Annual Reports to Parliament

[Back to Table of Contents] [Part One] [Part Two] [Part Three]

Annual Report to Parliament 2003-2004

---

Part One - Report on the Privacy Act

Introduction

The Privacy Act has been in force in Canada since 1983, protecting the personal information of individuals held by institutions of the federal government. The Act governs the collection, use, disclosure, retention and disposal of personal information by federal government departments and agencies. It gives individuals the right to request access to and correction of their government-held personal information. The Act also sets out the duties, responsibilities and mandate of the Privacy Commissioner of Canada.

The Commissioner receives and investigates complaints from individuals who believe their Privacy Act rights have been violated. The Commissioner may herself initiate a complaint and investigation in any situation where she has reasonable grounds to believe the Act has been violated.

The Privacy Commissioner of Canada works as an ombudsman to resolve complaints through mediation, negotiation, and persuasion whenever possible.

However, the Act gives the Commissioner broad investigative powers in order to carry out her mandate. She may subpoena witnesses, compel testimony, and enter premises to obtain documents or to conduct interviews. It is an offence under the Act to obstruct an investigation. The Act does not grant order-making powers to the Commissioner.

However, the Commissioner can and does make recommendations for changes in the information-handling practices of government institutions when necessary. The Commissioner may conduct audits of any federal department or agency at any time, and may recommend changes to any practices that are not in compliance with the Privacy Act.

The Commissioner is required to submit an Annual Report to Parliament, detailing the activities of the Office in the previous fiscal year. This Report covers the period from April 1, 2003 to March 31, 2004 for the Privacy Act.

Investigations and Inquiries

The Office of the Privacy Commissioner is responsible for investigating complaints received from individuals under section 29 of the Privacy Act (and section 11 of the Personal Information Protection and Electronic Documents Act, known as PIPEDA).

Investigations serve to establish whether individuals have had their privacy rights violated and whether they have been accorded their rights of access to their personal information. Where privacy or access rights have been violated, the investigation process seeks to provide redress for individuals and prevent violations from reoccurring.

Last year the Office received 4,206 new complaints – an all-time record representing a 250 per cent increase over last year. There were several contributing factors:

• 472 members of Canada's aboriginal communities complained that they were required by Health Canada to sign a broadly worded consent form in order to receive government-funded health benefits;
• 608 correctional officers lodged more than 1,100 complaints against Correctional Service Canada (CSC) for refusing to give them copies of their employee personnel files;
• 107 employees at the Joyceville Institution complained that CSC failed to protect their personal information, after learning that a list containing their home addresses and phone numbers had been found amongst the inmate population; and,
• 38 offenders in British Columbia filed a total of 950 complaints against CSC for not providing timely responses to requests for their personal information held in the 25 standard personal information banks CSC maintains on offenders.

Erratum The print version of the 2003-2004 Annual Report to Parliament contained an error regarding the number of complaints concluded by our investigators. The correct number of complaints concluded was 3,134 as was indicated under the section Complaints under the Privacy Act.

It was also a record year in terms of productivity with investigators concluding 3,134 complaints.

Complaints under the Privacy Act

It was also a record year in terms of productivity with investigators concluding 3134 complaints. Although we did close 3,483 cases last year, 2,323 of these represented investigative work done two years earlier. This year's statistics represent active investigative work completed in 2003/2004. They were concluded as follows:

Not well-founded	1,243
Well-founded	1,180
Well-founded/resolved	69
Resolved	11
Settled	265
Discontinued	366

Definitions of findings under the Privacy Act

Not Well-founded: This finding means that the investigation uncovered no or insufficient evidence to conclude that the government institution violated the complainant's rights under the Privacy Act.

Well-founded: This finding means that the government institution failed to respect the Privacy Act rights of an individual.

Well-founded/Resolved: This finding means that the allegations are substantiated by the investigation, and the government institution has agreed to take corrective measures to rectify the problem.

Resolved: This finding is used for those complaints where well-founded would be too harsh to fit what essentially is a miscommunication or misunderstanding. It means that this Office, after a full and thorough investigation, has helped negotiate a solution that satisfies all parties.

Settled during the course of the investigation: This disposition is used when the Office has helped negotiate a solution that satisfies all involved parties during the course of the investigation. No finding is issued.

Discontinued: This means that the investigation was terminated before all the allegations were fully investigated. A case may be discontinued for any number of reasons – for instance, the complainant may no longer be interested in pursuing the matter or cannot be located to provide additional information critical to reaching a conclusion.

Early resolution: This is a new type of disposition, which the Office will begin using in April 2004. It will be applied to situations where the issue is dealt with before a formal investigation is undertaken. For example, if an individual lodges a complaint about an issue that the Office has already investigated and found to be compliant with the Privacy Act, we would explain this to the individual. We also receive complaints where proceeding with a formal investigation could have adverse implications for the individual, which are discussed at length with the individual. In these situations, where the individual chooses to not proceed further, the file is closed as "early resolution".

Select Cases under the Privacy Act

HEALTH CARE

Health Canada's Non-Insured Health Benefits Program

Overview
In the summer of 2003 the OPC received several hundred complaints, as well as numerous inquiries, about Health Canada's decision to require First Nations and Inuit recipients of certain government-funded health benefits to sign a consent form endorsing the department's practices with regard to the collection, use, and disclosure of their personal information. The complainants objected to the complex language of the form, its broad scope, and the lack of adequate measures to protect personal information held by third-party service providers.

Several aboriginal associations, including the Assembly of First Nations and the Inuit Tapiriit Kanatami, supported the complaints and made representations on behalf of their membership.

The impetus for the campaign was a recommendation from the Auditor General that Health Canada improve its tracking mechanisms to prevent the misuse of prescribed drugs. Health Canada also worked to respect the right of benefit recipients to be fully informed about the possible consequences of a drug utilization review.

