Access to Information and Privacy

2007-2008 Annual Report to Parliament on the Privacy Act

December 2008

Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190


Table of Contents

  1. Introduction
  2. Mandate / Mission of the OPC
  3. Organizational Structure
  4. Privacy Commissioner, ad hoc / Complaint Mechanism
  5. ATIP Unit Activities
  6. Privacy Act Statistical Report and Interpretation
  7. Report on the Privacy Impact Assessment (PIA) Policy
  8. Disclosures of Personal Information
  9. Privacy-Related Policies
  10. Appendix A – Privacy Act Delegation Order
  11. Appendix B – Statistical Report on the Privacy Act

Introduction

The Privacy Act took effect on July 1, 1983. This Act imposes obligations on federal government departments and agencies to respect the privacy rights of individuals by limiting the collection, use and disclosure of personal information. The Act also gives individuals the right of access to their personal information and the right to request the correction of that information.

Section 72 of the Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year.

When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC), along with other Agents of Parliament, was added to the Schedule of the Privacy Act. So, while not initially subject to the Act, the OPC became so on April 1, 2007.

While this change has been—and continues to be—a learning experience for the OPC as a whole, we are fully supportive of greater transparency and accountability on the part of government and its institutions. In fact, shortly after taking office in 2003, the Privacy Commissioner maintained that although not yet subject to the Privacy Act, the OPC would conduct itself as though it were.

We did not receive any requests from individuals for access to their personal information prior to April 1, 2007 but we did receive a number of requests for other information which we processed using the Access to Information Act as a guide.

Due to the nature of the work we do—and as our investigation files contain extensive personal information—we expected that once formally subject to the Privacy Act, we would receive a large number of requests for the contents of those files. However, as our statistics show, that has not been the case. While perhaps somewhat surprising, the situation nevertheless afforded us the opportunity to build the administrative side of the ATIP Unit, create ATIP policies and procedures, and ensure that the ATIP Unit staff had all of the training they required.

For the past 25 years the OPC has been overseeing federal government institutions’ compliance with the Privacy Act and, in doing so, we have at times been quite critical of their personal information management practices. With the passing of the Federal Accountability Act we now find ourselves on the ‘other side of the fence’. Admittedly, it is sometimes difficult to look inwards but, in this case, we wholeheartedly welcome our complete and formal inclusion into the Privacy Act family. Not only are we committed to fulfilling the mandate given the OPC under the Act, we are wholly committed to ensuring that we fully adhere to the Act with respect to the proper handling of the personal information which is under our control.

The OPC is therefore pleased to submit our first Annual Report which describes how we fulfilled our responsibilities under the Privacy Act during the fiscal year 2007-2008.

Mandate / Mission of the OPC

The OPC is mandated to oversee compliance with the Privacy Act, which covers the personal information handling practices of federal government departments and agencies, and with the Personal Information Protection and Electronic Documents Act (PIPEDA) which is Canada’s private sector privacy law. Our mission is to protect and promote the privacy rights of individuals by, among other things:

  • Investigating complaints and incidents under the Privacy Act and PIPEDA concerning the handling of personal information;
  • Issuing reports to federal government institutions and private sector organizations which may contain recommendations designed to assist them in remedying situations and preventing errors in handling personal information;
  • Assessing compliance with Privacy Act and PIPEDA obligations through audit and review activities, and publicly reporting on findings;
  • Reviewing and advising on Privacy Impact Assessments (PIAs) that deal with new or existing government initiatives;
  • Providing legal and policy expertise to help guide Parliament’s review of evolving legislation in order to ensure respect for individuals’ right to privacy;
  • Assisting Parliamentarians, individuals and organizations who are seeking information and guidance with respect to personal information handling practices;  
  • Promoting public awareness and compliance with the two Acts and fostering understanding of privacy rights and obligations;
  • Monitoring trends in privacy practices, identifying systemic privacy issues to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and
  • Working closely with privacy stakeholders from other Canadian and international jurisdictions in order to address global privacy issues arising from ever-increasing trans-border data flows.

The OPC’s focus is on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In some unresolved cases, the Commissioner may take the matter to Federal Court.

Organizational Structure

The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is assisted by two Assistant Privacy Commissioners, one responsible for the Privacy Act and the other responsible for PIPEDA.

The OPC comprises seven distinct branches: Research, Education and Outreach; Communications; Audit and Review; Legal Services and Policy; Human Resources; Corporate Services; and Investigations and Inquiries.

The Access to Information and Privacy (ATIP) Unit falls under the Corporate Services Branch. ATIP is headed by a Director who is supported by one Senior Analyst. This fiscal year, the ATIP Unit also used the services of an experienced ATIP analyst on a part time contract basis.

Under section 73 of the ATIA the Privacy Commissioner, as the head of the OPC, delegated her authority to the Director General of Corporate Services and to the ATIP Director with respect to the application of the ATIA and its Regulations. A copy of that Delegation Order is attached as Appendix A.

[Figure: Organizational Structure]

Privacy Commissioner, ad hoc / Complaint Mechanism

When the Federal Accountability Act received Royal Assent on December 12, 2006, it did not contain a mechanism under which Privacy Act complaints against the OPC would be investigated. Clearly, it is entirely inappropriate for the OPC to investigate its own actions with respect to its administration of the Privacy Act.

Indeed, the issue was raised in the Department of Justice Discussion Paper on Strengthening the Access to Information Act which was released on April 11, 2006.  The Paper encouraged the House of Commons Committee on Access to Information, Privacy and Ethics to offer suggestions on an appropriate design of a mechanism, the appointment process and the qualifications of the selected individual.

On May 30, 2006 the Privacy Commissioner appeared before the House of Commons Legislative Committee and said:

Finally, I bring to your attention what I see as a serious omission in Bill C-2: the absence of a mechanism to investigate access or privacy complaints against the Information and Privacy Commissioners. I would hope that the provisions in Bill C-2 making the two Commissioners subject to both Acts will not come into force until an alternative complaint investigation process is properly established to deal with these new types of situations.

The Commissioner then appeared before the Standing Committee on Legal and Constitutional Affairs on September 21, 2006 during which she voiced her expectation that changes to the Privacy Act should not come into force until an appropriate mechanism was in place. This was reiterated in her written Submission to the Committee.

In its October 26, 2006 Report to the House on C-2, the Senate Committee endorsed the Privacy Commissioner’s view and stated, “We join with the Privacy Commissioner in urging the Government to delay the entry into force of these measures until an appropriate mechanism to address this situation is identified and in place.” 

We fully expected that our concern would be addressed by the government, but the Federal Accountability Act remains silent. After a year, we find ourselves in the extremely difficult position of having to create and maintain our own mechanism, one which hopefully gives individuals confidence that investigations against the OPC are being conducted independently of the OPC. This is difficult to say the least, given that the OPC ultimately decides who will be the Privacy Commissioner, ad hoc, and since the OPC is absorbing all of the costs associated with the process.

In September 2007 the Honourable Peter de C. Cory agreed to be engaged as Privacy Commissioner, ad hoc, to receive and investigate complaints concerning the OPC pursuant to section 29 of the Privacy Act. The Privacy Commissioner delegated the majority of her powers, duties and functions as set out in sections 29 through 35 and section 42 of the Act to Mr. Cory in order that he could carry out his investigations. Mr. Cory also agreed to be engaged as Information Commissioner, ad hoc, so as to investigate ATIA complaints filed concerning the Office of the Information Commissioner (OIC).

It was quickly recognized that it would be inappropriate for the investigator conducting Privacy Act investigations against the OPC to work within the offices of the OPC—a view shared by the OIC with respect to the investigator conducting ATIA complaints against that Office. Therefore, the OPC and the OIC entered into an agreement whereby we would each provide secured office space for the other’s investigator along with locked cabinets, stand-alone computers, etc.

Mr. Cory’s services are no longer available to us. The OPC has therefore engaged the Honourable Andrew W. MacKay, former Judge of the Federal Court. His biography may be found at http://cas-ncr-nter03.cas-satj.gc.ca/portal/page/portal/fc_cf_en/MacKay.

ATIP Unit Activities

Although the OPC was not subject to the Privacy Act until April 1, 2007, the ATIP Unit was staffed in February 2007 in order to begin the process of setting up the Unit and to handle a number of informal requests that the OPC had already received under the Access to Information Act.

Given that the OPC was newly subject to ATIP responsibilities, the early focus was on administrative work that needed to be done. One of the first requirements was to ensure that information about the OPC was provided to the Treasury Board Secretariat. In early May 2007 all of the OPC’s Sources of Federal Employee Information – Standard Personal Information Banks (PIBs) and Sources of Federal Government Information – Standard Banks were registered with the Secretariat. The Secretariat was also provided initial information about the OPC to be included in Info Source such as background information, the OPC’s responsibilities, descriptions of and contacts for each OPC Branch, and the location of the OPC reading room. A review of all of the OPC’s record holdings was then undertaken to ensure that all non-standard bank information would be included in the next edition of Info Source.

The ATIP Unit has written an “Access to Information Process and Compliance Manual” which is available to all staff on the OPC Intranet site and to the public on the OPC website. This manual describes all of the steps taken by the ATIP Unit in receiving and responding to requests under both the Access to Information Act (ATIA) and the Privacy Act. It provides extensive information for staff on a wide variety of subjects, including the responsibilities of staff to retrieve information, legislative time constraints, exemptions and exclusions, and the complaint and investigation process. The manual also provides extensive information concerning the proper collection, retention, use, disclosure and disposition of personal information.

No specific Privacy Act training has been given to staff to date although we certainly intend to do so soon. However, it is important to note that, given the nature of our work, the vast majority of OPC staff are already extremely sensitized to privacy issues and to the requirements of government institutions covered by the Privacy Act concerning the protection of personal information. In assessing training needs in our new “Atipable” environment, we quickly realized that most OPC employees were not as fully informed as to their ATIA responsibilities; therefore, priority training was given with respect to the ATIA. While specific Privacy Act training is being prepared, the OPC’s “Access to Information Process and Compliance Manual” provides clear guidance in the meantime as to the proper handling of personal information.

The ATIP Director sits on the OPC’s Policy Development Committee and has taken a collaborative role in the planning, development and updating of OPC policies, procedures and directives in order to ensure that the Privacy Act is respected.

In 2007 the Information and Privacy Policy Division of the Chief Information Officer Branch within the Treasury Board Secretariat began the process of renewing the Access to Information and Privacy policies and guidelines. The OPC’s ATIP Director is part of the Secretariat’s Policy Renewal Working Group and, as such, participated in a number of meetings during the fiscal year.

Throughout the year the ATIP Unit has been active in providing advice to all OPC staff with respect to personal information handling practices. The ATIP Unit has also supported the Information Management function by providing input concerning proper information handling practices and has been involved in discussions with Library and Archives Canada personnel concerning retention schedules for OPC records and information.

Concurrently, the OPC’s ATIP Senior Analyst assisted another federal government institution by sitting on several competition boards for the recruitment of ATIP analysts.

Finally, the OPC has included a section on its website entitled “Access to Information and Privacy” which provides the public with information about the Privacy Act, including how to request access to information that is under the control of the OPC.

Privacy Act Statistical Report and Interpretation

The OPC’s statistical Report on the Privacy Act is attached at Appendix B.

The OPC received 45 formal requests under the Privacy Act for the fiscal year. Of those, 23 sought access to personal information under the control of other government institutions and therefore—with the consent of the requesters—they were re-directed to those institutions for processing (Citizenship and Immigration; the RCMP; the Canada Revenue Agency; National Defence; Correctional Service Canada; the Canada Post Corporation; Canadian Heritage; Service Canada; and the Canadian Firearms Centre).

Of the 22 requests for personal information under the OPC’s control, the ATIP Unit had responded to all of them by the end of the reporting year. While the OPC did not receive as many requests as anticipated, the 22 requests constituted 4,451 pages of information. No time extensions were taken and all were completed within the statutory time limits.

Section 22.1 of the Privacy Act was added to the Act as a result of the Federal Accountability Act. This provision requires that the OPC protect the information that we obtained during the course of our investigations or audits even once the matter and all related proceedings have been concluded.

Of the 22 Privacy Act requests completed, 10 were for the contents of Privacy Act or PIPEDA investigation files. In two of those instances all of the information was withheld as one case was before the Court, and as all appeal mechanisms with respect to the other had not yet been exhausted. In the remaining cases our investigations and all related proceedings were closed. So, the information in those files was processed and released to the requesters subject to applicable exemptions.

Of the 22 requests received for access to OPC information, one (1) was submitted by a lawyer while the remainder were submitted by individuals.

The exemption provision invoked most often was section 22.1 with respect to information the OPC received or created during the course of an investigation, followed closely by section 26 concerning the personal information of other individuals.

The OPC received notice of two complaints of denial of access made to the Privacy Commissioner ad hoc, both of which were filed by one individual. While the Privacy Commissioner ad hoc has concluded that both complaints are “not well-founded”, they are not included in our statistical report. The findings were rendered on April 2, 2008 and therefore will be included in our report for fiscal year 2008-2009.

As of the writing of this report, no applications have been submitted to the Federal Court following the Privacy Commissioner ad hoc’s findings.

In addition to processing its own Privacy Act requests, the OPC was also consulted three times by two government institutions with respect to eleven (11) documents. In each case, the OPC had no objection to the disclosure of the information they contained.

Report on the Privacy Impact Assessment (PIA) Policy

The Privacy Impact Assessment Policy, which came into effect on May 2, 2002, requires that the Treasury Board Secretariat monitor compliance with the Policy. Given this responsibility, institutions are asked to include pertinent statistics in their annual reports on the administration of the Privacy Act.

The OPC has not conducted any PIAs during this reporting fiscal year. It is anticipated, however, that one will be conducted with respect to the Office’s new Case Management system. The requirements of this system are presently being defined.

Disclosures of Personal Information

The OPC disclosed no personal information under sections 8(2)(e), (f), (g) or (m) of the Privacy Act during this fiscal year.

Privacy-Related Policies

The ATIP Director is a member of the OPC’s Policy Development Committee. In that role, policies, directives and guidelines have been and continue to be reviewed to ensure that the Privacy Act is respected. The ATIP Unit drafted the OPC’s Employee Privacy Policy which has been finalized and approved by senior management. The Unit has also drafted a Corporate Privacy Policy and a Privacy Breach Policy. It is expected that all of these will be in place during the 2008-2009 reporting fiscal year.

For additional information on the OPC’s activities, please visit www.priv.gc.ca

Additional copies of this report may be obtained from:

Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON  K1A 1H3

Appendix A – Privacy Act Delegation Order

The Privacy Commissioner of Canada, as the head of the government institution, hereby designates pursuant to section 73 of the Privacy Act, the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Privacy Commissioner as specified below and as more fully described in Annex A:

Position: Privacy Commissioner; Assistant Commissioner
Sections of Privacy Act: 8(2)(m)

Position: Director General, Corporate Services and Chief Financial Officer; Director, ATIP
Sections of Privacy Act:
Act: 8(2)(j), 8(4) and (5), 9(1) and (4), 10, 14, 15, 17(2)(b) and (3)(b), 18 to 28, 31, 33(2), 35(1) and (4), 36(3), 37(3), 51(2)(b) and (3), 72(1)
Regulations: 9, 11(2) and (4), 13(1), 14

Dated at the City of Ottawa, this 1st day of October, 2008

 

(Original signed by)
__________________________
Jennifer Stoddart
Privacy Commissioner of Canada

Privacy Act

8(2)(j) Disclose personal information for research purposes
8(2)(m) Disclose personal information in the public interest or in the interest of the individual
8(4) Retain copy of 8(2)(e) requests and disclosed records
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures
9(1) Retain record of use
9(4) Notify Privacy Commissioner of consistent use and amend index
10 Include personal information in personal information banks
14 Respond to request for access within 30 days; give access or give notice
15 Extend time limit for responding to request for access
17(2)(b) Decide whether to translate requested information
17(3)(b) Decide whether to give access in an alternative format
18(2) May refuse to disclose information contained in an exempt bank
19(1) Shall refuse to disclose information obtained in confidence from another government
19(2) May disclose any information referred to in 19(1) if the other government consents to the disclosure or makes the information public
20 May refuse to disclose information injurious to the conduct of federal-provincial affairs
21 May refuse to disclose information injurious to international affairs or defence
22 Series of discretionary exemptions related to law enforcement and investigations; and policing services for provinces or municipalities.
22.1(1) In force April 1, 2007 - Privacy Commissioner shall refuse to disclose information obtained or created in the course of an investigation conducted by the Commissioner
22.1(2) In force April 1, 2007 - Privacy Commissioner shall not refuse under 22.1(1) to disclose any information created by the Commissioner in the course of an investigation conducted by the Commissioner once the investigation and related proceedings are concluded
23 May refuse to disclose information prepared by an investigative body for security clearances
24 May refuse to disclose information collected by the Correctional Service of Canada or the National Parole Board while individual was under sentence if conditions in section are met
25 May refuse to disclose information which could threaten the safety of individuals
26 May refuse to disclose information about another individual, and shall refuse to disclose such information where disclosure is prohibited under section 8
27 May refuse to disclose information subject to solicitor-client privilege
28 May refuse to disclose information relating to the individual’s physical or mental health where disclosure is contrary to best interests of the individual
31 Receive notice of investigation by Privacy Commissioner
33(2) Right to make representations to the Privacy Commissioner during an investigation
35(1) Receive Privacy Commissioner’s report of findings of the investigation and give notice of action taken
35(4) Give complainant access to information after 35(1)(b) notice
36(3) Receive Privacy Commissioner’s report of findings of investigation of exempt bank
37(3) Receive report of Privacy Commissioner’s findings after compliance investigation
51(2)(b) Request that section 51 hearing be held in the National Capital Region
51(3) Request and be given right to make representations in section 51 hearings
72(1) Prepare annual report to Parliament

Privacy Regulations

9 Provide reasonable facilities to examine information
11(2) and (4) Procedures for correction or notation of information
13(1) Disclosure of information relating to physical or mental health to qualified practitioner or psychologist
14 Require individual to examine information in presence of qualified practitioner or psychologist

Appendix B – Statistical Report on the Privacy Act

Institution: Office of the Privacy Commissioner of Canada
Reporting period: April 1, 2007 to March 31, 2008

I Requests under the Privacy Act
  Received during reporting period: 45
  Outstanding from previous period:
  TOTAL: 45
  Completed during reporting period: 45
  Carried forward:

II Disposition of requests completed
  1. All disclosed: 4
  2. Disclosed in part: 10
  3. Nothing disclosed (excluded):
  4. Nothing disclosed (exempt): 2
  5. Unable to process: 6
  6. Abandoned by applicant:
  7. Transferred: 23
  TOTAL: 45

III Exemptions invoked
  S. 18(2):
  S. 19(1)(a):
  S. 19(1)(b):
  S. 19(1)(c):
  S. 19(1)(d):
  S. 20:
  S. 21:
  S. 22(1)(a):
  S. 22(1)(b):
  S. 22(1)(c):
  S. 22(2):
  S. 23(a):
  S. 23(b):
  S. 24:
  S. 25:
  S. 26: 5
  S. 27:
  S. 28:

IV Exclusions cited
  S. 69(1)(a):
  S. 69(1)(b):
  S. 70(1)(a):
  S. 70(1)(b):
  S. 70(1)(c):
  S. 70(1)(d):
  S. 70(1)(e):
  S. 70(1)(f):

V Completion time
  30 days or under: 45
  31 to 60 days:
  61 to 120 days:
  121 days or over:

VI Extensions (columns: 30 days or under / 31 days or over)
  Interference with operations:
  Consultation:
  Translation:
  TOTAL:

VII Translations
  Translations requested:
  Translations prepared, English to French:
  Translations prepared, French to English:

VIII Method of access
  Copies given: 14
  Examination:
  Copies and examination:

IX Corrections and notation
  Corrections requested:
  Corrections made:
  Notation attached:

X Costs
  Financial (all reasons)
    Salary: $ 67,988.38
    Administration (O and M): $ 38,503.51
    TOTAL: $ 106,491.89
  Person year utilization (all reasons)
    Person year (decimal format): 1.0167

TBS/SCT 350-63 (Rev. 1999/03)

Discrepancies
III – Exemptions invoked

Section 22.1 was invoked on 7 requests.

X – Costs

All operating and maintenance costs are borne by other OPC Branches, i.e., Human Resources (training), Information Technology (computers, printouts, etc.), Corporate Services (supplies, mailing, etc.).

Other

The OPC received and responded to 3 consultations from other government institutions.

Supplemental Reporting Requirements for 2007-2008 Privacy Act

Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for the 2007-2008 reporting period.

Indicate the number of:

Preliminary Privacy Impact Assessments initiated: N/A

Preliminary Privacy Impact Assessments completed: N/A

Privacy Impact Assessments initiated: N/A

Privacy Impact Assessments completed: N/A

Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): N/A

If your institution did not undertake any of the activities noted above during the reporting period, this must be stated explicitly.

  • The OPC did not undertake any of the activities noted above during the reporting period.