The Privacy Act (Revised Statutes of Canada, 1985, Chapter P-21) was proclaimed on July 1, 1983. The Act was most recently amended as a result of the royal assent of the Federal Accountability Act on December 12, 2006. Certain provisions came into force on December 12, 2006, and others took effect on April 1, 2007, and September 1, 2007.
The Privacy Act extends to individuals the right of access to information about themselves held by the government, subject to specific and limited exceptions. The Act also provides individuals the right to a reasonable expectation of privacy, including a basic right to exercise control over the collection, use and disclosure of their personal information.
Section 72 of the Privacy Act requires that the head of every federal government institution prepare for submission to Parliament an annual report on the administration of the Act within their institution during each fiscal year.
This Annual Report provides a summary of the management and administration of the Privacy Act within Public Works and Government Services Canada (PWGSC) for the fiscal year 2008-2009.
The Department was originally founded in 1841 and was instrumental in the building of our nation's canals, roads and bridges, the Houses of Parliament, post offices, and federal buildings across the country.
Today, the Department has evolved into a sophisticated operational arm of government that employs nearly 14,000 staff working in the National Capital and five regional offices in Halifax, Montreal, Toronto, Edmonton, and Vancouver.
The Department of Public Works and Government Services Act, passed in 1996, established the Department and set out the legal authorities for services provided. Specifically, the Act established PWGSC as a common service agency providing government departments, boards and agencies with services in support of their programs, including:
The Act also specifies that the Minister of Public Works and Government Services is the Receiver General for Canada and has the authority for the administration of services related to benefits, superannuation and pension plans as well as disbursement of pay to federal employees.
PWGSC's goal is to run a business in a way that strengthens accountability and adds value to our clients. In doing so, PWGSC:
In 2008, we improved our reporting to Parliament by streamlining our Program Activity Architecture, which consolidates the number of program activities from twenty-six to nine, and establishes the strategic outcome as follows: High-quality, central programs and services that ensure sound stewardship on behalf of Canadians and meet the program needs of federal institutions.
The PWGSC program activities, which contribute to the Department's strategic outcome, are as follows:
The Access to Information and Privacy Directorate (ATIP) administers the provisions of the Privacy Act for PWGSC, including two Special Operating Agencies, Audit Services Canada and the Translation Bureau, as well as the Office of the Procurement Ombudsman.
The Director, ATIP, reports to the Director General, Executive Secretariat, who, in turn, reports to the Assistant Deputy Minister, Corporate Services, Policy and Communications. For most of the 2008-2009 fiscal year, the ATIP Directorate has operated with five teams to manage the requests received within the Department. Overseeing these teams, and reporting to the Director, ATIP, were two Managers, Risk and Quality Management. Four of the teams were responsible for processing ATIP requests, consultations, complaints, and court cases received by the Department, while the other team was dedicated to privacy policy. The administrative functions of the ATIP Directorate were supported by an administrative assistant and three clerks.
Under section 3 of the Privacy Act, the Minister of the Department is designated as the head of the government institution for purposes of the administration of the Act. Pursuant to section 73, the Minister may delegate any of his powers, duties or functions under the Act by signing an order authorizing one or more officers or employees of the institution, who are at the appropriate level, to exercise or perform the powers, duties or functions of the head, specified in the order.
Within PWGSC this delegation instrument continued to be based on a centralized process with the Director General, Executive Secretariat, who reports to the Assistant Deputy Minister of Corporate Services, Policy and Communications Branch, the Director, ATIP, and the Managers, Risk and Quality Management, having full delegated authority under the Privacy Act, with the exception of paragraph 8(2)(m). Certain administrative functions are also delegated to the ATIP Chiefs to speed the processing of requests.
An excerpt of the Delegation of Authorities approved by the Minister of Public Works and Government Services is enclosed at Annex A: Delegation of Authority (Excerpt).
The Director, Cheque Redemption Control, in Matane, Quebec, shares administrative powers under paragraph 8(2)(e) of the Act in regard to releasing transacted cheques to law enforcement bodies. This provides administrative flexibility in processing requests for cheques issued under the authority of the Receiver General for Canada.
The responsibilities of the ATIP Directorate include the following
The administration of the Act by the ATIP Directorate is also facilitated at the branch, sector, and regional office levels of PWGSC. Each organizational branch has an ATIP Liaison Officer who coordinates the collection of information and provides guidance to branch managers on the application of the Act, as well as related departmental directives and procedures.
For the reference of all employees, departmental policies are posted on PWGSC's intranet.
Departmental Policy 002 outlines the privacy Delegation of Authority and sets out the definitions, and the roles and responsibilities of all stakeholders within PWGSC. An annex to the Policy has been developed to outline the administrative attribution of powers and the departmental guidelines and procedures with respect to the disclosure of personal information pursuant to subsection 8(2) of the Privacy Act. Paragraphs (8)(2)(j) and (m) of the Act continue to be delegated by the Minister pursuant to section 73 of the Act.
Departmental Policy 014 sets out definitions as well as the roles and responsibilities of employees with respect to the protection of personal information in the workplace.
The Departmental ATIP Liaison Officer Handbook outlines the intent and the requirements of the Privacy Act and related Treasury Board guidelines so that all staff are aware of their responsibilities for the collection, use, disclosure, retention and disposal of personal information. In particular, staff are informed of their responsibilities to record and account for all uses and disclosures of personal information, by documenting all activities relating to personal information and by maintaining the relevant material on official departmental files.
Responsibility centres are also advised to consult with the ATIP Directorate before collecting any personal information and whenever there are questions relating to the retention and disposal of personal information.
The ATIP Liaison Officer Handbook is produced by the ATIP Directorate and is posted on PWGSC's intranet as a guide to:
The ATIP Directorate has developed and regularly updates its ATIP Officer Desk Procedures manual, to standardize the work procedures used by staff, to facilitate the training of new hires and to complement the functionality of the electronic ATIP tracking system.
PWGSC is committed to the continuous improvement of its management fundamentals and has used the results of the most recent Management Accountability Framework (MAF) assessment as a benchmark. Senior management engagement has been key in building action plans that ensure ongoing improvement and monitor progress.
In 2008-2009, an action plan was developed to specifically address MAF Round V results relating to ATIP. Key objectives were: engagement of departmental executives on ATIP legislative and policy requirements as well as clarifying accountabilities of departmental stakeholders in the ATIP process; inventory of all personal information in the Department; registration of all PIBs and ensuring all relevant information holdings are described in PWGSC's Info Source chapter; piloting the revised TBS PIA process with the Office of the Procurement Ombudsman; and, undertaking awareness training sessions.
The ATIP Officer Development Program was developed in 2006 to address the Department's mid- and long-term shortage of skilled ATIP professionals by recruiting new employees at the junior level, fostering their loyalty to PWGSC, and preparing them to fill senior ATIP Officer positions at the PM-04 group and level within a three-year horizon. The Program is also intended to reduce the costs associated with the competitive staffing process and, in the long-term, the use of consultants.
As part of the ATIP Improvement Plan, and in order to develop and retain our employees, the Program was revised in 2008-2009 to include all ATIP Officers at the PM-01, -02 and/or -03 group and levels that are currently employed in the ATIP Directorate or hired through regular advertised processes. This accelerated approach to learning has been adopted by other departments as a method of addressing skills shortages in the ATIP community.
The Director, ATIP, is a member of the Interdepartmental ATIP Working Group that is chaired by TBS. In this capacity, PWGSC participated in the development of new directives on privacy requests and correction of personal information; privacy practices; and, privacy impact assessment during the 2008-2009 fiscal year.
During the fiscal year, four information sessions on privacy legislative and policy requirements were given to approximately 65 managers in the Information Technology Services, Human Resources, Acquisitions, Accounting, Banking and Compensation branches of PWGSC.
In addition, two group training sessions and several one-on-one briefings were also provided to 30 departmental Info Source coordinators, managers and employees to provide advice and guidance on TBS requirements as well as to address the gaps identified in the MAF Round V Assessment and to improve the content of PWGSC's chapter of Info Source.
Furthermore, an overview of Privacy is incorporated into the general ATIP information sessions that were delivered to approximately 450 participants during the fiscal year and are described in the PWGSC Annual Report on the Access to Information Act.
The ATIP Directorate must be notified whenever personal information in a PIB is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the Department, but where such use is not included in the statement of consistent uses published in Info Source.
The following eleven new and revised PIBs1 were registered with TBS in 2008-2009:
The Department also registered six new Standard PIBs developed by TBS:
The ATIP Directorate continued to work with TBS and branches of PWGSC on the development of the following new and/or revised PIBs:
Between January and March 2008, an inventory of personal information held by the Department was compiled to ensure that all personal information is appropriately described in accordance with the Privacy Act. During the next fiscal year, the ATIP Directorate will identify, develop and register any new or revised PIBs resulting from this inventory.
PWGSC does not have any exempt banks.
Departmental Policy 061 (Forms Management) requires that all new and revised forms that collect personal information be reviewed by the ATIP Directorate to ensure compliance with privacy legislative and policy requirements. During the 2008-2009 fiscal year, 48 forms were submitted for review and 46 reviews were completed. Of these forms, 38 were used in pension administration.
The Department processed seven disclosures of personal information to investigative bodies during 2008-2009.
A copy of every request received under paragraph 8(2)(e), and a record of any information disclosed pursuant to the request, is kept in accordance with subsection 8(4) of the Privacy Act.
During fiscal year 2008-2009, PWGSC disclosed personal information pursuant to paragraph 8(2)(f) of the Privacy Act. There were no disclosures made under paragraphs 8(2)(g) or 8(2)(m) of the Act.
In accordance with subsection 9(1) of the Act, the Department retains a record of any use or purpose for which the information is disclosed where that use or purpose is not identified in the relevant PIB.
An excerpt of the Privacy Act, sections 8 and 9 is enclosed at Annex B: Privacy Act, Sections 8 and 9 (Excerpt) for reference.
The following one data sharing activity was initiated in 2008-2009.
Memorandum of Understanding between the Controlled Goods Directorate and the Canadian Security Intelligence Service
The Controlled Goods Directorate (CGD) is responsible for the security assessment of foreign temporary workers and visitors who may have access to controlled goods. A Memorandum of Understanding was prepared to formalize mechanisms by which the CGD provides personal information on individuals registering under the Contolled Goods Regulations to the Canadian Security Intelligence Service to conduct security assessments.
The Treasury Board of Canada approved the Privacy Impact Assessment Policy with an effective date of May 2, 2002. The goal of the Policy is to allow government institutions to identify whether a program or a service delivery initiative, involving the collection, use or disclosure of personal information as defined in the Privacy Act, complies with privacy principles. The Policy also aims to avoid or mitigate any identifiable risks to privacy.
In 2005, the ATIP Directorate developed a departmental PIA framework and a draft departmental PIA policy that established the review and approval process within PWGSC, as well as the roles and responsibilities of stakeholders. Project managers follow this framework and draft policy when conducting PIAs. A revised policy, that will align with TBS's forthcoming PIA directive, is planned for next fiscal year.
The ATIP Directorate staff provides advice and guidance to PWGSC managers throughout the PIA process, including the review of PIA reports and liaison with the Office of the Privacy Commissioner.
Currently, when PWGSC's Legal Services unit employees review contractual terms and conditions, they inform contracting officers to seek the advice of the ATIP Directorate on the need for a PIA. The ATIP Directorate informs the contracting officers to check with their client departments and provides the name and telephone number of the responsible ATIP Coordinator. PWGSC's ATIP Directorate also advises on the requirement to include appropriate security and privacy clauses in procurement documentation.
In collaboration with the Information Technology Services Branch, the ATIP Directorate launched its Internet site in January 2005. The site is available at The Access to Information and Privacy Programs. The site is intended to facilitate the public's understanding of the Access to Information Act, the Privacy Act and associated departmental procedures. Summaries of the results of PIA reports conducted by PWGSC are published on this Web site.
The Department is modernizing its pension systems in order to generate savings and to improve how it delivers these services to current and retired public servants. Using information technology products, services and programs more effectively and efficiently is also a key priority for PWGSC. As a result, the Department must conduct PIAs for the programs and services that are substantially redesigned or transformed for electronic service delivery in a manner that affects the collection, use or disclosure of personal information. This has lead to the initiation of nine new PIAs in fiscal year 2008-2009 and the ATIP Directorate's involvement in their development.
Reporting Period | PIAs | PPIAs | ||||
---|---|---|---|---|---|---|
Outstanding from Previous Years | Initiated | Completed | Cancelled or Postponed | Carried Forward to Next Fiscal Year | ||
2006-2007 | 13 | 0 | 0 | 0 | 13 | 4 |
2007-2008 | 13 | 1 | 2 | 6 | 6 | 0 |
2008-2009 | 6 | 9 | 2 | 1 | 12 | 0 |
The following PIAs were completed and sent to the Privacy Commissioner of Canada during the 2008-2009 fiscal year:
The PIA for the following project was cancelled or postponed due to budget restrictions, initiative not being pursued or application being abandoned.
The following PIAs, which were initiated in 2008-2009 and previous fiscal years, were still ongoing at the end of the reporting period:
When the detailed information required for a comprehensive assessment is not yet available, a Preliminary PIA (PPIA) may be completed. In exceptional circumstances, a PPIA may also be undertaken, instead of a full PIA, when the proposed initiative does not appear to raise privacy issues.
There were no PPIAs completed in the 2008-2009 fiscal year.
It is the practice of PWGSC to process requests formally where the information is sensitive and may be subject to an exemption or an exclusion pursuant to sections 18 through 28, 69 and 70 of the Act.
There were 61 requests filed under the Privacy Act in 2008-2009. The majority of the cases (20 percent) were for documents related to security clearances, 18 percent labour relations and investigations, 16 percent pension and pay, and 13 percent other employment related records. The remaining cases (33 percent) were for correspondence and other personal information pertaining to the requesters.
Compared with the last fiscal year, PWGSC experienced a nine percent decrease in the total number of privacy requests received.
Table II provides the related detail.
Reporting Period | Outstanding | Received | Completed | Carried Forward |
---|---|---|---|---|
2006-2007 | 2 | 71 | 67 | 6 |
2007-2008 | 6 | 67 | 67 | 6 |
2008-2009 | 6 | 61 | 56 | 11 |
In addition to privacy requests, the Department received six privacy consultations from six different federal institutions in 2008-2009, on a total of 39 pages of records. On average, PWGSC responded to consultations within 18 days. These consultation requests are not reflected in the statistical tables at Annex C: Statistical Report - Privacy Act but do account for nine percent of the ATIP Directorate's privacy caseload.
Requesters may obtain access to their personal information on an informal basis by contacting the manager of the program area that controls the records. In these instances, the ATIP Directorate provides assistance and advice on an as required basis. Although not reflected in the statistical tables at Annex C: Statistical Report - Privacy Act, one request consisting of 364 pages was referred informally during the fiscal year prior to its proactive disclosure.
Of the 67 requests in progress, 56 requests (84 percent) were completed during the 2008-2009 reporting period. The remaining 11 requests (16 percent) were carried forward to the next fiscal year. Of this number, 8 were received in March 2009 and could not be completed before the end of the fiscal year.
Of the 56 cases where the Department completed the request, information was released either in whole or in part in 32 requests (57 percent). The 56 completed requests represent approximately 16,000 pages of records reviewed, and 7,571 pages released.
In 13 of the 56 completed cases (23 percent), the applicants were provided with full access to the relevant records. This figure is a decrease by eight percentage points from last fiscal year.
PWGSC was compelled by the exemptive and exclusionary provisions of the Privacy Act to provide applicants partial access in 19 of the 56 completed cases or 34 percent. This represents a six percentage point decrease from last fiscal year. In most instances, the information withheld relates to information about other individuals.
In 2 of the 56 completed requests (5 percent), PWGSC was compelled by the exemptive and exclusionary provisions of the Privacy Act to release no information. This represents an increase from the previous fiscal year when all completed requests resulted in disclosures.
After an initial review, the Department was unable to process 18 requests (32 percent). In all instances this was because the Department did not have any records relating to the request.
Of the completed privacy requests, 4 (7 percent) were eventually considered to be abandoned. Such an action may occur at any point in the processing of a request.
None of the 56 requests completed were transferred to another government institution in 2008-2009.
An individual's right of access to his/her personal information under the Privacy Act is limited by a number of exemptions specified in sections 18 through 28 of the legislation.
Annex C: Statistical Report - Privacy Act is intended to show the types of exemptions invoked to refuse access. For clarity purposes, if five different exemptions were used in one request, one exemption under each relevant section would be reported for a total of five exemptions. If the same exemption was used several times for the same request, it would be reported only once.
As noted in Annex C: Statistical Report - Privacy Act, information about another individual (section 26 of the Act) accounts for the majority of the exemptions applied by the Department.
Pursuant to section 69, the Act does not apply to material that is published or available for purchase, library or museum material preserved solely for public record, material deposited with the Library and Archives Canada, as well as records considered to be confidences of the Queen's Privy Council of Canada pursuant to section 70 of the Act.
As in the case of exemptions, Annex C: Statistical Report - Privacy Act is intended to show the types of exclusions invoked. Again, for the sake of clarity, if five different exclusions are cited in one request, one exclusion under each relevant section would be reported for a total of five. If the same exclusion was used several times for the same request, it would be reported only once.
No exclusions were invoked by PWGSC during the processing of privacy requests in the 2008-2009 fiscal year.
Of the 56 requests completed during the fiscal year, 13 needed to be extended in accordance with section 15 of the Privacy Act. Due to the nature of PWGSC's mandate, the records requested often contained sensitive information from another government department. As a result, in nine cases there was the need to consult with other government departments. For the remaining four cases, meeting the original time limit would have unreasonably interfered with the operations of the Department. On average, requests were completed within 38 days.
Within the first thirty days, 44 requests (79 percent) were completed, while 6 (11 percent) were completed within 31 to 60 days, and 2 (3 percent) were completed between 61 and 120 days from the date of receipt by the Department. Finally, 4 cases (7 percent) required more than 120 days to process. However, on average, privacy requests were completed within 38 days in 2008-2009 which is 12 days faster than the requests completed last year.
There were no requests for the translation of information from one official language to another.
Of the 32 requests in which information was released, the applicants received paper copies of the information in all cases.
There were no requests for the correction of personal information or for a notation to be placed on a file.
The total salary costs associated with the privacy program were $221,815, and operations and maintenance costs were $207,358, for a combined total of $429,173. The associated full-time equivalent resources utilized were estimated at 2.75 for the 2008-2009 fiscal year.
The Table III provides a breakdown of the complaints made to the Privacy Commissioner of Canada and of requests for judicial review made to the Federal Court of Canada, for which PWGSC has been informed of over the past three fiscal years.
Reporting Period | Complaints | Requests for Judicial Review |
---|---|---|
2006-2007 | 2 | 0 |
2007-2008 | 2 | 1 |
2008-2009 | 0 | 0 |
No complaints were lodged with the Privacy Commissioner of Canada against PWGSC in the 2008-2009 fiscal year.
There were no requests made to the Federal Court of Canada seeking a judicial review.
8. (1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.
(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
(3) Subject to any other Act of Parliament, personal information under the custody or control of the Library and Archives of Canada that has been transferred there by a government institution for historical or archival purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes.
(4) The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner.
Notice of disclosure under paragraph (2)(m)
9. (1) The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information.
Institution: PUBLIC WORKS AND GOVERNMENT SERVICES CANADA
Reporting period: 01/04/2008 to 31/03/2009
Received during reporting period: 61
Outstanding from previous period: 6
TOTAL: 67
Completed during reporting period: 56
Carried forward: 11
TOTAL: 56
Exemptions | Numbers |
---|---|
S. Art. 18(2) |
0 |
S. Art. 19(1)(a) |
0 |
(b) | 0 |
(c) | 0 |
(d) | 0 |
S. Art. 20 |
0 |
S. Art. 21 |
1 |
S. Art. 22(1)(a) |
3 |
(b) | 0 |
(c) | 0 |
S. Art. 22(2) |
0 |
S. Art. 23(a) |
0 |
(b) | 0 |
S. Art. 24 |
0 |
S. Art. 25 |
2 |
S. Art. 26 |
19 |
S. Art. 27 |
7 |
S. Art. 28 |
0 |
Exclusions | Numbers |
---|---|
S. Art. 69(1)(a) |
0 |
(b) | 0 |
S. Art. 70(1)(a) |
0 |
(b) | 0 |
(c) | 0 |
(d) | 0 |
(e) | 0 |
(f) | 0 |
30 days or under
TOTAL: 13
31 days or over
TOTAL: 0
Translations requested: 0
Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for this reporting period.
Indicate the number of:
Preliminary Privacy Impact Assessments initiated: _0___
Preliminary Privacy Impact Assessments completed: __________0____
Privacy Impact Assessments initiated: ___9_____
Privacy Impact Assessments completed: __2_______
Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): ________2________
If your institution did not undertake any of the activities noted above during the reporting period, this must be stated explicitly.
1PIB Legend:
PCU - Central Bank (General Public); PCE - Central Bank (Employees);
PPU - Particular Bank (General Public); PPE - Particular Banks (Employees);
PSU - Standard Bank (General Public); PSE - Standard Bank (Employees) (Back to note 1)