2008-2009 Annual Report to Parliament on the Privacy Act

PDF Version

August 2009

Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190

---

Table of Contents

• Introduction
• Mandate / Mission of the OPC
• Organizational Structure
• Privacy Commissioner, ad hoc / Complaint Mechanism
• ATIP Unit Activities
• Privacy Act Statistical Report and Interpretation
• Report on the Privacy Impact Assessment (PIA) Policy
• Data Sharing Activities
• Disclosures of Personal Information
• Privacy-Related Policies
• Appendix A – Privacy Act Delegation Order
• Appendix B – Statistical Report on the Privacy Act
• Appendix C

Introduction

The Privacy Act came into effect On July 1, 1983. This Act imposes obligations on federal government departments and agencies to respect the privacy rights of individuals by limiting the collection, use and disclosure of personal information. The Act also gives individuals the right of access to their personal information and the right to request the correction of that information.

When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC) was added to the Schedule of the Privacy Act along with other Agents of Parliament. So, while not initially subject to the Act, the OPC became so on April 1, 2007.

Section 72 of the Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year.

The OPC is pleased to submit our second Annual Report which describes how we fulfilled our responsibilities under the Privacy Act during the fiscal year 2008-2009.

Mandate / Mission of the OPC

The mandate of the OPC is to oversee compliance with both the Privacy Act (PA) which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.

The OPC’s mission is to protect and promote the privacy rights of individuals.

The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. In public sector matters, individuals may complain to the Commissioner about any matter specified in Section 29 of the PA.

For matters relating to personal information in the private sector, the Commissioner may investigate complaints under Section 11 of PIPEDA except in the provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta. Ontario now falls into this category with respect to personal health information held by health information custodians under its health sector privacy law. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to PIPEDA or to substantially similar legislation.

The Commissioner focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.

As a public advocate for the privacy rights of Canadians, the Commissioner carries out the following activities:

• Investigating complaints and issuing reports with recommendations to federal government institutions and private sector organizations to remedy situations, as appropriate;
• Pursuing legal action before Federal Courts where matters remain unresolved;
• Assessing compliance with obligations contained in the PA and PIPEDA through the conduct of independent audit and review activities, and publicly report on findings;
• Advising on, and review, Privacy Impact Assessments (PIAs) of new and existing government initiatives;
• Providing legal and policy analyses and expertise to help guide Parliament’s review of evolving legislation to ensure respect for individuals’ right to privacy;
• Responding to inquiries of Parliamentarians, individual Canadians and organizations seeking information and guidance and taking proactive steps to inform them of emerging privacy issues;
• Promoting public awareness and compliance, and fostering understanding of privacy rights and obligations through: proactive engagement with federal government institutions, industry associations, legal community, academia, professional associations, and other stakeholders; preparation and dissemination of public education materials, positions on evolving legislation, regulations and policies, guidance documents and research findings for use by the general public, federal government institutions and private sector organizations;
• Providing legal opinions and litigate court cases to advance the interpretation and application of federal privacy laws;
• Monitoring trends in privacy practices, identify systemic privacy issues that need to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and
• Working with privacy stakeholders from other jurisdictions in Canada and on the international scene to address global privacy issues that result from ever-increasing trans-border data flows.

Organizational Structure

The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is assisted by two Assistant Privacy Commissioners, one responsible for matters related to the PA and the other responsible for those related to PIPEDA.

The OPC is comprised of seven distinct branches:

Investigations and Inquiries Branch

The Investigations and Inquiries (I&I) Branch investigates complaints received from individuals under Section 29 of the PA and Section 11 of PIPEDA which may include allegations of the mismanagement of personal information but which are different from incident investigations. The Branch also investigates incidents that are different from individual complaints and not filed under those provisions. These incidents come to the Branch’s attention through various sources, including federal government institutions subject to the PA and entities subject to PIPEDA. The Branch also examines these occurrences in an effort to assist federal government institutions PA and organizations PIPEDA in ensuring that such incidents do not recur. The Branch is headed by Mr. Art Dunfee, Director General.

Audit and Review Branch

The Audit and Review Branch audits organizations to assess their compliance with the requirements set out in the two federal privacy laws. The Branch also analyses and provides recommendations on PIAs submitted to the OPC pursuant to the Treasury Board Secretariat Policy on PIAs. The Branch is headed by Mr. Steven Morgan, Director General.

Research, Education and Outreach Branch

The Research, Education and Outreach Branch is responsible for researching privacy and technology issues to support policy development, investigation and audit, and the public education program. The Branch administers the research program, which was launched in 2004 to support research into, and the promotion of, the protection of personal information. The Branch supports international outreach activities and stakeholder engagement activities. The Branch is headed by Mr. Colin McKay, Director.

Communications Branch

The Communications Branch focuses on providing strategic advice and support for communications and public education activities for the OPC. In addition, the Branch plans and implements public education and communications activities through media monitoring and analysis, public opinion polling, media relations, publications, special events and the OPC web site. The Branch is headed by Ms. Anne-Marie Hayden, Director.

Legal Services, Policy and Parliamentary Affairs Branch

The Legal Services, Policy and Parliamentary Affairs Branch provides strategic legal and policy expertise to the OPC on emerging privacy issues in Canada and internationally. It represents the OPC in litigation before the courts both in Canada and internationally, and provides advice to the Commissioners on the interpretation and application of the PA and PIPEDA. The Branch provides expert legal support to the operational Branches of OPC, including Inquiries & Investigations and Audit & Review, as well as general legal counsel on a variety of corporate matters. It is responsible for monitoring legislative and government program initiatives, analyzing them and advising the Commissioners on appropriate policy positions to protect and advance privacy rights in Canada. The Branch prepares for and supports the office in appearances before Parliament and in relations with Parliamentarians. The Branch is headed by Ms. Lisa Campbell, Acting General Counsel.

Human Resources

Human Resources is responsible for the provision of strategic advice, management and delivery of comprehensive human resource management programs in areas such as staffing, classification, staff relations, human resource planning, learning and development, employment equity, official languages and compensation. The Branch is headed by Ms. Maureen Munhall, Director.

Corporate Services

The Corporate Services Branch provides advice and integrated administrative services such as corporate planning, resource management, financial management, information management/technology and general administration to managers and staff. The Branch is headed by Mr. Tom Pulcine, Director General and Chief Financial Officer.

The Access to Information and Privacy (ATIP) Unit falls under the Corporate Services Branch. ATIP is headed by a Director who is supported by one Senior Analyst.

Under section 73 of the Privacy Act the Privacy Commissioner, as the head of the OPC, delegated her authority to the Director General of Corporate Services and to the ATIP Director with respect to the application of the Act and its Regulations. However, due to the seriousness of public interest disclosures under section 8(2)(m) of the Act, the Commissioner has retained sole delegation for those decisions. A copy of the Delegation Order is attached as Appendix A.

The ATIP Director also serves as the OPC’s Chief Privacy Officer.

Privacy Commissioner, ad hoc / Complaint Mechanism

In our 2007-2008 Annual Report on the Privacy Act, we outlined our views concerning the silence of the Federal Accountability Act with respect to an independent mechanism under which Privacy Act complaints against the OPC would be investigated.

We remain of the view that it is inappropriate that the OPC investigate its own actions with respect to its administration of the Act but as the situation remains unchanged, we continue to maintain our own mechanism.

The Privacy Commissioner, ad hoc for the first fiscal year was the Honorable Peter de C. Cory to whom the Privacy Commissioner delegated the majority of her powers, duties and functions as set out in sections 29 through 35 and section 42 of the Act in order that he could investigate Privacy Act complaints lodged against the OPC.

The current Privacy Commissioner, ad hoc is the Honourable Andrew W. MacKay, former Judge of the Federal Court to whom the Privacy Commissioner has delegated the same powers, duties and functions as those delegated previously. Mr. MacKay’s biography may be found at http://cas-ncr-nter03.cas-satj.gc.ca/portal/page/portal/fc_cf_en/MacKay.

ATIP Unit Activities

While we had hoped to provide Privacy Act training to staff this year, the focus was once again on the Access to Information Act (ATIA) as we experienced a significant turnover of staff new to the OPC, the majority of who had not had previous training on the ATIA. As noted in our first annual report, given the nature of the work mandated to us under the Privacy Act, OPC staff are already extremely sensitized to privacy issues and to what is required of the OPC with respect to the handling of personal information. Still, we hope to be able to provide specific training on the Act in the 2009-2010 fiscal year.

During the reporting year, ATIP finalized, received approval for and registered all of our Personal Information Banks and, so, we will be fully described in the Treasury Board Secretariat’s next printing of Info Source.

In 2007 the Information and Privacy Policy Division of the Chief Information Officer Branch of the Treasury Board Secretariat began the process of renewing the Access to Information and Privacy policies and guidelines. The OPC’s ATIP Director is part of the Secretariat’s Policy Renewal Working Group and, as such, continued to participate in working group meetings.

Throughout the year the ATIP Unit has been active in providing advice to all OPC staff with respect to informal requests for access to personal information and concerning the proper handling of the personal information under our control. ATIP has also continued to support the Information Management function by providing input concerning proper information handling practices.

Finally, the ATIP section on the OPC website has been updated to include the OPC’s “Principles on Assistance to Applicants” concerning the processing of requests under the PA and the ATIA:

In processing your access request under the Access to Information Act or the Privacy Act we will:

• Process the request without regard to your identity.
• Offer reasonable assistance throughout the request process.
• Provide information on the Acts including information on the processing of your request and your right to complain to the Information Commissioner of Canada or to the Privacy Commissioner ad hoc.
• Inform you as appropriate and without undue delay when your request needs to be clarified.
• Make every reasonable effort to locate and retrieve the requested records under the control of the government institution.
• Apply limited and specific exemptions to the requested records.
• Provide accurate and complete responses.
• Provide timely access to the requested information.
• Provide records in the format and official language requested as appropriate.
• Provide an appropriate location within the government institution to examine the requested information.

Privacy Act Statistical Report and Interpretation

The OPC’s statistical Report on the Privacy Act is attached at Appendix B.

The OPC received 85 formal requests under the Privacy Act for the fiscal year, up from 45 the previous year. However, the vast majority of those requests—75 of them—sought access to personal information under the control of other government institutions. They were therefore re-directed to those institutions for processing, for example to the Canada Revenue Agency, Correctional Service Canada, the Department of National Defence and the RCMP.

Last reporting year the OPC received 22 Privacy Act requests for personal information under our control and we processed some 4,451 pages of information. This fiscal year was quite different in that we only received 10 such requests which comprised 885 pages. We do not know the reason for the drop in numbers but perhaps the explanation on our website concerning the mandatory nature of section 22.1 had a role to play—we simply do not know.

Still, ATIP took no extensions of the statutory time limit in order to process the requests and all were completed within the first 30 days. The longest request to process took 15 days and the shortest time taken was 1 day. No requests were carried over to the next fiscal year.

Section 22.1 of the Privacy Act was added to the Act as a result of the Federal Accountability Act. This provision requires that the OPC protect the information that we obtained during the course of our investigations or audits even once the matter and all related proceedings have been concluded.

Of the 10 Privacy Act requests completed, 7 were for the contents of Privacy Act or PIPEDA investigation files. In 1 instance all of the information was withheld as the case had not yet been concluded. In the remaining cases our investigations and all related proceedings were closed. So, the information in those files was processed and released to the requesters subject to applicable exemptions. Other exemptions applied in conjunction with section 22.1 (which was claimed in 7 cases) were sections 26 (claimed in 4 cases—2 requests processed together) and 27 (claimed in 1 case)—still other information was withheld as the individual did not have a right of access to it (section 12(1) of the Act).

As to the 3 remaining requests, no information existed in one instance, one request was abandoned, and all information was released in the last request but for small snippets of personal information about individuals other than the requester.

The OPC did not receive any complaints against it under the Privacy Act in this reporting year. However, the results of the investigation of 2 ‘access’ complaints that were received in the 2007-2008 fiscal year were reported by the Privacy Commissioner ad hoc, on April 2, 2008 and are included here. We are pleased to say that both complaints (which had been filed by one individual), were concluded by the Privacy Commissioner ad hoc as “not well-founded”. 

No applications have been submitted to the Federal Court following the Privacy Commissioner ad hoc’s findings.

Finally, unlike last year when the OPC was consulted 3 times by other government institutions, the OPC receive no such consultations this year.

Report on the Privacy Impact Assessment (PIA) Policy

The Privacy Impact Assessment Policy which came into effect on May 2, 2002, requires that the Treasury Board Secretariat monitor compliance with the Policy. Given this responsibility, institutions are asked to include pertinent statistics in their annual reports on the administration of the Privacy Act.

The OPC has not conducted any PIAs during this reporting fiscal year. The ATIP Director has, however, begun to draft a PIA concerning the OPC’s new Case Management System. It is anticipated that it will be completed for the next reporting year.

Data Sharing Activities

The OPC has not undertaken any data sharing activities this reporting year.

Disclosures of Personal Information

The OPC disclosed no personal information under sections 8(2)(e), (f), (g) or (m) of the Privacy Act during this fiscal year.

Privacy-Related Policies

The ATIP Director is a member of the OPC’s Policy Development Committee. In that role, policies, directives and guidelines have been and continue to be reviewed to ensure that the Privacy Act is respected. In the 2007-2008 Annual Report we reported that ATIP had drafted the OPC’s Employee Privacy Policy, a Corporate Privacy Policy and a Privacy Breach Policy.  All of these have since been approved by the Committee and the OPC’s Senior Management Committee and they are now in place. 

Additional copies of this report may be obtained from:

Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON  K1A 1H3

Appendix A – Privacy Act
Delegation Order

The Privacy Commissioner of Canada, as the head of the government institution, hereby designates pursuant to section 73 of the Privacy Act, the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Privacy Commissioner as specified below and as more fully described in Annex A:

Position	Sections of Privacy Act
Privacy Commissioner Assistant Commissioner	8(2)(m)
Director General, Corporate Services and Chief Financial Officer Director, ATIP	Act: 8(2)(j), 8(4) and (5), 9(1) and (4), 10, 14, 15, 17(2)(b) and (3)(b),18 to 28, 31, 33(2), 35(1) and (4), 36(3), 37(3), 51(2)(b) and (3), 72(1) Regulations: 9, 11(2) and (4), 13(1), 14

Dated at the City of Ottawa, this 1^st day of October, 2008

(Original signed by)
__________________________
Jennifer Stoddart
Privacy Commissioner of Canada

Privacy Act

8(2)(j)	Disclose personal information for research purposes
8(2)(m)	Disclose personal information in the public interest or in the interest of the individual
8(4)	Retain copy of 8(2)(e) requests and disclosed records
8(5)	Notify Privacy Commissioner of 8(2)(m) disclosures
9(1)	Retain record of use
9(4)	Notify Privacy Commissioner of consistent use and amend index
10	Include personal information in personal information banks
14	Respond to request for access within 30 days; give access or give notice
15	Extend time limit for responding to request for access
17(2)(b)	Decide whether to translate requested information
17(3)(b)	Decide whether to give access in an alternative format
18(2)	May refuse to disclose information contained in an exempt bank
19(1)	Shall refuse to disclose information obtained in confidence from another government
19(2)	May disclose any information referred to in 19(1) if the other government consents to the disclosure or makes the information public
20	May refuse to disclose information injurious to the conduct of federal-provincial affairs
21	May refuse to disclose information injurious to international affairs or defence
22	Series of discretionary exemptions related to law enforcement and investigations; and policing services for provinces or municipalities.
22.1(1)	In force April 1, 2007 - Privacy Commissioner shall refuse to disclose information obtained or created in the course of an investigation conducted by the Commissioner
22.1(2)	In force April 1, 2007 - Privacy Commissioner shall not refuse under 22.1(1) to disclose any information created by the Commissioner in the course of an investigation conducted by the Commissioner once the investigation and related proceedings are concluded
23	May refuse to disclose information prepared by an investigative body for security clearances
24	May refuse to disclose information collected by the Correctional Service of Canada or the National Parole Board while individual was under sentence if conditions in section are met
25	May refuse to disclose information which could threaten the safety of individuals
26	May refuse to disclose information about another individual, and shall refuse to disclose such information where disclosure is prohibited under section 8
27	May refuse to disclose information subject to solicitor-client privilege
28	May refuse to disclose information relating to the individual’s physical or mental health where disclosure is contrary to best interests of the individual
31	Receive notice of investigation by Privacy Commissioner
33(2)	Right to make representations to the Privacy Commissioner during an investigation
35(1)	Receive Privacy Commissioner’s report of findings of the investigation and give notice of action taken
35(4)	Give complainant access to information after 35(1)(b) notice
36(3)	Receive Privacy Commissioner’s report of findings of investigation of exempt bank
37(3)	Receive report of Privacy Commissioner’s findings after compliance investigation
51(2)(b)	Request that section 51 hearing be held in the National Capital Region
51(3)	Request and be given right to make representations in section 51 hearings
72(1)	Prepare annual report to Parliament

Privacy Regulations

9	Provide reasonable facilities to examine information
11(2) and (4)	Procedures for correction or notation of information
13(1)	Disclosure of information relating to physical or mental health to qualified practitioner or psychologist
14	Require individual to examine information in presence of qualified practitioner or psychologist

Appendix B – Statistical Report on the Privacy Act

REPORT ON THE PRIVACY ACT

Institution Office of the Privacy Commissioner of Canada

Reporting period / Période visée par le rapport April 1, 2008 to March 31, 2009

I	Requests under the Privacy Act / Demandes en vertu de la Loi sur la protection des renseignements personnels

Received during reporting period / Reçues pendant la période visée par le rapport		85
Outstanding from previous period / En suspens depuis la période antérieure
TOTAL		85
Completed during reporting period / Traitées pendant la période visées par le rapport		85
Carried forward / Reportées

II	Disposition of request completed / Disposition à l'égard des demandes traitées

1.	All disclosed / Communication totale
2.	Disclosed in part / Communication partielle	7
3.	Nothing disclosed (excluded) / Aucune communication (exclusion)
4.	Nothing disclosed (exempt) / Aucune communication (exemption)	1
5.	Unable to process / Traitement impossible	1
6.	Abandonned by applicant / Abandon de la demande	1
7.	Transferred / Transmission	75
TOTAL		85

III	Exemptions invoked / Exceptions invoquées

S. Art. 18(2)
S. Art. 19(1)(a)
(b)
(c)
(d)
S. Art. 20
S. Art. 21
S. / Art. 22(1)(a)
(b)
(c)
S. / Art. 22(2)
S. / Art. 23  (a)
(b)
S. / Art. 24
S. / Art. 25
S. / Art. 26		4
S. / Art. 27		1
S. / Art. 28

IV	Exclusions cited / Exclusions citées

S. Art. 69(1)(a)
(b)
S. Art. 70(1)(a)
(b)
(c)
(d)
(e)
(f)

V	Completion time / Délai de traitement

30 days or  under / 30 jours ou moins		85
31 to 60 days / De 31 à 60 jours
61 to 120 days / De 61 à 120 jours
121 days or over / 121 jours ou plus

VI	Extentions / Prorogations des délais

			30 days or under / 30 jours ou moins	31 days or over / 31 jours ou plus
Interference with operations / Interruption des opérations
Consultation
Translation / Traduction
TOTAL

VII	Translations / Traductions

Translations requested / Traductions demandées
Translations prepared /			English to French / De l'anglais au français
Traductions préparées			French to English / Du français à l'anglais

VIII	Method of access / Méthode de consultation

Copies given / Copies de l'original				7
Examination / Examen de l'original
Copies and examination / Copies et examen

IX	Corrections and notation / Corrections et mention

Corrections requested / Corrections demandées
Corrections made / Corrections effectuées
Notation attached / Mention annexée

X	Costs / Coûts

Financial (all reasons) / Financiers (raisons)
Salary / Traitement		$ 92,411.58
Administration (O and M) / Administration (fonctionnement et maintien)
TOTAL		$ 92,411.58

Person year utilization (all reasons) / Années-personnes utilisées (raisons)
Person year (decimal format) / Années-personnes (nombre décimal)			1.089

TBS/SCT 350-63 (Rev. 1999/03)

Appendix C

Discrepancies
III – Exemptions invoked Section 22.1 was invoked on 7 requests. X – Costs All operating and maintenance costs are borne by other OPC Branches i.e.:  Human Resources (training), Information Technology (computers, printouts, etc), Corporate Services (supplies, mailing, etc).

Supplemental Reporting Requirements for 2008-2009
Privacy Act

Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for the 2008-2008 reporting period.

Indicate the number of:

Preliminary Privacy Impact Assessments initiated: N/A

Preliminary Privacy Impact Assessments completed: N/A

Privacy Impact Assessments initiated: 1

Privacy Impact Assessments completed: N/A

Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): N/A

If your institution did not undertake any of the activities noted above during the reporting period, this must be stated explicitly.