2007-08 Annual Reports on the Access to Information Act and the Privacy Act (ATIP)

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

1. The Access to Information Act

December 2008

Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190


Introduction

The Access to Information Act (ATIA) came into effect on July 1, 1983. It provides Canadian citizens, permanent residents and any person and corporation present in Canada a right of access to information contained in government records, subject to certain specific and limited exceptions.

Section 72 of the ATIA requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year.

When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC) along with other Agents of Parliament were added to Schedule I of the ATIA. So, while not initially subject to the ATIA, the OPC became so on April 1, 2007.

While this change has been—and continues to be—a learning experience for the OPC as a whole, we are fully supportive of greater transparency and accountability on the part of government and its institutions. In fact, shortly after taking office in 2003, the Privacy Commissioner publicly stated that although not yet subject to the ATIA, the OPC would act as though it were. So, in the spirit of the ATIA and using it as a guide, we began processing requests for access to OPC information well before April 1, 2007. Due to the nature of the work that we do and the information that we hold (e.g. through audits, investigations, research, etc.), we expected that once formally subject to the ATIA, we would receive a large number of requests but—as our statistics show—that has not been the case. While perhaps somewhat surprising, the situation nevertheless afforded us the opportunity to build the administrative side of the ATIP Unit, create ATIP policies and procedures, and ensure that the ATIP Unit staff had all of the training they required.

The OPC is pleased to submit our first Annual Report which describes how we fulfilled our responsibilities under the ATIA during the fiscal year 2007-2008.

Mandate / Mission of the OPC

The OPC is mandated to oversee compliance with the Privacy Act, which covers the personal information handling practices of federal government departments and agencies, and with the Personal Information Protection and Electronic Documents Act (PIPEDA) which is Canada’s private sector privacy law. Our mission is to protect and promote the privacy rights of individuals by, among other things:

  • Investigating complaints and incidents under the Privacy Act and PIPEDA concerning the handling of personal information;
  • Issuing reports to federal government institutions and private sector organizations which may contain recommendations designed to assist them in remedying situations and preventing errors in handling personal information;
  • Assessing compliance with Privacy Act and PIPEDA obligations through audit and review activities, and publicly reports on findings;
  • Reviewing and advising on Privacy Impact Assessments (PIAs) that deal with new or existing government initiatives;
  • Providing legal and policy expertise to help guide Parliament’s review of evolving legislation in order to ensure respect for individuals’ right to privacy;
  • Assisting Parliamentarians, individuals and organizations who are seeking information and guidance with respect to personal information handling practices;
  • Promoting public awareness and compliance with the two Acts and fostering understanding of privacy rights and obligations;
  • Monitoring trends in privacy practices, identifying systemic privacy issues to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and
  • Working closely with privacy stakeholders from other Canadian and international jurisdictions in order to address global privacy issues arising from ever-increasing trans-border data flows.

The OPC’s focus is on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In some unresolved cases, the Commissioner may take the matter to Federal Court.

Organizational Structure

The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is assisted by two Assistant Privacy Commissioners, one responsible for the Privacy Act and the other responsible for PIPEDA. The OPC is comprised of seven distinct branches: Research, Education and Outreach; Communications; Audit and Review; Legal Services and Policy; Human Resources; Corporate Services, and; Investigations and Inquiries.

Organizational Structure

The Access to Information and Privacy (ATIP) Unit falls under the Corporate Services Branch. ATIP is headed by a Director who is supported by one Senior Analyst. This fiscal year, the ATIP Unit also used the services of an experienced ATIP analyst on a part time contract basis.

Under section 73 of the ATIA the Privacy Commissioner, as the head of the OPC, delegated her authority to the Director General of Corporate Services and to the ATIP Director with respect to the application of the ATIA and its Regulations. A copy of that Delegation Order is attached as Appendix A.

ATIP Unit Activities

Although the OPC was not subject to the ATIA until April 1, 2007, the ATIP Unit was staffed in February 2007 in order to begin the process of setting up the Unit and to handle nine formal requests that the OPC had already received. Among other things, those requests sought access to information concerning OPC research Contribution Agreements, expense information related to the External Advisory Committee, hospitality and travel claims, and responses that the OPC had received to its July 2006 PIPEDA Review discussion document. Over 6,000 pages of information were reviewed with respect to those requests with the vast majority of the information being fully disclosed. The information not provided consisted largely of personal information about other individuals.

Given that the OPC was newly subject to ATIP responsibilities, the early focus was on administrative work that needed to be done. One of the first requirements was to ensure that information about the OPC was provided to the Treasury Board Secretariat. In early May 2007 all of the OPC’s Sources of Federal Employee Information – Standard Personal Information Banks (PIBs) and Sources of Federal Government Information – Standard Banks were registered with the Secretariat. The Secretariat was also provided initial information about the OPC to be included in Info Source such as background information, the OPC’s responsibilities, descriptions of and contacts for each OPC Branch, and the location of the OPC reading room. A review of all of the OPC’s record holdings was then undertaken to ensure that all non-standard bank information would be included in the next edition of Info Source.

While preparing formal Access to Information Act training for OPC employees, in the interim, the ATIP Unit prepared a “Preliminary Guideline for Processing Requests Pursuant to the Access to Information Act” which was distributed to each branch head in June 2007 and which was published on the Intranet as a reference guide with respect to employees’ roles and responsibilities in the OPC’s new “Atipable” environment. The ATIP Unit has since written an “Access to Information Process and Compliance Manual” which is available to all staff on the OPC Intranet site and to the public on the OPC website. This manual describes all of the steps taken by the ATIP Unit in the processing of requests under both the ATIA and the Privacy Act. It provides extensive information on a wide variety of subjects, e.g. responsibilities of employees in their retrieval of the information, the legislative time constraints, exemptions and exclusions, the complaint and investigation process, etc. It also contains the ATIP policy with respect to fees and fee waivers.

Four ATIA Awareness Sessions were given to OPC employees in June 2007 followed by two sessions in March 2008. In all some 125 employees received the training—the vast majority of staff. The Privacy Commissioner directed that this training be mandatory for all staff, including those working with the OPC on contract or on a temporary basis. Sessions will be given at least once a year in order to ensure that new staff receive the training as well.

The ATIP Director sits on the OPC’s Policy Development Committee and has played a collaborative role in the planning, development and updating of OPC policies, procedures and directives in order to ensure that the ATIA is respected. The ATIP Director has also recently drafted a “Directive Concerning Section 67.1 of the Access to Information Act” which—as of the writing of this report—has been presented to the Committee for first review.

In 2007 the Information and Privacy Policy Division of the Chief Information Officer Branch within the Treasury Board Secretariat began the process of renewing the Access to Information and Privacy policies and guidelines. The OPC’s ATIP Unit is part of the Secretariat’s Policy Renewal Working Group and, as such, participated in a number of meetings during the fiscal year.

Throughout the year the ATIP Unit has been active in providing advice to all OPC staff with respect to informal requests for access to information. The ATIP Unit has also supported the Information Management function by providing input concerning proper information handling practices and has been involved in discussions with Library and Archives Canada personnel concerning retention schedules for OPC records and information.

Concurrently, the OPC’s ATIP Senior Analyst assisted another federal government institution by sitting on several competition boards for the recruitment of ATIP analysts.

Finally, the OPC has included a section on its website entitled “Access to Information and Privacy” which provides the public with information about the ATIA, including how to request access to information that is under the control of the OPC.

Access to Information Act Statistical Report and Interpretation

The OPC’s statistical Report on the Access to Information Act is attached at Appendix B.

The OPC received 44 formal requests under the ATIA during the fiscal year. Of those, 14 sought access to records which were not under the control of the OPC and they were therefore transferred to Citizenship and Immigration Canada, the RCMP, the Canada Revenue Agency, the Department of National Defence and Correctional Service Canada for processing.

Of the 30 requests for records under the OPC’s control, the ATIP Unit had responded to 29 by the end of the fiscal year—only one has been carried forward. While the OPC did not receive as many requests as anticipated, the 29 completed requests constituted 9,696 pages of information. All were completed within the statutory time limits.

Section 16.1 of the ATIA was added to the ATIA as a result of the Federal Accountability Act. This provision requires that the OPC protect the information that we obtained during the course of our investigations or audits even once the matter and all related proceedings have been concluded.

Of the 29 requests completed during the fiscal year, six were for the contents of Privacy Act or PIPEDA investigation files. In two instances all of the information was withheld—one as the applicant was seeking a third party contract that the OPC had obtained from a respondent during the course of a PIPEDA investigation, and the other as the investigation was an active one. In the remaining cases, the information in the files was processed because the investigations were concluded and all appeal mechanisms had been exhausted.

Of the 44 requests received, six were submitted by media (13.636%), two by academia (4.545%), 18 by businesses (40.909%), and 18 by the public (40.909%).

Request Received

Request Received

The exemption provision invoked most often was section 19(1) concerning the personal information of others, followed closely by section 16.1 with respect to information the OPC received or created during the course of an investigation and section 23 with respect to solicitor-client information.

The OPC received notice of five complaints that were submitted to the Information Commissioner—four of which were from one individual. Three of the complaints alleged denial of access, while two alleged a violation of the statutory time limit. The Information Commissioner concluded that two of the access complaints were “not substantiated” while the third was “resolved”. As for the delay complaints, the Information Commissioner concluded that one was “not substantiated”—the second is outstanding.

As of the writing of this report, no applications have been submitted to the Federal Court following the Information Commissioner’s findings.

In addition to processing its own ATIA requests, the OPC was consulted seven times by five government institutions with respect to eight documents. In each case, the OPC had no objection to the full disclosure of the documents.

With respect to fees, we collected the mandatory $5.00 application fee from all but two individuals. In one case, the individual had submitted two requests, one for each of our investigation files concerning her PIPEDA complaints. As the investigation files were so closely intertwined and contained many of the same records, the OPC waived the application fee with respect to the second request. In the other instance, the application fee was waived because of the specific nature of the information being requested.

None of the requests required the assessment of search, preparation or computer processing time. As for reproduction costs, federal government institutions generally waive reproduction costs for the first 125 pages of records—this amounts to $25.00. Given that this was our first year of operating under the ATIA, the OPC did not charge any of its requesters for providing copies of the documents they were seeking. Of the 20 requests to which we responded with copies, 12 of those were over 125 pages.

The ATIP Unit has prepared a fee waiver policy which took effect April 1, 2008 and which is included in the “Access to Information Process and Compliance Manual”. The policy outlines the fees chargeable under the ATIA, states that the decision to waive, reduce or refund fees will be made on a case-by-case basis, and outlines the circumstances under which certain fees may be waived.

For additional information on the OPC’s activities, please visit www.priv.gc.ca.

Additional copies of this report may be obtained from:

Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3

Appendix A – Access to Information Act Delegation Order

The Privacy Commissioner of Canada, as the head of the government institution, hereby designates pursuant to section 73 of the Access to Information Act, the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Privacy Commissioner as specified below and as more fully described in Annex A:

Position Sections of Access to Information Act
Director General, Corporate Services
and Chief Financial Officer

Director, ATIP
Act: 7(a), 8(1), 9, 11(2) to (6), 12(2) and (3), 13 to 24, 25, 26, 27(1) and (4), 28(1), (2) and (4), 29(1), 33, 35(2), 37(1) and (4), 43(1), 44(2), 52(2) and (3), 71(2), 72(1);
and

Regulations: 6(1) and 8.

Dated at the City of Ottawa, this 1st day of October, 2008

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada

Access to Information Act

7(a) Respond to request for access within 30 days; give access or give notice
8(1) Transfer of Request to government institution with greater interest
9 Extend time limit for responding to request for access
11(2), (3), (4), (5), (6) Additional fees
12(2)(b) Decide whether to translate requested record
12(3) Decide whether to give access in an alternative format
13(1) Shall refuse to disclose information obtained in confidence from another government
13(2) May disclose any information referred to in 13(1) if the other government consents to the disclosure or makes the information public
14 May refuse to disclose information injurious to the conduct of federal-provincial affairs
15 May refuse to disclose information injurious to international affairs or defence
16 Series of discretionary exemptions related to law enforcement and investigations; security; and policing services for provinces or municipalities.
16.1(1) In force April 1, 2007 - Specific to four named Officers of Parliament - Auditor General, Commissioner of Official Languages, Information Commissioner and Privacy Commissioner - shall refuse to disclose information obtained or created by them in the course of an investigation or audit
16.1(2) In force April 1, 2007 - Specific to two named Officers of Parliament - Information and Privacy Commissioner - shall not refuse under 16.1(1) to disclose any information created by the Commissioner in the course of an investigation or audit once the investigation or audit and related proceedings are concluded
17 May refuse to disclose information which could threaten the safety of individuals
18 May refuse to disclose information related to economic interests of Canada
18.1(1) (Not yet in force) May refuse to disclose confidential commercial information of Canada Post Corporation, Export Development Canada, Public Sector Pension Investment Board, or VIA Rail Inc.
18.1(2) (Not yet in force) Shall not refuse under 18.1(1) to disclose information relating to general administration of the institution
19 Shall refuse to disclose personal information as defined in section 3 of the Privacy Act, but may disclose if individual consents, if information is publicly available, or disclosure is in accordance with section 8 of Privacy Act
20 Shall refuse to disclose third party information, subject to exceptions
21 May refuse to disclose records containing advice or recommendations
22 May refuse to disclose information relating to testing or auditing procedures
22.1 (Not yet in force) May refuse to disclose draft report of an internal audit
23 May refuse to disclose information subject to solicitor/client privilege
24 Shall refuse to disclose information where statutory prohibition (Schedule II)
25 Shall disclose any part of record that can reasonably be severed
26 May refuse to disclose where information to be published
27(1),(4) Third party notification
28(1),(2),(4) Receive representations of third party
29(1) Disclosure on recommendation of Information Commissioner
33 Advise Information Commissioner of third party involvement
35(2) Right to make representations to the Information Commissioner during an investigation
37(1) Receive Information Commissioner’s report of findings of the investigation and give notice of action taken
37(4) Give complainant access to information after 37(1)(b) notice
43(1) Notice to third party (application to Federal court for review)
44(2) Notice to applicant (application to federal Court by third party)
52(2)(b) Request that section 52 hearing be held in the National Capital Region
52(3) Request and be given right to make representations in section 51 hearings
71(2) Exempt information may be severed from manuals
72(1) Prepare annual report to Parliament

Access to Information Regulations

6(1) Procedures relating to transfer of access request to another government institution under 8(1) of the Act
8 Form of Access

Appendix B – Statistical Report on the Access to Information Act

Institution
Office of the Privacy Commissioner of Canada
Reporting period / Période visée par le rapport
April 1, 2007 to March 31, 2008
Source Media / Médias
6
Academia / Secteur universitatire
2
Business / Secteur commercial
18
Organization / Organisme Public
18
I Requests under the Access to Information Act /
Demandes en vertu de la Loi sur l’accès à l’information
Received during reporting period /
Reçues pendant la période visée par le rapport
44
Outstanding from previous period /
En suspens depuis la période antérieure
 
TOTAL 44
Completed during reporting period /
Traitées pendant la période visées par le rapport
43
Carried forward / Reportées 1
II Dispositon of requests completed /
Disposition à l’égard des demandes traitées
1. All disclosed / Communication totale 5 6. Unable to process / Traitement impossible 4
2. Disclosed in part / Communication partielle 15 7. Abandoned by applicant / Abandon de la demande 2
3. Nothing disclosed (excluded) /
Aucune communication (exclusion)
n/a 8. Treated informally / Traitement non officiel  
4. Nothing disclosed (exempt) /
Aucune communication (exemption)
3 TOTAL 43
5. Transferred / Transmission 14
III Exemptions invoked / Exceptions invoquées
S.
Art. 13(1)(a)
S.
Art 16(1)(a)
S.
Art. 18(b)
S.
Art. 21(1)(a)
3
(b)   (b)   (c)   (b) 2
(c) 1 (c)   (d)   (c)  
(d)   (d)   S.
Art. 19(1)
10 (d)  
S.
Art. 14
  S.
Art. 16(2)
1 S.
Art. 20(1)(a)
  S.
Art.22
2
S. 15(1) International rel. /
Art. Relations interm.
  S.
Art. 16(3)
  (b)   S.
Art 23
8
Defence /
Défense
  S.
Art. 17
  (c)   S.
Art. 24
 
Subversive activities /
Activités subversives
  S.
Art. 18(a)
2 (d)   S.
Art 26
 
IV Exclusions cited /Exclusions citées
S. /
Art. 68(a)
S. / Art. 69(1)(c)
(b)   (d)  
(c)   (e)  
S. / Art. 69(1)(a)   (f)  
(b)   (g) 1
V Completion time /Délai de traitement
30 days or under / 30 jours ou moins 40
31 to 60 days / De 31 à 60 jours 1
61 to 120 days /De 61 à 120 jours 2
121 days or over / 121 jours ou plus  
VI Extensions /Prorogations des délais
  30 days or under /
30 jours ou moins
31 days or over /
31 jours ou plus
Searching /
Recherche
1  
Consultation   2
Third party /
Tiers
   
TOTAL 1 2
VII Translations /Traduction
Translations requested /
Traductions demandées
 
Translations prepared / English to French /
De l’anglais au français
Traductions préparées French to English /
Du français à l’anglais
 
VIII Method of access /Méthode de consultation
Copies given /
Copies de l’original
20
Examination /
Examen de l’original
 
Copies and examination /
Copies et examen
 
IX Fees /Frais
Net fees collected /
Frais net perçus
Application fees /
Frais de la demande
$140.00 Preparation /
Préparation
Reproduction   Computer processing /
Traitement informatique
 
Searching / Recherche   TOTAL $140.00
Fees waived /
Dispense de frais
No. of times /
Nombre de fois
$
$25.00 or under /
25 $ ou moins
11 $84.80
Over $25.00 /De plus de 25 $ 12 $993.00
X Costs / Coûts
Financial (all reasons) /
Financiers (raisons)
Salary /
Traitement
$64,966.28
Administration (O and M) /
Administration (fonctionnement et maintien)
$36,792.03
TOTAL $101,758.31
Person year utilization (all reasons) /
Années-personnes utilisées (raison)
Person year (decimal format) /
Années-personnes (nombre décimal)
.9715

TBS/SCT 350-62 (Rev. 1999/03)

Discrepancies
Source of requests

OPC included in the source the transferred requests.

III – Exemptions invoked

Section 16.1 was invoked on 9 requests.

IX – Fees

OPC waived the $5.00 application fee in two instances.

In one case, the individual had submitted two requests, one for each of our investigation files on her complaints. As the investigation files were so closely intertwined and contained many of the same records, the OPC waived the application fee with respect to the second request.

In another instance an application fee was waived because of the specific nature of the information requested.

X – Costs

All operating and maintenance costs are borne by other OPC Branches, eg: Human Resources (training), Information Technology (computers, printouts, etc.), Corporate Services (supplies, mailing, etc.).

Other

The OPC received and responded to 7 consultations from other government institutions.

Supplemental Reporting Requirements for 2007-2008 Access to Information Act

In addition to the reporting requirements addressed in form TBS/SCT 350-62 "Report on the Access to Information Act", institutions are required to report on the following using this form:

Part III – Exemptions invoked

Section 13

Subsection 13(e)
N/A

Section 14

Subsections 14(a) N/A
Subsections 14(b) N/A

Part IV – Exclusions cited:

Subsection 69.1
1

2. The Privacy Act

December 2008

Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190


Introduction

The Privacy Act took effect on July 1, 1983. This Act imposes obligations on federal government departments and agencies to respect the privacy rights of individuals by limiting the collection, use and disclosure of personal information. The Act also gives individuals the right of access to their personal information and the right to request the correction of that information.

Section 72 of the Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year.

When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC) along with other Agents of Parliament were added to the Schedule of the Privacy Act. So, while not initially subject to the Act, the OPC became so on April 1, 2007.

While this change has been—and continues to be—a learning experience for the OPC as a whole, we are fully supportive of greater transparency and accountability on the part of government and its institutions. In fact, shortly after taking office in 2003, the Privacy Commissioner maintained that although not yet subject to the Privacy Act, the OPC would conduct itself as though it were.

We did not receive any requests from individuals for access to their personal information prior to April 1, 2007 but we did receive a number of requests for other information which we processed using the Access to Information Act as a guide.

Due to the nature of the work we do—and as our investigation files contain extensive personal information—we expected that once formally subject to the Privacy Act, we would receive a large number of requests for the contents of those files. However, as our statistics show, that has not been the case. While perhaps somewhat surprising, the situation nevertheless afforded us the opportunity to build the administrative side of the ATIP Unit, create ATIP policies and procedures, and ensure that the ATIP Unit staff had all of the training they required.

For the past 25 years the OPC has been overseeing federal government institutions’ compliance with the Privacy Act and, in doing so, we have at times been quite critical of their personal information management practices. With the passing of the Federal Accountability Act we now find ourselves on the ‘other side of the fence’. Admittedly, it is sometimes difficult to look inwards but, in this case, we wholeheartedly welcome our complete and formal inclusion into the Privacy Act family. Not only are we committed to fulfilling the mandate given the OPC under the Act, we are wholly committed to ensuring that we fully adhere to the Act with respect to the proper handling of the personal information which is under our control.

The OPC is therefore pleased to submit our first Annual Report which describes how we fulfilled our responsibilities under the Privacy Act during the fiscal year 2007-2008.

Mandate / Mission of the OPC

The OPC is mandated to oversee compliance with the Privacy Act, which covers the personal information handling practices of federal government departments and agencies, and with the Personal Information Protection and Electronic Documents Act (PIPEDA) which is Canada’s private sector privacy law. Our mission is to protect and promote the privacy rights of individuals by, among other things:

  • Investigating complaints and incidents under the Privacy Act and PIPEDA concerning the handling of personal information;
  • Issuing reports to federal government institutions and private sector organizations which may contain recommendations designed to assist them in remedying situations and preventing errors in handling personal information;
  • Assessing compliance with Privacy Act and PIPEDA obligations through audit and review activities, and publicly reports on findings;
  • Reviewing and advising on Privacy Impact Assessments (PIAs) that deal with new or existing government initiatives;
  • Providing legal and policy expertise to help guide Parliament’s review of evolving legislation in order to ensure respect for individuals’ right to privacy;
  • Assisting Parliamentarians, individuals and organizations who are seeking information and guidance with respect to personal information handling practices;
  • Promoting public awareness and compliance with the two Acts and fostering understanding of privacy rights and obligations;
  • Monitoring trends in privacy practices, identifying systemic privacy issues to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and
  • Working closely with privacy stakeholders from other Canadian and international jurisdictions in order to address global privacy issues arising from ever-increasing trans-border data flows.

The OPC’s focus is on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In some unresolved cases, the Commissioner may take the matter to Federal Court.

Organizational Structure

The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is assisted by two Assistant Privacy Commissioners, one responsible for the Privacy Act and the other responsible for PIPEDA.

The OPC is comprised of seven distinct branches: Research, Education and Outreach; Communications; Audit and Review; Legal Services and Policy; Human Resources; Corporate Services, and; Investigations and Inquiries.

The Access to Information and Privacy (ATIP) Unit falls under the Corporate Services Branch. ATIP is headed by a Director who is supported by one Senior Analyst. This fiscal year, the ATIP Unit also used the services of an experienced ATIP analyst on a part time contract basis.

Under section 73 of the ATIA the Privacy Commissioner, as the head of the OPC, delegated her authority to the Director General of Corporate Services and to the ATIP Director with respect to the application of the ATIA and its Regulations. A copy of that Delegation Order is attached as Appendix A.

Organizational Structure

Privacy Commissioner, ad hoc / Complaint Mechanism

When the Federal Accountability Act received Royal Assent on December 12, 2006, it did not contain a mechanism under which Privacy Act complaints against the OPC would be investigated. Clearly, it is entirely inappropriate that the OPC to investigate its own actions with respect to its administration of the Privacy Act.

Indeed, the issue was raised in the Department of Justice Discussion Paper on Strengthening the Access to Information Act which was released on April 11, 2006. The Paper encouraged the House of Commons Committee on Access to Information, Privacy and Ethics to offer suggestions on an appropriate design of a mechanism, the appointment process and the qualifications of the selected individual.

On May 30, 2006 the Privacy Commissioner appeared before the House of Commons Legislative Committee and said:

Finally, I bring to your attention what I see as a serious omission in Bill C-2: the absence of a mechanism to investigate access or privacy complaints against the Information and Privacy Commissioners. I would hope that the provisions in Bill C-2 making the two Commissioners subject to both Acts will not come into force until an alternative complaint investigation process is properly established to deal with these new types of situations.

The Commissioner then appeared before the Standing Committee on Legal and Constitutional Affairs on September 21, 2006 during which she voiced her expectation that changes to the Privacy Act should not come into force until an appropriate mechanism was in place. This was reiterated in her written Submission to the Committee.

In its October 26, 2006 Report to the House on C-2, the Senate Committee endorsed the Privacy Commissioner’s view and stated, “We join with the Privacy Commissioner in urging the Government to delay the entry into force of these measures until an appropriate mechanism to address this situation is identified and in place.”

We fully expected that our concern would be addressed by the government, but the Federal Accountability Act remains silent. After a year, we find ourselves in the extremely difficult position of having to create and maintain our own mechanism, one which hopefully gives individuals confidence that investigations against the OPC are being conducted independently of the OPC. This is difficult to say the least, given that the OPC ultimately decides who will be the Privacy Commissioner, ad hoc and since the OPC is absorbing all of the costs associated with the process.

In September 2007 the Honorable Peter de C. Cory accepted to be engaged as Privacy Commissioner, ad hoc to receive and investigate complaints concerning the OPC pursuant to section 29 of the Privacy Act. The Privacy Commissioner delegated the majority of her powers, duties and functions as set out in sections 29 through 35 and section 42 of the Act to Mr. Cory in order that he could carry out his investigations. Mr. Cory also accepted to be engaged as Information Commissioner ad hoc so as to investigate ATIA complaints filed concerning the Office of the Information Commissioner (OIC).

It was quickly recognized that it would be inappropriate for the investigator conducting Privacy Act investigations against the OPC to work within the offices of the OPC—a view shared by the OIC with respect to the investigator conducting ATIA complaints against that Office. Therefore, the OPC and the OIC entered into an agreement whereby we would each provide secured office space for the other’s investigator along with locked cabinets, stand-alone computers, etc.

Mr. Cory’s services are no longer available to us. The OPC has therefore engaged the Honourable Andrew W. MacKay, former Judge of the Federal Court.

ATIP Unit Activities

Although the OPC was not subject to the Privacy Act until April 1, 2007, the ATIP Unit was staffed in February 2007 in order to begin the process of setting up the Unit and to handle a number of informal requests that the OPC had already received under the Access to Information Act.

Given that the OPC was newly subject to ATIP responsibilities, the early focus was on administrative work that needed to be done. One of the first requirements was to ensure that information about the OPC was provided to the Treasury Board Secretariat. In early May 2007 all of the OPC’s Sources of Federal Employee Information – Standard Personal Information Banks (PIBs) and Sources of Federal Government Information – Standard Banks were registered with the Secretariat. The Secretariat was also provided initial information about the OPC to be included in Info Source such as background information, the OPC’s responsibilities, descriptions of and contacts for each OPC Branch, and the location of the OPC reading room. A review of all of the OPC’s record holdings was then undertaken to ensure that all non-standard bank information would be included in the next edition of Info Source.

The ATIP Unit has written an “Access to Information Process and Compliance Manual” which is available to all staff on the OPC Intranet site and to the public on the OPC website as well. This manual describes all of the steps taken by the ATIP Unit in receiving and responding to requests under both the Privacy Act (ATIA) and the Privacy Act. It provides extensive information for staff on a wide variety of subjects including responsibilities of staff to retrieve information, legislative time constraints, exemptions and exclusions, the complaint and investigation process. The manual also provides extensive information concerning the proper collection, retention, use, disclosure and disposition of personal information.

No specific Privacy Act training has been given to staff to date although we certainly intend to do so soon. However, it is important to note that the vast majority of OPC staff are already extremely sensitized to privacy issues and the requirements of government institutions covered by the Privacy Act concerning the protection of personal information given the nature of our work. In assessing training needs in our new “Atipable” environment, we quickly realized that most OPC employees were not as fully informed as to their ATIA responsibilities; therefore, priority training was given with respect to the ATIA. While preparing specific Privacy Act training, in the meantime the OPC’s “Access to Information Process and Compliance Manual” provides clear guidance as to the proper handling of personal information.

The ATIP Director sits on the OPC’s Policy Development Committee and has taken a collaborative role in the planning, development and updating of OPC policies, procedures and directives in order to ensure that the Privacy Act is respected.

In 2007 the Information and Privacy Policy Division of the Chief Information Officer Branch within the Treasury Board Secretariat began the process of renewing the Access to Information and Privacy policies and guidelines. The OPC’s ATIP Director is part of the Secretariat’s Policy Renewal Working Group and, as such, participated in a number of meetings during the fiscal year.

Throughout the year the ATIP Unit has been active in providing advice to all OPC staff with respect to personal information handling practices. The ATIP Unit has also supported the Information Management function by providing input concerning proper information handling practices and has been involved in discussions with Library and Archives Canada personnel concerning retention schedules for OPC records and information.

Concurrently, the OPC’s ATIP Senior Analyst assisted another federal government institution by sitting on several competition boards for the recruitment of ATIP analysts.

Finally, the OPC has included a section on its website entitled “Access to Information and Privacy” which provides the public with information about the Privacy Act, including how to request access to information that is under the control of the OPC.

Privacy Act Statistical Report and Interpretation

The OPC’s statistical Report on the Privacy Act is attached at Appendix B.

The OPC received 45 formal requests under the Privacy Act for the fiscal year. Of those, 23 sought access to personal information under the control of other government institutions and therefore—with the consent of the requesters—they were re-directed to those institutions for processing (Citizenship and Immigration; the RCMP; the Canada Revenue Agency; National Defence; Correctional Service Canada; the Canada Post Corporation; Canadian Heritage; Service Canada; and the Canadian Firearms Centre).

Of the 22 requests for personal information under the OPC’s control, the ATIP Unit had responded to all of them by the end of the reporting year. While the OPC did not receive as many requests as anticipated, the 22 requests constituted 4,451 pages of information. No time extensions were taken and all were completed within the statutory time limits.

Section 22.1 of the Privacy Act was added to the Act as a result of the Federal Accountability Act. This provision requires that the OPC protect the information that we obtained during the course of our investigations or audits even once the matter and all related proceedings have been concluded.

Of the 22 Privacy Act requests completed, 10 were for the contents of Privacy Act or PIPEDA investigation files. In two of those instances all of the information was withheld as one case was before the Court, and as all appeal mechanisms with respect to the other had not yet been exhausted. In the remaining cases our investigations and all related proceedings were closed. So, the information in those files was processed and released to the requesters subject to applicable exemptions.

Of the 22 requests received for access to OPC information, one (1) was submitted by a lawyer while the remainder were submitted by individuals.

The exemption provision invoked most often was section 22.1 with respect to information the OPC received or created during the course of an investigation, followed closely by section 26 concerning the personal information of other individuals.

The OPC received notice of two complaints of denial of access made to the Privacy Commissioner ad hoc, both of which were filed by one individual. While the Privacy Commissioner ad hoc has concluded that both complaints are “not well-founded”, they are not included in our statistical report. The findings were rendered on April 2, 2008 and therefore will be included in our report for fiscal year 2008-2009.

As of the writing of this report, no applications have been submitted to the Federal Court following the Privacy Commissioner ad hoc’s findings.

In addition to processing its own Privacy Act requests, the OPC was also consulted three times by two government institutions with respect to eleven 11 documents. In each case, the OPC had no objection to the disclosure of the information they contained.

Report on the Privacy Impact Assessment (PIA) Policy

The Privacy Impact Assessment Policy which came into effect on May 2, 2002, requires that the Treasury Board Secretariat monitor compliance with the Policy. Given this responsibility, institutions are asked to include pertinent statistics in their annual reports on the administration of the Privacy Act.

The OPC has not conducted any PIAs during this reporting fiscal year. It is anticipated, however, that one will be conducted with respect to the Office’s new Case Management system. The requirements of this system are presently being defined.

Disclosures of Personal Information

The OPC disclosed no personal information under sections 8(2)(e), (f), (g) or (m) of the Privacy Act during this fiscal year.

Privacy-Related Policies

The ATIP Director is a member of the OPC’s Policy Development Committee. In that role, policies, directives and guidelines have been and continue to be reviewed to ensure that the Privacy Act is respected. The ATIP Unit drafted the OPC’s Employee Privacy Policy which has been finalized and approved by senior management. The Unit has also drafted a Corporate Privacy Policy and a Privacy Breach Policy. It is expected that all of these will be in place during the 2008-2009 reporting fiscal year.

For additional information on the OPC’s activities, please visit www.priv.gc.ca

Additional copies of this report may be obtained from:

Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3

Appendix A – Privacy Act Delegation Order

The Privacy Commissioner of Canada, as the head of the government institution, hereby designates pursuant to section 73 of the Privacy Act, the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Privacy Commissioner as specified below and as more fully described in Annex A:

Position Sections of Privacy Act

Privacy Commissioner

Assistant Commissioner

8(2)(m)

Director General, Corporate Services
and Chief Financial Officer

Director, ATIP

Act: 8(2)(j), 8(4) and (5), 9(1) and (4), 10, 14, 15, 17(2)(b) and (3)(b),18 to 28, 31, 33(2), 35(1) and (4), 36(3), 37(3), 51(2)(b) and (3), 72(1)

Regulations: 9, 11(2) and (4), 13(1), 14

Dated at the City of Ottawa, this 1st day of October, 2008

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada

Privacy Act

8(2)(j) Disclose personal information for research purposes
8(2)(m) Disclose personal information in the public interest or in the interest of the individual
8(4) Retain copy of 8(2)(e) requests and disclosed records
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures
9(1) Retain record of use
9(4) Notify Privacy Commissioner of consistent use and amend index
10 Include personal information in personal information banks
14 Respond to request for access within 30 days; give access or give notice
15 Extend time limit for responding to request for access
17(2)(b) Decide whether to translate requested information
17(3)(b) Decide whether to give access in an alternative format
18(2) May refuse to disclose information contained in an exempt bank
19(1) Shall refuse to disclose information obtained in confidence from another government
19(2) May disclose any information referred to in 19(1) if the other government consents to the disclosure or makes the information public
20 May refuse to disclose information injurious to the conduct of federal-provincial affairs
21 May refuse to disclose information injurious to international affairs or defence
22 Series of discretionary exemptions related to law enforcement and investigations; and policing services for provinces or municipalities.
22.1(1) In force April 1, 2007 - Privacy Commissioner shall refuse to disclose information obtained or created in the course of an investigation conducted by the Commissioner
22.1(2) In force April 1, 2007 - Privacy Commissioner shall not refuse under 22.1(1) to disclose any information created by the Commissioner in the course of an investigation conducted by the Commissioner once the investigation and related proceedings are concluded
23 May refuse to disclose information prepared by an investigative body for security clearances
24 May refuse to disclose information collected by the Correctional Service of Canada or the National Parole Board while individual was under sentence if conditions in section are met
25 May refuse to disclose information which could threaten the safety of individuals
26 May refuse to disclose information about another individual, and shall refuse to disclose such information where disclosure is prohibited under section 8
27 May refuse to disclose information subject to solicitor-client privilege
28 May refuse to disclose information relating to the individual’s physical or mental health where disclosure is contrary to best interests of the individual
31 Receive notice of investigation by Privacy Commissioner
33(2) Right to make representations to the Privacy Commissioner during an investigation
35(1) Receive Privacy Commissioner’s report of findings of the investigation and give notice of action taken
35(4) Give complainant access to information after 35(1)(b) notice
36(3) Receive Privacy Commissioner’s report of findings of investigation of exempt bank
37(3) Receive report of Privacy Commissioner’s findings after compliance investigation
51(2)(b) Request that section 51 hearing be held in the National Capital Region
51(3) Request and be given right to make representations in section 51 hearings
72(1) Prepare annual report to Parliament

Privacy Regulations

9 Provide reasonable facilities to examine information
11(2) and (4) Procedures for correction or notation of information
13(1) Disclosure of information relating to physical or mental health to qualified practitioner or psychologist
14 Require individual to examine information in presence of qualified practitioner or psychologist

Appendix B – Statistical Report on the Privacy Act

Institution
Office of the Privacy Commissioner of Canada
Reporting period / Période visée par le rapport
April 1, 2007 to March 31, 2008
I Requests under the Privacy Act /
Demandes en vertu de la Loi sur la protection
des renseignements personnels
Received during reporting period /
Reçues pendant la période visée par le rapport
45
Outstanding from previous period /
En suspens depuis la période antérieure
 
TOTAL 45
Completed during reporting period /
Traitées pendant la période visées par le rapport
45
Carried forward /
Reportées
 
II Disposition of request completed /
Disposition à l’égard des demandes traitées
1. All disclosed /
Communication totale
4
2. Disclosed in part /
Communication partielle
10
3. Nothing disclosed (excluded) /
Aucune communication (exclusion)
 
4. Nothing disclosed (exempt) /
Aucune communication (exemption)
2
5. Unable to process /
Traitement impossible
6
6. Abandonned by applicant /
Abandon de la demande
 
7. Transferred /
Transmission
23
TOTAL 45
III Exemptions invoked /
Exceptions invoquées
S.
Art. 18(2)
S.
Art. 19(1)(a)
 
(b)  
(c)  
(d)  
S.
Art. 20
 
S.
Art. 21
 
S. / Art. 22(1)(a)  
(b)  
(c)  
S. / Art. 22(2)  
S. / Art. 23 (a)  
(b)  
S. / Art. 24  
S. / Art. 25  
S. / Art. 26 5
S. / Art. 27  
S. / Art. 28  
IV Exclusions cited /
Exclusions citées
S.
Art. 69(1)(a)
(b)  
S.
Art. 70(1)(a)
 
(b)  
(c)  
(d)  
(e)  
(f)  
V Completion time /
Délai de traitement
30 days or under /
30 jours ou moins
45
31 to 60 days /
De 31 à 60 jours
 
61 to 120 days /
De 61 à 120 jours
 
121 days or over /
121 jours ou plus
 
VI Extentions /
Prorogations des délais
  30 days or under /
30 jours ou moins
31 days or over /
31 jours ou plus
Interference with operations /
Interruption des opérations
   
Consultation    
Translation /
Traduction
   
TOTAL    
VII Translations /
Traductions
Translations requested /
Traductions demandées
 
Translations
prepared /
English to French /
De l’anglais au français
Traductions
préparées
French to English /
Du français à l’anglais
 
VIII Method of access /
Méthode de consultation
Copies given / Copies de l’original 14
Examination / Examen de l’original  
Copies and examination / Copies et examen  
IX Corrections and notation /
Corrections et mention
Corrections requested /
Corrections demandées
Corrections made /
Corrections effectuées
 
Notation attached /
Mention annexée
 
X Costs /
Coûts
Financial (all reasons) /
Financiers (raisons)
Salary /
Traitement
$ 67,988.38
Administration (O and M) /
Administration (fonctionnement et maintien)
$ 38,503.51
TOTAL $ 106,491.89
Person year utilization (all reasons) /
Années-personnes utilisées (raisons)
Person year (decimal format) /
Années-personnes (nombre décimal)
1.0167

TBS/SCT 350-63 (Rev. 1999/03)

Discrepancies
III – Exemptions invoked

Section 22.1 was invoked on 7 requests.

X – Costs

All operating and maintenance costs are borne by other OPC Branches i.e.: Human Resources (training), Information Technology (computers, printouts, etc), Corporate Services (supplies, mailing, etc).

Other

The OPC received and responded to 3 consultations from other government institutions.

Supplemental Reporting Requirements for 2007-2008 Privacy Act

Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for the 2007-2008 reporting period.

Indicate the number of:

Preliminary Privacy Impact Assessments initiated: N/A

Preliminary Privacy Impact Assessments completed: N/A

Privacy Impact Assessments initiated: N/A

Privacy Impact Assessments completed: N/A

Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): N/A

If your institution did not undertake any of the activities noted above during the reporting period, this must be stated explicitly.

  • The OPC did not undertake any of the activities noted above during the reporting period.
Date modified: