¶¶ÒùÊÓƵ

Language selection

Search

Annual Report to Parliament on the Administration of the Privacy Act 2023-2024

Table of Contents

Introduction

We are pleased to table the Annual Report to Parliament on the administration of the Privacy Act (the Act) for fiscal year 2023-2024, as required under section 72 of the Act. ¶¶ÒùÊÓƵ is not reporting on behalf of wholly owned subsidiaries or non-operational institutions.

Note: The Department is referred to in this report as ¶¶ÒùÊÓƵ (GAC). Its legal name, however, remains the Department of Foreign Affairs, Trade and Development, as set out in the Department of Foreign Affairs, Trade and Development Act.

Purpose of the Privacy Act

The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

Mandate of the Institution

¶¶ÒùÊÓƵ, under the leadership of the Minister of Foreign Affairs; the Minister of Export Promotion, International Trade and Economic Development; and the Minister of International Development, is responsible for advancing Canada’s international relations, including:

¶¶ÒùÊÓƵ manages Canada’s diplomatic and consular relations with foreign governments and international organizations, engaging and influencing international players to advance Canada’s political, legal and economic interests, including poverty reduction, the empowerment of women and girls, the promotion of a rules-based international order, international peace and security, human rights, inclusive and accountable governance, peaceful pluralism, inclusion and respect for diversity, and environmental sustainability.

In support of efforts to eradicate global poverty and contribute to a more peaceful, prosperous, and inclusive world, the department manages the majority of Canada’s international assistance. The department also leads coordinated Canadian responses to crises and natural disasters abroad, including the provision of needs-based humanitarian assistance.

¶¶ÒùÊÓƵ also manages Canada’s international platform—a global network of missions in approximately 110 countries that supports the international work of the department and partner departments, agencies, and co-locators.

To improve and maintain market access for Canadian businesses, ¶¶ÒùÊÓƵ leads the negotiation of bilateral, plurilateral and multilateral trade agreements, the administration of export and import controls, as well as the management of international trade disputes. The Department also provides advice and services to help Canadian businesses succeed abroad and attract foreign direct investment to Canada, and supports international innovation, science, and technology.

The Department delivers consular services and provides travel information to Canadians.

It also supports global peace and stability and addresses international security threats such as terrorism, transnational organized crime and the proliferation of weapons, and materials of mass destruction.

¶¶ÒùÊÓƵ develops and implements policy and programming based on analysis of available evidence, including through consultation and engagement with Canadians and international stakeholders. The department is responsible for fostering the development of international law and its applications in Canada’s foreign relations.

The department’s legal responsibilities are detailed in the 2013 .

For more information on the ministers’ mandated commitments, see the .

Organizational Structure

The Access to Information and Privacy Protection Division (The ATIP Division) is responsible for the administration of the Access to Information Act and the Privacy Act (PA), including the processing of requests and consultations. The Director of the ATIP Division reports to the Corporate Secretary who, in turn, reports to the Deputy Minister of Foreign Affairs.

In 2023-2024, the ATIP Division had 69 Full-time Equivalent positions to fulfill the Department’s obligations under both the Access to Information Act and the Privacy Act. During the fiscal year, the ATIP Division filled on average, 50 of those 69 positions and relied on up to 7 ATIP consultants.

The ATIP Division is led by a director, who manages the teams that administer the access to information and privacy acts:

All employees are working within a hybrid model, with telework from home and in-office presence at headquarters (125 Sussex Drive). ¶¶ÒùÊÓƵ did not have any regional ATIP staff. 

During the 2023-2024 fiscal year, ¶¶ÒùÊÓƵ did not have any service agreements pursuant to section 73.1 of the Privacy Act.

Delegation Order

Consistent with section 73 of the Privacy Act, the Minister’s authority is delegated to the deputy ministers, to the Corporate Secretary, to the Director of the ATIP Division, and to the deputy directors of the ATIP Division. It is also delegated to heads of mission for the purpose of public interest disclosures under paragraph 8(2)(m) of the Act.

A copy of ¶¶ÒùÊÓƵ’s signed Designation Order is provided in Annex A.

Performance 2023-2024

Number of Requests

In 2023-2024, the Department received 361 new requests under the Privacy Act, an increase of 206% compared to the 2022-2023 fiscal year. A total of 61 requests were carried over into this reporting period; 36 requests were outstanding from the previous reporting period and 25 outstanding from more than one reporting period.

During the same reporting period, 344 requests were completed; an increase of 177% compared to the 2022-2023 fiscal year. The rise in the number of received and completed requests, compared to 2022-2023, reflects a small group of individuals that submitted 220 requests. Several days after submitting these requests, these individuals decided to abandon all their requests.

Figure 1
Text version
Privacy Requests2020-20212021-20222022-20332023-2024
Received82109118361
Completed74110124344

Active Requests Carried Over to the Next Reporting Period

At the end of reporting period, 35% of ¶¶ÒùÊÓƵ’s outstanding requests were still on time. The carry-over of active files at the end of fiscal year 2023-2024 was 78.

2018-20192019-20202020-20212021-20222022-20232023-2024Total
On time000002727
Late445562751
Total 445565478

Extensions

During the reporting period, the Department took extensions on 17 out of the 344 requests it closed. The reasons for extension include 12 extensions taken under paragraph 15(a)(i) for interference with operations and 5 extensions under paragraph 15 (a)(ii) for required consultation.

Compliance Rate

The compliance rate is defined as the percentage of privacy requests that the Department responded within the deadline required under the Act. In 2023-2024, the departmental compliance rate for ¶¶ÒùÊÓƵ was 82%. This means that 18% of privacy requests received a response beyond the deadline. The compliance rate for the reporting period increased by 30 percentage points compared to the previous reporting period.

Completion Time

During the reporting period, the Department closed a total of 258 requests closed in 15 days or less (75%), 19 requests closed within 16-30 days (5%), 16 requests closed within 31-60 days (5%), 28 requests closed within 61-120 days (8%), 10 requests closed within 121-180 days (3%), 6 requests closed within 181-365 days (2%), and 7 requests took over 365 days to complete (2%).

Figure 2
Text version

Completion Time

This pie graph illustrates the percentage of requests that were completed during the reporting period within the following timeframes: 1 to 15 days (75%), 16 to 30 days (5%), 31 to 60 days (5%), 61 to 120 days (8%), 121 to 180 days (3%), 181 to 365 days (2%), and over 365 days (2%).

Disposition of Completed Requests

Of the 344 privacy requests closed during the 2023-2024 fiscal year, 10 were all disclosed (3%), 54 were disclosed in part (16%), 1 was all exempted (<1%), 1 was all excluded (<1%), 14 had no records in existence (4%), and 264 were abandoned (77%).

Figure 3
Text version

Disposition of Completed Requests

This pie graph illustrates the percentage of requests that were completed during the reporting period with the following dispositions: All Disclosed (3%), Disclosed in Part (16%), All Exempted (<1%), All Excluded (<1%), No records exist (4%), and Request abandoned (77%).

Consultations from Other Institutions

Given its mandate and various responsibilities at the international level, the Department plays a key role under the Act on behalf of other institutions of the Government of Canada. Specifically, the Department consulted foreign governments on behalf of other federal government institutions when the latter needed to determine whether they could release records that originated abroad.

During the reporting period, the Department received two new consultations from other government institutions and didn’t carry over any consultation from the previous reporting period. ¶¶ÒùÊÓƵ was able to complete these two consultation requests during the fiscal year having reviewed 124 pages.

Of the two consultation requests closed this fiscal year, one request was closed within 16-30 days (50%), and one request within 61-120 days (50%).

Number of Days TakenNumber of Requests ClosedPercentage
0-15 days00%
16-30 days150%
31-60 days00%
61-120 days150%
121-180 days00%
181-365 days00%
More than 365 days00%

Staffing

In 2023-2024, the ATIP Division had approximately 12 Full time Equivalents dedicated to privacy activities (personal information requests and privacy policy). This is consistent with the staffing level of the previous reporting period.

Figure 4
Text version
Privacy Protection Total Human Resources in FTE2020-20212021-20222022-20232023-2024
Total11.6311.4511.6712.00

Training and Awareness

The ATIP Division continues to develop tools, guidance and training for ATIP analysts, ATIP liaison officers and subject matter experts across ¶¶ÒùÊÓƵ.

Again, during the reporting period, the ATIP Division benefited from its Professional Development Program (PDP), which allows the Department to train and promote its ATIP analysts from junior (PM-01) to senior (PM-05) levels. This long-standing program continues to be highly successful in addressing recruitment, retention, and succession planning issues. Most of the employees working in the ATIP Division are already part of the PDP and are eligible for promotion to the next level once they meet the required objectives. The PDP aims to build a more robust ATIP capacity within ¶¶ÒùÊÓƵ by “growing its own”, thereby addressing the shortage of analysts and team leaders across the federal ATIP community.

ATIP Training was also provided to the ATIP Division at ¶¶ÒùÊÓƵ. During the reported fiscal year, the ATIP Division hired a consultant to deliver an introductory course on the administration of the Access to Information Act and Privacy Act. The course was delivered to 28 employees from June 20 to June 22, 2023. Furthermore, on December 4, 2023, the same consultant provided an in-depth training on the application of exemptions and exclusions of the Access to Information Act and Privacy Act, 37 employees attended the training entitled “Exemptions provisions of ATIP” which was geared for ATIP analysts and ATIP team leaders. Lastly, on February 22, 2024, a different consultant provided training to 43 employees on the application of subsection 70(1) of the Privacy Act. The training provided insight on how to identify confidences of the King’s Privy Council for Canada and the necessary steps to undertake when excluding information pertaining to subsection 70(1) of the PA.

Additionally, the ATIP Division provided the following training modules to GAC employees:

Due to GAC’s rotational employee structure, ATIP training sessions were made available upon request and attendance varied between 1 and 76 employees. During the fiscal year, a total of 57 training sessions were delivered to 691 ¶¶ÒùÊÓƵ employees. Of these presentations, 50 were delivered virtually via the use of MS Teams and 7 training sessions were delivered in person.

Along with internal coaching, the division also participated in training for other divisions within the Department. For example, the Blended Learning Program for administrative/executive assistants at headquarters educated 37 participants on privacy awareness and gave an overview of their obligations vis-à-vis the Privacy Act. Furthermore, ATIP training was provided to 13 participants during the Foreign Service Executive Administrative Assistants onboarding program.   

The Privacy Policy Team maintains an updated spreadsheet, documenting all privacy training sessions conducted within the organization throughout the fiscal year, ensuring an accurate reflection of specific topics discussed and keeping track of employees’ increasing privacy awareness.

Over the reporting period, the Privacy Policy Unit delivered privacy training to the Missions Inspections Group through three dedicated sessions, each involving 13 participants. These sessions were structured to include active learning techniques, utilizing depersonalized privacy examples to illustrate key concepts while ensuring that sensitive information remained confidential. This method facilitated an engaging environment where participants could freely discuss their questions and concerns. In addition to these tailored sessions, the Privacy Policy Unit also supported broader departmental training initiatives.

In addition, the Unit conducted a specialized session for the Crime and Terrorism Policy Division. This session was designed to meet the specific business requirements of the program, focusing on the Privacy Impact Assessment (PIA) process and its essential components.

The Privacy Policy Unit also conducted training for the broader ATIP Division on public interest disclosures, privacy breaches, and the definition of personal information. This training, attended by 40 members of the division, included detailed discussions and practical examples to clarify these critical issues. The sessions aimed to ensure that all participants understood how to manage privacy-related matters in line with departmental policies and regulations. This effort underscores the unit’s commitment to improving the division’s expertise in privacy management and supporting its role in upholding information security standards.

Policies, Guidelines, and Procedures

Step by Step guide 

During the reporting period, the ATIP Division at ¶¶ÒùÊÓƵ developed a comprehensive step-by-step manual to help both junior and more experienced ATIP Analysts in navigating the A-To-Z process of both Access to Information and/or Privacy Act requests at ¶¶ÒùÊÓƵ. The manual is divided into multiple chapters covering topics such as: detailing the specific steps an analyst must follow when handling new requests, steps when reviewing responsive records, and the actions required before completing the approval process and disclosing the information to the requester. Each chapter was drafted one at a time and was reviewed by management who provided comments and insight before the guide was implemented and shared with the ATIP Division.

Guidelines

Throughout the fiscal year, the ATIP Division also implemented the following three guidelines:

  1. How to handle the names of ¶¶ÒùÊÓƵ officials and exempt staff at ¶¶ÒùÊÓƵ under the Access to Information Act.
  2. Processing cellular numbers under the Access to Information Act at ¶¶ÒùÊÓƵ.
  3. Processing an Access to Information Act request which contains personal information of the requester.

Each guideline was drafted individually and reviewed by the management team who provided comments and insights before the guidelines were shared with the entire division and implemented.

Outreach

During fiscal year 2022-2023, the responsibility of retrieving and providing recommendations for the disclosure of records made pursuant to the ATIA or PA shifted from the Director’s General office to the Assistant Deputy Minister (ADM) office. Since the implementation of the ATIP ADM Tasking initiative, two ADM offices have contacted the Corporate Secretary/ATIP Division to get a sense of their branch’s performance in relation to their response time and administration of the ATIA and PA. During the 2023-2024 fiscal year, the ATIP Division, represented by the Corporate Secretary and/or the Director of the Access to Information Division, delivered presentations to the Indo-Pacific sector as well as the Consular, Security and Emergency Management sector at their executive meetings.

ATIP at the Corporate Management Meeting

During the 2023-2024 fiscal year, the Corporate Secretary of ¶¶ÒùÊÓƵ responsible for overseeing the administration of the Access to Information Act attended GAC’s Corporate Management Meeting (CMC) on November 8, 2023. At the meeting, the Corporate Secretary emphasized the importance of responding promptly to ATIP requests and of reducing the backlog of ATIP taskings. Best practices were discussed to best achieve these goals.

HR Strategies

The implementation of the hybrid work model proved beneficial for the retention of staff in the ATIP Division. However, recruitment of skilled analysts, at GAC as in other government institutions, remains a challenge, especially at the senior analyst level. Despite the challenges, there have been recent successes having onboarded five new employees in the 2023-2024 fiscal year. The ATIP division also actively utilizes its Professional Development Program resulting in the promotion of one senior analyst.  

These initiatives have aided in the ATIP Division’s successes in the 2023-2024 fiscal year.

Privacy Tools and Initiatives

The implementation of the Privacy Management Framework, officially launched in November 2022, continues to be a cornerstone for the Department's privacy practices. Over the past year, this framework has guided the development and refinement of privacy policies and procedures, ensuring adherence to evolving legislative regulations. It underscores our commitment to transparency, accountability, and robust security measures in data processing, storage, and sharing. The ongoing application of this framework enhances our ability to safeguard individual privacy rights and reinforces the trust between GAC and Canadian citizens, marking a significant advancement in our privacy management efforts.

The ATIP Division is making significant progress with several key initiatives. The Privacy Impact Assessment policy, which was launched in August 2023, plays a critical role in identifying and mitigating privacy risks associated with new or revised programs and projects. Looking ahead, the development of handling practices for senior management, a Data and Privacy Breach Protocol, and a Protocol for the Handling of Personal Information for Non-Administrative Purposes are all on track, with completion anticipated for Fall 2024. These tools are essential for ensuring that senior management is equipped to address privacy issues, that breaches are managed efficiently, and that personal information is handled appropriately in non-administrative contexts. Collectively, these efforts demonstrate the unit's ongoing commitment to advancing privacy management and bolstering information security across the department. 

The Privacy Policy Team continued to actively participate in the Department of Justice led modernization of the Privacy Act and awaits the next meetings on its development so that ¶¶ÒùÊÓƵ’s views can be reflected within.

Initiatives and Projects to Improve Privacy

New Request Processing Software Solution

The current case management software used to process requests is becoming obsolete and will no longer be supported by the vendor in the coming years. GAC is using this opportunity to replace the legacy software and leverage new technology to increase efficiencies in our service delivery and to better handle the large volume of ATIP requests. Deployment of the new solution is anticipated for fiscal year 2025-2026.

Summary of Key Issues and Actions Taken on Complaints

Requests for Personal Information

During fiscal year 2023-2024, 20 complaints were made to the Office of the Privacy Commissioner of Canada regarding privacy requests to the Department. The reasons for the complaints are as follows:

Reason for ComplaintNumber of Complaints
Collection1
Delay16
Miscellaneous1
Refusal-Exemptions1
Refusal-General1

Over the course of the reporting period, 8 complaints against the Department were closed. The findings on closed complaints were as follows:

Complaint FindingsNumber of Complaints
Discontinued3
No finding1
Well-Founded5

All closed complaints regarding access to personal information were resolved by responding to or providing additional information to the requesters. The ATIP Division ensured continuous and consistent follow-ups on outstanding taskings, utilizing escalation procedures to fully respond to requesters and close complaints.

The ATIP Division continues to operate a team dedicated to managing complaints from the Office of the Privacy Commissioner (OPC). This team serves as the primary point of contact between ¶¶ÒùÊÓƵ and the OPC, working closely and collaboratively to strengthen relationships and improve ¶¶ÒùÊÓƵ’s ATIP program performance.

Management of Personal Information

The Privacy Policy Team received 1 new complaint during the reporting period relating to the management of personal information. Specifically, they can be summarized as:

A mission’s unauthorized disclosure of personal information of an employee to the rest of employees.

The team closed the complaint relating to the management of personal information during the reporting period May 11, 2023. In this instance the Office of the Privacy Commissioner sought representations from the Department, further to any steps taken since the incident to ensure the security and the privacy of staff information. The Department informed the OPC that as an effective measure in preventing reoccurrence, a privacy training will include elements specifically related to communications and how details that could be considered personal information should be effectively managed.

Training will include examples of specific cases such as this one dealing with vaccination policy.

Active Complaints Carried Over to the Next Reporting Period

2017-20182018-20192019-20202020-20212021-20222022-20232023-2024Total
Active 2321641028

Material Privacy Breaches

During fiscal year 2023-2024, six material privacy breaches were reported to the Department. At the end of the fiscal year, six material privacy breach notifications were reported to the Treasury Board Secretariat and the Office of the Privacy Commissioner.

Material Breaches Reported to OPC and TBS 2023-2024
No.DescriptionSummary of Action
1Disclosure of Personal Information, wrong recipients received the passport form application (MOUS) forms.
  • July 18, 2023: A completed form for one client was mistakenly sent to a new client instead of the intended blank form.
  • July 19, 2023: The new client discovered the error during a visit to the mission, where the form was processed, and a credit card charged. The new client reported the mistake upon return, thinking the form was an example.
  • July 21, 2023: The High Commission of Canada to the United Kingdom informed GAC’s Privacy Unit about the privacy breach involving the misdirected form.
  • December 15, 2023: The Privacy Unit received an update from the mission indicating that the affected client was contacted. The client chose not to cancel their card and was advised to report any issues.
2WSHDC via IRCC, Disclosure of Personal Information, Lost passport (1)
  • October 7, 2023: FedEx tracking shows that a package containing a newly issued blue passport was delivered.
  • October 10, 2023: The client reports that they did not receive the FedEx package.
  • October 10, 2023: Guidance is provided to check the signature for the package's receipt.
  • October 11, 2023: A screenshot of the FedEx "proof of delivery" is provided.
  • October 11, 2023: Advice is given to start an investigation with FedEx, and a claim is submitted to FedEx.
  • October 12, 2023: FedEx approves the claim.
3MANIL, Disclosure of personal information, lost Birth Certificate (1)
  • September 14, 2023: The client visited the mission in-person during an outreach activity but could not provide a supplementary ID at the time of application.
  • September 19, 2023: The Consular Section received the complete application, including the original Canadian birth certificate, from the client via courier.
  • October 4, 2023: The mission received the new passport. The passport examiner placed the passport inside an envelope with other documents. A staff member in charge of dispatch later discovered that the applicant’s original birth certificate was missing from the envelope.
  • October 19, 2023: The consular team advised about the privacy breach involving the lost birth certificate.

Privacy Impact Assessments

During the fiscal year, ¶¶ÒùÊÓƵ finalized two Privacy Impact Assessments.

1 - Flight PS752 Commemorative Scholarship Program

On January 8, 2020, fifty-five Canadians and thirty Canadian permanent residents were lost in the downing of Ukraine International Airlines Flight 752 (PS752) by an Iranian surface-to-air missile. In December 2020, Cabinet approved the establishment of the Flight PS752 Commemorative Scholarship Program as a tribute to those lost. Its purpose is to acknowledge the significant number of academics and students among the victims of Flight PS752, and to pay tribute to their contribution to Canadian postsecondary institutions. Following Cabinet’s approval, five million dollars over the course of five years was allocated to the Program in memory of the victims of PS752. The Program’s planned implementation was announced by the Minister of Foreign Affairs in January 2022 with the aim of delivering the first scholarships to applicants for the 2024-25 academic year; the launch date was later amended by the Minister of Foreign Affairs to the 2023-24 academic year.

In the management, administration, and operation of the Program, GAC will be collecting personal information from scholarship applicants. Personal information will generally be limited to an applicant’s name, biographic, and contact information; past education and academic information; planned uses of scholarship funds; and the applicant’s connection to Flight PS752. As each scholarship is to be awarded in the memory of a victim of Flight PS752, kinship with the victims, specifically those applicants from countries with economic hardship and/or oppressive regimes, is to be considered as part of the Program’s eligibility and evaluation criteria. The Program is open to both Canadian and international students planning on attending Canadian educational institutions to pursue their studies, personal information is likely to be collected from both Canadians and foreign nationals. Information collected and used to confirm or certify the veracity and eligibility of applicant includes:

Personal information may also be used in support of the distribution and administration of scholarship awards. As a commemorative scholarship, and as a tribute to the victims of Flight PS752, information about scholarship recipients may be disclosed to the families of Flight victims or made public by GAC through Program reports and corporate communications. This includes GAC or GAC-supported websites, posters, and brochures used for Program promotion. Personal information may also be shared under new agreement or an existing information-sharing arrangement with Canadian and foreign academic institutions, a student's diplomatic representation in Canada and foreign embassy in Canada, or a Canadian embassy/high commission/consulate abroad. Limited personal information may also be disclosed to other federal institutions, such as the Canada Revenue Agency (for tax reporting purposes), Immigration, Refugees and Citizenship Canada, or the Canada Border Services Agency (to ensure compliance with the immigration or visitation terms and conditions to which the student has agreed in relation to the completion of their studies)

The PIA for the program was completed under the direction of the Head of the PS752 Task Force. It included a review of the Program’s application and evaluation process, and a review of policies, procedures and controls implemented by GAC to ensure that its collection and use of applicant information complies with federal requirements and best practices for the handling of personal information. The PIA also included a summary review of the platform to be used for the collection of personal information, and an assessment of program evaluation and reporting plans.

Based on the present assessment, privacy risks arising from the implementation, management, administration of the PS752 Commemorative Scholarship Program are expected to be moderate to low. GAC has significant experience in the creation and implementation of international scholarship programs and is expected to leverage existing processes, IT infrastructure, and systems to ensure the secure collection, use, disclosure, and retention of personal information. Although the receipt and vetting of applications (along with the selection or recommendation of scholarship recipients) has been delegated to an arm’s length Program Administrator, the contract governing the Program Administrator’s services includes essential clauses pertaining to privacy and security. All personal information collected from applicants will remain under the care and custody of the Government of Canada and will not be used for purposes other than those for which it was first collected or a use consistent with its collection.

Applicant information will be housed on GAC servers in a Protected B environment, consistent with the information’s sensitivity, and securely destroyed after it is of no further value. Notwithstanding the privacy positive measures noted above, several issues were identified during the PIA process requiring remedial action. The following recommendations are intended to address those issues. Once implemented, the overall or residual level of privacy risk relating to the Program and its management and administration is expected to be reduced to a low or acceptable level.

Recommendations

  1. Notification – It is recommended that GAC develop a stand-alone privacy notice for inclusion in the Program posting and scholarship application form. The privacy notice should include all mandatory elements prescribed by the Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Practices, including a link to an approved Personal Information Bank (PIB).
  2. Data Review and Minimization – It is recommended that GAC undertake an annual review of personal information elements to be collected in relation to the Program to ensure that each element is directly related and demonstrably necessary to meet the Program’s needs and objectives.
  3. Data Management – It is recommended that the PS752 Task Force (as the Program owner) identify and adopt, where appropriate, standard departmental practices and protocols developed by GAC’s International Scholarships Program for the handling of personal information in relation to the PS752 Scholarship Program. Alternatively, the PS752 Task Force should develop a stand-alone privacy protocol to support the proper handling of PS752 scholarship data. That protocol should set out key roles, responsibilities, and accountabilities for the proper handling of personal information, and establish express limits on the collection, use, disclosure, and retention of applicant information.
  4. Monitoring and Compliance – It is recommended that GAC track and monitor the Program Administrator’s compliance with the data privacy requirements set out in its master service agreement, particularly those pertaining to access to Program data and its use, disclosure, retention, and security.
  5. Data De-Identification - It is recommended that GAC de-identify or anonymize personal information belonging to scholarship applicants where that information is to be used for non-administrative purposes, including Program evaluation, promotion, reporting, policy, research, and statistical purposes.
  6. Openness – It is recommended that GAC identify an appropriate PIB describing the collection, use, disclosure, and retention of personal information in relation to the Program to ensure that the Department meets transparency requirements prescribed under the Privacy Act. A new PIB may be required where the activities of the PS752 Scholarship Program and/or the handling of applicant information is not in keeping with the collection, use, disclosure, and retention of personal information by GAC in relation to its broader International Scholarships Program (as currently described in PIB GAC PPU 911).

GAC has reviewed the above recommendations and has developed a mitigation plan to address each risk and recommendation. Wherever possible, potential impacts on the privacy of scholarship applicants will be managed by GAC through existing legal, policy, and technical measures geared at the protection of personal information.

A new PIB for the program was created:

2 - Global Affairs Learning Management System (LMS)

¶¶ÒùÊÓƵ (CFSI) currently is a sub-school of the Canada School of Public Service (the School), using the current Learning Management System (LMS) via the service provider Saba, currently known as MyAccount. The current LMS will be decommissioned on August 31st 2022. The School engaged in a contract with Desire to Learn (D2L) and GAC signed an MOU with the School for the use of their contract with D2L under a federated multi-tenancy model. The federated multi-tenancy model provides autonomy to GAC in the management of their departmental learning platform and benefit from the collective work undertaken by the School, including, procurement, system configurations, accessibility and official languages compliance, as well as cyber security assessments that align to the GC Security control profile for cloud based GC services (ITSG-33 & PROTECTED B / Medium Integrity / Medium Availability) guidelines provided by the Canadian Centre for Cyber Security. Under this secure Next Generation Digital Learning Environment (NGDLE) umbrella, GAC can benefit from its own instance of Brightspace, a LMS provided by the vendor, D2L. GAC can configure the system to its specific needs and will manage its own integrations, modifying as required. Included as a component of the learning platform ecosystem is Course Merchant, a product catalog that allows users to advertise offerings and enable registrations. In the federated multi-tenancy model, GAC leverages the School’s contract with D2L to gain access to these software as a service (SaaS) products. GAC works directly with the vendor(s) for all system implementation or administration support as outlined in the contract, providing the same level of access to the vendor as the School. The new LMS solution for which this PIA is requested is to be assessed as a separate initiative in its entirety; This PIA represents a new service provided by CFSI to the Global Affairs learning community. If there is any leverage of CSPS services, it is uniquely for contractual purpose towards parties like, for example, the 3rd party solution Desire2Learn or SSC.

Recommendations

Openness – It is recommended that GAC identify an appropriate PIB describing the collection, use, disclosure, and retention of personal information in relation to the Program to ensure that the Department meets transparency requirements prescribed under the Privacy Act. A new PIB is under development.

GAC a mitigation plan to address each risk and recommendation. Wherever possible, potential impacts on the privacy of learners will be managed by GAC through existing legal, policy, and technical measures geared at the protection of personal information.

All the identified risks were low, and the mitigation measures are already in place.

Public Interest Disclosures

Subsection 8(2) of the Privacy Act provides that “personal information under the control of a government institution may be disclosed” without consent under certain specific circumstances.

During the 2023-2024 fiscal year, the Department made a total of 102 disclosures pursuant to paragraph 8(2)(m) of the Privacy Act. In 20 cases, the Department determined that the public interest in disclosing personal information clearly outweighed any invasion of privacy that could result. All other disclosures were determined to clearly benefit the individual to whom the information related.

Disclosures pursuant to subparagraph 8(2)(m)(i):

Disclosures pursuant to subparagraph 8(2)(m)(ii):

In all instances notification to the Privacy Commissioner occurred after disclosure.

Monitoring Compliance

Ongoing Reporting

The ATIP Division prepares and distributes a weekly statistics report to the ATIP Division’s management team that tracks the number of requests that were received and closed, as well as any emerging trends and performance statistics. The report also allows for comparison of workload and completion rates in relation to the previous year to identify changes in ATIP processing.

Additionally, an active tasking report is generated and posted to the intranet weekly to identify all current active taskings within the Department. This report is available for all offices of primary interest (OPIs) to view and lists all open taskings by branch, highlighting late files.

During fiscal year 2023-2024, the director general and corporate secretary overseeing the administration of the access to information and privacy acts continued to send the ATIP Twice Monthly Performance Report to deputy ministers, assistant deputy ministers, and directors general, outlining the number of active taskings and compliance within each of the branches/special bureaus. The intent of this procedure is to sensitize senior management to the backlog of active taskings, thereby increasing compliance.

New in the reporting period, the ATIP Division implemented the ATIP Quarterly Report. ATIP Quarterly Reports are also sent to deputy ministers, assistant deputy ministers, and directors general, outlining branches and special bureaus' performance on completed taskings and compliance under the Access to Information Act and Privacy Act. This report's intent was to recognize the ATIP work completed throughout the year by branches and bureaus by keeping a close eye on their ATIP compliance rate.  

Limiting Inter-institutional Consultations

During the reporting period, the ATIP Division monitored superfluous inter-institutional consultations by having experienced ATIP team leaders oversee the relevant records before they were sent out for consultation. By doing so, ATIP team leaders were able to reduce the number of consultations sent to the other Government of Canada institutions and other organizations outside the Government of Canada, reducing the amount of time to process requests and not overburdening other departments with unnecessary consultations.

Frequently Requested Types of Information

Throughout fiscal year 2023-2024, ¶¶ÒùÊÓƵ did not monitor or review frequently requested types of information for the purpose of making the information available by other means.

Privacy Protection in Contracting

In reviewing contracts, the Privacy Policy Team provides privacy clauses that are written to call out privacy protections and regulatory requirements within the statement of work and then mapped to service-level agreements to ensure there are no questions concerning data privacy responsibilities, breach response, incident response, media press releases on breaches, and other considerations, as if the vendor were part of the organization.

As per the information sharing agreements, the Privacy Policy group ensure privacy protection assisted by the TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information.

Annex A: Designation Order

Figure 5
Text version

Privacy Act Designation Order

The Minister of Foreign Affairs, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons acting in those positions, to exercise the powers and perform the duties and functions of the Minister of Foreign Affairs as the head of a Government institution under the sections of the Act set out after each position in the schedule. This designation replaces the designation dated October 2, 2009.

Schedule

Position

  1. Deputy Minister of Foreign Affairs (all sections)
  2. Deputy Minister for International Trade (all sections)
  3. Deputy Minister for International Development (all sections)
  4. Associate Deputy Minister of Foreign Affairs (all sections)
  5. Assistant Deputy Minister, Consular Services (pursuant only to paragraph 8(2)(m) as it relates to public interest disclosure)
  6. Heads of Mission (pursuant only to paragraph 8(2)(m) as it relates to public interest disclosure)
  7. Director General, Corporate Secretariat (all sections)
  8. Director, Access to Information and Privacy Protection Division (all sections)
  9. Deputy Directors, Access to Information and Privacy Protection Division (all sections)

The Honourable Chrystia Freeland, P.C., M.P.Ottawa, July 4, 2017

Annex B: ¶¶ÒùÊÓƵ 2023-2024 Statistical Report

Statistical Report on the Privacy Act

Name of institution: ¶¶ÒùÊÓƵ

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

Request TypeNumber of Requests
Received during reporting period361
Outstanding from previous reporting periods61
Outstanding from previous reporting period36
Outstanding from more than one reporting period25
Total422
Closed during reporting period344
Carried over to next reporting period78
Carried over within legislated timeline27
Carried over beyond legislated timeline51

1.2 Channels of requests

SourceNumber of Requests
Online341
E-mail13
Mail7
In person0
Phone0
Fax0
Total361

Section 2: Informal Requests

2.1 Number of informal requests

TypeNumber of Requests
Received during reporting period0
Outstanding from previous reporting periods0
Outstanding from previous reporting period0
Outstanding from more than one reporting period0
Total0
Closed during reporting period0
Carried over to next reporting period0

2.2 Channels of informal requests

SourceNumber of Requests
Online0
E-mail0
Mail0
In person0
Phone0
Fax0
Total0

2.3 Completion time of informal requests

Completion Time
1 to 15 Days16 to 30 Days31 to 60 Days61 to 120 Days121 to 180 Days181 to 365 DaysMore Than 365 DaysTotal
00000000

2.4 Pages released informally

Less Than 100Pages Released100-500Pages Released501-1000Pages Released1001-5000Pages ReleasedMore Than 5000Pages Released
Number of RequestsPages ReleasedNumber of RequestsPages ReleasedNumber of RequestsPages ReleasedNumber of RequestsPages ReleasedNumber of RequestsPages Released
0000000000

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

Disposition of RequestsCompletion Time
1 to 15Days16 to 30 Days31 to 60 Days61 to 120 Days121 to 180 Days181 to 365 DaysMore Than 365 DaysTotal
All disclosed260200010
Disclosed in part1582394454
All exempted00100001
All excluded00000101
No records exist451211014
Request abandoned251361003264
Neither confirmed nor denied00000000
Total2581916281067344

3.2 Exemptions

SectionNumber of Requests
18(2)0
19(1)(a)2
19(1)(b)0
19(1)(c)0
19(1)(d)0
19(1)(e)0
19(1)(f)0
200
2111
22(1)(a)(i)0
22(1)(a)(ii)0
22(1)(a)(iii)0
22(1)(b)0
22(1)(c)0
22(2)0
22.10
22.20
22.30
22.40
23(a)0
23(b)0
24(a)0
24(b)0
250
2649
275
27.10
280

3.3 Exclusions

SectionNumber of Requests
69(1)(a)0
69(1)(b)0
69.10
70(1)1
70(1)(a)1
70(1)(b)0
70(1)(c)0
70(1)(d)0
70(1)(e)0
70(1)(f)0
70.10

3.4 Format of information released

PaperElectronicOther
E-recordData setVideoAudio
0640110

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

Number of Pages ProcessedNumber of Pages DisclosedNumber of Requests
21,65117,893330

3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests

DispositionLess Than 100 Pages Processed100-500 Pages Processed501-1000 Pages Processed1001-5000 Pages ProcessedMore Than 5000 Pages Processed
Number of RequestsPages ProcessedNumber of RequestsPages ProcessedNumber of RequestsPages ProcessedNumber of RequestsPages ProcessedNumber of RequestsPages Processed
All disclosed1025800000000
Disclosed in part221,110235,60342,72845,35115,886
All exempted000017030000
All excluded11200000000
Request abandoned264000000000
Neither confirmed nor denied0000000000
Total2971,380235,60353,43145,35115,886

3.5.3 Relevant minutes processed and disclosed for audio formats

Number of Minutes ProcessedNumber of Minutes DisclosedNumber of Requests
601

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

DispositionLess than 60 Minutes processed60-120 Minutes processedMore than 120 Minutes processed
Number of requestsMinutes ProcessedNumber of requestsMinutes ProcessedNumber of requestsMinutes Processed
All disclosed000000
Disclosed in part160000
All exempted000000
All excluded000000
Request abandoned000000
Neither confirmed nor denied000000
Total160000

3.5.5 Relevant minutes processed and disclosed for video formats

Number of Minutes ProcessedNumber of Minutes DisclosedNumber of Requests
111

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

DispositionLess than 60 Minutes processed60-120 Minutes processedMore than 120 Minutes processed
Number of requestsMinutes ProcessedNumber of requestsMinutes ProcessedNumber of requestsMinutes Processed
All disclosed000000
Disclosed in part110000
All exempted000000
All excluded000000
Request abandoned000000
Neither confirmed nor denied000000
Total110000

3.5.7 Other complexities

DispositionConsultation RequiredLegal Advice SoughtInterwoven InformationOtherTotal
All disclosed10023
Disclosed in part4310017
All exempted00000
All excluded00000
Request abandoned00101
Neither confirmed nor denied00000
Total5311221

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

Number of requests closed past the legislated timelinesPrincipal Reason
Interference with operations / WorkloadExternal ConsultationInternal ConsultationOther
59283523

3.7.2 Request closed beyond legislated timelines (including any extension taken)

Number of days past legislated timelinesNumber of requests past legislated timeline where no extension was takenNumber of requests past  legislated timeline where an extension was takenTotal
1 to 15 days448
16 to 30 days718
31 to 60 days9312
61 to 120 days12113
121  to 180 days718
181 to 365 days303
More than 365 days707
Total491059

3.8 Requests for translation

Translation RequestsAcceptedRefusedTotal
English to French000
French to English000
Total000

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e)Paragraph 8(2)(m)Subsection 8(5)Total
01020102

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests ReceivedNumber
Notations attached0
Requests for correction accepted0
Total0

Section 6: Extensions

6.1 Reasons for extensions

Number ofextensions taken15(a)(i) Interference with operations15(a)(ii) Consultation15(b)Translation purposes or conversion
Further review required to determine exemptionsLarge volume of pagesLarge volume of requestsDocuments are difficult to obtainCabinet ConfidenceSection (Section 70)ExternalInternal
1726040230

6.2 Length of extensions

Number ofextensions taken15(a)(i) Interference with operations15(a)(ii) Consultation15(b)Translation purposes or conversion
Further review required to determine exemptionsLarge volume of pagesLarge volume of requestsDocuments are difficult to obtainCabinet ConfidenceSection (Section 70)ExternalInternal
1 to 15 days00000000
16 to 30 days26040230
31 days or greater00000000
Total26040230

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

ConsultationsOther Government of Canada InstitutionsNumber of Pages to ReviewOther OrganizationsNumber of Pages to Review
Received during the reporting period212400
Outstanding from the previous reporting period0000
Total212400
Closed during the reporting period212400
Carried over within negotiated timelines0000
Carried over beyond negotiated timelines0000

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

RecommendationNumber of Days Required to Complete Consultation Requests
1 to 15 Days16 to 30 Days31 to 60 Days61 to 120 Days121 to 180 Days181 to 365 DaysMore Than 365 DaysTotal
Disclose entirely00000000
Disclose in part00010001
Exempt entirely00000000
Exclude entirely00000000
Consult other institution00000000
Other01000001
Total01010002

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

RecommendationNumber of Days Required to Complete Consultation Requests
1 to 15 Days16 to 30 Days31 to 60 Days61 to 120 Days121 to 180 Days181 to 365 DaysMore Than 365 DaysTotal
Disclose entirely00000000
Disclose in part00000000
Exempt entirely00000000
Exclude entirely00000000
Consult other institution00000000
Other00000000
Total00000000

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

Number of DaysFewer Than 100 Pages Processed100-500 Pages Processed501-1000 Pages Processed1001-5000 Pages ProcessedMore than 5000 Pages Processed
Number of RequestsPages DisclosedNumber of RequestsPages DisclosedNumber of RequestsPages DisclosedNumber of RequestsPages DisclosedNumber of RequestsPages Disclosed
1 to 150000000000
16 to 300000000000
31 to 600000000000
61 to 1200000000000
121 to 1800000000000
181 to 3650000000000
More than 3650000000000
Total0000000000

8.2 Requests with Privy Council Office

Number of DaysFewer Than 100 Pages Processed100-500 Pages Processed501-1000 Pages Processed1001-5000 Pages ProcessedMore than 5000 Pages Processed
Number of RequestsPages DisclosedNumber of RequestsPages DisclosedNumber of RequestsPages DisclosedNumber of RequestsPages DisclosedNumber of RequestsPages Disclosed
1 to 150000000000
16 to 300000000000
31 to 600000000000
61 to 1200000000000
121 to 1800000000000
181 to 3650000000000
More than 3650000000000
Total0000000000

Section 9: Complaints and Investigations Notices Received

Section 31Section 33Section 35Court actionTotal
201914053

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

10.2 Institution-specific and Central Personal Information Banks

Personal Information BanksActiveCreatedTerminatedModified
Institution-specific19200
Central50000
Total69200

Section 11: Privacy Breaches

11.1 Material Privacy Breaches Reported

11.2 Non-Material Privacy Breaches

Section 12: Resources Related to the Privacy Act

12.1 Allocated Costs

ExpendituresAmount
Salaries$1,029,252
Overtime$16,085
Goods and Services$188,174
Professional services contracts$162,644
Other$25,530
Total$1,233,511

12.2 Human Resources

ResourcesPerson Years Dedicated to Privacy Activities
Full-time employees10.796
Part-time and casual employees0.178
Regional staff0.000
Consultants and agency personnel0.586
Students0.000
Total11.560

Annex C: ¶¶ÒùÊÓƵ 2023-2024 Supplemental Statistical Report

Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Name of institution: ¶¶ÒùÊÓƵ

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Open Requests and Complaints Under the Access to Information Act

1.1 Enter the number of open requests that are outstanding from previous reporting periods.

Fiscal Year Open Requests Were ReceivedOpen Requests that are Within Legislated Timelines as of March 31, 2024Open Requests that are Beyond Legislated Timelines as of March 31, 2024Total
Received in 2023-245286181,146
Received in 2022-23141345486
Received in 2021-2248154202
Received in 2020-2106060
Received in 2019-2014445
Received in 2018-192810
Received in 2017-18044
Received in 2016-17101
Received in 2015-16000
Received in 2014-15 or earlier000
Total7211,2331,954

1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.

Fiscal Year Open Complaints Were Received by InstitutionNumber of Open Complaints
Received in 2023-24227
Received in 2022-2311
Received in 2021-221
Received in 2020-211
Received in 2019-201
Received in 2018-190
Received in 2017-180
Received in 2016-170
Received in 2015-160
Received in 2014-15 or earlier0
Total241

Section 2: Open Requests and Complaints Under the Privacy Act

2.1 Enter the number of open requests that are outstanding from previous reporting periods.

Fiscal Year Open Requests Were ReceivedOpen Requests that are Within Legislated Timelines as of March 31, 2024Open Requests that are Beyond Legislated Timelines as of March 31, 2024Total
Received in 2023-24272754
Received in 2022-23066
Received in 2021-22055
Received in 2020-21055
Received in 2019-20044
Received in 2018-19044
Received in 2017-18000
Received in 2016-17000
Received in 2015-16000
Received in 2014-15 or earlier000
Total275178

2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Fiscal Year Open Complaints Were Received by InstitutionNumber of Open Complaints
Received in 2023-2410
Received in 2022-234
Received in 2021-226
Received in 2020-211
Received in 2019-202
Received in 2018-193
Received in 2017-182
Received in 2016-170
Received in 2015-160
Received in 2014-15 or earlier0
Total28

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2023-24? No

Section 4: Universal Access under the Privacy Act

How many requests were received from foreign nationals outside of Canada in 2023-24? 234

Date modified: