Part II: Report on the Privacy Act
Annex A: Delegation of Authority (Excerpt)
Annex B: Privacy Act, Sections 8 and 9 (Excerpt)
Annex C: Statistical Report - Privacy Act
The Privacy Act (Revised Statutes of Canada, 1985, Chapter P-21) was proclaimed on July 1, 1983. The Act was amended as a result of the royal assent of the Federal Accountability Act on December 12, 2006. Certain provisions came into force on December 12, 2006, and others took effect on April 1, 2007 and September 1, 2007.
The Privacy Act extends to individuals the right of access to information about themselves held by the government, subject to specific and limited exceptions. The law also provides individuals the right to a reasonable expectation of privacy, including a basic right to exercise control over its collection, use and disclosure.
Section 72 of the Privacy Act requires that the head of every federal government institution prepare for submission to Parliament an annual report on the administration of the Act within the institution during each fiscal year.
This Annual Report provides a summary of the management and administration of the Privacy Act within Public Works and Government Services Canada (PWGSC) for the fiscal year 2007-2008.
Additional copies of these reports can be obtained by contacting:
Access to Information and Privacy (ATIP) Directorate
Public Works and Government Services Canada
Place du Portage, Phase III, 5C1
11 Laurier Street
Gatineau, Quebec
K1A 0S5
Telephone: 819-956-1820
Fax: 819-994-2119
PWGSC is the Government of Canada's principal provider of common and central services. We support the daily operations of 125 federal departments and agencies, and administer the legislative and policy requirements of 19 Acts of Parliament. Our operating environment is influenced by the priorities of government and the service demands of our client departments and agencies.
PWGSC has annual expenditures of approximately $5.2 billion and employs about 13,000 people. We provide a wide range of services such as purchasing goods and services, managing the government's accommodations and real estate portfolio including restoration of the Parliament Buildings, pay and compensation, Information Technology (IT), as well as industrial security, audit and linguistic services.
PWGSC has two strategic outcomes: Quality Services and Sound Stewardship. Our focus on Quality Services and Sound Stewardship contributes directly and indirectly to the Government of Canada's four strategic outcome areas: those related to economic, social, international and government affairs.
To better reflect the PWGSC approach to service delivery and organizational structure, the program activities that support our strategic outcomes have been grouped to highlight our key service areas:
The ATIP Directorate administers the provisions of the Privacy Act for PWGSC, including the two Special Operating Agencies, and the Office of the Procurement Ombudsman.
Under section 3 of the Privacy Act, the Minister of the Department is designated as the head of the government institution for the purposes of the administration of the Act.
The delegation instrument continued to be based on a centralized process with the Director, ATIP and the Managers, Risk and Quality Management having full delegated authority under the Privacy Act, with the exception of paragraph 8(2)(m) of the Act. The Chief, Privacy and Policy has limited delegation of authority under paragraph 14(a) (nil reply only) and section 15 of the Act (extension of time limits).
An excerpt of the Delegation of Authorities approved by the Minister of PWGSC is enclosed at Annex A.
The Director of the Cheque Redemption Control Directorate in Matane, Quebec shares administrative powers under paragraph 8(2)(e) of the Act in regard to releasing original cheques to law enforcement bodies. This provides administrative flexibility in processing requests for cheques.
The Director, ATIP, reports to the Director General of Executive Secretariat who, in turn, reports to the Assistant Deputy Minister of Corporate Services, Policy, and Communications Branch.
The responsibilities of the ATIP Directorate include the following:
The administration of the legislation by the ATIP Directorate is also facilitated at the branch, sector, and regional office levels. Each organizational branch has an ATIP Liaison Officer (normally reporting to an Assistant Deputy Minister, a Director General, or a Regional Director General) who coordinates the collection of information and provides guidance to branch managers on the operation of the Act, departmental directives and procedures.
Departmental Policy 002 links to the Privacy delegation of authority and sets out the definitions, and the roles and responsibilities of all stakeholders within PWGSC. An annex to the policy has been developed to outline the administrative attribution of powers and the departmental guidelines and procedures with respect to the disclosure of personal information pursuant to subsection 8(2) of the Privacy Act. Paragraphs (8)(2)(j) and (m) of the Act continue to be delegated by the Minister pursuant to section 73 of the Act. The policy will be updated during 2008-2009 to reflect changes made as a result of the TBS ATIP Policy Suite Renewal.
Departmental Policy 014 sets out the definitions and the roles and responsibilities of employees with respect to the protection of personal and private information in the workplace.
The Departmental ATIP Liaison Officer Handbook outlines the intent and the requirements of the Privacy Act and Treasury Board guidelines so that all staff are aware of their responsibilities with respect to the collection, use, disclosure, retention and disposal of personal information. In particular, staff are informed of their responsibilities to record and account for all uses and disclosures of personal information, by documenting all activities relating to personal information and by maintaining the relevant material on official departmental files.
Responsibility centres are also advised to consult with the ATIP Directorate before collecting any personal information and when there is any doubt concerning which rules to apply in the retention and disposal of personal information.
The ATIP Liaison Officer Handbook is produced by the ATIP Directorate and used as a guide to:
The ATIP Directorate has developed and regularly updates its ATIP Officer Desk Procedures manual, to standardize the work procedures used by office staff, facilitate the training of new staff and complement the processes of the electronic ATIP tracking system.
The amount of time devoted by ATIP Directorate staff to privacy issues, including the provision of advice, was similar to the last fiscal year.
As a member of the interdepartmental ATIP Working Group, which is chaired by TBS, the PWGSC ATIP Directorate has participated in the development of the revised Policy on Privacy Protection and the Directive on the Social Insurance Number (SIN) during the 2007-2008 fiscal year. The ATIP Policy Suite Renewal Initiative will be ongoing for the next couple of years.
The ATIP Directorate is represented on a departmental committee, the Computer Forensics Working Group, chaired by the Information Technology Security Directorate, where advice is required for the development of a process/protocol for ensuring that the IT evidence gathered during an investigation is preserved in a way that it can be admitted in a court of law.
During the last fiscal year, the ATIP Directorate has not given any presentation specific to privacy. However, a privacy overview is typically incorporated into the general ATIP information sessions. These are included in the PWGSC Annual Report on the Access to Information Act.
One Info Source group training session and 14 one-on-one briefings were also provided to 42 departmental Info Source Coordinators, managers and employees to provide advice and guidance with respect to TBS requirements for the personal information banks.
The ATIP Directorate must be notified where personal information in a PIB is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the Department, but where such use is not included in the statement of consistent uses published in Info Source.
One PIB was registered with the Treasury Board Secretariat in 2007-2008.
The ATIP Directorate continued to work with TBS and the PWGSC branches on the development of the following new and revised PIBs:
Central Banks (General Public)
Central Banks (Employees)
Particular Banks (General Public)
Particular Banks (Employees)
Standard Banks (General Public)
PWGSC does not have any exempt banks.
Departmental Policy 061 (Forms Management) requires that all new and revised forms that collect personal information be reviewed by the ATIP Directorate to ensure compliance with privacy legislative and policy requirements. During the 2007-2008 fiscal year, 20 requests were submitted for a compliance review and the development of the required privacy notice.
The Department processed 14 requests for the disclosure of personal information to investigative bodies during 2007-2008.
A copy of every request received under paragraph 8(2)(e) and a record of any information disclosed pursuant to the request is kept in accordance with subsection 8(4) of the Privacy Act.
During fiscal year 2007-2008, PWGSC disclosed personal information pursuant to paragraphs 8(2)(a), 8(2)(b), 8(2)(c) and 8(2)(f) of the Privacy Act. There was no disclosure made under paragraphs 8(2)(g) or 8(2)(m) of the Act.
In accordance with subsection 9(1) of the Act, the Department retains a record of any use or purpose for which the information is disclosed by the institution where the use or purpose is not identified in the relevant Personal Information Bank.
An excerpt of the Privacy Act, sections 8 and 9 is enclosed at Annex B for reference.
The following data matching and sharing activities were initiated in 2007-2008.
Use and Storage of the Social Insurance Number (SIN) for Pension Purposes
During fiscal year 2007-2008, PWGSC has been working closely with TBS on a proposal to authorize the use of the SIN for pension plan administration purposes. The use of the SIN is required to administer the legislated requirements of the Public Service Pension Plan, the Canadian Forces Pension Plan and the Royal Canadian Mounted Police (RCMP) Pension Plan. Individuals can only contribute to a maximum of 35 years among the three pension plans, and to one plan at a time for any period of service. A Memorandum of Understanding (MOU) between PWGSC, National Defence and the RCMP has been prepared and provided to TBS for their review.
Industrial Security MOUs with Foreign Nations
The Canadian and International Industrial Security Directorate is responsible for the negotiation of Industrial Security MOUs with foreign countries. Two Annexes (Protected A and Protected B Sharing of Information) were drafted for various stakeholders to review and identify privacy concerns, and provide any relevant recommendations. This initiative will be resumed in 2008-2009.
The Treasury Board of Canada approved the Privacy Impact Assessment (PIA) Policy, with an effective date of May 2, 2002. The goal of the policy is to allow government institutions to identify whether a program or a service delivery initiative, involving the collection, use or disclosure of personal information as defined in the Privacy Act, complies with the privacy principles and to help officials avoid or mitigate any identifiable risks to privacy.
The ATIP Directorate has developed a departmental PIA framework and a draft departmental PIA policy that clearly outline the review and approval process within PWGSC, as well as the roles and responsibilities of stakeholders. Project managers have followed the framework and the draft policy when conducting their PIAs.
The ATIP Directorate provides advice and guidance to PWGSC managers throughout the PIA process, including the review of draft/final PIA reports and liaison with the Office of the Privacy Commissioner.
PIAs are required when a program or service is contracted out to the private sector. Currently, when the PWGSC Legal Services unit reviews contractual terms and conditions, they inform the contracting officers to contact the ATIP Directorate to advise on the need for a PIA. The ATIP Directorate informs the contracting officers to check with their client departments and provides the name and telephone number of the client department's ATIP Coordinator. The PWGSC ATIP Directorate also advises on the requirement to include appropriate security and privacy clauses in the procurement documentation.
In collaboration with the Information Technology Services Branch, the ATIP Directorate launched its Internet site in January 2005. The site is intended to facilitate the public's understanding of the Access to Information Act, the Privacy Act and associated departmental procedures. Summaries of the results of PIA reports conducted by PWGSC are published on this web site.
In fiscal year 2007-2008, the ATIP Directorate was involved in several departmental initiatives that required the development of PIAs and Preliminary PIAs (PPIAs).
Reporting Period | PIAs1 | PPIAs | ||||
---|---|---|---|---|---|---|
Outstanding from Previous Years |
Initiated | Completed | Cancelled or Postponed |
Carry Forward to Next Fiscal Year |
||
2005-2006 | 11 | 10 | 8 | 0 | 13 | 9 |
2006-2007 | 13 | 0 | 0 | 0 | 13 | 4 |
2007-2008 | 13 | 1 | 2 | 6 | 6 | 0 |
The following PIAs were completed and sent to the Privacy Commissioner of Canada during the 2007-2008 fiscal year:
The PIAs for the following projects were cancelled or postponed due to budget restrictions, initiative not being pursued or applications being abandoned.
The following PIAs, which were initiated in 2007-2008 and previous fiscal years, were still ongoing at the end of the reporting period:
When the detailed information required for a comprehensive assessment is not yet available, a PPIA may be completed. In exceptional circumstances, a PPIA may also be undertaken (instead of a full PIA) when the proposed initiative does not seem to raise privacy issues.
There were no PPIAs initiated in the 2007-2008 fiscal year.
The following PPIAs that were initiated in the previous years were completed during 2007-2008:
The PPIAs on the following projects were still ongoing at the end of the fiscal year:
It is the practice of PWGSC to process requests formally where the information is sensitive and may be subject to an exemption or an exclusion pursuant to sections 18 through 28, 69 and 70 of the Act.
There were 67 requests filed under the Privacy Act in 2007-2008. The majority of the cases were for documents related to security clearances (20 per cent), labour relations and investigations (18 per cent), pension and pay (16 per cent), and other employment related records (13 per cent). The remaining cases were for correspondence and other personal information pertaining to the applicants (33 per cent).
Compared with the last fiscal year, PWGSC experienced a six per cent decrease in the total number of privacy requests received.
Reporting Period | Outstanding | Received | Completed | Carried Forward |
---|---|---|---|---|
2005-2006 | 4 | 62 | 64 | 2 |
2006-2007 | 2 | 71 | 67 | 6 |
2007-2008 | 6 | 67 | 67 | 6 |
In addition to the privacy requests received by PWGSC, 10 government institutions consulted with PWGSC about the disclosure of information on 13 different cases. These consultation requests are not reflected in the statistical tables at Annex C, but they account for 23 per cent of the ATIP Directorate's privacy caseload.
Applicants may obtain access to their personal information on an informal basis by contacting the manager of the program area who controls the records. In these instances, the ATIP Directorate provides assistance and advice on an "as required" basis.
Although not reflected in the statistical tables at Annex C, seven requests were submitted by management during the fiscal year for the informal review of documents prior to their proactive disclosure to the individuals concerned. A total of 715 pages were reviewed and recommended for release on an informal basis.
Of the 73 requests processed, 67 (92 per cent) were completed during the 2007-2008 reporting period. The processing of the remaining six requests (eight per cent) was not completed as of March 31, 2008.
Taking into account only those cases where the Department was able to process the request, information was released, either in whole or in part, in 72 per cent of the cases.
The completed requests are categorized as follows:
In 21 of the 67 completed cases (31 per cent), the requesters were provided with complete access to the relevant records.
In 27 instances (40 per cent), the requesters were granted partial access.
There was no request where all of the information was withheld (exempted or excluded).
After an initial review, the Department was unable to process 12 requests (18 per cent). In most instances, this was because the Department did not have any records that were relevant to the request.
Of the completed requests, five were considered to be abandoned (eight per cent). Such an action may occur at any stage of the request processing.
Although there is no provision in the legislation for transferring a request, two requests (three per cent) were transferred with the consent of the applicant and agreement of the institution of greater interest.
An individual's right of access to their personal information under the Privacy Act is limited by a number of exemptions specified in sections 18 through 28 of the legislation.
Annex C is intended to show the types of exemptions invoked to refuse access. For example, if five different exemptions were used in one request, one exemption under each relevant section would be reported for a total of five exemptions. If the same exemption was used several times for the same request, it would be reported only once.
As noted in Annex C, the majority of the exemptions invoked was under section 26 (information about another individual) of the Act.
The Act does not apply to published material or material available for purchase by the public, library or museum material preserved solely for public record, material placed in the Library and Archives Canada, or records considered to be confidences of the Queen's Privy Council, pursuant to sections 69 and 70 of the Act respectively.
As in the case of exemptions, Annex C is intended to show the types of exclusions invoked to refuse access. For example, if five different exclusions are cited in one request, one exclusion under each relevant section would be reported for a total of five. If the same exclusion was used several times for the same request, it would be reported only once.
No exclusion was cited in dealing with privacy requests.
Time extensions were required and taken on 19 cases. In three cases, there was the need to consult with other government departments. For the remaining 16 cases, meeting the original time limit would have unreasonably interfered with the operations of the institution.
Forty-four requests (66 per cent) were completed within the first 30 days, 12 (18 per cent) were completed within 31 to 60 days, and five (seven per cent) were completed between 61 and 120 days from the date of receipt by the Department. Six cases (nine per cent) required more than 120 days to process.
There was no request for the translation of information from one official language to another.
Copies of the records were given in response to 48 requests (72 per cent). It should be noted that this category reflects only those requests where the information was all disclosed or disclosed in part.
There was no request received for the correction of personal information or for a notation to be placed on a file.
Salary costs associated with privacy issues were $221,270, and operational and maintenance costs were $87,359, for a total cost of $308,629. The associated full-time equivalent resources utilization was 3.2.
Table III provides a breakdown of the complaints made to the Privacy Commissioner of Canada and of requests for judicial review made to the Federal Court of Canada, over the past three fiscal years.
Reporting Period | Complaints | Requests for Judicial Review |
---|---|---|
2005-2006 | 7 | 0 |
2006-2007 | 2 | 0 |
2007-2008 | 2 | 1 |
The ATIP Directorate saw no change in the number of complaints made to the Privacy Commissioner of Canada in the 2007-2008 fiscal year.
Of the two complaints lodged with the Office of the Privacy Commissioner during the fiscal year, both concerned the delay in providing a response to the requestor.
Three investigations were concluded relating to complaints that had been received by PWGSC in this and previous fiscal years. Two complaints were resolved to the satisfaction of the requestor and the other one was settled in the course of the investigation. Two complaint investigations were still being conducted at the end of the fiscal year.
There was one request made to the Federal Court of Canada seeking a judicial review.
Federal Court File Number T-1314-07: The applicant sought a review by the Federal Court as PWGSC failed to provide the information requested within time period established under the Privacy Act. The documents were disclosed to the applicant in September 2007 and the application has been discontinued.
For information on this Annex A: Delegation of Authorities (Excerpt),
see Annex A: Delegation of Authority (Excerpt).
8. (1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.
(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
(3) Subject to any other Act of Parliament, personal information under the custody or control of the Library and Archives of Canada that has been transferred there by a government institution for historical or archival purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes.
(4) The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. Notice of disclosure under paragraph (2)(m)
9. (1) The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11 (1) (a) (iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information.
Institution: PUBLIC WORKS AND GOVERNMENT SERVICES CANADA
Reporting period: 4/1/2007 to 3/31/2008
Received during reporting period: 67
Outstanding from previous period: 6
TOTAL: 73
Completed during reporting period: 67
Carried forward: 6
TOTAL: 67
Exemptions | Numbers |
---|---|
S. Art. 18(2) |
0 |
S. Art. 19(1)(a) |
0 |
(b) | 0 |
(c) | 0 |
(d) | 0 |
S. Art. 20 |
0 |
S. Art. 21 |
0 |
S. Art. 22(1)(a) |
1 |
(b) | 1 |
(c) | 0 |
S. Art. 22(2) |
0 |
S. Art. 23(a) |
0 |
(b) | 0 |
S. Art. 24 |
0 |
S. Art. 25 |
0 |
S. Art. 26 |
16 |
S. Art. 27 |
8 |
S. Art. 28 |
0 |
Exclusions | Numbers |
---|---|
S. Art. 69(1)(a) |
0 |
(b) | 0 |
S. Art. 70(1)(a) |
0 |
(b) | 0 |
(c) | 0 |
(d) | 0 |
(e) | 0 |
(f) | 0 |
30 days or under
TOTAL: 19
31 days or over
TOTAL: 0
Translations requested: 0
1 The number of PIAs and PPIAs for 2005-2006 and 2006-2007 have been revised to reflect those that changed from PIAs to PPIAs. (Back to note 1)