Government of Canada manages its information technology (IT) infrastructure. SSC’s mandate was reinforced on June 29, 2012, with the passage by Parliament of the Shared Services Canada Act.

SSC’s focus is to maintain and improve IT services delivery across the Government of Canada, generate and reinvest savings, enhance security, and implement government-wide solutions to transform IT infrastructure to improve services to Canadians.

SSC reports to Parliament through the Minister of Public Works and Government Services and is responsible for delivering mandated email, data centre and network services to the partner departments (“Partner Organizations”, see Annex A) in a consolidated and standardized manner to support the delivery of Government of Canada programs and services. SSC also provides certain optional technology-related services to government organizations on a cost-recovery basis. Budget 2013 further expanded SSC’s mandate, adding the consolidation of government-wide procurement of software and hardware for workplace technology devices.

In addition, SSC contributes to the achievement of other critically important and transformational Government of Canada initiatives such as the Perimeter Security Defence Project, the Transformation of Pay Administration initiative and the vision of the public service of the future as articulated in Blueprint 2020. As an IT security service delivery organization, SSC works collaboratively with other Government of Canada cyber security agencies to support the cyber security strategy.

Dedicated to Access to Information and Privacy Excellence

The ATIP Division is responsible for developing, coordinating, implementing and monitoring compliance with effective ATIP-related policies, guidelines, systems and procedures across SSC. This enables SSC to meet the requirements, and to fulfill its obligations, under the l45Privacy Act, and its accompanying piece of legislation, the l1Access to Information Act.

The main activities of the ATIP Division are:

  • Receiving, coordinating and processing requests under the l46Privacy Act and the l2Access to Information Act;
  • Developing SSC-specific policy instruments in support of access and privacy legislation;
  • Developing and delivering ATIP awareness and training across SSC so that employees and management understand their roles and responsibilities;
  • Supporting a network of ATIP Liaison Officers across SSC who assist with requests by coordinating the retrieval of records and recommendations from within their branch or region;
  • Monitoring institutional compliance with both Acts and maintaining regulations and relevant procedures and policies;
  • Preparing annual reports to Parliament and other statutory reports, as well as other material that may be required by central agencies;
  • Responding to consultations from other government institutions regarding SSC information under consideration for release;
  • Representing SSC in dealings with the Treasury Board of Canada Secretariat, and the Information and Privacy Commissioners of Canada regarding the application of both Acts as they relate to SSC;
  • Supporting SSC in meeting its commitments to openness and transparency through the proactive disclosure of information and the release of information via informal avenues; and
  • Participating in whole-of-government initiatives for the federal ATIP Community.

ATIP Division Structure

During the period covered by this report, the ATIP Division structure had 14 full-time positions: the Director, two Deputy Directors, one Team Leader, eight analysts and two administrative officers. The ATIP Division maintained an average of 12.34 full-time equivalents (FTEs), 3.85 of whom were dedicated to the administration of the l47Privacy Act . By the end of the reporting period, the ATIP Division had 13 positions staffed.

ATIP Division Structure

ATIP Division Structure

The Operations Unit within the ATIP Division is responsible for processing requests under the l48Privacy Act and its accompanying piece of legislation, the l3Access to Information Act. This includes liaising with subject-matter experts within SSC, performing a line-by-line review of records requested and conducting external consultations as required to balance between the public’s right of access and the government’s need to safeguard certain information in limited and specific cases. The Operations Unit provides briefings for the senior management team as required on matters relating to requests and institutional performance. This unit is also the main point of contact with the Offices of the Privacy and Information Commissioners of Canada with respect to the resolution of complaints related to requests under both Acts.

The Policy and Governance Unit within the ATIP Division provides policy advice and guidance to SSC’s senior management team on access to information and the protection of personal information. This unit is responsible for assisting program officials when they draft personal information sharing agreements and conduct privacy impact assessments to ensure that privacy legislation is respected. It also liaises with employees and prepares and delivers training and awareness sessions throughout SSC. In addition, the unit coordinates SSC’s annual reporting requirements and publishes SSC’s Info Sourcespace chapterFootnote 1 Lastly, it is the main point of contact with the Offices of the Privacy and Information Commissioners of Canada with respect to various audits, reviews, systemic investigations and privacy breaches.

Interpretation of the Statistical Report

The Statistical Report (Annex C) and its Supplementary Report (Annex D) on the l10Privacy Act provide a summary of the personal information requests and consultations processed during the 2013 –2014 reporting period. The Supplementary Report also gives the number of completed Privacy Impact Assessments, if any.

Overview of Workload (Annex C, Part 1; Part 6, Table 6.1)

During the reporting period, the ATIP Division received 69 requests under the l11Privacy Act and one consultation from another government institution, in addition to one request carried forward from the previous reporting period.

It should be noted that, while the volume of requests under the l12Privacy Act during this reporting period had increased significantly compared to the previous reporting period (in which only 5 requests had been received), there were many instances when SSC received requests that were intended for other institutions and therefore had to be redirected.

Also of note is the fact that during this reporting period, the number of pages processed by the ATIP Division increased by five times, from 868 pages processed in the 2012–2013 to 16,402 pages processed in 2013–2014, and the number of pages released increased by fifteen times, from 550 pages released in 2012–2013 to 8,350 pages released in 2013–2014.

The ATIP Division closely tracks, on a weekly basis, its turnaround times in processing requests and monitors the timeliness of their completion. In this reporting period, all processed l13Privacy Act requests were completed within legislated timelines.

Requests Received (Annex C, Part 1; Part 2, Table 2.1)

During this reporting period, 69 requests were received under the l14Privacy Act. One request from the previous reporting period was carried forward, for a total of 70 requests requiring action for this reporting period.

Sixty-nine (69) requests were completed before the end of the reporting period.

Disposition of Requests Completed (Annex C, Part 2, Table 2.1)

Of the 69 requests completed, 3 led to the full disclosure of the requested documents, 19 had exemptions applied to parts of the records prior to their release, 2 had exemptions applied to the records in their entirety, 4 were closed with no relevant records having been located, 35 related to records under the control of other government institutions and were redirected accordingly, and the remaining 6 were abandoned by the requesters.

As explained above, this reporting period saw an unusually high number of requests that were abandoned or where no records existed. These irregularities are due to the early days of the Access to Information and Privacy (ATIP) Online Request pilot project, which initially covered only three institutions, including SSC, thereby resulting in SSC receiving numerous requests intended for other institutions. As more institutions continue to come on board the project, SSC is seeing a significant decrease in misdirected requests.

Completion Time (Annex C, Part 2, Table 2.1)

The l15Privacy Act sets the timelines for responding to privacy requests. It also provides for extensions in cases where responding to the request within the original time limit would unreasonably interfere with the operations of the government institution or where consultations are necessary but cannot be reasonably completed within the original time limit. Of the 69 requests, 56, or over 80%, were completed within the 30-day deadline established by the Act, with the remaining 13 requests completed within lawful time extensions.

Exemptions Invoked (Annex C, Part 2, Table 2.2)

In 18 instances, some information was withheld because it related to another individual and was therefore exempted under section 26 of the l16Privacy Act. In 5 instances, some information was withheld because it was subject to solicitor-client privilege and was therefore exempted under section 27 of the l17Privacy Act. In another 5 instances, some information was withheld because it had been determined that its disclosure could reasonably be expected to threaten the safety of individuals, and was therefore exempted under section 25 of l18Privacy Act. In 4 instances, some information was withheld because it had been determined that its disclosure could reasonably be expected to be injurious to the enforcement of a law of Canada or a province or the conduct of lawful investigations, and was therefore exempted under paragraph 22(1)(b) of the l19Privacy Act. Lastly, in 3 instances , some information was withheld because it had been determined that the information had been created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.

Exclusions Cited (Annex C, Part 2, Table 2.3)

No exclusions were cited in the requests completed during the reporting period.

Disclosure of Personal Information Pursuant to Paragraphs 8(2)(e) and (m) (Annex C, Part 3)

Paragraph 8(2)(e) of the l20Privacy Act allows the head of the institution to disclose personal information without the consent of the affected individual where such information is requested in writing by a designated investigative body for law enforcement purposes. During the reporting period, SSC made no disclosures of personal information under this provision.

Paragraph 8(2)(m) of the l21Privacy Act allows the head of the institution to disclose personal information without the consent of the affected individual in cases where, in the opinion of the head, the public interest outweighs any invasion of privacy that could result from the disclosure or when it is clearly in the best interest of the individual to disclose. During the reporting period, SSC made no disclosures of personal information under this provision.

Extensions (Annex C, Part 5, Table 5.1)

Extensions permissible under section 15 of the Act were claimed for 13 requests. In 9 cases, the extensions were sought because of the requirement to review large volumes of information. In the remaining 4 instances, extensions to the prescribed time limits were sought in order to consult with other government institutions.

Consultations (Annex C, Part 6)

During the reporting period, SSC received one consultation from another government institution. SSC’s ATIP Division completed the consultation within 15 days.

Costs (Annex C, Part 8)

According to information provided by SSC’s Finance Division in April 2014, during the reporting period, the ATIP Division spent $306,652.00 on salaries, $1,176.00 on overtime, and $61,845.00 on goods and services, including professional service contracts, for the administration of the l22Privacy Act.

Breaches, Complaints and Audits

Privacy Breaches

On June 19, 2013, an SSC employee reported the release of a Telework Arrangement and Grievance Memorandum of Settlement to another employee. Although the affected employee’s full name and Personal Record Identifier were not included in the disclosed documents, there was other personal information released sufficient to identify the individual.

SSC carefully reviewed the facts surrounding the incident and determined that an administrative error on June 12, 2013, led to the inadvertent disclosure of the personal information to a co-worker.

On July 12, 2013, SSC contacted the employee and advised the employee of the right to make a complaint. The employee was assured in writing that SSC was taking corrective measures to protect and appropriately handle personal information to avoid a recurrence of such an incident in the future. The employee was also advised of the right to bring a complaint to the Office of the Privacy Commissioner of Canada regarding the matter. On the same day, SSC also proactively notified the Office of the Privacy Commissioner of Canada of the incident and of the fact that corrective measures were being taken to ensure that appropriate safeguards of personal information are in place.

Complaints

SSC was not the subject of any complaints under the l23Privacy Act.

Audits

On February 7, 2014, SSC was notified that it was one of 20 government institutions selected for an audit examination by the Office of the Privacy Commissioner of Canada. The audit, to be carried out pursuant to section 37 of the Privacy Act, will examine the frameworks in place governing the use of portable electronic storage devices and the potential impact of such devices on the privacy of Canadians, in order to address concerns about privacy and the security controls of portable storage devices. 

At the end of the reporting period, SSC was awaiting the Terms of Reference for the audit.

Access to Information and Privacy Procedures, Policies and Initiatives

During this reporting period, SSC continued to work toward embedding a culture of privacy excellence. SSC finalized its policy instruments designed to establish procedures for managing privacy breaches, delivered on mandatory privacy training and updated the inventory of its personal information holdings in Info Source vis-à-vis its 2013–2014 Program Alignment Architecture.

The ATIP Division’s process under the l24Privacy Act is based on the “duty to assist” principle, defined in the TBS Directive on Privacy Requests and Correction of Personal Information as follows:

  1. Process requests without regard for the identity of the applicant;
  2. Offer reasonable assistance throughout the request process;
  3. Provide information on the l25Privacy Act, including information on the processing of requests and the right to complain to the Privacy Commissioner of Canada;
  4. Inform the applicant as appropriate and without undue delay when the request needs to be clarified;
  5. Make every reasonable effort to locate and retrieve the requested personal information under the control of the institution;
  6. Apply limited and specific exemptions to the requested personal information;
  7. Provide accurate and complete responses;
  8. Provide timely access to the requested personal information;
  9. Provide personal information in the format and official language requested, as appropriate; and
  10. Provide an appropriate location within the institution to examine the requested personal information.

SSC’s ATIP process is further supported by best practices within the federal ATIP Community, which enable SSC to meet the challenges of responding in a timely manner to l26Privacy Act requests for access and consultations.

SSC also adheres to the following privacy principles:

  • Accountability: an institution is responsible for personal information under its control.
  • Collection: information should be collected fairly and lawfully; it should be necessary and relevant.
  • Consent: the individual must have knowledge of the collection, use or disclosure of personal information in order to be able to consent to it, except when inappropriate (e.g., lawful investigations).
  • Use: personal information is used in line with the purposes of its collection, except when the individual consents or it is required by law.
  • Disclosure: personal information should be disclosed in line with the purpose of its collection, except when the individual consents or it is required by law.
  • Retention: personal information is retained only as long as necessary.
  • Accuracy: personal information should be accurate, complete and up-to-date so as to serve its purpose.
  • Safeguards: security safeguards should be appropriate to the sensitivity of the information.
  • Openness of information: an institution should make specific information readily available to individuals about its policies and practices on the management of personal information.
  • Individual access: an individual should be able to access his or her personal information under the control of the institution.
  • Challenging compliance: an individual should be able to challenge compliance with any of the above principles by contacting the ATIP Division.

Control of Records and Partner Organizations

Given SSC’s mandate, there are challenges surrounding the roles and responsibilities under the l27Privacy Act. Section 16 of the l200Shared Services Canada Act states that “for the purposes of the l28Privacy Act, personal information that is collected by other government institutions as defined in that Act or by other organizations and that is, on behalf of those institutions or organizations, contained in or carried on Shared Services Canada’s information technology systems is not under the control of Shared Services Canada.”

The ATIP Division processes only the records that relate to SSC departmental business. The Partner Organizations continue to be responsible for the creation, maintenance, use, disclosure and disposal of their electronic information holdings and their access rights have not changed.

While SSC does not have control and ownership over the Partner Organizations’ records stored in the shared IT infrastructure, given the responsibilities and thus the shared interest, consultations with the Partner Organizations is an important part of SSC’s processing of requests. Further, a process has been established to enable Partner Organizations to conduct searches of their data held on any SSC server where such searches are necessary in order to properly respond to a l29Privacy Act request. In such cases, the ATIP Division of the relevant Partner Organization is required to contact its institutional Chief Information Officer who is the primary point of contact between the Partner Organization and the SSC portfolio lead.

Initial Contact with Requesters

As part of the intake process, the ATIP Operations Team Leader reviews all incoming personal information requests to ensure that they are complete and clear. As appropriate, the requester is contacted and offered the possibility of clarifying the request.

This process provides several benefits. It provides a better service to the requester by clearly determining the scope of the requested information, thereby potentially reducing the processing time. It also makes more efficient use of institutional resources by eliminating the need to search for, retrieve, review and possibly consult on records that are not desired.

ATIP Process Manual

During the reporting period, the ATIP Division created a procedural manual to guide ATIP staff in processing requests received under the l30Privacy Act and its accompanying piece of legislation, the l4Access to Information Act. The manual provides information about the types of documents processed and how they should be handled pursuant to the Acts. The manual serves as a reference tool for ATIP staff and is designed to ensure consistent application of the Acts and related policy instruments. Further, the manual supports SSC’s “duty to assist” all applicants, so that all reasonable effort is made to help applicants receive complete, accurate and timely responses in accordance with the legislation.

SSC has developed internal procedures and guidelines to ensure appropriate monitoring of and reporting on ATIP requests, as well as compliance with the Treasury Board of Canada Secretariat's policies and guidelines. They provide important checks and balances required to maintain SSC’s continued 100% compliance rate.

New Cabinet Confidences Process

The l31Privacy Act indicates that certain types of materials are excluded from its application, including confidences of the Queen’s Privy Council of Canada (commonly referred to as Cabinet confidences). The Supreme Court of Canada has recognized that Cabinet confidentiality is essential to good government. The Court has explained that, “[t]he process of democratic governance works best when Cabinet members charged with government policy and decision-making are free to express themselves around the Cabinet table unreservedly.”Footnote 2

The Treasury Board of Canada Secretariat, with a view to improving the administration of the ATIP Program across the government, worked with the Privy Council Office and the Department of Justice to revise the procedure used in the ATIP Community to process requests for Cabinet confidences. These joint efforts have resulted in a revised process for the determination of Cabinet confidences in the ATIP Program, which came into effect on July 1, 2013. Rather than ATIP Offices going directly to the Privy Council Office in all instances, the new process requires ATIP Offices to consult with their institutional legal services units where requested information has been identified as likely constituting a Cabinet confidence.

In cases where there is doubt as to whether information is a Cabinet confidence, or when otherwise required, the Office of the Counsel to the Clerk of the Privy Council must be consulted.

During the reporting period, in order to align with the new process, SSC’s ATIP Division established a Service Level Agreement with its institutional Legal Services Unit for the provision of a review of records and recommendations on records that may contain information subject to the Cabinet confidences exclusion. This Service Level Agreement allows for an efficient business process related to Cabinet confidences, thereby ensuring that SSC meets the requirements of the revised process and fulfills its obligations under the l32Privacy Act.

Info Source Modernization Initiative

Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions subject to the l5Access to Information Act and the l33Privacy Act. It provides individuals and current and former employees of the government with relevant information to assist them in accessing personal information about them held by government institutions subject to the l34Privacy Act and exercising their rights under the l35Privacy Act.

The Treasury Board of Canada Secretariat requires that the government institutions publish their own Info Source chapter on their Internet site. During the reporting period, SSC completed the first review of its Info Source chapter, including a review of previously published Personal Information Banks and the creation of a new Personal Information Bank for External Credential Management Services. During the reporting period, the Treasury Board of Canada Secretariat highlighted SSC’s Info Source chapter to institutions as a good example for reference purposes.

ATIP Online Requests Initiative

The Government of Canada is modernizing service to Canadians while increasing its open information environment. To improve service quality and ease of access for citizens and to reduce processing costs for institutions, the Government of Canada is beginning to transform platforms supporting the administration of ATIP. On April 9, 2013, the Access to Information and Privacy (ATIP) Online Request service was launched allowing Canadians, for the first time, to submit and pay for ATIP requests online.

In its initial pilot phase, the ATIP Online Request service allowed clients to submit requests and fees online to Citizenship and Immigration Canada, SSC and the Treasury Board of Canada Secretariat. Given the successful implementation of this pilot initiative, the service has been expanded to include other government institutions.

With SSC’s mandate to transform how the Government of Canada manages its IT infrastructure, it was a natural fit for SSC to participate in the initiative led by the Treasury Board of Canada Secretariat to create an online mechanism for submitting ATIP requests. Throughout the reporting period, SSC was an active participant in the development of the requirements, the functional model and the risk analysis of the pilot project.

Whole of Government ATIP Software Solution

The vast majority of institutions subject to ATIP legislation use specialized file tracking and document redaction systems. The last multi-institutional contract for such systems was awarded in March of 2009 and cannot provide all of the functionalities desired by ATIP practitioners. The Treasury Board of Canada Secretariat has taken the lead in the procurement of a next -generation ATIP software solution. This new solution will be offered to all Government of Canada institutions subject to ATIP legislation.

SSC is participating in two TBS-led interdepartmental working groups defining business requirements for the Government of Canada ATIP software solution.

ATIP Community Development Initiative

The ATIP Division has also been actively engaged with the ATIP Community Development Initiative, which is working to create generic organizational models and work descriptions to help standardize the ATIP work across the federal public service. A new SSC-led working group was assembled at the beginning of the reporting period, and the project is moving into its final stages. Throughout the process there have been many consultations with the community at large and other stakeholders, including the Public Service Alliance of Canada.

From the beginning of the process, the ATIP Community Development Initiative consulted with various institutions in the development of the generic work descriptions. Working groups and focus groups composed of representatives from all levels of the ATIP Community and Human Resources were established to ensure the active sharing of experience and knowledge.

As the initiative moves forward, competency profiles at the policy and operational levels will also be developed. TBS is planning to validate the generic work descriptions in 2014–2015.

ATIP Management Framework

During the reporting period, the ATIP Division began drafting an ATIP Management Framework, which sets out a comprehensive governance and accountability structure that, among other things, reflects SSC’s responsibilities under the l86Privacy Act with respect to its collection, use, disclosure, retention and disposal of personal information. This framework, to be approved and implemented in 2014 –2015, will explain how SSC is organized in terms of its structures, policies, systems and procedures for, among other things, managing privacy risks, assigning privacy responsibilities, coordinating privacy work and ensuring compliance with the l36Privacy Act, the l6Access to Information Act, related Treasury Board of Canada Secretariat policies and directives, and internal ATIP-related policies.

The Framework will focus on:

  • A strategy on ATIP Training and Awareness – outlines how ATIP training will be delivered to all SSC employees to improve their ability to carry out their roles while respecting the requirements of the l37Privacy Act and the l7Access to Information Act.
  • A process for managing privacy breaches – sets out the steps to be followed in the event of a privacy breach in each of the three possible scenarios:

    1. information under the control of SSC;
    2. information under the control of a Partner Organization; and
    3. where an enterprise service involving personal information has been outsourced to a third party service provider.
  • A process for conducting Privacy Impact Assessments – establishes SSC’s process for conducting Privacy Impact Assessments for new or substantially modified programs and activities involving personal information in order to attain compliance with the l38Privacy Act and related policy instruments. This established process is aimed at minimizing and mitigating, through Privacy Impact Assessments, potential privacy risks associated with new or substantially modified programs or activities.
  • A process for monitoring ATIP compliance – supports SSC in monitoring compliance with SSC-specific policy instruments designed to manage privacy risks and foster access to information in records under its control.

Institutional ATIP Training Activities

As the ATIP Division continued its efforts toward embedding a culture of privacy excellence across SSC, it focused on ATIP training activities, such as delivering training for the institutional ATIP Liaison Officers and mandatory privacy training in other areas of SSC. In order to assess the effectiveness of its training activities, the ATIP Division also devised a comprehensive evaluation form for participants to provide feedback regarding their training experience.

A total of 21 sessions were delivered to approximately 280 participants.

ATIP Overview for Administrative Assistants

During the reporting period, the ATIP Division delivered a training session providing an overview of SSC’s ATIP procedures, including the ATIP Liaison Officer process. The session also covered privacy obligations as they relate to email attachments and distribution lists.

Privacy Training for the Administrative Coordinators’ Committee

The ATIP Division delivered a training session with a special emphasis on email communications and the use of a workflow product for managing and tracking some types of correspondence.

Privacy in the Human Resources Environment

In the previous reporting period, the Human Resources and Workplace Directorate was offered some targeted training for Human Resources staff given the nature of their work. This reporting period saw the continuation of this training, specifically tailored to focus on privacy rights and obligations, including information on ATIP legislation and the ATIP process.

The Director of the ATIP Division delivered a training session to the Human Resources and Workplace Management team. During the reporting period, an additional six sessions were delivered to Human Resources professionals by Senior ATIP Analysts.

ATIP Training for ATIP Liaison Officers

The ATIP Liaison Officer process established by SSC provides a single gateway into each of the branches and directorates in order to streamline the ATIP tasking process. As the primary point of contact for a branch or directorate, an ATIP Liaison Officer must have an in-depth understanding of the ATIP process and a heightened understanding of the legislation. The ATIP Division developed a three-hour training session and reference material to address the specific needs of the ATIP Liaison Officers. The ATIP Division continues to offer training to new ATIP Liaison Officers and their alternate members in order to support this important network.

ATIP Training for Managers

Given the nature of its work providing IT services to SSC’s Partner Organizations, the Operations Branch approached the ATIP Division for some targeted training for managers and Directors General throughout the branch. A two-hour training program was developed with a focus on the ATIP process at SSC and the concept of control of information in the SSC context. Nine sessions were delivered in the reporting period.

ATIP Training for Subject Matter Experts

As the number and complexity of requests submitted to SSC increases, several program areas have requested training on the ATIP process. A 2.5-hour training program was developed with a focus on the legislative context, SSC’s internal process and best practices for responding to ATIP requests. During the reporting period, a session was delivered to institutional security employees. This training will continue to be delivered across SSC in the next reporting period.

Self-Directed ATIP Training

During the reporting period, the ATIP Division initiated the development of online ATIP training products for SSC employees. An introductory module on the management of personal information is planned for release via SSC’s Learning Academy during the 2014–2015 reporting period with other modules in the planning stages.

ATIP in the Government of Canada

The Director of SSC’s ATIP Division also delivered for the Canada School of Public Service the 3-day ATIP course in both January and February 2014. The course is entitled “Access to Information and Privacy in the Government of Canada” (Course I703) and is targeted at participants from across the federal public service.

Institutional ATIP Awareness Activities

SSC’s ATIP Division and Security and Information Management Directorate play a key role in managing SSC’s information holdings. Together, they are developing an integrated approach to fostering awareness, delivering training and providing tools to employees and managers. Various integrated awareness initiatives were well received by staff and championed by SSC’s senior management during the reporting period.

Privacy and Security Awareness Plan – Employee Consultation

As part of its ongoing efforts to raise awareness on privacy and security, SSC held an employee consultation on the Privacy and Security Awareness Plan from March 25 to April 12, 2013.

The Plan proposes a list of activities designed to increase employees’ understanding of the important role that they play in privacy, information management and security. The activities identified in the plan will occur throughout the year and are opportunities to engage all staff.

On July 12, 2013, the Senior Assistant Deputy Minister and Chief Financial Officer of Corporate Services communicated a summary of the consultation to SSC employees. 
Some of the proposed activities in the Plan include:

  • Blogging on privacy and security awareness
  • Focus on privacy and security awareness in the employee newsletter
  • Lunch-and-learn events and/or armchair/on-line sessions
  • Development of information materials to be used by managers and champions’ communities

Right to Know (RTK) Week

Initiated in Bulgaria in 2002, International RTK Week is intended to raise awareness about people’s right to access government information while promoting freedom of information as an essential feature of both democracy and good governance. In 2013, the Canadian RTK Week took place from September 23 to 28. SSC published an article on its extranet site to promote this event.

Information Management Week

SSC’s first Information Management Week took place from September 30 to October 4, 2013. Activities were scheduled to help employees gain a better understanding of Information Management tools, resources and best practices. The ATIP Division participated in a series of information sessions, where guest speakers discussed the impact of proper Information Management practices on the ATIP process.

Data Privacy Day

On January 28, 2014, Canada, along with many countries around the world, celebrated Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.

SSC promoted this day by issuing a message from the Chief Privacy Officer throughout the Department challenging employees to a mini-quiz based on the new Treasury Board of Canada Secretariat Policy on Acceptable Network and Device Use. The Data Privacy Day content was available to public servants on SSC’s extranet site.

Security Awareness Week

Security Awareness Week is an annual event held the second week of February. The Security Awareness Week held during the reporting period was a success thanks to ongoing departmental efforts and the continued support of the Government of Canada security community and inter-departmental groups, such as the Security Awareness Working Group.

A departmental working group looking at Security, Information Management, Communications and ATIP developed many awareness products for Security Awareness Week, which are featured on SSC’s extranet site. In early 2014, Communications also promoted the event in the February 6 issue of SSC’s weekly newsletter, SSC Weekly. The issue featured a message from the Chief Information and Security Officer concerning the responsibility that every employee has for departmental security, under the theme “Security is in YOUR hands!” Three learning events marking Security Awareness Week included sessions on Information Technology, Threat Environment, and Case Studies in Security.

Privacy Impact Assessments

Summaries of completed Privacy Impact Assessments are posted on SSC’s Internet site: l199Publications – Access to Information and Privacy.

In 2013–2014, no Privacy Impact Assessments were completed and forwarded to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. However, during the reporting period, SSC initiated several projects and continued to work on the previously initiated projects requiring consideration for, or preparation of, Privacy Impact Assessments. These projects are:

  1. Email Transformation Initiative
  2. Data Centre Consolidation
  3. Internal Credential Management (MyKey)
  4. PeopleSoft
  5. Telecom Voice over IP (VoIP)
  6. Employee Experience and Skills Management
  7. Conflict of Interest System & EForms
  8. Security Information Event Management
  9. Employee Performance and Learning Agreement ( EMPLA) Digitization (led by TBS)
  10. Electronic Procurement and Payment
  11. Privilege Management Infrastructure / Internal Credential and Access Management (ICAM)
  12. Workplace Technology Devices (including Department of Justice WTD Managed Service Pilot)
  13. Unisys – Mainframe Legacy Application Migration Project
  14. Email Employee Placement Form
  15. Videoconferencing Enterprise Service
  16. High Performance Computing
  17. Data Warehouse Project
  18. Workplace Communication Service IP Telephony
  19. Integrated Communications and Support Services (ICSS) / Virtual Contact Centre (VCC)
  20. Distributed Computing / Perspective Premium Software

Next Steps for the Year Ahead

SSC’s ATIP Division appreciates the opportunity to be engaged in the development of a relatively new institution. It will continue to be innovative in its administration of the l39Privacy Act. The ATIP Division is committed to further supporting SSC as it instils a culture of service excellence and moves toward an efficient and modern paperless environment.

During the next reporting period, SSC’s ATIP Division will continue to foster a culture that protects individuals’ privacy, by introducing the ATIP Management Framework and its accompanying policy instruments, setting out:

  • A strategy for ATIP Training and Awareness;
  • A process for managing privacy breaches, including reporting and notification tools to assist in breach handling;
  • A process for conducting Privacy Impact Assessments;
  • A process for preventing obstruction of access to personal information at SSC; and
  • A process for monitoring ATIP compliance across SSC

In addition, the ATIP Division will map its information holdings against SSC’s 2014–2015 Program Alignment Architecture. This initiative will define SSC’s information holdings in order to provide clarity to its Info Source chapter and will also assist requesters by directing their requests to the appropriate institution.


Annex A – Partner Organizations

  1. Aboriginal Affairs and Northern Development Canada
  2. Agriculture and Agri-Food Canada
  3. Atlantic Canada Opportunities Agency
  4. Canada Border Services Agency
  5. Canada Economic Development for Quebec Regions
  6. Canada Revenue Agency
  7. Canada School of Public Service
  8. Canadian Food Inspection Agency
  9. Canadian Heritage
  10. Canadian Northern Economic Development Agency
  11. Canadian Nuclear Safety Commission
  12. Canadian Space Agency
  13. Citizenship and Immigration Canada
  14. Correctional Service Canada
  15. Department of Finance Canada
  16. Department of Justice Canada
  17. Employment and Social Development Canada
  18. Environment Canada
  19. Federal Economic Development Agency for Southern Ontario (FedDev Ontario)
  20. Financial Transactions and Reports Analysis Centre of Canada
  21. Fisheries and Oceans Canada
  22. Foreign Affairs, Trade and Development Canada
  23. Health Canada
  24. Immigration and Refugee Board of Canada
  25. Industry Canada
  26. Infrastructure Canada
  27. Library and Archives Canada
  28. National Defence
  29. National Research Council Canada
  30. Natural Resources Canada
  31. Parks Canada
  32. Privy Council Office
  33. Public Health Agency of Canada
  34. Public Safety Canada
  35. Public Service Commission of Canada
  36. Public Works and Government Services Canada
  37. Royal Canadian Mounted Police
  38. Statistics Canada
  39. Transport Canada
  40. Treasury Board of Canada Secretariat
  41. Veterans Affairs Canada
  42. Western Economic Diversification Canada

Annex B – Delegation Order

Privacy Act Designation Order

The President of Shared Services Canada, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons acting in those positions, to exercise the powers and perform the duties and functions of the President of Shared Services Canada as the head of a government institution under all sections of the Privacy Act. This designation is effective immediately upon being signed.

SCHEDULE

  1. Chief Operating Officer
  2. Senior Assistant Deputy Minister and Chief Financial Officer
    Corporate Services
  3. Director General
    Corporate Secretariat
  4. Director
    Access to Information and Privacy Protection Division

Signed on April 2nd, 2012
Liseanne Forand

Ottawa


Annex C – Statistical Report on the Privacy Act

TBS/SCT 350–63

Name of institution: Shared Services Canada
Reporting period: 2013–04–01 to 2014–03–31

Part 1 – Requests under the Privacy Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 69
Outstanding from previous reporting period 1
Total 70
Closed during reporting period 69
Carried over to next reporting period 1

Part 2 – Requests closed during the reporting period

2.1 Disposition and completion time
Disposition of requests Completion Time
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than
365 days
Total
All disclosed 0 3 0 0 0 0 0 3
Disclosed in part 2 4 11 2 0 0 0 19
All exempted 1 1 0 0 0 0 0 2
All excluded 0 0 0 0 0 0 0 0
No records exist 39 0 0 0 0 0 0 39
Request abandoned 6 0 0 0 0 0 0 6
Total 48 8 11 2 0 0 0 69

2.2 Exemptions
Section Number of requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 4
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 3
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 18
27 5
28 0
2.3 Exclusions
Section Number of requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

2.4 Format of information released
Disposition Paper Electronic Other formats
All disclosed 3 0 0
Disclosed in part 6 13 0
Total 9 13 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Disposition of requests Number of pages processed Number of pages disclosed Number of requests
All disclosed 273 137 3
Disclosed in part 16129 8213 19
All exempted 0 0 2
All excluded 0 0 0
Request abandoned 0 0 6

2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less than
100 pages processed
101–500 pages
processed
501-1000 pages
processed
1001-5000 pages
processed
More than 5000
pages processed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
All disclosed 1 2 2 135 0 0 0 0 0 0
Disclosed in part 5 241 9 1902 0 0 4 5838 1 232
All exempted 2 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Abandoned 6 0 0 0 0 0 0 0 0 0
Total 14 243 11 2037 0 0 4 5838 1 232

2.5.3 Other complexities
Disposition Consultation required Legal Advice
Sought
Interwoven
Information
Other Total
All disclosed 0 0 0 0 0
Disclosed in part 5 0 0 0 5
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Abandoned 0 0 0 0 0
Total 5 0 0 0 5

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline
Number of requests closed
past the statutory deadline
Principal Reason
Workload External
consultation
Internal
consultation
Other
0 0 0 0 0

2.6.2 Number of days past deadline
Number of days
past deadline
Number of requests past
deadline where no extension
was taken
Number of requests past
deadline where an extension
was taken
Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0

2.7 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Part 3 – Disclosures under subsection 8(2)

Paragraph 8(2)(e) Paragraph 8(2)(m) Total
0 0 0

Part 4 – Requests for correction of personal information and notations

  Number
Requests for correction received 0
Requests for correction accepted 0
Requests for correction refused 0
Notations attached 0

Part 5 – Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of requests
where an extension was taken
15(a)(i)
Interference with
operations
15(a)(ii)
Consultation
15(b)
Translation or
conversion
Section 70 Other
All disclosed 0 0 0 0
Disclosed in part 9 0 4 0
All exempted 0 0 0 0
All excluded 0 0 0 0
No records exist 0 0 0 0
Request abandoned 0 0 0 0
Total 9 0 4 0

5.2 Length of extensions
Length of extensions 15(a)(i)
Interference with operations
15(a)(ii)
Consultation
15(b)
Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 9 0 4 0
Total 9 0 4 0

Part 6 – Consultations received from other institutions and organizations

6.1 Consultations received from other government institutions and organizations
Consultations Other
government institutions
Number of
pages to review
Other
organizations
Number of
pages to review
Received during the reporting period 1 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 1 0 0 0
Closed during the reporting period 1 0 0 0
Pending at the end of the reporting period 0 0 0 0

6.2 Recommendations and completion time for consultations received from other government institutions
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 1 0 0 0 0 0 0 1
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 1 0 0 0 0 0 0 1

6.3 Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7 – Completion time of consultations on Cabinet confidences

Number of days Number of responses received Number of responses received past deadline
1 to 15 0 0
16 to 30 0 0
31 to 60 0 0
61 to 120 0 0
121 to 180 0 0
181 to 365 0 0
More than 365 0 0
Total 0 0

Part 8 – Resources related to the Privacy Act

8.1 Costs
Expenditures Amount ($)
Salaries $306,652
Overtime $1,176

Goods and Services

$61,845
  • Contracts for privacy impact assessments
$0  
  • Professional services contracts
$33,195
  • Other
$28,650
Total   $369,673

8.2 Human Resources
Resources Dedicated full-time Dedicated part-time Total
Full-time employees 0.00 3.85 3.85
Part-time and casual employees 0.00 0.73 0.73
Regional staff 0.00 0.00 0.00
Consultants and agency personnel 0.00 0.38 0.38
Students 0.00 0.00 0.00
Total 0.00 4.96 4.96

Annex D – Supplementary Report

Previously released ATI package released informally
Institution Number of informal releases of previously released ATI packages
Shared Services Canada 59

 

Completed Privacy Impact Assessments (PIAs)
Institution Number of Completed PIAs
Shared Services Canada nil

 

Completion Time of Consultations on Cabinet Confidences under the ATIA – Requests with Legal Services
Number of Days Fewer Than 100
Pages Processed
101–500
Pages Processed
501–1,000
Pages Processed
1,001–5,000
Pages Processed
More Than 5,000
Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 3 32 0 0 0 0 0 0 0 0
61 to 120 7 40 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 10 72 0 0 0 0 0 0 0 0

 

Completion Time of Consultations on Cabinet Confidences under the ATIA – Requests with Privy Council Office
Number of Days Fewer than 100
pages processed
101–500
pages processed
501–1,000
pages processed
1,001–5,000
pages processed
More than 5,000
pages processed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 2 4 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 2 4 0 0 0 0 0 0 0 0

 

Completion Time of Consultations on Cabinet Confidences under the PA – Requests with Legal Services
Number of Days Fewer than 100
pages processed
101–500
pages processed
501–1,000
pages processed
1,001–5,000
pages processed
More than 5,000
pages processed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

 

Completion Time of Consultations on Cabinet Confidences under the PA - Requests with Privy Council Office
Number of Days Fewer than 100
pages processed
101–500
pages processed
501–1,000
pages processed
1,001–5,000
pages processed
More than 5,000
pages processed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
Number
of requests
Pages
disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0


Free PDF download

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet:

Page details

Date modified: