Contents

1 Introduction

This report to Parliament describes the activities of the Office of the Information Commissioner of Canada (OIC) for 2011–2012 under the Privacy Act.Footnote 1 It was prepared and is being tabled pursuant to section 72 of the Act.

The purpose of the Privacy Act is to safeguard the privacy of individuals by protecting personal information about them held by federal institutions, and to provide individuals with a right of access to that information.

The OIC is an independent public body set up in 1983 under the Access to Information Act. Our mission is to conduct efficient, fair and confidential investigations into complaints about federal institutions' handling of access to information requests. The goal of our work is to maximize compliance with the Act while fostering disclosure of public sector information. The Commissioner uses the full range of tools, activities and powers at her disposal—from information and mediation to persuasion and litigation, when required.

The OIC became subject to the Act in 2007. Since then, we have made every effort to provide exemplary service to requesters. We have also reported annually to Parliament on the administration of our privacy program. Here are some highlights from 2011–2012:

  • We completed formal requests in an average of 15.8 days.
  • No complaints were filed against us about our administration of the Privacy Act during 2011–2012. 

2 Organization

The Information Commissioner of Canada is an Agent of Parliament and ombudsperson appointed by Parliament under the Access to Information Act. The Commissioner is supported by the OIC. The OIC has three branches, as follows:

  • The Complaints Resolution and Compliance Branch investigates individual complaints about the processing of access requests, conducts dispute resolution activities and makes formal recommendations to institutions, as required. It also assesses federal institutions' compliance with their obligations under the Access to Information Act and carries out systemic investigations and analysis.  
  • Legal Services represents the Commissioner in court and provides legal advice on investigations, legislative issues and administrative matters. It closely monitors the range of cases having a potential impact on our mandate and on access to information in general. Legal Services also assists investigators by providing them with up-to-date and customized reference tools on the evolving technicalities of the case law.
  • Corporate Services provides strategic and corporate leadership in planning and reporting, communications, human resources and financial management, security and administrative services, internal audit, as well as information management and technology. It conducts external relations with a wide range of stakeholders, notably Parliament, government and representatives of the media. It is also responsible for managing our access to information and privacy function.

The Access to Information and Privacy (ATIP) Secretariat processes all requests filed under the Privacy Act for records under the control of the OIC. The ATIP Secretariat had two staff members in 2011–2012:

  • The Director, ATIP Secretariat, is responsible for the management of the Secretariat, including overseeing request administration, policy development and training. The Director holds full delegated authority under the Act as ATIP Coordinator.
  • The ATIP Officer is responsible for processing requests and holds some delegated authority, for extension of time limits and arranging translation of requested records, when required.

3 Delegation order

Under the Privacy Act, the Information Commissioner is the designated head of the institution, for the purpose of administering the legislation.

At the start of the reporting period, the delegation order the Commissioner signed in September 2010 was in effect (see Appendix A). This order gave full authority for decisions under the Act to the Interim Assistant Commissioner, Policy, Communications and Operations, and to the Director, Information Management.

On April 21, 2011, the Commissioner revoked the authority delegated to the Interim Assistant Commissioner (see Appendix B) and to the Director, Information Management (see Appendix C). A new delegation order was put in place to reflect organizational changes. That order gives full authority to the Director General, Corporate Services, and to the Director, ATIP Secretariat (see Appendix D).

On the July 16, 2011, the Commissioner modified this delegation order to give limited authority to the ATIP Officer (see Appendix E).

4 Interpretation of the statistical report

The OIC's statistical report details all aspects of the processing of privacy requests received by the ATIP Secretariat from April 1, 2011, to March 31, 2012 (see Appendix F).

4.1 Requests received under the Privacy Act

We received five requests under the Privacy Act in 2011–2012, one fewer than in the previous reporting period. We completed all of these requests before March 31, 2012. As well, we processed one consultation request from another institution.

4.2 Disposition of requests completed

Of the five requests we completed, we disclosed all the requested information in one case. For three requests, we determined that no records existed. The final request was abandoned by the applicant.

4.3 Exemptions

We invoked no exemptions under the Privacy Act in 2011–2012.

4.4 Completion times

We completed all five requests under the Privacy Act within 30 days. The average turnaround time was 15.8 days. We completed the one consultation request within 15 days of receipt.

4.5 Method of access

We released the records associated with the one request for which we had records on CD-ROM.

4.6 Costs

Category of cost Amount
Salary $7,620
Administration (operations and management) $121
Total $7,741
Person-years 0.3

Costs incurred during the reporting period are calculated based on the salaries of ATIP Secretariat members and expenses associated with the administration of the Act.

5 Privacy Impact Assessments

The OIC neither initiated nor completed any Privacy Impact Assessments in 2011–2012. These assessments are required when an organization changes the purposes for which it gathers personal information or gathers new information.

6 Public interest disclosures

The OIC made no disclosures of information under paragraph 8(2)(m) of the Privacy Act during the reporting period. These disclosures are made when the Commissioner decides that releasing the information clearly outweighs any invasion of privacy of the person to whom the records relate or when releasing the information would benefit the person in question.

7 Changes to the organization, programs, operations or policies

During 2011–2012, theATIP Secretariat was separated from the OIC's IM/IT Division and now reports directly to the Director General, Corporate Services. This has streamlined the approval process and facilitated the timely processing of requests.

Throughout the year, we continued to revise and refine our ATIP Procedures Manual. This document provides a detailed look at the steps required to process a privacy request.

After successfully implementing our new electronic records management system in the spring of 2011, we began work to renew the legal case management system. We also began to modernize the architecture behind our networks and continued to enhance the security of our systems to protect the sensitive information we collect from institutions. We expect each of these measures to have a positive impact on our ability to retrieve records and respond to requests.

8 Education and training

During 2011–2012, the ATIP Secretariat conducted individual training sessions, in both official languages, on the Access to Information Act and the Privacy Act, and related processes. A total of 5 of our approximately 100 employees took this training in 2011–2012.

9 Complaints

No complaints against us were lodged with the Office of the Privacy Commissioner (OPC) during the reporting period. Three were carried over from the previous fiscal year and closed in 2011–2012.

Of these three, one was closed as Resolved and one was Well-founded/Resolved. Both of these were the result of administrative errors on our part. The final complaint was settled during the course of the investigation.

We were advised of one privacy breach during the year, in which we inadvertently sent a document associated with an investigation, and containing personal information about the complainant, to the wrong institution. Upon learning of this breach, we immediately reported it to the OPC. We are awaiting a response from the OPC on the matter.

Appendix A

Delegation orders for the purpose of the Access to Information Act and the Privacy Act

Text Version

Appendix B

Delegation orders for the purpose of the Access to Information Act and the Privacy Act

Text Version

Appendix C

Delegation orders for the purpose of the Access to Information Act and the Privacy Act

Text Version

Appendix D

Delegation orders for the purpose of the Access to Information Act and the Privacy Act

Text Version

Appendix E

Delegation orders for the purpose of the Access to Information Act and the Privacy Act

Text Version

Schedule

Text Version

Appendix F

Schedule

Schedule

Schedule

Schedule

Schedule

Schedule

Schedule

Text Version