¶¶ÒùÊÓƵ

Language selection

Search

Annual Report to Parliament on the Administration of the Privacy Act 2022-2023

Table of Contents

Introduction

We are pleased to table the Annual Report to Parliament on the administration of the Privacy Act for fiscal year 2022-2023, as required under section 72 of the Act. ¶¶ÒùÊÓƵ is not reporting on behalf of wholly owned subsidiaries or non-operational institutions.

NOTE: The Department is referred to in this report as ¶¶ÒùÊÓƵ (GAC). Its legal name, however, remains the Department of Foreign Affairs, Trade and Development, as set out in the Department of Foreign Affairs, Trade and Development Act.

Purpose of the Privacy Act

The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

Mandate of the Institution

¶¶ÒùÊÓƵ, under the leadership of the Minister of Foreign Affairs; the Minister of Export Promotion, International Trade and Economic Development; and the Minister of International Development, is responsible for advancing Canada’s international relations, including:

¶¶ÒùÊÓƵ manages Canada’s diplomatic and consular relations with foreign governments and international organizations, engaging and influencing international players to advance Canada’s political, legal and economic interests, including poverty reduction, the empowerment of women and girls, the promotion of a rules-based international order, international peace and security, human rights, inclusive and accountable governance, peaceful pluralism, inclusion and respect for diversity, and environmental sustainability.

In support of efforts to eradicate global poverty and contribute to a more peaceful, prosperous, and inclusive world, the department manages the majority of Canada’s international assistance. The department also leads coordinated Canadian responses to crises and natural disasters abroad, including the provision of needs-based humanitarian assistance.

¶¶ÒùÊÓƵ also manages Canada’s international platform—a global network of missions in approximately 110 countries that supports the international work of the department and partner departments, agencies, and co-locators.

To improve and maintain market access for Canadian businesses, ¶¶ÒùÊÓƵ leads the negotiation of bilateral, plurilateral and multilateral trade agreements, the administration of export and import controls, as well as the management of international trade disputes. The Department also provides advice and services to help Canadian businesses succeed abroad and attract foreign direct investment to Canada, and supports international innovation, science, and technology.

The Department delivers consular services and provides travel information to Canadians.

It also supports global peace and stability and addresses international security threats such as terrorism, transnational organized crime and the proliferation of weapons, and materials of mass destruction.

¶¶ÒùÊÓƵ develops and implements policy and programming based on analysis of available evidence, including through consultation and engagement with Canadians and international stakeholders. The department is responsible for fostering the development of international law and its applications in Canada’s foreign relations.

The department’s legal responsibilities are detailed in the 2013 .

For more information on the ministers’ mandated commitments, see the .

Organizational Structure

The Access to Information and Privacy Protection (ATIP) Division is responsible for the administration of the Access to Information Act and the Privacy Act, including the processing of requests and consultations. The Director of the ATIP Division reports to the Corporate Secretary who, in turn, reports to the Deputy Minister of Foreign Affairs.

In 2022-2023, the ATIP Division had 70 Full-Time Equivalent (FTE) positions to fulfill the Department’s obligations under both the Access to Information Act and the Privacy Act. During the fiscal year, the ATIP Division was able to fill, on average, 48 of those 70 positions and relied on the services of up to 10 ATIP consultants.

The Access to Information and Privacy Division is led by a Director, who manages the teams that administer the Access to Information and Privacy Acts:

All employees are working within a hybrid model, with telework from home and in-office presence at headquarters (125 Sussex Drive). ¶¶ÒùÊÓƵ did not have any regional ATIP staff.

During the fiscal year 2022-2023, ¶¶ÒùÊÓƵ did not have any service agreements pursuant to section 73.1 of the Privacy Act.

Delegation Order

Consistent with Section 73 of the Privacy Act, the Minister’s authority is delegated to the Deputy Ministers, to the Corporate Secretary, to the Director of the ATIP Division, and to the Deputy Directors of the ATIP Division. It is also delegated to Heads of Mission for the purpose of public interest disclosures under section 8(2)(m) of the Act.

A copy of ¶¶ÒùÊÓƵ’s signed Delegation Order is provided in Annex A.

Performance 2022-2023

Number of Requests

In 2022-2023, the Department received 118 new requests under the Privacy Act, an increase of 8% compared to the 2021-2022 fiscal year. A total of 72 requests were carried over into this reporting period; 49 requests were outstanding from the previous reporting period and 23 outstanding from more than one reporting period, for a total of 190 active requests.

During the same reporting period, 124 requests were completed; an increase of almost 13% compared to the 2021-2022 fiscal year. The rise in the number of completed requests, compared to 2021-2022, reflects a gradual normalization of access to the workplace that followed the first year of the pandemic, during which time access to the office was severely constrained.

Text version

Privacy Requests

Type2019-20202020-20212021-20222022-2023

Received

105

82

109

118

Completed

110

74

110

124

The carry-over of active files at the end of fiscal year 2022-2023 was 66.

Active Requests Outstanding from Previous Reporting Periods

At the end of reporting period, approximately 21% of ¶¶ÒùÊÓƵ’s outstanding requests from previous reporting period were still on time.

2018-2019

2019-2020

2020-2021

2021-2022

2022-2023

Total

Active

6

5

6

8

41

66

On time

0

0

0

0

14

14

Late

6

5

6

8

27

52

Extensions

During the reporting period, the Department took extensions on 22 out of the 124 requests it closed. The reasons for extension include 21 extensions taken under section 15(a)(i) for interference with operations, and 1 extension under section 15 (a)(ii) for consultation requirement.

Compliance Rate

The compliance rate is defined as the percentage of Access to Information requests that the Department responded to within the deadline required under the Act. In 2022-2023, the departmental compliance rate for ¶¶ÒùÊÓƵ was 52%. This means that 48% of Privacy requests received a response beyond the deadline. The compliance rate for the reporting period increased by 7 percentage points compared to the previous reporting period.

Text version

Compliance Rate

2019-20202020-20212021-20222022-2023

Percentage

55%

11%

45%

52%

Completion Time

During the reporting period, the Department was able to close a total of 33 requests in 15 days or less (27%), 19 requests within 16-30 days (15%), 25 requests within 31-60 days (20%), 8 requests within 61-120 days (6.5%), 8 requests within 121-180 days (6.5%), 15 requests within 181-365 days (12%), and 16 requests took over 365 days to complete (13%).

Text version

Completion Time

This pie graph illustrates the percentage of requests that were completed during the reporting period within the following timeframes: 1 to 15 days (27%), 16 to 30 days (15%), 31 to 60 days (20%), 61 to 120 days (6.5%), 121 to 180 days (6.5%), 181 to 365 days (12%), and over 365 days (13%).

Disposition of Completed Requests

Of the 124 Privacy requests closed in the 2022-2023 fiscal year, 17 were all disclosed (14%), 53 were disclosed in part (43%), 1 was all exempted (1%), 14 had no records in existence (11%), and 39 were abandoned (31%).

Text version

Disposition of Completed Requests

This pie graph illustrates the percentage of requests that were completed during the reporting period with the following dispositions: All Disclosed (14%), Disclosed in Part (43%), All Exempted (1%), No records exist (11%), and Request abandoned (31%).

Consultations from Other Institutions

Given its mandate and various responsibilities at the international level, the Department plays a key role under the Act on behalf of other institutions of the Government of Canada. Specifically, the Department consulted foreign governments and organizations on behalf of other federal government institutions when the latter needed to determine whether they could release records that originated abroad.

During the reporting period, the Department received two new consultations from other government institutions and had carried over 1 consultation from the previous reporting period. Of these 3 active requests, the Department closed 2 consultation requests having reviewed 41 pages.

Of the 2 consultation requests closed this fiscal year, 1 request was closed in 15 days or less (50%), and 1 request within 121-180 days.

Number of Days TakenNumber of Requests ClosedPercentage

1-15 days

1

50%

16-30 days

0

0%

31-60 days

0

0%

61-120 days

0

0%

121-180 days

1

50%

181-365 days

0

0%

365+ days

0

0%

Staffing

In 2022-2023, the ATIP Division had approximately 12 Full-Time Equivalent (FTE) positions working on Privacy Protection requests and Privacy Policy. This is consistent with the staffing level of the previous reporting period.

Text version

Privacy Protection Total Human Resources in FTE

2019-20202020-20212021-20222022-2023

Total

9.92

11.63

11.45

11.67

COVID-19 Impacts to Privacy Operations

In 2022-2023, ¶¶ÒùÊÓƵ adopted the hybrid model and departmental officials were able to provide responsive records to requests made under the Privacy Act, regardless of security classification. The ATIP office remained fully operational during the fiscal year 2022-2023 reporting period, as there were no significant impacts on ATIP performance attributable to COVID-19.

Training and Awareness

The ATIP Division continues to develop tools, guidance and training to ATIP Analysts, ATIP Liaison Officers and subject matter experts across ¶¶ÒùÊÓƵ.

Again this fiscal year, the ATIP Division benefited from its Professional Development Program (PDP), which allows the Department to train and promote its ATIP Analysts from junior (PM-01) to senior (PM-05) levels. This long-standing program continues to be very successful in addressing recruitment, retention, and succession planning issues. The majority of the employees working in the division are already part of the PDP and are eligible for promotion to the next level once they meet the required objectives. The PDP aims to build a more robust ATIP capacity within ¶¶ÒùÊÓƵ by “growing its own”, thereby addressing the shortage of Analysts and Team Leaders across the federal ATIP community.

A small team within the division provided ATIP training to 5 Junior ATIP Analysts. The training was composed of 3 sessions that lasted up to 2 hours each session and was divided as the following:

  1. The A-to-Z process of ATIA and PA requests
  2. Extension and Consultations under the ATIA and PA
  3. Exemptions and Exclusions under the ATIA and PA

Training was given in small sessions (1-2 employees per session), providing participants with the opportunity to speak freely and ask any questions as they arose.

Along with internal coaching, the division also participated in training for other divisions within the Department. For example, the Blended Learning Program for Administrative/Executive Assistance at Headquarters educated 37 participants on privacy awareness and gave an overview of their obligations vis-à-vis the Access to Information Act. Furthermore, ATIP training was provided to 13 participants during the Foreign Service Executive Administrative Assistants (FSEAA) onboarding program.

Additionally, the ATIP Division provided the following training modules to GAC employees:

  1. ATIP for Liaison Officers
  2. ATIP for Reviewing Officers

Due to GAC’s rotational employee structure, ATIP training sessions were made available upon request and attendance varied between 1 to 42 employees. During the fiscal year, a total of 67 training sessions were delivered to approximately 700 ¶¶ÒùÊÓƵ employees. Of these presentations, 65 were delivered virtually via the use of MS Teams and 2 training sessions were delivered in person.

In addition, 171 employees successfully completed an online interactive ATIP awareness tutorial during the reporting period, which was developed in collaboration with the Canadian Foreign Service Institute (CFSI).

The Policy and Governance Team continues to offer training to all employees of ¶¶ÒùÊÓƵ to address the specific business and operational needs of the individual groups within the department.

The Privacy Policy Team maintains an updated spreadsheet, documenting all privacy training sessions conducted within the organization throughout the fiscal year, ensuring an accurate reflection of specific topics discussed and keeping track of employees’ increasing privacy awareness. The team is also developing new privacy awareness modules which will mirror new language to be included in the modernized Privacy Act, as well as targeted training sessions in-line with GAC’s new Privacy Management Framework.

Policies, Guidelines, and Procedures

ATIP ADM Tasking

Over the fiscal year, the ATIP Division at ¶¶ÒùÊÓƵ gradually implemented the ATIP Assistant Deputy Minister (ADM) tasking model. The division used to rely on ATIP Liaison Officers working in the Director General office (DGO) to coordinate the retrieval of relevant records in response to requests made under the Access to Information Act and Privacy Act. Before implementing the initiatives, the ATIP Division had approximately 100 ATIP Liaison Officers across ¶¶ÒùÊÓƵ. In an attempt to better identify subject matter experts within the department, the ADM tasking model encompasses a coordination role held by an Assistant Deputy Minister office (ADMO) Liaison Officer (LO). ADMO LOs coordinate a branch-wide ATIP response to the ATIP Division and are able to monitor compliance and backlog progress directly with their responsible DGOs.

GAC is composed of 16 branches (that are ADM-led) and 13 special bureaus (that are led by a Director General and/or report directly to a Deputy Minister). In September 2022, the ATIP Division piloted 5 branches and 5 special bureaus in its ADM tasking model. Following a successful pilot phase, the division onboarded an additional 5 branches and 8 special bureaus in December 2022. In January 2023, another 3 branches joined the new model. The final implementation phase is scheduled for the 2023-2024 fiscal year, where the remaining 4 branches will join the new structure.

Since its implementation, the Department has seen an increase in on-time tasking responses of 25% and tasking backlog by about 50%, reducing overall outstanding taskings from 811 to 410 by fiscal year end.

ATIP at the Executive Committee Meeting

During the fiscal year of 2022-2023, the Corporate Secretary of ¶¶ÒùÊÓƵ overseeing the administration of the Access to Information Act made 3 appearances at GAC’s Executive Committee (EXCO) – June 14, 2022, September 15, 2022, and March 23, 2023. During appearances at EXCO the Corporate Secretary emphasized both the requirement to respond to ATIP requests in a timely fashion and the importance of reducing the backlog of ATIP taskings. In order to meet these goals, best practices were discussed, and achievable reduction targets were imposed on GAC’s ADMOs and special bureaus.

HR Strategies

The implementation of the hybrid work model proved beneficial for the retention of staff in the ATIP Division. However, recruitment of skilled analysts, at GAC as in other government institutions, remains a challenge, especially at the Senior Analyst level. Despite the challenges, there have been recent successes having onboarded 23 new employees in the 2022-2023 fiscal year. Staffing strategies included hiring a new Deputy Director within the division to manage a range of recruitment activities, including staffing processes, multi-level advertised processes, and participation in the recruitment efforts led by ATIP Community Development Office at TBS. The division also actively utilizes its Professional Development Program resulting in the promotions of 1 Senior Analyst and 2 Privacy Analysts, as well as 7 Team Leaders and Senior Advisors at the PM-05 level through its expanded program.

These initiatives have aided in the ATIP Division’s successes in the 2022-2023 fiscal year.

Privacy Tools and Initiatives

The official launch of a privacy management framework in November 2022 marks an important milestone for GAC. This framework provides the Department with guidelines to implement effective privacy policies and procedures that comply with the latest legislative regulations. It emphasizes the need for transparency, accountability, and security in data processing, storage, and sharing. The launch of this framework is a step forward towards ensuring individuals' rights to privacy and strengthening trust between GAC and Canadian citizens.

Further to the launch, the Privacy Policy Team continues to develop various tools for advancing privacy awareness and ensuring proper privacy safeguards are in place:

The Privacy Policy Team continues to actively participate in the Department of Justice led modernization of the Privacy Act and awaits the next meetings on its development so that ¶¶ÒùÊÓƵ’s views can be reflected within.

Initiatives and Projects to Improve Privacy

New ATIP Software

The current case management software used to process requests is becoming obsolete and will no longer be supported by the vendor in the coming years. GAC is using this opportunity to replace the legacy software and leverage new technology such as artificial intelligence to increase efficiencies in their service delivery and to better handle the large volume of ATIP requests. Deployment of the new solution is anticipated for fiscal year 2025-2026.

During the reporting period, we have started the ATIP Online Request Service to communicate responsive records through the online portal, which enables us to provide faster responses to requesters while ensuring transmittal is done in a safe and secure manner.

Summary of Key Issues and Actions Taken on Complaints

Requests for Personal Information

During fiscal year 2022-2023, 20 complaints were made to the Office of the Privacy Commissioner of Canada regarding Privacy requests to the Department. The reasons for the complaints are as follows:

Reason for ComplaintNumber of Complaints

Collection

1

Delay

16

Miscellaneous

1

Refusal-Exemptions

1

Refusal-General

1

Over the course of the reporting period, 9 complaints against the Department were closed. The findings on closed complaints were as follows:

Complaint FindingsNumber of Complaints

Discontinued

3

No finding

1

Well-Founded

5

All closed complaints regarding access to personal information were resolved by responding or providing additional personal information to the requesters. The ATIP Division relied on continuous and consistent follow-ups on outstanding taskings, ensuring escalation procedures are conducted in order to respond to requesters fully and close complaints.

The ATIP Division continues to operate a team dedicated to managing complaints from the Office of the Privacy Commissioner (OPC). This team serves as the primary point of contact between ¶¶ÒùÊÓƵ and the OPC, working closely and collaboratively to strengthen relationships and improve ¶¶ÒùÊÓƵ’s ATIP program performance.

Management of Personal Information

The Privacy Policy Team received 3 new complaints during the reporting period relating to the management of personal information. Specifically, they can be summarized as:

  1. A mission’s unauthorized disclosure of personal information regarding the mandatory COVID-19 vaccination for federal employees,
  2. An inadvertent disclosure where personal information of an employee was shared with the wrong recipient, and
  3. An individual’s personal health information improperly disclosed to a foreign government by an employee of ¶¶ÒùÊÓƵ.

The team closed one complaint relating to the management of personal information during the reporting period: Item 1 was closed March 10, 2023. In this instance the Office of the Privacy Commissioner sought representations from the Department, further to any steps taken since the incident to ensure the security of staff information. The Department informed the OPC that the division is not storing personal medical records of staff, including any that may have been vaccinated. The COVID vaccination was an exclusive task managed by Human Resources and that the personal health information requested had to be provided to the local government to obtain the COVID certificate required for travel. This was known to all participants. The Department also informed the OPC that the personal health information was stored on a protected drive that could only be accessed by Human Resources, while the mission had to process the information and obtain a COVID Vaccination Certificate from the local government’s Health authority. The information was subsequently removed from the mission’s drive following receipt of the complaint. Additionally, the mission has put a policy in place in the event where the office is required to collect personal information from staff, that staff will be aware of the purpose of collection and be requested to consider consenting to its collection and use.

Active Complaints Outstanding from Previous Reporting Periods

2017-2018

2018-2019

2019-2020

2020-2021

2021-2022

2022-2023

Total

Active

2

3

4

1

7

13

30

Material Privacy Breaches

During fiscal year 2022-2023, six material privacy breaches were reported to the Department. At the end of the fiscal year, six material privacy breach notifications were reported to the Treasury Board Secretariat and the Office of the Privacy Commissioner.

Material Breaches Reported to OPC and TBS 2022-2023

No.DescriptionSummary of Action

1

The disclosure of personal information regarding passport documents (expired and new) and a Canadian Citizenship certificate of a client, sent from mission (Embassy) by-hand, for delivery by commercial courier to the passport client, suspected lost in mail by courier.

Discovery, containment, and mitigation measures taken:

  1. Discovery of the breach occurred between March 8, 2022, following the client’s initial email contact with a mission passport agent that resulted in mission follow up with the third-party courier and included various communications between the mission’s passport agent and courier officer on the status of the package hand delivered to the courier. Discovery continued up until the mission received confirmation from the third party on March 28, 2022, that the courier had no record of receiving the package. The passport agent provided status updates on the delivery and communicated with the passport client throughout this period.
  2. The loss and incident was reported to the appropriate Passport offices within IRCC on March 29, 2022.
  3. A gratis replacement passport was requested on March 30, 2022, which the client has since received.
  4. The status of the passport was updated by IRCC and declared lost on March 31, 2022.
  5. The client was informed of the loss of documents throughout this process, including appropriate steps to take to obtain a new passport and Canadian Citizenship Certificate.
  6. IRCC contacted the Department’s ATIP unit to notify of the incident on April 21, 2022
  7. The mission reported the incident to the Department’s ATIP unit for review and assessment on April 27, 2022.
  8. The Department notified the Office of the Privacy Commissioner and Treasury Board Secretariat of Canada on August 10, 2022.

2

The disclosure of personal information regarding the passport (Regular) of a client, sent for delivery from Canada to a mission (Consulate General of Canada), via commercial courier (approximately 2017), suspected lost in transit between the courier and the mission.

Discovery, containment, and mitigation measures taken:

  1. Discovery of the breach occurred between March 21, 2022, following the client’s initial email sent to the mission to enquire on the status of the Regular passport which resulted in mission follow up and various communications between the mission, IRCC and third-party courier. Discovery continued up until the mission received confirmation from IRCC on April 1, 2022, that the document was sent from Canada to mission in 2017 and confirmation from the courier on April 7, 2022, that records older than 2 years are not available. There is no record of the mission’s receipt of the passport document.
  2. While a temporary passport was received by the applicant at the time of application in 2016, the applicant did not complete the exchange in 2016-2017, as originally agreed upon.
  3. The applicant returned the temporary passport which was received at mission on April 22, 2022.
  4. Further to guidance from IRCC, the mission proceeded with a gratis passport replacement.
  5. On April 28, 2022, the mission informed the client that the status and location of the passport is unknown and requested the client to submit a new passport application, at no cost.
  6. The client submitted the new passport application, received at mission on May 19, 2022. On the same date, the mission contacted IRCC to report the previous passport lost.
  7. The application was processed, and the new passport was sent to the client from mission via commercial courier on May 31, 2022 and signed for on June 1, 2022.
  8. The mission reported the incident to the Department’s ATIP unit for review and assessment on June 28, 2022.
  9. The Department notified the Office of the Privacy Commissioner and Treasury Board Secretariat of Canada on August 11, 2022.

3

The disclosure of personal information regarding a passport (Regular) document of a client, sent from mission (Consulate General of Canada) for delivery to client via commercial courier on October 5, 2021, suspected lost in transit.

Discovery, containment, and mitigation measures taken:

  1. Discovery of the breach occurred between October 24, 2021, following the client’s initial email sent to the mission to enquire on the status of the passport, which resulted in mission follow up with IRCC and third-party courier. Discovery continued up until the mission received confirmation from the courier that the client had already filed a claim with the courier and that the matter was being investigated on April 27, 2022, by their offices.
  2. Further to the mission’s email response to the applicant of October 25, 2021, the mission informed the client that the courier tracking status indicated that the package was delivered.
  3. The client contacted the mission again on April 13, 2022, to inform that the mission’s email had gone to their spam folder and was not seen until then. The mission replied and requested whether the client was aware if another person signed on the client’s behalf. The client replied on April 26, 2022, to inform the mission, that the client could not confirm whether the package had been received and signed for by someone else.
  4. The mission reported the incident and loss of a passport document to IRCC on April 27, 2022.
  5. The mission opened a new passport application on April 28, 2022, and offered a gratis replacement to the client.
  6. The mission reported the incident to the Department’s ATIP unit for review and assessment on June 28, 2022.
  7. The Department notified the Office of the Privacy Commissioner and Treasury Board Secretariat of Canada on August 11, 2022.

4

The disclosure of personal information regarding a passport (Regular) document of a client, sent for delivery from the mission (Consulate General of Canada) to the client via commercial courier on April 28, 2022, and reported by the client as lost by courier.

Discovery, containment, and mitigation measures taken:

  1. Discovery of the breach occurred following the client’s initial contact with the mission on May 6, 2022, where the mission was informed that the client had not received the passport, that resulted in mission follow up with IRCC and further discussion with the client. Discovery continued up until the client contacted the mission on May 19, 2022, to inform the mission that the courier had lost the package.
  2. The mission notified and requested guidance from IRCC further to the issuance of a gratis passport on May 20, 2022, and a new passport was delivered to the client.
  3. IRCC contacted the Department’s ATIP office to notify of the incident on May 20, 2022.
  4. The mission filed and placed a lost package claim with the courier on May 24, 2022.
  5. The mission reported the incident to the Department’s ATIP unit for review and assessment on May 26, 2022.
  6. The Department notified the Office of the Privacy Commissioner and Treasury Board Secretariat of Canada on August 12, 2022.

5

The disclosure of personal information regarding a passport (Regular) document of a client when the packaging containing newly issued passports (Regular) of multiple clients being delivered from Canada to mission by third-party courier was received at mission opened. The shipment contained one passport package that was opened/damaged.

Discovery, containment, and mitigation measures taken:

  1. Discovery of the breach occurred at mission on May 26, 2022, when the mission received a shipment of passports that was opened and re-taped. Inside the shipment was a passport package that was opened/damaged
  2. The mission reported the incident to IRCC on May 26, 2022, and informed their office that when the shipment was opened, one of the inner passport envelopes was damaged and the passport contained inside could be accessed through the ripped envelope. Though the package was damaged, all the passports were accounted for and only one of the individual passport envelopes was opened/damaged.
  3. IRCC contacted ESDC to report the incident and open an investigation on the same day.
  4. Passport was cancelled and a gratis replacement issued.
  5. IRCC contacted the Department’s ATIP office to notify of the incident on May 26, 2022.
  6. The mission reported the incident to the Department’s ATIP unit for review and assessment on June 2, 2022.
  7. The ATIP office recommended mission notify the individual.
  8. The Department notified the Office of the Privacy Commissioner and Treasury Board Secretariat of Canada on November 8, 2022.

6

The disclosure of personal information regarding passport documents (new and expired) sent for delivery to the applicant from mission (Embassy) via commercial courier on September 21, 2022, and suspected lost in mail by courier

Discovery, containment, and mitigation measures taken:

  1. Discovery of the breach occurred following the client’s initial contact with the mission September 23, 2022, where the mission was informed that the client’s passport had not been received, which resulted in mission follow up with IRCC and the third-party courier.
  2. The mission reported the incident to IRCC on October 13, 2022, and confirmed that it sent the package to the client on September 21, 2022 and contacted the courier to begin an investigation.
  3. IRCC provided guidance to the mission further to the issuance of a gratis replacement passport.
  4. IRCC contacted the Department’s ATIP unit to notify of the incident on October 14, 2022.
  5. The mission reported the incident to the Department’s ATIP unit for review and assessment on December 29, 2022.
  6. The Department notified the Office of the Privacy Commissioner and Treasury Board Secretariat of Canada on January 24, 2023.

Privacy Impact Assessments

During the fiscal year, ¶¶ÒùÊÓƵ finalized three Privacy Impact Assessments.

  1. Canadian National Contact Point (NCP) for Responsible Business Conduct

The purpose of this Privacy Impact Assessment (PIA) is to identify and analyze the potential privacy risks associated with the collection, use, disclosure, and retention of personal information (PI) by the NCP Secretariat in relation to the changes it is making to its procedures. The NCP operates as a unit within GAC, which is named in the Schedule to the Privacy Act and is subject to the privacy policies and directives of the Treasury Board Secretariat (TBS). This PIA is the assessment of the privacy impacts associated with the NCP to fulfill the requirements of the TBS Directive on Privacy Impact Assessment, the TBS Directive on Privacy Practices and to reflect the Privacy Commissioner of Canada instrument – Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada. This PIA will assess the NCP’s complaint/Request for Review (RfR) process from the point of collection of PI through to the destruction of that PI.

The Order in Council authorizing the creation of Canada’s NCP was issued in 2000. Since that time the NCP has made substantial changes to its operations, and their alignment with the Privacy Act has been deemed a priority. The changes include adopting a de-identification model, revising its Procedures Guide, and creating an intake form and a case tracker.

In this PIA, the NCP is:

  1. Mission Emergency Plan Generator (MEPGEN)

The Mission Emergency Plan (MEP) provides Mission personnel with information and guidance on relevant emergency management policy and procedures. MEP is used for contingency planning for emergency preparedness and response to events, up to and including evacuation of staff and mission closures or relocations. The MEP incorporates planning and emergency response policies and best practices that have been used by ¶¶ÒùÊÓƵ and its missions in responding to emergency events. The plan also incorporates mission-specific information that will assist in creating local response strategies for dealing with emergencies. In general, information is not repeated from one component of the plan to another. The MEP is supported by stand-alone contingency plans, protocols, or standard operating procedures (SOPs).

The MEP is prepared under the authority of the Head of Mission (HOM). The HOM is responsible for the entire life cycle of Mission emergency management activities. Emergency Management (EM) is the process of conducting activities, including risk management measures, that will help prepare for, prevent, mitigate, respond to, or recover from all types of emergencies. ¶¶ÒùÊÓƵ emergency management capabilities are central to a coordinated whole of government approach to international emergency events.

The Department of Foreign Affairs, Trade and Development Act sets out the mandate to coordinate the direction given by the Government of Canada to the heads of Canada’s diplomatic and consular missions. These directions include but are not limited to mission emergency preparedness, from planning, training, emergency exercises, to MEP evaluation and improvements.

¶¶ÒùÊÓƵ uses and discloses personal information collected to construct MEPs for each mission as and when required. Mission Emergency Plans are stored in MEPGEN, a secure encrypted web-based system that draws key information from departmental databases to facilitate emergency planning at missions. Global Affairs is modernizing the existing legacy system for better efficiency, mission accessibility and interoperability with other GC modernized systems.

The scope of this Privacy Impact Assessment (PIA) is to review and assess the privacy protection practices and identify potential risks to the personal information collected, used, managed, disclosed, and retained by GAC while operating the Mission Emergency Plan Generator (MEPGEN) system.

The Privacy Impact Assessment is an independent process that assesses privacy protection measures, identifying potential gaps and risks to the institution. In order to protect the institution as well as the privacy rights of individuals, it offers mitigation strategies to remedy the risks found. There are limited inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the MEPGEN.

The Supreme Court of Canada has characterized the Privacy Act as "quasi-constitutional" because of the role privacy plays in the preservation of a free and democratic society. With the enactment of the Federal Accountability Act, the scope of the Privacy Act was broadened, and it now includes well over 200 government institutions. The Policy on Privacy Protection facilitates statutory and regulatory compliance, as well as enhancing effective application of the Privacy Act and its Regulations by government institutions.

There is administrative legislation such as the Federal Accountability Act, the Financial Administration Act, Access to Information Act and the Privacy Act, all designed to ensure transparency and accountability. A host of Treasury Board policies and directives related to privacy and data protection facilitates statutory and regulatory compliance with the Privacy Act as well as ensuring consistency in practices and procedures in administering the Act and Regulations across of all of government.

Throughout this assessment mitigation strategies have been offered to reduce the level of risk presented by the operational environment, however, these strategies do not eliminate the risks entirely. This assessment has resulted in the identification of a series of risks and includes detailed mitigation strategies associated with each risk. For a comprehensive list of all risks and mitigation strategies please review Section II (page 23) – Risk Area Identification and Categorization as well as Section VI (page 57) – Summary of Analysis and Recommendations of this document.

The following is a brief and limited summary of recommendations associated with key risks found through this assessment. These recommendations are part of an integrated privacy risk management approach designed to reduce the level of risk found within the operational environment.

Recommendation 1: It is recommended that GAC develop a clear policy on MEPGEN to highlight potential privacy and safeguarding practices.

Recommendation 2: It is recommended that GAC formalize retention and disposition procedures related to MEPGEN reports on all platforms. Development of MEPGEN related policy prescribing retention and disposition guidelines and expected practices is required.

  1. PIA Case, Contact and Emergency Management (CCEM)

This Privacy Impact Assessment (PIA) builds on the original 2019 Case, Contact and Emergency Management (CCEM) PIA. The 2019 PIA assessed the planning and development process, and this PIA will assess the implementation and operations of the CCEM system. The 2019 PIA offers a more comprehensive coverage of select topics such as Online Appointment Booking Solution (OABS) and use of commercial cloud services, which are not updated in this PIA.

The scope of this Privacy Impact Assessment is to review and assess the privacy protection practices and identify potential risks to the personal information collected, used, managed, disclosed and retained by GAC while operating the Case, Contact and Emergency Management system (CCEM), Registration of Canadians Abroad system (ROCA) as well as the Online Appointment Booking Solution (ORV).

The Privacy Impact Assessment is an independent process that assesses privacy protection measures, identifying potential gaps and risks to the institution. In order to protect the institution as well as the privacy rights of individuals, it offers mitigation strategies to remedy the risks found. There are inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the CCEM.

The Privacy Impact Assessment is an independent process that assesses privacy protection measures, identifying potential gaps and risks to the institution. In order to protect the institution, as well as the privacy rights of individuals, it also offers mitigation strategies to remedy the risks found.

Some of the key recommendations are:

Recommendation 1: It is recommended that GAC provide privacy protection training and awareness to CCEM users on a regular basis. Also, it is important that the privacy section of the Consular Manual provide context and guidance on managing CCEM protected information on the system as well as management of the reports and data extracted from the system.

Recommendation 2: GAC has determined to proceed with the CCEM deployment process even though the system will operate with some flaws until such time they are resolved. It is recommended that the Department judiciously risk manage potential areas of vulnerability and continue with user acceptance and verification testing.

Recommendation 3: This assessment was performed during COVID restrictions, with GAC resources, especially those at missions, strained in helping Canadians with their needs. While GAC may find global deployment and training challenging in present conditions, it is recommended that the Department implement continuous user training and awareness plans. It is further recommended that the Department assess CCEM’s data quality management requirements and develop appropriate methodologies, procedures and technical solutions to assist with ongoing quality control data-assessment, reporting and data accuracy and completeness.

Recommendation 4: In order to safeguard personal information collected, retained and used, it is recommended that GAC reduce and limit the use of offline temporary templates to collect case and contact information and to be inputted by other staff into CCEM. It is recommended that the Department ensure robust training, support, and awareness opportunities for all potential and designated users of CCEM in order to avoid the use of temporary templates where possible.

The Privacy Policy Team is liaising with the web publishing team within the department to publish the PIAs summaries.

Public Interest Disclosures

Subsection 8(2) of the Privacy Act provides that “personal information under the control of a government institution may be disclosed” without consent under certain specific circumstances.

During fiscal year 2022-2023, the Department made a total of 103 disclosures pursuant to subsection 8(2)(m) of the Privacy Act. In 20 cases, the Department determined that the public interest in disclosing personal information clearly outweighed any invasion of privacy that could result. All other disclosures were determined to clearly benefit the individual to whom the information related.

Disclosures pursuant to subparagraph 8(2)(m)(i):

Disclosures pursuant to subparagraph 8(2)(m)(ii):

In all instances notification to the Privacy Commissioner occurred after disclosure.

Monitoring Compliance

Ongoing Reporting

The ATIP Division prepares and distributes a weekly statistics report to management that tracks the number of requests that were received and closed, as well as any emerging trends and performance statistics. The report also allows for comparison of workload and completion rates in relation to the previous year in order to identify changes in ATIP processing.

Additionally, an active tasking report is generated and posted to the intranet weekly to identify all current active taskings within the Department. This report is available for all offices of primary interest (OPIs) to view and lists all open taskings by bureau, highlighting late files.

New this fiscal year is the process of having the Director General and Corporate Secretary overseeing the administration of the Access to Information and Privacy Acts, send the ATIP Twice Monthly Performance Report to Deputy Ministers, Assistant Deputy Ministers, and Directors General, outlining the number of active taskings and compliance within each of the branches/special bureaus. The intent of this procedure is to sensitize senior management to the backlog of active taskings, thereby increasing compliance.

Limiting Inter-institutional Consultations

During the reporting period, the ATIP Division monitored superfluous inter-institutional consultations by having experienced ATIP Team Leaders oversee the relevant records before they were sent out for consultation. By doing so, ATIP Team Leaders were able to reduce the number of consultations sent to the other Government of Canada institutions and other organizations outside the Government of Canada, reducing the amount of time to process requests and not overburdening other departments with unnecessary consultations.

Frequently Requested Types of Information

Throughout fiscal year 2022-2023, GAC did not monitor or review frequently requested types of information for the purpose of making the information available by other means.

Privacy Protection in Contracting

In reviewing contracts, the Privacy Policy group provides privacy clauses that are written to call out privacy protections and regulatory requirements within the statement of work and then mapped to service-level agreements to ensure there are no questions concerning data privacy responsibilities, breach response, incident response, media press releases on breaches, and other considerations, as if the vendor were part of the organization.

As per the information sharing agreements, the Privacy Policy group ensure privacy protection assisted by the TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information.

Annex A: Designation Order

Designation Order
Text version

Privacy Act Designation Order

The Minister of Foreign Affairs, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons acting in those positions, to exercise the powers and perform the duties and functions of the Minister of Foreign Affairs as the head of a Government institution under the sections of the Act set out after each position in the schedule. This designation replaces the designation dated October 2, 2009.

Schedule

Position

  1. Deputy Minister of Foreign Affairs (all sections)
  2. Deputy Minister for International Trade (all sections)
  3. Deputy Minister for International Development (all sections)
  4. Associate Deputy Minister of Foreign Affairs (all sections)
  5. Assistant Deputy Minister, Consular Services (pursuant only to paragraph 8(2)(m) as it relates to public interest disclosure)
  6. Heads of Mission (pursuant only to paragraph 8(2)(m) as it relates to public interest disclosure)
  7. Director General, Corporate Secretariat (all sections)
  8. Director, Access to Information and Privacy Protection Division (all sections)
  9. Deputy Directors, Access to Information and Privacy Protection Division (all sections)

The Honourable Chrystia Freeland, P.C., M.P.
Ottawa, July 4, 2017

Annex B: ¶¶ÒùÊÓƵ 2022-2023 Statistical Report

Statistical Report on the Privacy Act

Name of institution: ¶¶ÒùÊÓƵ

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

Request TypeNumber of Requests

Received during reporting period

118

Outstanding from previous reporting periods

72

  • Outstanding from previous reporting period

49

  • Outstanding from more than one reporting period

23

Total

190

Closed during reporting period

124

Carried over to next reporting period

66

  • Carried over within legislated timeline

14

  • Carried over beyond legislated timeline

52

1.2 Channels of requests

SourceNumber of Requests

Online

107

E-mail

2

Mail

9

In person

0

Phone

0

Fax

0

Total

118

Section 2: Informal Requests

2.1 Number of informal requests

TypeNumber of Requests

Received during reporting period

0

Outstanding from previous reporting periods

0

  • Outstanding from previous reporting period

0

  • Outstanding from more than one reporting period

0

Total

0

Closed during reporting period

0

Carried over to next reporting period

0

2.2 Channels of informal requests

SourceNumber of Requests

Online

0

E-mail

0

Mail

0

In person

0

Phone

0

Fax

0

Total

0

2.3 Completion time of informal requests

Completion Time

1 to 15 Days

16 to 30 Days

31 to 60 Days

61 to 120 Days

121 to 180 Days

181 to 365 Days

More Than 365 Days

Total

0

0

0

0

0

0

0

0

2.4 Pages released informally

Less Than 100
Pages Released

100-500
Pages Released

501-1000
Pages Released

1001-5000
Pages Released

More Than 5000
Pages Released

Number of Requests

Pages Released

Number of Requests

Pages Released

Number of Requests

Pages Released

Number of Requests

Pages Released

Number of Requests

Pages Released

0

0

0

0

0

0

0

0

0

0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

Disposition of Requests

Completion Time

1 to 15
Days

16 to 30 Days

31 to 60 Days

61 to 120 Days

121 to 180 Days

181 to 365 Days

More Than 365 Days

Total

All disclosed

3

6

4

1

1

1

1

17

Disclosed in part

0

5

13

6

6

13

10

53

All exempted

0

0

1

0

0

0

0

1

All excluded

0

0

0

0

0

0

0

0

No records exist

4

6

3

1

0

0

0

14

Request abandoned

26

2

4

0

1

1

5

39

Neither confirmed nor denied

0

0

0

0

0

0

0

0

Total

33

19

25

8

8

15

16

124

3.2 Exemptions

SectionNumber of Requests

18(2)

0

19(1)(a)

3

19(1)(b)

2

19(1)(c)

0

19(1)(d)

0

19(1)(e)

0

19(1)(f)

0

20

0

21

8

22(1)(a)(i)

0

22(1)(a)(ii)

0

22(1)(a)(iii)

0

22(1)(b)

4

22(1)(c)

1

22(2)

0

22.1

0

22.2

0

22.3

0

22.4

0

23(a)

1

23(b)

0

24(a)

0

24(b)

0

25

0

26

48

27

6

27.1

0

28

0

3.3 Exclusions

SectionNumber of Requests

69(1)(a)

0

69(1)(b)

0

69.1

0

70(1)

0

70(1)(a)

0

70(1)(b)

0

70(1)(c)

0

70(1)(d)

0

70(1)(e)

0

70(1)(f)

0

70.1

0

3.4 Format of information released

Paper

Electronic

Other

E-record

Data set

Video

Audio

5

64

0

1

2

0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

Number of Pages  ProcessedNumber of Pages DisclosedNumber of Requests

26,102

18,608

110

3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests

Disposition

Less Than 100
Pages Processed

100-500
Pages Processed

501-1000
Pages Processed

1001-5000
Pages Processed

More Than 5000
Pages Processed

Number of Requests

Pages Processed

Number of Requests

Pages Processed

Number of Requests

Pages Processed

Number of Requests

Pages Processed

Number of Requests

Pages Processed

All disclosed

15

246

2

306

0

0

0

0

0

0

Disclosed in part

22

983

20

5,386

4

2,758

7

16,056

0

0

All exempted

0

0

1

367

0

0

0

0

0

0

All excluded

0

0

0

0

0

0

0

0

0

0

Request abandoned

39

0

0

0

0

0

0

0

0

0

Neither confirmed nor denied

0

0

0

0

0

0

0

0

0

0

Total

76

1,229

23

6,059

4

2,758

7

16,056

0

0

3.5.3 Relevant minutes processed and disclosed for audio formats

Number of Minutes ProcessedNumber of Minutes DisclosedNumber of Requests

79

79

2

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

Disposition

Less than 60 Minutes processed

60-120 Minutes processed

More than 120 Minutes processed

Number of requests

Minutes Processed

Number of requests

Minutes Processed

Number of requests

Minutes Processed

All disclosed

1

6

1

73

0

0

Disclosed in part

0

0

0

0

0

0

All exempted

0

0

0

0

0

0

All excluded

0

0

0

0

0

0

Request abandoned

0

0

0

0

0

0

Neither confirmed nor denied

0

0

0

0

0

0

Total

1

6

1

73

0

0

3.5.5 Relevant minutes processed and disclosed for video formats

Number of Minutes ProcessedNumber of Minutes DisclosedNumber of Requests

8

8

1

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

Disposition

Less than 60 Minutes processed

60-120 Minutes processed

More than 120 Minutes processed

Number of requests

Minutes Processed

Number of requests

Minutes Processed

Number of requests

Minutes Processed

All disclosed

1

8

0

0

0

0

Disclosed in part

0

0

0

0

0

0

All exempted

0

0

0

0

0

0

All excluded

0

0

0

0

0

0

Request abandoned

0

0

0

0

0

0

Neither confirmed nor denied

0

0

0

0

0

0

Total

1

8

0

0

0

0

3.5.7 Other complexities

DispositionConsultation RequiredLegal Advice SoughtInterwoven InformationOtherTotal

All disclosed

0

0

0

0

0

Disclosed in part

4

0

48

0

52

All exempted

0

0

0

0

0

All excluded

0

0

0

0

0

Request abandoned

1

0

0

0

1

Neither confirmed nor denied

0

0

0

0

0

Total

5

0

48

0

53

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

Number of requests closed past the legislated timelines

Principal Reason

Interference with operations / Workload

External Consultation

Internal Consultation

Other

59

27

0

2

30

3.7.2 Request closed beyond legislated timelines (including any extension taken)

Number of days past legislated timelinesNumber of requests past legislated timeline where no extension was takenNumber of requests past  legislated timeline where an extension was takenTotal

1 to 15 days

10

0

10

16 to 30 days

3

0

3

31 to 60 days

5

0

5

61 to 120 days

5

3

8

121  to 180 days

12

2

14

181 to 365 days

9

3

12

More than 365 days

2

5

7

Total

46

13

59

3.8 Requests for translation

Translation RequestsAcceptedRefusedTotal

English to French

0

0

0

French to English

0

0

0

Total

0

0

0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e)Paragraph 8(2)(m)Subsection 8(5)Total

1

103

0

104

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests ReceivedNumber

Notations attached

0

Requests for correction accepted

0

Total

0

Section 6: Extensions

6.1 Reasons for extensions

 

 

Number of
extensions taken

15(a)(i) Interference with operations

15(a)(ii) Consultation

15(b)
Translation purposes or conversion

Further review required to determine exemptions

Large volume of pages

Large volume of requests

Documents are difficult to obtain

Cabinet ConfidenceSection (Section 70)

External

Internal

22

0

9

11

1

0

0

1

0

6.2 Length of extensions

 

 

Number of
extensions taken

15(a)(i) Interference with operations

15(a)(ii) Consultation

15(b)
Translation purposes or conversion

Further review required to determine exemptions

Large volume of pages

Large volume of requests

Documents are difficult to obtain

Cabinet ConfidenceSection (Section 70)

External

Internal

1 to 15 days

0

0

0

0

0

0

0

0

16 to 30 days

0

9

11

1

0

0

1

0

31 days or greater

0

0

0

0

0

0

0

0

Total

0

9

11

1

0

0

1

0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

ConsultationsOther Government of Canada InstitutionsNumber of Pages to ReviewOther
Organizations
Number of Pages to Review

Received during the reporting period

2

41

0

0

Outstanding from the previous reporting period

1

33

0

0

Total

3

74

0

0

Closed during the reporting period

2

41

0

0

Carried over within negotiated timelines

0

0

0

0

Carried over beyond negotiated timelines

1

33

0

0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation

Number of Days Required to Complete Consultation Requests

1 to 15
Days

16 to 30
Days

31 to 60
Days

61 to 120 Days

121  to 180 Days

181 to 365 Days

More Than 365 Days

Total

Disclose entirely

0

0

0

0

0

0

0

0

Disclose in part

0

0

0

0

1

0

0

1

Exempt entirely

1

0

0

0

0

0

0

1

Exclude entirely

0

0

0

0

0

0

0

0

Consult other institution

0

0

0

0

0

0

0

0

Other

0

0

0

0

0

0

0

0

Total

1

0

0

0

1

0

0

2

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Recommendation

Number of Days Required to Complete Consultation Requests

1 to 15
Days

16 to 30
Days

31 to 60
Days

61 to 120 Days

121  to 180 Days

181 to 365 Days

More Than 365 Days

Total

Disclose entirely

0

0

0

0

0

0

0

0

Disclose in part

0

0

0

0

0

0

0

0

Exempt entirely

0

0

0

0

0

0

0

0

Exclude entirely

0

0

0

0

0

0

0

0

Consult other institution

0

0

0

0

0

0

0

0

Other

0

0

0

0

0

0

0

0

Total

0

0

0

0

0

0

0

0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

Number of Days

Fewer Than 100 Pages Processed

100-500 Pages Processed

501-1000
Pages Processed

1001-5000
Pages Processed

More than 5000
Pages Processed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

1 to 15

0

0

0

0

0

0

0

0

0

0

16 to 30

0

0

0

0

0

0

0

0

0

0

31 to 60

0

0

0

0

0

0

0

0

0

0

61 to 120

0

0

0

0

0

0

0

0

0

0

121 to 180

0

0

0

0

0

0

0

0

0

0

181 to 365

0

0

0

0

0

0

0

0

0

0

More than 365

0

0

0

0

0

0

0

0

0

0

Total

0

0

0

0

0

0

0

0

0

0

8.2 Requests with Privy Council Office

Number of Days

Fewer Than 100 Pages Processed

100-500 Pages Processed

501-1000
Pages Processed

1001-5000
Pages Processed

More than 5000
Pages Processed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

Number of
Requests

Pages Disclosed

1 to 15

0

0

0

0

0

0

0

0

0

0

16 to 30

0

0

0

0

0

0

0

0

0

0

31 to 60

0

0

0

0

0

0

0

0

0

0

61 to 120

0

0

0

0

0

0

0

0

0

0

121 to 180

0

0

0

0

0

0

0

0

0

0

181 to 365

0

0

0

0

0

0

0

0

0

0

More than 365

0

0

0

0

0

0

0

0

0

0

Total

0

0

0

0

0

0

0

0

0

0

Section 9: Complaints and Investigations Notices Received

Section 31Section 33Section 35Court actionTotal

3

2

1

0

6

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

10.2 Institution-specific and Central Personal Information Banks

Personal Information BanksActiveCreatedTerminatedModified

Institution-specific

17

1

0

0

Central

1

0

0

0

Total

18

1

0

0

Section 11: Privacy Breaches

11.1 Material Privacy Breaches Reported

11.2 Non-Material Privacy Breaches

Section 12: Resources Related to the Privacy Act

12.1 Allocated Costs

ExpendituresAmount

Salaries

$878,017

Overtime

$8,532

Goods and Services

$327,117

  • Professional services contracts

$299,857

  • Other

$27,260

Total

$1,213,666

12.2 Human Resources

ResourcesPerson Years Dedicated to Privacy Activities

Full-time employees

9.550

Part-time and casual employees

0.400

Regional staff

0.000

Consultants and agency personnel

1.720

Students

0.000

Total

11.670

Annex C: ¶¶ÒùÊÓƵ 2022-2023 Supplemental Statistical Report

Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Name of institution: ¶¶ÒùÊÓƵ

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

1.1  Enter the number of weeks your institution was able to receive ATIP requests through the different channels.

Request TypeNumber of Weeks

Able to receive requests by mail

52

Able to receive requests by email

52

Able to receive requests through the digital request service

52

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1  Enter the number of weeks your institution was able to process paper records in different classification levels.

Record TypeNo CapacityPartial CapacityFull CapacityTotal

Unclassified Paper Records

0

0

52

52

Protected B Paper Records

0

0

52

52

Secret and Top Secret Paper Records

0

0

52

52

2.2  Enter the number of weeks your institution was able to process electronic records in different classification levels.

Record TypeNo CapacityPartial CapacityFull CapacityTotal

Unclassified Electronic Records

0

0

52

52

Protected B Electronic Records

0

0

52

52

Secret and Top Secret Electronic Records

0

0

52

52

Section 3: Open Requests and Complaints Under the Access to Information Act

3.1  Enter the number of open requests that are outstanding from previous reporting periods.

Fiscal Year Open Requests Were ReceivedOpen Requests that are Within Legislated Timelines as of March 31, 2023Open Requests that are Beyond Legislated Timelines as of March 31, 2023Total

Received in 2022-2023

424

409

833

Received in 2021-2022

58

214

272

Received in 2020-2021

0

82

82

Received in 2019-2020

3

53

56

Received in 2018-2019

2

12

14

Received in 2017-2018

0

4

4

Received in 2016-2017

1

0

1

Received in 2015-2016

0

0

0

Received in 2014-2015

0

0

0

Received in 2013-2014 or earlier

0

0

0

Total

488

774

1,262

3.2  Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.

Fiscal Year Open Complaints Were Received by InstitutionNumber of Open Complaints

Received in 2022-2023

64

Received in 2021-2022

7

Received in 2020-2021

6

Received in 2019-2020

6

Received in 2018-2019

4

Received in 2017-2018

2

Received in 2016-2017

1

Received in 2015-2016

2

Received in 2014-2015

0

Received in 2013-2014 or earlier

0

Total

92

Section 4: Open Requests and Complaints Under the Privacy Act

4.1  Enter the number of open requests that are outstanding from previous reporting periods.

Fiscal Year Open Requests Were ReceivedOpen Requests that are Within Legislated Timelines as of March 31, 2023Open Requests that are Beyond Legislated Timelines as of March 31, 2023Total

Received in 2022-2023

14

27

41

Received in 2021-2022

0

8

8

Received in 2020-2021

0

6

6

Received in 2019-2020

0

5

5

Received in 2018-2019

0

6

6

Received in 2017-2018

0

0

0

Received in 2016-2017

0

0

0

Received in 2015-2016

0

0

0

Received in 2014-2015

0

0

0

Received in 2013-2014 or earlier

0

0

0

Total

14

52

66

4.2  Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Fiscal Year Open Complaints Were Received by InstitutionNumber of Open Complaints

Received in 2022-2023

13

Received in 2021-2022

7

Received in 2020-2021

1

Received in 2019-2020

4

Received in 2018-2019

3

Received in 2017-2018

2

Received in 2016-2017

0

Received in 2015-2016

0

Received in 2014-2015

0

Received in 2013-2014 or earlier

0

Total

30

Section 5: Social Insurance Number

5.1  Has your institution begun a new collection or a new consistent use of the SIN in 2022-2023? No

Section 6: Universal Access under the Privacy Act

6.1  How many requests were received from confirmed foreign nationals outside of Canada in 2022-2023? 0

Date modified: