Annual Report to Parliament on the Administration of the Privacy Act – 2017-18
Table of contents
- Introduction
- Institutional Mandate and Organization
- Delegated authority
- Access to Information and Privacy Division structure
- Words of recognition
- Dedicated to Access to Information and Privacy excellence
- Interpretation of the Statistical Report—requests for Personal Information and Consultations
- Institutional Access to Information and Privacy training and awareness activities
- Access to Information and Privacy Policy Instruments, Procedures and Initiatives
- Complaints and Audits
- Parliamentary affairs
- Breaches
- Privacy impact assessments
- Ongoing PIA files
- Next steps for the year ahead
- Annex A—Partner organizations
- Annex B—Delegated authority
- Annex C—Statistical report
Annual Report to Parliament on the Administration of the Privacy Act – 2017-18 (Shared Services Canada)
© Her Majesty the Queen in Right of Canada, as represented by the Minister responsible for Shared Services Canada, 2018
Cat. No. P115-4E-PDF
ISSN 2369-4599
Annual Report to Parliament on the Administration of the Privacy Act - 2017-18 (PDF Version, 1.3 MB)
Free PDF download available
Introduction
Privacy Act
The Privacy Act came into effect on July 1, 1983. The Privacy Act protects the privacy of individuals with respect to their personal information held by government institutions. It establishes the rules for the collection, use, disclosure, retention and disposal of such information. It also provides individuals with a right to be given access to, and to request a correction of, their personal information.
Section 72 of the Privacy Act (the Act) requires that the head of every government institution submit an annual report to Parliament on the administration of the Act within the institution for the past fiscal year. It is under this provision that the present annual report is tabled in Parliament.
The present annual report describes how Shared Services Canada (SSC) administered the Privacy Act for the period from April 1, 2017 to March 31, 2018.
Institutional Mandate and Organization
Shared Services Canada (SSC) was created on August 4, 2011 to transform how the Government of Canada manages its information technology (IT) infrastructure. SSC delivers email, data centre, network and workplace technology device services to departments and agencies in a consolidated and standardized manner to support the delivery of Government of Canada programs and services. With a whole-of-government approach to IT infrastructure services, SSC is generating economies of scale to deliver more efficient, reliable and secure IT infrastructure services. SSC also provides certain optional technology services to other organizations on a cost-recovery basis.
The Shared Services Canada Act recognizes that the Government of Canada wishes to standardize and streamline, within a single shared services entity, certain administrative services that support government institutions. Through orders-in-council (OIC), the Department received specific responsibilities in the area of IT infrastructure services.
SSC’s focus is to maintain and improve IT service delivery across the Government of Canada, enhance security, and implement government-wide solutions to transform IT infrastructure to improve value for money and services to Canadians.
SSC is working with the information and communications technology sector to deliver an enterprise-wide email system, consolidate and modernize government data centres, and transform telecommunications services. Budget 2013 further expanded SSC’s mandate, adding the consolidation of government-wide procurement of software and hardware for workplace technology devices (e.g., printers, desktop and laptop computers).
SSC contributes to the achievement of other critically important Government of Canada initiatives, including border security, benefit payments and weather forecasting, as well as the vision of the future Public Service as articulated in Blueprint 2020. In addition, SSC works collaboratively with Government of Canada cyber security agencies to improve cyber and IT security.
As of September 1, 2015, OIC 2015-1071 provides SSC with the authority to offer any or all of its services to any federal government entity on a voluntary basis, as well as to another Canadian jurisdiction or a foreign government, as long as there are no additional costs incurred or additional resources allocated by SSC. The OIC also expands the mandatory nature of a sub-set of SSC services related to email, data centres and networks to a range of new clients. Most small departments and agencies previously not served, or served only on an optional basis, are set out as mandatory clients for this sub-set of services.
Delegated authority
In August 2015, pursuant to section 73 of the Privacy Act, the President authorized the delegation instrument by reconfirming full powers, duties and functions under the Act to levels down to and including the Director of the Access to Information and Privacy (ATIP) Protection Division, hereafter referred to as the ATIP Division (see Annex B).
ATIP Division structure
During the reporting period, the ATIP Division structure remained the same as reported in previous reports, with a director and two deputy directors, each overseeing teams of analysts for the Operations side as well the Policy and Governance side. While an average of 21 person years were dedicated to the ATIP program, just over six person years were dedicated to the administration of the Privacy Act. These person years include full-time equivalents, casual employees, and students.
The Operations team within the ATIP Division is responsible for processing requests under the Privacy Act and its accompanying piece of legislation, the Access to Information Act. This includes liaising with subject-matter experts within SSC, performing a line-by-line review of records requested, and conducting external consultations as required to balance the public’s right of access and the government’s need to safeguard certain information in limited and specific cases. The Operations team provides briefings for the senior management team as required on matters relating to requests and institutional performance. This team is also the main point of contact with the Offices of the Privacy and Information Commissioners of Canada with respect to the resolution of complaints related to requests under both Acts.
The Policy and Governance team within the ATIP Division provides policy advice and guidance to SSC’s senior management team on access to information and the protection of personal information. This team also develops ATIP policy instruments, processing products and tools. It is responsible for assisting program officials when they conduct privacy impact assessments (PIA) and draft personal information-sharing agreements to ensure that privacy legislation and policy requirements are respected. It also liaises with employees and prepares and delivers training and awareness sessions throughout SSC. In addition, the team co-ordinates SSC’s annual reporting requirements and publishes SSC’s Info Source chapter.Footnote 1 Lastly, it is the main point of contact with the Offices of the Privacy and Information Commissioners of Canada with respect to various audits, reviews, systemic investigations and privacy breaches.
Words of recognition
The SSC ATIP Division was founded on experience and guided by service excellence. This is a testament to work and commitment by the former Acting Director General and Chief Privacy Officer (Monique McCulloch).
Till her recent retirement, Monique McCulloch had been the only Director of the Access to Information and Privacy Division at SSC since its creation in August of 2011. The creation of a new federal government department is uncommon, let alone a unique IT department such as SSC.
Since her appointment as Director of ATIP, Ms. McCulloch not only built the ATIP Division from the ground up, she also led her team in the creation and implementation of instrumental policies, including five directives as well as nine accompanying standards. Together, these policies ensure the collection, use, retention, disclosure and disposal of personal information respects the Privacy Act and related policy instruments throughout the initiation, analysis, design, development, implementation and post-implementation phases of all its program or service delivery activities within SSC. The ATIP Division’s success since its creation led to the division receiving the 2017 Excellence in Access to Information Award from The Chief Information Officer Council Community. This award recognized Ms. McCulloch’s leadership across the Government of Canada in developing and implementing Comprehensive governance and accountability relating to personal information handling practices as well as in facilitating timely access in the unique landscape of information holdings that exist between SSC and partners.
Over the course of her 35 year career, Ms. McCulloch has facilitated and changed the way the public is able to access government records as well as steadfastly adding rigor to the protection of personal information in a complex evolving IT environment. Her dedication and strong leadership, coupled with her vast experience, are truly remarkable. Ms. McCulloch retired from the federal government at the end of April. Shared Services Canada and the federal ATIP community have been most fortunate to have had such a dedicated and competent person. She will be missed and the SSC ATIP Division wish her the very best in this next stage of her life.
Dedicated to ATIP excellence
The ATIP Division is responsible for developing, coordinating, implementing and monitoring compliance with effective ATIP-related policies, guidelines, systems and procedures across SSC. This enables SSC to meet the requirements and to fulfill its obligations under the Privacy Act and its accompanying piece of legislation, the Access to Information Act.
The main activities of the ATIP Division are as follows:
- Receiving, coordinating and processing requests under the Privacy Act and the Access to Information Act
- Responding to consultations from other government institutions regarding SSC information under consideration for release
- Developing and maintaining SSC-specific policy instruments in support of access and privacy legislation
- Developing and delivering ATIP awareness and training across SSC so that employees and management understand their roles and responsibilities
- Supporting a network of ATIP liaison officers across SSC who assist with requests by coordinating the retrieval of records and recommendations from within their branch or region
- Monitoring institutional compliance with both Acts and their regulations, as well as relevant procedures and policies
- Preparing annual reports to Parliament on the administration of the Acts, as well as other material that may be required by central agencies
- Developing the SSC ATIP Logic Model which is a representation of how the ATIP program is intended to work and what we set out to accomplish. SSC ATIP is the first ATIP Division to accomplish this task which meets Treasury Board of Canada Secretariat (TBS) Policy
- Representing SSC in dealings with TBS, and the Offices of the Privacy and Information Commissioners of Canada regarding the application of both Acts as they relate to SSC
- Supporting SSC in meeting its commitments to openness and transparency through the proactive disclosure of information and the release of information via informal avenues, such as the Open Government portal
- Supporting the Corporate Secretariat’s Business Process Transformation by simplifying the access to information request process to ensure timeliness and quality review of the information
- Monitoring ATIP tasking performance and reporting to senior management on a monthly basis; and
- Participating in whole-of-government initiatives for the federal ATIP community
The administration of the Acts by the ATIP Division is facilitated at the branch and directorate level of SSC. Each organizational branch and directorate has an ATIP Liaison Officer who coordinates the collection of requested records and information and provides guidance to branch and directorate managers on the application of the Acts.
Interpretation of the Statistical Report—Requests for Personal Information and Consultations
The Statistical Report (Annex C) on the administration of the Privacy Act provides a summary of the personal information requests and consultations processed during the 2017–2018 reporting period.
Overview of Workload (Annex C, Parts 1 and 2, Table 2.5.1, Table 2.6.2)
During the reporting period, the ATIP Division received 90 requests under the Privacy Act and carried forward zero requests from the previous reporting period. There was one consultation under the Privacy Act received from other government institutions. The ATIP Division processed 85 requests and, as such, 5 Privacy Act requests will be carried over to the next reporting year.
The number of requests received under the Privacy Act during this reporting period decreased slightly compared to the previous reporting period (in which 111 requests had been received). Out of 11,728 pages processed by the ATIP Division, 6,281 were deemed relevant to the Privacy Act requests and were either disclosed in whole or in part.
Although requests under the Privacy Act decreased by 19 percent the pages processed increased by 82 percent while the pages disclosed in whole or in part more than doubled with an increase of 109 percent.
The ATIP Division ensures that it monitors on a weekly basis its turnaround times in processing requests and tracks the timeliness of their completion. In this reporting period, all Privacy Act requests processed were completed within legislated timelines.
Requests Received (Annex C, Part 1)
During the reporting period, 90 requests were received under the Privacy Act. No requests from the previous reporting period were carried forward, for a total of 90 requests requiring action for this reporting period.
Disposition of Requests Completed (Annex C, Part 2, Table 2.1)
By the end of the reporting period, 85 requests were completed and 5 requests will be carried over to the next reporting period. Of these, 24 requests were disclosed in part and seven were released in their entirety. It should be noted as well that eight requests were abandoned and 46 requests yielded no responsive records as they were for the most part misdirected.
Completion Time (Annex C, Part 2, Table 2.1)
The Privacy Act sets the timelines for responding to privacy requests. It also allows for extensions in cases where responding to the request requires the review of a large volume of information or extensive consultations with other government institutions or other third parties. Of the 85 completed requests, 88 percent were completed by the 30-day deadline. The remaining 12 percent of the requests received were completed within the lawful time extension of 30 additional days.
Exemptions Invoked (Annex C, Part 2, Table 2.2)
The Privacy Act allows, and in some instances requires, that some personal information be exempted and not released. For example, personal information may be exempted when it relates to law enforcement investigations, another individual besides the requester, or when it is subject to solicitor-client privilege.
During the reporting period, 23 requests required that information be withheld because it related to another individual, and was therefore exempted under section 26 of the Privacy Act. Only one request required an exemption to be applied to information subject to solicitor-client privilege under section 27 of the Act.
Exclusions Cited (Annex C, Part 2, Table 2.3)
The Privacy Act does not apply to information that is already publicly available, such as government publications and material in libraries and museums. It also excludes material such as Cabinet confidences.
There were no exclusions cited in the requests completed during the reporting period.
Disclosure of Personal Information Pursuant to Paragraphs 8(2)(e) and (m) (Annex C, Part 3)
Paragraph 8(2)(e) of the Privacy Act allows the head of the institution to disclose personal information without the consent of the affected individual where such information is requested in writing by a designated investigative body for law enforcement purposes. During the reporting period, SSC made no disclosures of personal information under this provision.
Paragraph 8(2)(m) of the Privacy Act allows the head of the institution to disclose personal information without the consent of the affected individual in cases where, in the opinion of the head, the public interest outweighs any invasion of privacy that could result from the disclosure or when it is clearly in the best interest of the individual to disclose. During the reporting period, SSC made one disclosure of personal information under this provision. Subsection 8(5) of the Privacy Act obliges the head of the institution to notify the Office of the Privacy Commissioner of Canada prior to, or if not practical, forthwith on, any disclosure under paragraph 8(2)(m). As SSC made one disclosure of personal information under that provision, there was a notification made to the Office of the Privacy Commissioner of Canada as required under subsection 8(5) of the Act.
Extensions (Annex C, Part 5, Table 5.1)
Extensions permissible under section 15 of the Privacy Act were invoked for 10 requests.
Consultations (Annex C, Part 6)
During the reporting period, SSC received one consultation under the Privacy Actfrom other government institutions and reviewed 29 pages.
Costs (Annex C, Part 10)
According to the information provided by SSC’s Finance Division in April 2018, during the reporting period, the ATIP Division spent a total of $427,981 for the administration of the Privacy Act, of which $380,268 was spent on salaries and $47,713 was spent on goods and services.
Comparative Review
| Fiscal Year | Requests Received | Total Pages Processed |
|---|---|---|
| 2011-12 | 0 | 0 |
| 2012-13 | 6 | 869 |
| 2013-14 | 71 | 16,403 |
| 2014-15 | 72 | 2,601 |
| 2015-16 | 123 | 6,268 |
| 2016-17 | 111 | 6,428 |
| 2017-18 | 90 | 11,728 |
Since the creation of SSC, there has been a steady increase in number of requests and volume of pages processed by the ATIP Division. It should be also noted that the number of pages processed has increased significantly.
Institutional ATIP training and awareness activities
For this reporting period, the ATIP Division continued embedding and fostering a culture of ATIP excellence across SSC, with a focus on developing and delivering training and awareness activities that result in openness and transparency for avoiding obstruction of ATIP legislation and privacy breaches.
In order to ensure that all SSC employees, regardless of their position or level, are made aware of their responsibilities related to ATIP and that they gain an in-depth understanding of the related best practices and principles, SSC launched, in collaboration with the Canada School of Public Service (CSPS), the online Access to Information and Privacy Fundamentals course (I015) on July 14, 2016. While this course is optional for all federal public service employees through the CSPS website, its completion has been made mandatory for all SSC employees. For this reporting period, approximately 697 SSC employees successfully completed the course I015 - Access to Information and Privacy Fundamentals.
The ATIP division operated without an ATIP training facilitator for a large portion of this reporting period, yet still successfully delivered fourteen internal training and awareness sessions, to approximately 244 participants, which included SSC Executives, Managers and employees at all levels.
In order to assess and continually improve the effectiveness of its training activities, the ATIP Division welcomed feedback directly from participants regarding their training experience. Based on the feedback received, these sessions have all been very well received and participants have indicated their high satisfaction with these sessions, which has resulted in requests for additional awareness sessions for new staff in the coming fiscal year.
It should be noted that while significant training has been delivered to ATIP Liaison Officers and subject matter experts in our offices of primary interest, ATIP Analysts working in the ATIP Division have also taken the necessary measures to continually gain new knowledge and remain informed in relation to both legislation and emerging trends. Furthermore, our ATIP Analysts have attended ATIP community meetings, conferences, and ATIP-related training sessions offered through various means, including certification training through the International Association of Privacy Professionals.
Training for the ATIP Liaison officer network
As the primary point of contact for a branch or directorate, an ATIP Liaison Officer must have an in-depth understanding of the ATIP process and a heightened understanding of the legislation. During this reporting period, the ATIP Division delivered two training sessions specifically tailored to our ATIP Liaison Officers and their delegates, to a total of approximately 17 participants. There were fewer participants in these sessions than in the previous reporting period, largely owing to the more extensive Liaison Officer training sessions delivered last year (to 42 participants over five sessions). It should also be noted that during this current reporting period, many ATIP Liaison Officers and their delegates, new to SSC, participated in ATIP awareness sessions targeting offices of primary interest and their subject matter experts.
During the next reporting period, the ATIP office plans to schedule a series of meetings with the Liaison Officers, their delegates, and offices of primary interest subject matter experts to discuss specific issues in processing requests received. These meetings will enable the ATIP Division to continue to maintain and build strong working relationships with our offices of primary interest and to refine its processes in order to deliver the best service possible to its internal and external clients.
ATIP training for subject matter experts in offices of primary interest
During the reporting period, the ATIP Division delivered nine office of primary interest training sessions targeting various branches within SSC: Data Centre Services, Networks and End User, Corporate Services, Audit and Evaluation and Project Management and Delivery, to a total of approximately 126 participants. Furthermore, a total of five sessions opened to all SSC subject matter experts was delivered to approximately 108 participants. A total of 14 sessions totaling 234 employees.
ATIP awareness for SSC Executives
During this reporting period, no awareness sessions were delivered specifically to Executives, due to the fact that last reporting period two sessions were provided to SSC Executives which totaled 80 participants; however, for this reporting period, 13 SSC Executives participated in awareness sessions for our offices of primary interest and subject matter experts, which focused on general ATIP awareness and the communication of SSC ATIP policy instruments.
ATIP in the Government of Canada
The Director of SSC’s ATIP Division also continues to deliver, for the CSPS, the courses entitled, Access to Information in the Government of Canada (I701) and Privacy in the Government of Canada (I702), which are intended for federal public servants.
Collaboration with the ATIP community
During the reporting period, the Director of SSC’s ATIP Division presented SSC’s ATIP policy instruments to participants at the Access to Information and Privacy Practitioners’ Meeting. Such meetings bring together ATIP analysts from across the federal ATIP community, and serve as an opportunity for the community members to exchange ideas on issues related to the field and to be updated on developing trends. SSC’s ATIP policy instruments were made available to the ATIP community for other departments to leverage for their own purposes.
For this reporting period, the ATIP Division developed a self-paced processing guide for each office of primary interest to use as a tool for responding to their individual Info Source chapters.
Info Source at SSC
Info Source is a publication that lists and describes the information holdings of all federal departments and is a reference tool that assists individuals in submitting requests.
For this reporting period, the ATIP Division developed a self-paced processing guide for each office of primary interest to use as a tool for responding to their individual Info Source chapters.
ATIP training for GCDOCS coaches
GCDOCS is the secure information repository used by SSC (up to Protected B). It enables employees to create, save and share documents digitally within SSC.
The ATIP Division, in collaboration with SSC’s Information Management Quality Control (IMQC) team, have developed a hands-on information session on GCDOCS, which is compulsory for any potential privacy breaches that resulted from improper permissions and access restrictions to a record in GCDOCS. During this reporting period, this training served as a reminder to 68 SSC employees of the best practices related to information management and security when handling personal information and of the privacy and security considerations related to access permissions when creating, saving and sharing documents in GCDOCS —considerations to be shared within their own work groups (the “need to know” principle).
Right to Know Week
In 2017, Right to Know (RTK) Week took place from September 26 to October 2 in Canada. Initiated in Bulgaria on September 28, 2002, International Right to Know Day is intended to raise awareness of an individual’s right to access government information while promoting freedom of information as an essential feature of both democracy and good governance. SSC advanced awareness of RTK Week by highlighting it in its weekly bulletin to employees.
Remaining informed
The Policy and Governance team of the ATIP Division conducts a media scan, on a daily basis, for any articles that may be relevant to the field of ATIP and to SSC. These scans, which are shared with the Corporate Secretariat and colleagues within Security, help employees remain aware of ongoing issues in the field and emerging trends.
ATIP Policy Instruments, Procedures and Initiatives
ATIP Management framework
While SSC continues to be a pioneer in the ATIP Community while revising its ATIP policy instruments as needed, during the reporting period, it also published the following - SSC ATIP Logic Model and Performance Indicators, which was approved by Senior Management in March 2016. They are described below:
- SSC ATIP Logic Model — This model is a representation of how the ATIP program is intended to work and what we set out to accomplish. The model links outcomes with processes and the roles and responsibilities that govern our Division. It outlines the relationship between resources, activities and results as they relate specifically to our Division and desired outcomes. This Logic Model essentially demonstrates a concise representation of each element of the operation and the value it generates as part of a larger process.
- Performance Indicators — The indicators were developed to monitor the efficiency with which the ATIP Division processes various requests. The statistics provide a synopsis of the actual performance relative to the established standards and guidelines. The collection of this data will assist the ATIP Division in identifying areas of improvement so as to deliver a more effective service.
SSC Enterprise services—Functional direction 6.0
SSC updated its Functional Direction during the reporting period. It provides guidance and principles to follow for aligning existing services during the transition to enterprise services. Through an associated communiqué, the Senior Assistant Deputy Minister of Strategy at SSC emphasized that it was essential that the Functional Direction be applied consistently by all operational teams for sourcing and deploying SSC services.
Privacy-by-design is a concept that was included in the updated version of the Functional Direction. The sixth governing principle states that during the project initiation phase, necessary security and privacy controls for all projects must be incorporated and remain in place throughout the life cycle of the project, that is, from initiation to implementation.
“Duty to Assist” principle
The ATIP Division’s process under the Privacy Act is based on the “duty to assist” principle, which is defined in the TBS Directive on Privacy Requests and Correction of Personal Information as follows:
- Process requests without regard for the identity of the applicant
- Offer reasonable assistance throughout the request process
- Provide information on the Privacy Act, including information on the processing of requests and the right to complain to the Information Commissioner of Canada
- Inform the applicant as appropriate and without undue delay when the request needs to be clarified
- Make every reasonable effort to locate and retrieve the requested records under the control of the institution
- Apply limited and specific exemptions to the requested records
- Provide accurate and complete responses
- Provide timely access to the requested information
- Provide records in the format and official language requested, as appropriate
- Provide an appropriate location within the institution to examine the requested information
SSC’s ATIP process is further supported by best practices within the federal ATIP community, which enable SSC to meet the challenges of responding in a timely manner to Privacy Act requests for access and consultations.
ATIP process manual
During the reporting period, the ATIP Division continued to update its procedural manual to guide ATIP staff in processing requests received under the Privacy Act and its accompanying piece of legislation, the Access to Information Act. The manual provides information about the types of documents processed and how they should be handled pursuant to the Acts. The manual serves as a reference tool for ATIP staff and is designed to ensure consistent application of the Acts and related policy instruments. Further, the manual supports SSC’s “duty to assist” all applicants, so that all reasonable effort is made to help applicants receive complete, accurate and timely responses in accordance with the legislation.
SSC has developed internal procedures and guidelines to ensure appropriate monitoring of and reporting on ATIP requests, as well as compliance with TBS policies and guidelines. They provide important checks and balances required to maintain full compliance.
Control of records and partner organizations
Given SSC’s mandate, there are challenges surrounding the roles and responsibilities under the Privacy Act. Section 16 of the Shared Services Canada Act states that:
“…for the purposes of the Privacy Act, personal information that is collected by other government institutions […] that is, on behalf of those institutions or organizations, contained in or carried on Shared Services Canada’s information technology systems is not under the control of Shared Services Canada.”
Given the unique relationship between SSC and its partner organizations, from time to time the partner organizations may require SSC’s assistance to access their data residing on the SSC IT infrastructure. When all efforts by partners to retrieve records internally have been unsuccessful, the primary contact within SSC to facilitate partner access to their data is SSC’s Security Operations Centre (SOC). The SOC’s assistance may be requested in the following cases, if attempts by partner organizations have been unsuccessful:
- When partners receive ATIP requests for their records (records under their control residing on the SSC IT infrastructure)
- When partners are subject to court orders, subpoenas, warrants or any other binding order made by a person or body with jurisdiction to compel the production of records
- When a lawful investigation (administrative or criminal) requires the retrieval of records residing on the SSC IT infrastructure
As previously indicated, the related policy has been shared on several occasions with SSC’s partner organizations through various forums where SSC’s Director of ATIP has given presentations on the matter. It is also available to partner organizations on SSC’s Serving Government website.
Info Source update
Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. It provides individuals as well as current and former employees of the government with relevant information to assist them in accessing personal information about them held by government institutions subject to the Privacy Act and exercising their rights under the Privacy Act.
TBS requires that government institutions publish their own Info Source chapter on their Internet site. During the reporting period, SSC completed its review of its Info Source chapter and met all legislative and TBS mandatory requirements. In fact, SSC received notification from TBS that the 2016-2017 update was deemed excellent.
Complaints and Audits
Complaints
SSC was not subject to any complaints under the Privacy Act during the reporting period.
Audits
During the reporting period, no audits involving SSC were completed by the Office of the Privacy Commissioner of Canada pursuant to section 37 of the Privacy Act.
Parliamentary affairs
During the period under review, three order paper questions were placed by members of Parliament with respect to the following: contingency plans for ATIP requests processed during a postal disruption, ATIP requests received and processed within the threshold and ATIP reported privacy breaches. SSC provided its written responses. Upon request, these responses are available to the public via the Library of Parliament.
Breaches
During the reporting period, no material breach occurred or reported to the Office of the Privacy Commissioner of Canada.
Privacy impact assessments
Summaries of completed PIAs are posted on SSC’s Internet site: Publications—Access to Information and Privacy.
In keeping with the guidance from the Office of the Privacy Commissioner of Canada and the Treasury Board Directive on Privacy Impact Assessment, privacy risks identified in PIAs are aligned with the 10 universal privacy principles found in the Canadian Standards Association’s Model Code for the Protection of Personal Information. In addition, privacy and security controls are required to be in place during the life cycle of projects at SSC, as recommended through SSC’s Functional Direction 6.0.
During the reporting period, SSC completed the PIA for the Electronic Procurement and Payment system (also known as P2P). It is important to note that the PIA was completed during the 2016-17 fiscal year, however the executive summary was published and the PIA document was sent to TBS and OPC in the 2017-18 fiscal year.
Ongoing PIA files
SSC continues to work on initiated PIAs and privacy risk checklists for projects such as the following:
- Videoconferencing Enterprise Service
- Workplace Communication Service Internet Protocol Telephony (including Voice over Internet Protocol)
- Hosted Contact Centre Service
- Government of Canada Internal Centralized Authentication Service
- Government of Canada Managed Security Services
- Conflict of Interest and Disclosure System
- Emergency Attendance Report System
- Workplace Technology Devices—Printing Products Procurement Project
- Data Centre Consolidation
- Enterprise Mobile Device Management
SSC continues to monitor the mitigation strategies identified in all PIA actions plans.
Next steps for the year ahead
SSC’s ATIP Division will continue to be innovative in its administration of the Privacy Act and take part in SSC internal services transformation initiatives as well as federal ATIP community initiatives. The ATIP Division is committed to further supporting SSC as it instils a culture of service excellence and moves toward an efficient and modern paperless environment.
At the end of the reporting period, the ATIP Division was mapping its information holdings against SSC’s 2017–18 Program Alignment Architecture. This initiative will assist in further defining SSC’s information holdings for the purpose of enhancing the clarity of its Info Source chapter.
The ATIP Division will continue to foster the development of knowledge tools for the ATIP Liaison Network as well as to provide ATIP training and awareness opportunities for executives, managers and employees across the Department. Meetings will be scheduled with liaison officers, their delegates and office of primary interest subject matter experts for the purpose of discussing issues related to the processing of requests, to further awareness and refine processes. The liaison officers play a crucial role in ensuring the Department fulfills its legislative requirement and, this being the case, their involvement, expertise, and collaboration are invaluable.
Finally, it should also be noted that the ATIP Division has developed a Logic Model and performance measurement indicators in relation to its ATIP Management Framework and its 14 policy instruments, which consist of desired outcomes, performance indicators and targets. This exercise will enable the ATIP Division to gauge the efficacy of its policy instruments. The Logic Model was posted to the SSC Intranet in the summer of 2017.
Annex A—Partner organizations
- Agriculture and Agri-Food Canada
- Atlantic Canada Opportunities Agency
- Canada Border Services Agency
- Canada Economic Development for Quebec Regions
- Canada Revenue Agency
- Canada School of Public Service
- Canadian Food Inspection Agency
- Canadian Heritage
- Canadian Northern Economic Development Agency
- Canadian Nuclear Safety Commission
- Canadian Space Agency
- Correctional Service Canada
- Department of Finance Canada
- Department of Justice Canada
- Employment and Social Development Canada
- Environment and Climate Change Canada
- Federal Economic Development Agency for Southern Ontario
- Financial Transactions and Reports Analysis Centre of Canada
- Fisheries and Oceans Canada
- Global Affairs Canada
- Health Canada
- Immigration and Refugee Board of Canada
- Immigration, Refugees and Citizenship Canada
- Indigenous and Northern Affairs Canada
- Infrastructure Canada
- Innovation, Science and Economic Development Canada
- Library and Archives Canada
- National Defence
- National Research Council Canada
- Natural Resources Canada
- Parks Canada
- Privy Council Office
- Public Health Agency of Canada
- Public Safety Canada
- Public Service Commission of Canada
- Public Services and Procurement Canada
- Royal Canadian Mounted Police
- Statistics Canada
- Transport Canada
- Treasury Board of Canada Secretariat
- Veterans Affairs Canada
- Western Economic Diversification Canada
Annex B—Delegated authority
Privacy Act Designation Order
The President of Shared Services Canada, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons acting in those positions, to exercise the powers and perform the duties and functions of the President of Shared Services Canada as the head of a government institution under all sections of the Privacy Act. This designation is effective immediately upon being signed.
SCHEDULE
- Chief Operating Officer
- Senior Assistant Deputy Minister and Chief Financial Officer, Corporate Services
- Corporate Secretary and Chief Privacy Officer
- Director, Access to Information and Privacy Protection Division
Ron Parker
Ottawa,
Annex C—Statistical report
Name of institution: Shared Services Canada
Reporting period: 2017-04-01 to 2018-03-31
Part 1: Requests Under the Privacy Act
| Number of Requests | |
|---|---|
| Received during reporting period | 90 |
| Outstanding from previous reporting period | 0 |
| Total | 90 |
| Closed during reporting period | 85 |
| Carried over to next reporting period | 5 |
Part 2: Requests Closed During the Reporting Period
2.1 Disposition and completion time
| Disposition of Requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 5 | 2 | 0 | 0 | 0 | 0 | 0 | 7 |
| Disclosed in part | 2 | 12 | 9 | 1 | 0 | 0 | 0 | 24 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 45 | 1 | 0 | 0 | 0 | 0 | 0 | 46 |
| Request abandoned | 8 | 0 | 0 | 0 | 0 | 0 | 0 | 8 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 60 | 15 | 9 | 1 | 0 | 0 | 0 | 85 |
2.2 Exemptions
| Section | Number of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| Section | Number of Requests |
|---|---|
| 22(1)(a)(i) | 0 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 0 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 0 |
| Section | Number of Requests |
|---|---|
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 0 |
| 26 | 23 |
| 27 | 1 |
| 28 | 0 |
2.3 Exclusions
| Section | Number of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| Section | Number of Requests |
|---|---|
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| Section | Number of Requests |
|---|---|
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
2.4 Format of information released
| Disposition | Paper | Electronic | Other formats |
|---|---|---|---|
| All disclosed | 6 | 1 | 0 |
| Disclosed in part | 3 | 21 | 0 |
| Total | 9 | 22 | 0 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
| Disposition of Requests | Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|---|
| All disclosed | 163 | 102 | 7 |
| Disclosed in part | 11565 | 6179 | 24 |
| All exempted | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 8 |
| Neither confirmed nor denied | 0 | 0 | 0 |
| Total | 11728 | 6281 | 39 |
2.5.2 Relevant pages processed and disclosed by size of requests
| Disposition | Less Than 100 Pages Processed |
101-500 Pages Processed |
501-1000 Pages Processed |
1001-5000 Pages Processed |
More Than 5000 Pages Processed |
|||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| All disclosed | 7 | 102 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 10 | 425 | 8 | 1302 | 2 | 682 | 4 | 3770 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 8 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 25 | 527 | 8 | 1302 | 2 | 682 | 4 | 3770 | 0 | 0 |
2.5.3 Other complexities
| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 0 | 5 | 0 | 6 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 0 | 5 | 0 | 6 |
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
| Number of Requests Closed Past the Statutory Deadline | Principal Reason | |||
|---|---|---|---|---|
| Workload | External Consultation | Internal Consultation | Other | |
| 0 | 0 | 0 | 0 | 0 |
2.6.2 Number of days past deadline
| Number of Days Past Deadline | Number of Requests Past Deadline Where No Extension Was Taken | Number of Requests Past Deadline Where An Extension Was Taken | Total |
|---|---|---|---|
| 1 to 15 days | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 |
| 31 to 60 days | 0 | 0 | 0 |
| 61 to 120 days | 0 | 0 | 0 |
| 121 to 180 days | 0 | 0 | 0 |
| 181 to 365 days | 0 | 0 | 0 |
| More than 365 days | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
2.7 Requests for translation
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Part 3: Disclosures Under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 1 | 1 | 2 |
Part 4: Requests for Correction of Personal Information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 0 |
| Total | 0 |
Part 5: Extensions
5.1 Reasons for extensions and disposition of requests
| Disposition of Requests Where an Extension Was Taken | 15(a)(i) Interference With Operations |
15(a)(ii) Consultation |
15(b) Translation or Conversion |
|
|---|---|---|---|---|
| Section 70 | Other | |||
| All disclosed | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
5.2 Length of extensions
| Length of Extensions | 15(a)(i) Interference with operations |
15(a)(ii) Consultation |
15(b) Translation purposes |
|
|---|---|---|---|---|
| Section 70 | Other | |||
| 1 to 15 days | 0 | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
Part 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during the reporting period | 1 | 29 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 1 | 29 | 0 | 0 |
| Closed during the reporting period | 1 | 29 | 0 | 0 |
| Pending at the end of the reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed |
1001-5000 Pages Processed |
More than 5000 Pages Processed |
|||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of Days | Fewer Than 100 Pages Processed | 101‒500 Pages Processed | 501-1000 Pages Processed |
1001-5000 Pages Processed |
More than 5000 Pages Processed |
|||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | Number of Requests |
Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8: Complaints and Investigations Notices Received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 |
Part 9: Privacy Impact Assessments (PIAs)
| Number of PIA(s) completed | 1 |
Part 10: Resources Related to the Privacy Act
10.1 Costs
| Expenditures | Amount | |
|---|---|---|
| Salaries | $380,268 | |
| Overtime | $0 | |
| Goods and Services | $47,713 | |
|
$0 | |
|
$47,713 | |
| Total | $427,981 | |
10.2 Human Resources
| Resources | Person Years Dedicated to Privacy Activities |
|---|---|
| Full-time employees | 5.52 |
| Part-time and casual employees | 0.00 |
| Regional staff | 0.00 |
| Consultants and agency personnel | 0.00 |
| Students | 0.50 |
| Total | 6.02 |
Note: Enter values to two decimal places.
Free PDF download
To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet:
Page details
- Date modified: