2008-2009 Annual Report on the Administration of the Privacy Act
This report to Parliament describes the activities of the Office of the Information Commissioner of Canada (OIC) that support compliance with the Privacy Act, in accordance with section 72.
The purpose of the Privacy Act is to protect the privacy of individuals with respect to personal information about themselves held by federal institutions, and to provide individuals with a right of access to that information.
The Information Commissioner’s mandate is to investigate complaints under the Access to Information Act (ATIA) from individuals who feel that their rights to access have not been respected by federal institutions. The Commissioner is also entitled to initiate a complaint if there are reasonable grounds to do so.
The period from April 1, 2008 to March 31, 2009 was an event-filled time for the OIC on several fronts. Highlights in this report include:
- We increased the capacity in the ATIP Secretariat to process requests. The Treasury Board Secretariat (TBS) approved funding for 2008-2009 that was used to hire two new ATIP analysts as well as to purchase an electronic request processing system which was implemented mid-year. An ATIP Assistant position was also created from the existing budget.
- We made considerable strides in our information management, both in the ATIP Secretariat, and in the larger organization. Improvements such as network consolidation, business process transformation and a shift to electronic service delivery helped us to operate more efficiently, while at the same time assisting our clients.
The OIC has 82 full-time employees. It is divided into four main branches.
- The Complaints Resolution and Compliance Branch carries out investigations and dispute resolution efforts to resolve complaints.
- The Policy, Communications and Operations Branch assesses federal institutions’ performance under the Act, conducts systemic investigations and analyses, provides strategic policy direction for the Office, leads the Office’s external relations with the public, the government and Parliament, and provides strategic and corporate leadership in the areas of financial management, internal audit and information management.
- The Legal Services Branch represents the Commissioner in court cases and provides legal advice on investigations as well as legislative and administrative matters.
- The Human Resources Branch oversees all aspects of human resources management and provides advice to managers and employees on human resources issues.
The ATIP Secretariat, which was established within the Policy, Communications and Operations Branch, administers and processes requests for OIC information under the ATIA and the Privacy Act. The staff of the ATIP Secretariat comprised four persons:
- the Director, Information Management Division, who, as institutional ATIP Coordinator also holds the full delegated authority under the ATIA and the Privacy Act;
- the Senior ATIP analyst who is responsible for the processing of complex and/or voluminous files, and the second review of completed requests;
- the Junior ATIP analyst who administers straightforward smaller volume applications under the ATIA; and
- the ATIP Assistant who enters all applications into the electronic system, acknowledges requests, performs imaging services, produces reports and is responsible for other administrative tasks as required.
Under the Privacy Act, the head of the institution is responsible for setting out what powers have been delegated, and to whom, under a delegation order.
During the reporting period, two consecutive delegation orders were put in place that echoed changes in staffing within the organization. At the beginning of the year, the delegation order provided that the Assistant Commissioner, Policy, Communications and Operations, the ATIP Coordinator, and the Senior Policy Analyst were entitled to administer the Act. The second order stipulated that the delegated authority was held by the Assistant Commissioner, the Director, Information Management, and the Director, Strategic Case Management.
Copies of both delegation orders are attached as Appendices A and B.
The statistical report is attached as Appendix C.
This section provides the details on the 2 requests made under the Privacy Act to the ATIP Secretariat during the reporting period. Only those sections of the Act that were applicable to those requests will be discussed.
One of the two requests received was completed during the reporting period and one was carried over into the new fiscal year.
The request completed during the reporting period resulted in partial disclosure.
Two exemptions were applied during the reporting period. Section 26 was invoked to protect the personal information of a third party, and information that was related to law enforcement was exempted under subparagraph 22(1)(b)(iii).
The request was completed within the 30-day time limit.
When the request was completed, photocopies were provided to the applicant.
The total cost of the Privacy program for the OIC during the reporting period was $7,502.20, which breaks down as follows:
There were no privacy impact assessments completed during the fiscal year.
There were no new data sharing activities during the reporting period.
A new training module was developed in 2008-2009 to assist OIC program officials in understanding their responsibilities in retrieving records and making recommendations. The module, which will be offered early in the next fiscal year, outlines the step-by-step process for officials to follow in carrying out their responsibilities under the Access to Information Act and the Privacy Act. Analysts in the ATIP Secretariat will also receive section-specific training offered by the Treasury Board Secretariat as required.
Enhancing our information management capacity
Information management (IM) is critical to the success of our new business model. We produce a significant amount of documentation in the form of investigation files, legal opinions, memos, briefings, correspondence and other information. In turn, we receive a significant amount of information from external sources. To take best advantage of all this information, we must manage it in such a way that we can easily coordinate, re-use, re-purpose and distribute it in a useful, targeted and responsible manner.
In 2008–2009, we conducted a thorough assessment of our IM capacity. Consequently, we created a new IM division—regrouping the information technology (IT) function, the Records Centre, Library Services and the Access to Information and Privacy Secretariat—and developed a comprehensive long-term IM/IT strategy designed to make IM service delivery more proactive.
In 2008–2009, we developed a five-year strategic plan aimed at positioning us as a leader in resolving access to information complaints and providing agile and enhanced service delivery. This plan identified a number of IM/IT renewal initiatives designed to enable us to create, manage, access and share information and knowledge with a seamless technology infrastructure. We focused our efforts on the most critical issues: those that were having a direct impact on our productivity, leaving us vulnerable to security breaches, and causing instability in our infrastructure. Our initiatives included the following:
- We established a new unit with a director and five IT professionals, who are responsible for implementing our IM/IT vision.
- We created a proactive service delivery model that anticipates business needs and identifies strategic solutions.
- We consolidated our IT infrastructure, with appropriate and up-to-date software and processes, including tools for project and change management.
- We updated or developed and implemented all the required policies and procedures.
- We increased security measures to protect data, both at rest and in transit across our network, according to their security classification while minimizing the impact of existing and emerging threats to the integrity of the information.
The results of our IM/IT renewal initiatives have been immediate and significant. The successful consolidation of the network and desktop environment has had a positive impact on our productivity while improving overall IT security, stability and management.
Since the Office of the Information Commissioner was founded in 1983, we have conducted thousands of investigations. Over the years, the volume of files associated with closed investigations increased to the point that we had to take decisive action to manage the overwhelming quantity of paper records. In 2008–2009, we developed our first Records Disposition Authority to determine how long we should keep present and future paper and electronic records created by investigators.
We also increased the capacity of our records section, in anticipation of the work we will have to do to develop and implement an institutional information management framework. Specifically, we created the positions of Manager, Information Management, and Manager, Records, to develop and maintain critical elements of an IM framework, such as a universal classification system, business rules and a concept of operations, as well as additional disposition authorities to cover all institutional records.
Access to Information and Privacy Secretariat
Since our organization became subject to the Access to Information Act and the Privacy Act in 2007, we have proactively managed our access to information program with the goal of achieving perfect compliance with the law. We used new funding obtained in 2007 to staff analyst positions and to purchase electronic request processing software. Electronic processing allows us to manage records associated with access and privacy requests more efficiently, maximize compliance with deadlines, and deliver records on CD-ROM, which effectively eliminates photocopy fees—a potential barrier to access.
The resulting improvement in information management has had several benefits:
- reproduction fees have been eliminated;
- packages of records are easily re-created, when necessary;
- statistical reporting is more accurate; and
- the overall quality of the packages of records we release is generally improved, in terms of organization of the records, legibility, contextualization of information and completeness and accuracy.
Better information management has also allowed us to build our access to information and privacy capacity. Given the widespread shortage of qualified personnel across federal institutions, and the need for more junior staff to come up to speed quickly, having reliable electronic record keeping and accompanying processes means that we can spend less time on training than previously and allows for greater ease of succession.
We also developed and approved a Use of Electronic Networks Policy governing use of the corporate network. The policy, which was approved in late 2008 and implemented shortly thereafter, outlines what is considered personal information on the OIC’s network, and what expectations employees can have if their personal information is stored on the network.
Two complaints were made under the Privacy Act by an employee who stated that the OIC had accessed his personal information on his Facebook page inappropriately. The complaint was abandoned by the applicant partway through the investigation.
The second complaint was related to information about one complaint accidentally being sent to another complainant. The Privacy Commissioner investigated and found that the complaint was well-founded; however, it was also found to be resolved since the OIC took steps to correct the situation.