The complainants felt that the program benefits were and had always been a matter of treaty rights, and that they had no real choice but to agree to review practices that Health Canada was now planning to impose or lose their benefit coverage. They objected to the complex language of the form, its broad scope, and the lack of adequate measures to protect personal information held by third-party providers.

Actions taken by the OPC
We accepted the complaints under the provisions of the Privacy Act, and subsequently determined that there was no infringement of a provision of that Act. However, our Office continued to work with the aboriginal associations and the department to craft a new approach to the consent initiative that would address privacy concerns. We jointly identified the critical points in the health benefits program requiring fully informed consent of recipients. In addition, we agreed that the privacy provisions of the contracts with third-party providers needed to be strengthened, and Health Canada committed to do so. We also agreed the language of the consent forms needed to be as simple and clear as possible.

Outcome of OPC Actions
Health Canada subsequently proposed an alternative approach to the consent initiative, one that has been supported by aboriginal stakeholders. The approach is as follows:

• the department will continue to promote consent as a matter of best practice (a position that our Office endorses), but will no longer require that everyone sign a form;
• it will implement a mechanism to obtain the express consent of benefit recipients where there are patient safety issues or concerns that the program is being used inappropriately;
• it has established a Health Canada/ First Nations Drug Utilization Review Committee, composed of licensed health care professionals, experts in drug use evaluation, Aboriginal health issues and drug utilization;
• it is developing a Privacy Code that sets out the program's collection, use and disclosure practices. The Code meets the higher standard of consent embedded in the Personal Information Protection and Electronic Documents Act, as many of the third-party providers associated with Health Canada's program are subject to that Act.

Our Office has offered continuing support to achieve an appropriate balance between the privacy interests of benefit recipients, and the program imperatives of Health Canada.

RCMP medical questionnaire too intrusive for civilian applicants

Overview
A woman was denied a civilian telecommunications officer position with the RCMP after refusing to answer certain questions posed on a medical history questionnaire she was asked to complete during the recruitment process. The questions included:

• "Do you have monthly menstrual periods?"
• "What was the date of your last period?"
• "Are your menstrual periods painful?"
• "When was your last Pap smear test?"
• "How many times, including abortion and miscarriage have you been pregnant?"

Candidates were also asked if they had varicose veins, arthritis, phlebitis, hay fever, venereal disease, and whether any of their family members had diabetes, cancer, high blood pressure, tuberculosis or heart disease.

Actions taken by the OPC
We established that the woman was required to submit to the same testing process as a candidate applying to be a police officer. The RCMP, however, could not demonstrate how such questions were relevant to a civilian desk job. We concluded that the complaint was well-founded.

Outcome of OPC Actions
Following discussions with the RCMP, its Health Services officials agreed to suspend the use of this questionnaire for civilian candidates. It has undertaken to create a new form specifically for telecommunications officer candidates and geared to the medical requirements of the job, such as hearing, upper body movement, and diseases that could affect cognitive thinking and speech recognition.

While the woman also objected to having to undergo a psychological assessment, the RCMP explained to our satisfaction that telecommunications officers are often the only lifeline between victims and the police officers handling emergency calls. The RCMP therefore needs to ensure that candidates are able to withstand the pressures of the job and deal comfortably with the situations they encounter. Collection of personal information to assess candidates' ability to deal with those stresses is therefore reasonable and appropriate.

SURVEILLANCE TECHNOLOGIES

Video surveillance cameras at Nanaimo Harbour Front scaled back

Overview
A British Columbia resident, aware of the former Commissioner's position on video surveillance on the streets of Kelowna, lodged a complaint about the Nanaimo Port Authority's plans to install video surveillance cameras within its Harbour Front.

The Port Authority provides, among other things, mooring facilities for a fee. The customers paying for this service expect the Port Authority to protect their property. Several customer complaints about vandalism and thefts from vessels prompted the Port Authority to consider installing cameras on its piers. Other areas of the property were also earmarked for surveillance – the Port Authority's offices, the parking lots, a boardwalk, the laundry facilities, and the area where fishers and other boat owners deposit pollutants from their vessels that could endanger the environment.

Actions taken by the OPC
While we did not object to the cameras installed in most of these areas for security purposes, we had concerns about monitoring activities along the publicly accessible boardwalk.

Outcome of OPC Actions
The Port Authority's officials readily agreed to move the cameras away from that area. It also agreed to post signs alerting the public of the presence of surveillance cameras at the Harbour Front.

The investigation helped the Port Authority put safeguards in place to ensure that data collected by the cameras is adequately protected, that it is retained no longer than necessary, and that access and disclosure of the information is closely restricted. Given the Port Authority's willingness to address our concerns, the complaint was deemed resolved.

A different kind of fishing expedition?

Overview
The Office received two complaints about the Fisheries and Oceans Canada Observer Program that requires fishers as a condition of their licence, to allow an observer to stay on board their commercial fishing vessels, including during the evening and overnight hours, and during non-fishing hours. Some fishers have only family members on board, and their vessels are too small to accommodate a stranger. One of the complaints also concerned the intrusiveness of an alternative to having the observer on board – electronic monitoring by use of video cameras and global positioning systems.

Actions taken by the OPC
The investigation established that the Observer Program is authorized by regulation. Observers' duties are to monitor fishing activities by, among other things, examining and measuring fishing gear, verifying the weight and species of fish caught, inspecting fishing records and conducting biological samplings of fish. The only personal information observers would normally collect include the names, addresses and contact numbers of vessel personnel. All of the remaining information collected relates to the fishing activities under observation.

While having a stranger on board vessels is intrusive by nature, the issue is one of "personal" privacy, which does not fall under the Privacy Act, rather than one of protection of personal information.

Outcome of OPC Actions
The Office concluded the complaints were not well-founded. Although the complaints were not well-founded, we discussed the complainants' concerns with Fisheries and Oceans Canada officials who maintained that the department must retain the ability to monitor the fishery. However, they agreed to consult the fishing industry, and we encouraged them to recommend other less intrusive options to carry out this program activity.

HANDLING OF PERSONAL INFORMATION

Where were you born?

Overview
An individual complained that the practice of the Department of Foreign Affairs and International Trade of displaying a passport holder's place of birth on the passport was discriminatory and violated individual privacy.

Actions taken by the OPC
Our investigation determined that more than 85 countries require that the place of birth be indicated on the passport before entry is permitted. Foreign Affairs officials indicated that when negotiating reciprocal visa-waiving agreements, the place of birth on the passport is often a condition stipulated by other countries. The International Civil Aviation Organization also recommends including place of birth on travel documents.

Nevertheless, passport holders have had the option of having this information displayed or not since 1986. Those choosing to have it excluded must sign statements that they were informed they might encounter difficulties at border points, such as additional questioning by customs officers, the requirement to obtain a visa, or even denial of entry.

Outcome of OPC Actions
We concluded that the complaint was not well-founded.

Correspondence to CRTC posted on Web site

Overview
An individual wrote to the Canadian Radio-television & Telecommunications Commission (CRTC) supporting the licence application of a cultural broadcasting company.

The CRTC posted the individual's correspondence on its Web site exactly as it had been received, including her name, address, phone number and e-mail address. This practice is explained on the Web site, but unfortunately the individual had not noticed this and had no idea that her correspondence would be published in this fashion. She was also not aware that she could ask the CRTC to remove personal identifiers before the correspondence was posted.

When the individual learned that her personal information was on the Web site, she immediately asked that it be removed. The CRTC complied within 48 hours. However, in the meantime, the search engine Google (and possibly others) had picked up the data. When the individual's name was "Googled," her original correspondence to the CRTC would come up.

The individual contacted Google requesting that it too remove her personal information. It replied that it would not do so without a formal request from the webmaster of the site that originally posted the information on the Internet. The individual forwarded her correspondence to the CRTC for appropriate follow-up action, but her personal information remained on the Internet.

Actions taken by the OPC
Following our Office's intervention, the CRTC's webmaster made three requests to Google. None of these requests received a formal response. However, Google did eventually remove the individual's personal information – to her relief and satisfaction.

Outcome of OPC Actions
We closed the file as "settled during the course of investigation."

Taxpayers must comply with Canada Revenue Agency demands for information

Overview – Case One
Two cases the Office investigated last year illustrate the Canada Revenue Agency's (CRA's) authority to require taxpayers to provide very private information.

In the first case, during a routine audit of an Ontario man's 2001 tax return, the CRA asked him to provide a copy of the separation agreement with his former spouse to substantiate the amounts he claimed as child support payments. Although he agreed to provide those portions of the separation agreement that dealt specifically with the payments, he objected to the CRA's insistence that it be given a complete unsevered copy.

Overview – Case Two
In the second case, a Quebec woman complained about the detailed questions posed by a CRA officer attempting to collect an outstanding tax debt. She had been unable to pay the full amount of her tax debt within a reasonable period and requested an extended payment arrangement.

Actions taken by the OPC
Following our investigation of the first case, we explained to the complainant that the CRA had the legal authority under the Income Tax Act to demand this information in order to satisfy itself that there were no other clauses in the agreement about child support that might have an impact on his tax situation.

In the second case, we determined that the CRA tries in such cases to reach a mutually acceptable payment schedule with tax debtors based on their financial situation. This requires the individual to make full disclosure of his/her income and his/her monthly expenses as well as assets and liabilities. If an acceptable arrangement is not reached, the CRA may take legal action to recover the debt, including seizing and selling the debtor's assets.

Outcome of OPC Actions
In the first case, in an effort to limit the privacy intrusion, the CRA agreed to keep for its records only those portions of the agreement pertinent to the man's child support payments that it needed to determine his entitlements. The man was pleased with the compromise, and the case was closed as "settled during the course of investigation."

In the case at hand, the CRA officer questioned the woman's expenses for costly prescription drugs to deal with her medical condition, which she claimed precluded her from making significant advances in reducing the debt. The officer asked the woman to obtain a note from her treating physician confirming her condition, which would be factored into the CRA's assessment of her monthly expenses. The complainant accepted our explanations about the CRA's rationale for such an unusual request and the implications should she not comply. The file was closed as "settled during the course of investigation."

Incidents under the Privacy Act

Incidents of mismanagement of personal information that warrant further review are brought to the attention of our Office. We conducted 30 such reviews last year. Of note, seven of the incidents related to clients of government departments receiving another client's personal information in error.

Health Identification Cards forwarded to wrong address
In one such case, Veterans Affairs Canada (VAC) was in the process of re-issuing approximately 143,000 client health identification cards with a new National Contact Centre toll-free number. A corrupted data file used during production assigned to about 12,000 clients in Ontario contained the addresses of other clients and before the error was detected, the new cards were incorrectly forwarded to the wrong addresses. VAC officials told us that as soon as they learned about the problem, they immediately halted production until enhanced quality control procedures were implemented. The department contacted all the clients affected by the error.

Misdirected passports
The Office also reviewed two instances of misdirected passports. In one case, an Alberta man received an envelope from the Passport Office containing the passport, birth certificate, credit card information and driver's licence of a woman from Quebec, along with his own documents. In the second case, a Canadian citizen living in Colorado, USA, was mistakenly sent the passport, green card, birth certificate and credit card number belonging to woman living in Wisconsin, USA. The Wisconsin resident received the documents belonging to the Colorado woman. We determined that human error was the contributing factor in both cases; the passports were prepared and mailed on the same day, along with several thousand others.

With that many mailings in one day, mistakes in stuffing envelopes can happen. The Passport Office indicated that in the six-month time frame between incidents, it had processed in excess of 500,000 applications. The increased volume was a result of additional security procedures and travel restrictions put in place internationally after the events of 9/11. Since enhancements to the mailing procedures were implemented in January 2004, neither the Passport Office nor this Office has received further complaints about misdirected passport documentation.

Stolen computers raise privacy concerns
In another case, six computers were stolen from the CRA's Laval, Quebec tax services office. One of the computers was being used to test computer applications. It was password protected, and contained approximately two million records from four confidential databases. These databases contained personal information, but not tax return information. More than 120,000 affected individuals were advised of the security breach, and given tips on what to do to reduce the possibility of identity theft, such as:

• review and verify all bank account, credit card and other financial transaction statements;
• report any problems/delays with mail delivery to Canada Post;
• report to Human Resources and Skills Development Canada any suspicion about use of the social insurance number (SIN); and
• contact a credit reporting agency such as Equifax or Trans-Union, which are experienced in helping individuals in such matters.

Sixteen individuals later lodged formal complaints with our Office, alleging that the CRA had not adequately protected their information. The CRA indicated that as a result of a lapse in security procedures, the computer had not been stored in a secure room at the end of the day. Appropriate disciplinary action, consistent with CRA policies, was taken.

Public interest disclosures under the Privacy Act

Paragraph 8(2)(m) of the Privacy Act gives heads of government institutions the discretion to disclose personal information without the individual's consent where the disclosure would benefit the individual or where there is a compelling public interest that outweighs the invasion of the individual's privacy. Under subsection 8(5), the head of the institution is required to notify the Privacy Commissioner of such disclosures, preferably in advance unless there is some urgency that dictates otherwise.

Last year we received 67 such notices. Correctional Service Canada (CSC) topped the list with 20 notices, most of them related to the disclosure of personal information about offenders who died in custody. CSC routinely relies on the public interest provisions of the Privacy Act to share information with family members wanting access to the reports prepared by CSC staff who reviewed the circumstances surrounding the offender's death.

The RCMP sent 15 notices of impending public interest disclosures. Most of these concerned individuals released from custody at the end of their sentences who were considered at high risk to re-offend. The RCMP intended to issue press releases in communities where the offender planned to live to alert residents of the individual's presence and of specific conditions attached to the individual's release. For example, such a condition might bar the offender from school grounds, parks or playgrounds or the company of under-age children.

National Defence sent nine notices. Seven concerned sharing information with family members following the death of a Canadian Forces member.

The remaining notices came from Transport Canada, Public Works & Government Services Canada, Agriculture & Agri-Food Canada, Health Canada, Indian & Northern Affairs Canada, the Immigration & Refugee Board, the Treasury Board Secretariat, Solicitor General Canada, the Office of the Auditor General of Canada, the Public Service Commission of Canada, the Ombudsman for National Defence/Canadian Forces, the Commission for Public Complaints against the RCMP, CSIS and the National Parole Board.

Inquiries

The Office responds to thousands of inquiries from the general public seeking advice and assistance on a wide variety of privacy-related issues dealing with federal government institutions.

The most common inquiry our Office received during the 2003/2004 year about the Privacy Act regarded accessing personal information held by a federal department. These inquiries were made by federal employees and citizens alike. Inquirers were also concerned about how well certain federal departments were protecting their personal information.

Inquiry statistics
(April 1 2003 to March 30, 2004)

Telephone inquiries received	2,580
Written inquiries received (letter, e-mail and fax)	2,148
Total number of inquiries received	4,728

Top ten departments by complaints received
For the year ending March 31, 2004

Organization	Total	Access to Personal Information	Time	Privacy	Other
Correctional Service of Canada	2,760	1,235	1,335	190
Health Canada	485	2	3	480
Canada Customs and Revenue Agency	255	103	72	80
Citizenship and Immigration Canada	132	48	75	9
Royal Canadian Mounted Police	129	78	34	17
National Defence	80	32	17	31
Canada Post Corporation	72	13	24	35
Human Resources Development Canada	65	21	10	34
Justice Canada	23	8	10	5
Foreign Affairs and International Trade	22	4	10	8
Others	183	91	39	53
Total	4,206	1,635	1,629	942	0

Complaints received by complaint type
For Complaints Received between 01/04/2003 and 31/03/2004

Complaint Type	Count
Access	1,612
Collection	535
Correction – Notation	20
Correction – Time Limits	27
Extension Notice	28
Inappropriate Fees	1
Language	2
Retention and Disposal	17
Time Limits	1,574
Use and Disclosure	390
Total	4,206

Complaints received by respondent
For Complaints Received from: 01/04/2003 to 31/03/2004

Agriculture & Agri-food Canada	8
Auditor General of Canada, Office of	1
Bank of Canada	1
Business Development Bank of Canada	1
Canada Revenue Agency	265
Canada Post Corporation	72
Canada Firearms Centre	4
Canadian Food Inspection Agency	4
Canadian Heritage	4
Canadian Human Rights Commission	2
Canadian Museum of Civilization	4
Canadian Radio-Television and Telecommunications Commission	3
Canadian Security Intelligence Service	20
Canadian Space Agency	4
Canadian Tourism Commission	4
Citizenship & Immigration Canada	132
Commissioner of Official Languages, Office of the	1
Correction Investigator Canada, The	5
Correctional Service Canada	2,760
EDULINX Canada Corporation	1
Environment Canada	1
Finance Canada, Department of	1
Financial Transactions & Reports Analysis Centre of Canada	1
Fisheries & Oceans	5
Foreign Affairs & International Trade Canada	22
Health Canada	485
Human Resources Development Canada	65
Immigration & Refugee Board	15
Indian & Northern Affairs Canada	2
Industry Canada	2
Justice Canada, Department of	23
Military Police Complaints Commission	5
National Archives of Canada	4
National Defence	80
National Gallery of Canada	1
National Parole Board	19
National Research Council Canada	3
Ombudsman National Defence and Canadian Forces	1
Pension Appeals Board Canada	1
Privy Council Office	5
Public Service Commission Canada	4
Public Works and Government Services Canada	5
Royal Canadian Mint	1
Royal Canadian Mounted Police	129
Solicitor General Canada	8
Statistics Canada	4
Status of Women Canada	2
Transport Canada	10
Treasury Board of Canada Secretariat	5
Veterans Affairs Canada	4
Total	3,134

Closed complaints by complaint type
For Complaints Closed between 01/04/2003 and 31/03/2004

Complaint Type	Count
Access	782
Collection	539
Correction – Notation	14
Correction – Time Limits	16
Extension Notice	30
Inappropriate Fees	1
Language	2
Retention and Disposal	15
Time Limits	1,511
Use and Disclosure	224
Total	3,134

Closed complaints by origin
For complaints closed between 01/04/2003 and 31/03/2004

Province/Territory	Total
Alberta	658
British Columbia	1,128
International	18
Manitoba	65
National Capital Region (ON)	140
National Capital Region (QC)	22
New Brunswick	41
Newfoundland	8
Nova Scotia	27
Nunavut	1
Ontario	315
Prince Edward Island	1
Quebec	560
Saskatchewan	150
Total	3,134

Complaints by complaint type and finding
For complaints closed between 01/04/2003 and 31/03/2004

	Discon- tinued	Not well-founded	Resolved	Settled in course of investigation	Well-founded	Well-founded & Resolved	Total
Access	40	477	6	177	19	63	782
Collection	6	503	3	14	12	1	539
Correction – Notation	0	10	0	2	0	2	14
Correction – Time Limits	1	1	0	0	14	0	16
Extension Notice	0	16	0	0	14	0	30
Inappropriate Fees	1	0	0	0	0	0	1
Language	0	2	0	0	0	0	2
Retention & Disposal	1	5	0	6	1	2	15
Time Limits	294	140	0	11	1,066	0	1,511
Use & Disclosure	23	89	2	55	54	1	224
Total	366	1,243	11	265	1,180	69	3,134

Closed complaints by respondent
For complaints received from 01/042003 to 31/03/2004

Federal Institution	Total
Agriculture & Agri-food Canada	6
Bank of Canada	1
Business Development Bank of Canada	1
Canada Customs & Revenue Agency	252
Canada Post Corporation	46
Canada Firearms Centre	3
Canadian Food Inspection Agency	4
Canadian Heritage	3
Canadian Human Rights Commission	1
Canadian International Development Agency	1
Canadian Museum of Civilization	3
Canadian Radio-Television and Telecommunications Commission	4
Canadian Security Intelligence Service	48
Canadian Space Agency	1
Citizenship & Immigration Canada	92
Commission for Public Complaints Against the RCMP	1
Commissioner of Official Languages, Office of the	1
Communication Canada	1
Correction Investigator Canada, The	4
Correctional Service Canada	1,636
Environment Canada	6
Finance Canada, Department of	1
Fisheries & Oceans	11
Foreign Affairs & International Trade Canada	16
Health Canada	488
Human Resources Development Canada	51
Immigration & Refugee Board	18
Indian & Northern Affairs Canada	3
Industry Canada	7
Justice Canada, Department of	56
Military Police Complaints Commission	4
Montreal Port Authority	1
Nanaimo Port Authority	1
National Archives of Canada	3
National Defence	109
National Parole Board	23
National Research Council Canada	4
Natural Resources Canada	1
Natural Sciences and Engineering Research Council of Canada	1
Office of the Superintendent of Financial Institutions Canada	2
Ombudsman National Defence and Canadian Forces	1
Privy Council Office	3
Public Service Commission Canada	9
Public Works and Government Services Canada	14
Royal Canadian Mounted Police	164
Solicitor General Canada	11
Statistics Canada	1
Transport Canada	5
Treasury Board of Canada Secretariat	8
Veterans Affairs Canada	3
Total	3,134

Completed investigations and results by respondent
For Complaints Closed between 01/04/2003 and 31/03/2004

Respondent	Discon- tinued	Not well-founded	Resolved	Settled in course of investigation	Well-founded	Well-founded & Resolved	Total
Agriculture & Agri-food Canada	1	1	0	2	2	0	6
Bank of Canada	0	0	0	1	0	0	1
Business Development Bank of Canada	0	1	0	0	0	0	1
Canada Customs & Revenue Agency	5	94	2	65	60	26	252
Canada Post Corporation	7	14	1	14	7	3	46
Canada Firearms Centre	0	1	0	2	0	0	3
Canadian Food Inspection Agency	1	2	0	0	1	0	4
Canadian Heritage	0	2	0	1	0	0	3
Canadian Human Rights Commission	0	0	0	0	1	0	1
Canadian International Development Agency	0	1	0	0	0	0	1
Canadian Museum of Civilization	3	0	0	0	0	0	3
Canadian Radio-Television and Telecommunications Commission	0	2	0	2	0	0	4
Canadian Security Intelligence Service	1	43	0	4	0	0	48
Canadian Space Agency	0	0	0	0	1	0	1
Citizenship & Immigration Canada	12	25	0	13	41	1	92
Commission for Public Complaints Against the RCMP	0	1	0	0	0	0	1
Commissioner of Official Languages, Office of the	0	0	0	0	1	0	1
Communication Canada	0	1	0	0	0	0	1
Correction Investigator Canada, The	0	0	0	0	4	0	4
Correctional Service Canada	308	357	2	46	911	12	1,636
Environment Canada	3	1	0	2	0	0	6
Finance Canada, Department of	0	1	0	0	0	0	1
Fisheries & Oceans	2	5	0	3	0	1	11
Foreign Affairs & International Trade Canada	3	6	1	5	1	0	16
Health Canada	0	481	0	4	2	1	488
Human Resources Development Canada	1	25	1	9	9	6	51
Immigration & Refugee Board	0	3	0	1	10	4	18
Indian & Northern Affairs Canada	0	2	0	1	0	0	3
Industry Canada	0	6	0	0	1	0	7
Justice Canada, Department of	0	7	0	41	7	1	56
Military Police Complaints Commission	0	4	0	0	0	0	4
Montreal Port Authority	0	1	0	0	0	0	1
Nanaimo Port Authority	0	0	1	0	0	0	1
National Archives of Canada	0	0	0	1	2	0	3
National Defence	7	21	0	19	52	10	109
National Parole Board	2	19	0	0	2	0	23
National Research Council Canada	1	2	0	0	1	0	4
Natural Resources Canada	0	1	0	0	0	0	1
Natural Sciences and Engineering Research Council of Canada	0	1	0	0	0	0	1
Office of the Superintendent of Financial Institutions Canada	0	2	0	0	0	0	2
Ombudsman National Defence and Canadian Forces	1	0	0	0	0	0	1
Privy Council Office	0	2	0	0	1	0	3
Public Service Commission Canada	0	4	0	1	4	0	9
Public Works and Government Services Canada	2	7	0	1	4	0	14
Royal Canadian Mounted Police	4	79	1	25	52	3	164
Solicitor General Canada	0	10	0	1	0	0	11
Statistics Canada	0	1	0	0	0	0	1
Transport Canada	2	2	0	0	0	1	5
Treasury Board of Canada Secretariat	0	4	2	0	2	0	8
Veterans Affairs Canada	0	1	0	0	2	0	3
Total	366	1,243	11	265	1,180	69	3,134

Privacy Practices and Reviews

The Office of the Privacy Commissioner promotes compliance with Canada's two privacy laws through the conduct of privacy audits and compliance reviews. The Office serves as a source of in-house expertise providing assistance and advice to both public and private sector institutions. With the introduction of the Treasury Board Secretariat's Privacy Impact Assessment (PIA) Policy in May 2002, the Office has also assumed responsibility for reviewing and commenting on the PIAs prepared by federal government institutions.

Audits and compliance reviews under the Privacy Act

During the past year, the Office conducted Section 37 reviews of the personal information-handling practices of the Canada Industrial Relations Board (CIRB) and the Canadian Forces Grievance Board (CFGB). We selected these two institutions not because of any suspicion of non-compliance with acceptable privacy practices, but rather because they are small institutions which have in the past escaped the kind of scrutiny given to larger government institutions with significant personal information holdings.

The purpose of the CIRB and CFGB reviews was to provide guidance and education on privacy matters. This is particularly important in small institutions, where the resources available to devote to privacy are relatively limited. We looked at the practices surrounding the collection, use, disclosure, protection, retention and disposal of personal information, both in hard copy files and electronic format. We also examined the institutions' public listings in Info Source, contracting-out activities, staff awareness of their rights and obligations under the Privacy Act, tele-work arrangements, workplace surveillance and the security issues relating to the electronic transmission of information.

The Canada Industrial Relations Board
The CIRB is the independent, quasi-judicial tribunal which interprets and administers Part 1 (Industrial Relations) and certain provisions of Part II (Occupational Health and Safety) of the Canada Labour Code. The Board certifies trades unions, investigates unfair labour practices, orders an end to unlawful strikes and lockouts, decides jurisdictional issues, deals with the complexities of corporate mergers and sales and offers mediation and arbitration services for dispute resolution.

The compliance review was conducted at the CIRB's head office in Ottawa and at its regional offices in Toronto and Vancouver. The review found that the Board's personal information handling practices generally comply with the fair information principles established in sections 4 to 8 of the Privacy Act. However, our Office identified several matters requiring remedial attention, including the need to develop policies and protocols regarding the protection of operational files and information contained in portable computers carried outside the physical confines of the CIRB. As well, case files required proper identification according to their respective security designations, and attention was needed to properly dispose of records in accordance with established retention and disposition schedules.

The Canadian Forces Grievance Board
Our examination of the Board's operations revealed a high level of compliance with the Privacy Act and its fair information principles. However, the review did remark some forms used by the Board to collect personal information required enhancements to ensure that individuals were informed of the purpose of the collection. The review also indicated the need to establish a policy governing the use of faxes to transmit personal information.

At the end of the reviews, the CIRB and the CFGB were issued reports with our findings. We have recently issued our final reports and are awaiting responses from the CIRB and the CFGB to the recommendations contained therein.

Anti-terrorism survey
In addition to these two audits, our Office followed through with an undertaking, discussed in last year's Annual Report, to assess the impact of anti-terrorism measures adopted in the wake of September 11 2001 on the privacy of Canadians. To this end, we conducted reviews of the Royal Canadian Mounted Police (RCMP), the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment Service (CSE).

The objectives of the reviews were: to determine what had changed in terms of the legislative authorities and operational programs of the RCMP, CSE and CSIS as a result of the anti-terrorism measures introduced by the Government of Canada under its Anti-Terrorism Plan; to examine any new initiative planned or implemented by the organizations subsequent to September 11, 2001, which would impact on the privacy of Canadians; and to assess the extent to which the management of personal information under the new initiatives are in compliance with the fair information practices enunciated in the Privacy Act.

Reviews of CSIS and CSE
With regards to CSIS and the CSE, it should be noted that the scope of the reviews did not include commenting on the broader issues of the Government of Canada's national security or foreign intelligence gathering activities. Rather, the focus was to assess the impact of anti-terrorism measures on the personal information handling practices of these institutions. Our inquiries suggest that the events of September 11, 2001, have not resulted in fundamental changes to the management of personal information held under the control of the CSIS and the CSE. Based on our examination of selected documentation and on the responses of CSIS and CSE officials who were interviewed, no substantive Privacy Act issues or concerns were identified.

Reviews of the RCMP
The compliance review at the RCMP involved an examination of three primary initiatives: Integrated National Security Enforcement Teams (INSETs); Integrated Border Enforcement Teams (IBETs); and the creation of the Financial Intelligence Branch. While our review revealed a high degree of compliance with the Privacy Act, we did have concerns regarding the agreements or arrangements governing the sharing of personal information between the RCMP and its INSET and IBET partners. The matter has been the subject of ongoing discussions with the RCMP.

Cross-border flow of personal information
On the subject of disclosure, a number of programs and activities established by federal Government institutions and agencies provide for the disclosure of personal information about Canadian citizens and residents to departments and agencies of the United States government. During this fiscal year, the Office completed an examination of agreements, arrangements and memoranda of understanding between Canada and the United States that include provisions for the sharing of personal information. Our review found that many of the sharing agreements were deficient in terms of containing adequate privacy protection provisions.

The cross border flow of personal information raises serious privacy risks relating to the jurisdictional differences affecting the protection of personal information, the security of personal information in transit, and the adequacy of legal instruments governing the management of the information shared. Issues related to the trans-border flow of personal information will be a key area of review for the Office during the next fiscal year. To this end, we are conducting an audit of the trans-border information sharing activities of the newly constituted Canadian Border Services Agency (CBSA).

The Canadian Firearms Program
During the course of the year, we continued close monitoring of the Canadian Firearms Program, which was subject to a review by this Office in 2001. Some of the recommendations we made in 2001 have been implemented. The RCMP, for example, adopted our 2001 recommendations to limit Firearms Officer access to the Police Information Retrieval System (PIRS) system and to operational files. We have also followed up on a number of outstanding issues referred to in our 2001 comprehensive Firearms Report, such as outsourcing, international information sharing agreements and the use of supplementary questionnaires.

One of the difficulties in reviewing the Firearms Program is that it has been very much a moving target due to persistent legislative, policy, administrative and information technology (IT) changes to the Program. In the past year, for example, the Auditor General issued her report on the value for money of the program which recommended changes to it; the program was transferred from the Minister of Justice to the Minister of the Solicitor General (now the Department of Public Security and Emergency Preparedness Canada (PSEPC); a new position of Firearms Commissioner has been created; Bill C-10 was passed by Parliament; and Minister Guarnieri was given the mandate in January 2004 to conduct a full program review.

Some of our observations and findings from the 2001 report, and from our more recent review have been affected by these on-going changes. That said, we have made some significant progress with the Canada Firearms Centre to address the outstanding issues in light of the current state of affairs. We will report on further progress in next year's Annual Report.

Other compliance activities

In addition to compliance audits, our Office also undertakes reviews of submissions from both federal government and private sector organizations and offers advice on a broad range of compliance issues. Some of these compliance review activities are mandated under the Privacy Act and the PIPEDA, while others are mandated under federal government policy. Other review activities have come about through institutional arrangements involving voluntary consultation with the Office on privacy matters. Human Resources and Skills Development Canada's (HRSDC) - formally the Department of Human Resources Development Canada (HRDC) - Governance Protocol for the Databank Review Committee is a case in point.

HRSDC databank review
As described in our earlier reports, HRSDC developed a review procedure to deal with policy analysis, research and evaluation activities involving the linking of separate databanks. Part of this procedure includes consultation with our Office. During the past year, the Office has analyzed and commented on 20 HRSDC submissions, including an evaluation of the Employment Insurance program since the 1996 reforms, the success of various Labour Market Development Agreements and studies relating to the Canada Student Loans Program. Over the course of the last several years we have witnessed a marked improvement in the completeness and quality of the submissions we have received. This is evidence of the seriousness with which HRSDC regards its data linkage activities, and its dedication to ensuring that such linkages are undertaken in accordance with privacy best practice principles.

Policy on Data Matching
Under the Treasury Board Secretariat of Canada's Policy on Data Matching, federal government departments and agencies are required to notify the Office of any data matching proposal. The purpose of this notification is to afford the Office an opportunity to review and comment on the proposal so as to ensure that the data matching complies with the requirements of the Policy. Over the course of the last fiscal year, our Office received 10 data matching submissions. These submissions complied with the nominal requirements of the Policy, though we have found it necessary to remind departments of their duty to inform the public when their personal information is to be matched against other government information holdings. In most cases such notification will not prejudice the use of the information.

Disclosure of personal information to a third party
Pursuant to paragraphs 7(2)(c ) and 7(3)(f) of the PIPEDA, private sector organizations are required to notify our Office when personal information is to be disclosed to a third party without the consent of the individual for "statistical, scholarly study or research purposes."

Our role is to provide advisory services to a number of federal government departments and to serve as a resource for private sector organizations seeking information on the application of privacy best practice principles to their respective commercial activities.

Organizations must demonstrate in their submissions that; 1) the information contemplated for disclosure will be used solely for "statistical, scholarly study or research purpose; 2) the purpose of the disclosure cannot be achieved without the information being in an identifiable format; 3) obtaining consent from the individuals involved would be "impracticable"; and 4) the disclosing organization has taken such measures as are appropriate to ensure that the information will be used in a manner that preserves its confidentiality.

In the course of the last fiscal year the Office has received 4 notifications under paragraph 7(3)(f) of the PIPEDA. Most of these submissions involved the use and disclosure of medical information for health research purposes. These submissions have been of varying levels of completeness and quality. While relying on a very small sample, it is evident that organizations are unsure of their obligations under paragraph 7(3)(f) of the PIPEDA. Particularly problematic is the question of when and under what circumstances obtaining consent would be "impracticable." Over the course of the next fiscal year, the Office will commit resources to develop a guide to assist organizations in understanding their obligations under section 7 of the law, and in preparing their submissions to the Office of the Privacy Commissioner.

Other consultation and advisory services
The Office also provides less formal advice, comments, and recommendations to numerous federal departments as needed. Departments aided in this way include the Treasury Board of Canada, Statistics Canada, Health Canada, Human Resources and Skills Development Canada, Indian and Northern Affairs Canada, the Canada Revenue Agency and the Canadian Border Services Agency.

Consultations were undertaken on a wide variety of issues, including

• A Privacy Impact Assessment Audit Guide
• Data matching policies
• Policies for use of the Social Insurance Number (SIN)
• Privacy best practices for departments
• Legislative and policy reform
• Privacy risks of specific programs and initiatives

The Office also assists private sector organizations in assessing privacy risks, instilling best practices and developing appropriate privacy policies.

Privacy Impact Assessments

The Treasury Board Secretariat of Canada's Policy on Privacy Impact Assessments (PIA) has now been in effect since May 2002. When first launched, the Policy was enthusiastically welcomed by members of the professional privacy community, and with good reason. For the first time federal Government departments and agencies were equipped with a tool that could be used to forecast the impacts on privacy relating to a given initiative, to assess and weigh the impacts in a consistent fashion, and to come up with strategies to mitigate those impacts or risks. By requiring privacy principles to be considered in the planning, design, and implementation phases of a project, the Policy helps to give effect to those principles in a way that is tangible and demonstrable.

The Policy was the first of its kind to make PIAs mandatory for all new federal government programs or services that raise potential privacy issues. The Policy requires that federal government departments and agencies notify the Privacy Commissioner when undertaking a PIA, giving the OPC an opportunity to review and comment on the project. This provides added assurance that risks relating to a given initiative have been properly identified and that mitigating measures proposed to deal with those risks are reasonable and appropriate.

OPC perspective on PIAs

Since the Policy came in effect in May 2002, the OPC has received over 100 PIAs and Preliminary Privacy Impact Assessments (PPIA) reports for examination. As could be expected with the launch of any new policy directive, many of the PIA and PPIA submissions we received for review in the first year ranged in completeness and quality. Common errors and omissions we observed with those early submissions were itemized in the Commissioner's Annual Report for fiscal year 2002-2003.

In the course of the last fiscal year, however, we have observed a marked improvement in the completeness and quality of the PIA and PPIAs we have received. We see this improvement as evidence that departments are learning from consultations with our Office. This improvement can also be attributed to the efforts of the Treasury Board Secretariat to educate departments on the requirements and methodologies of the Policy. Treasury Board's "PIA e-learning tool" which became available on-line in the fall of 2003, has been a valuable resource. We would encourage anyone interested in learning more about the PIA process to visit Treasury Board's web site at: www.tbs-sct.gc.ca.

Looking ahead

While we have been impressed by the general improvement in the quality of the PIA and PPIA submissions we receive, there is one frequent omission that continues to give us cause for concern. Many PIAs fail to include an action plan to actually address and resolve the privacy risks they identify. Our Office will be working with departments and agencies to encourage the inclusion of such action plans in all PIAs, and to help departments identify the appropriate next steps.

However, there are strong indications that the Policy is achieving its primary purpose; that of increasing awareness among government personnel at all levels of the importance of privacy in day-to-day administrative functions. Departments can no longer create new databases, link information holdings, enter into information sharing arrangements with other departments, or launch new programs or services, without considering their potential impact on privacy.

Just as departments have struggled with limited resources to comply with the Policy's requirements, so too has the OPC challenged to allocate sufficient resources to effectively perform its advisory role under the Policy without supplementary resources.

Erratum Please note that the English version of the Annual Report included a duplicate paragraph on Privacy Impact Assessments regarding the reduction of staff available within the OPC to review PIAs and PPIAs.

The reduction of staff available within the OPC to review PIAs and PPIAs, combined with an increase in the volume of submissions over the last fiscal year has led to delays in providing departments with feedback. The OPC is endeavouring to address this resource deficit and we are optimistic that a remedy will be found.

We believe no other government initiative since the enactment of the Privacy Act itself has made as significant a contribution to fostering a privacy-sensitive culture within the federal public service.

However, our Office has found it a challenge to perform its advisory role under the PIA Policy without the allocation of supplementary resources. A lack of human and monetary resources for this purpose for this purpose and a great increase in the volume of submissions over the fiscal year has led to unfortunate delays in providing departments with the feedback they need. OPC will continue to press for a resolution to this resource deficit so that we may avoid further delays, clear the current backlog, and adequately support departments in applying the TBS PIA Policy.

In the Courts

Section 41 of the Privacy Act allows an individual, following the results of an investigation of a complaint by the Privacy Commissioner, to apply to the Federal Court for review of the decision of a Government institution to refuse the individual access to personal information. From the time the Privacy Act came into force in 1983 to March 31, 2004, approximately 141 applications for review have been filed in the Federal Court. Eleven of these were filed in the year ending March 31, 2004.

Section 42 of the Privacy Act allows the Commissioner to appear in Federal Court. The Commissioner can apply to the Federal Court for review of the decision of a Government institution to refuse access to personal information, with the consent of the individual who requested the information. The Commissioner can appear before the Court on behalf of an individual who has applied for review under section 41. Or, with leave of the Court, the Commissioner can appear as a party to any review applied for under section 41.

The Commissioner has also intervened on numerous occasions in other litigation arising outside of the Privacy Act in which issues involving interpretation of the Act were raised.

In last year's annual report we reported on the conclusion of a number of cases in which the Commissioner had been actively involved. In the past fiscal year there has been no significant litigation concerning interpretation of the Privacy Act that required the intervention of the Commissioner.

---

[Back to Table of Contents] [Part One] [Part Two] [Part Three]