2009-2010 Annual Report on the Administration of the Privacy Act
Table of Contents
- 1. Introduction
- 2. Organization
- 3. Delegation Order
- 4. Statistical Report
- 5. Interpretation of the Statistical Report
- 6. Privacy Impact Assessments
- 7. Data-sharing Activities
- 8. Education and Training Activities
- 9. Changes to the Organization, Programs, Operations or Policies
- 10. New Policies or Procedures
- 11. Privacy Complaints and Investigations
- Appendix A—Delegation, November 10, 2008
- Appendix B—Delegation, May 21, 2009
- Appendix C—Delegation, July 27, 2009
- Appendix D—Delegation, January 18, 2010
- Appendix E—Statistical Report
1. Introduction
This report to Parliament describes the activities of the Office of the Information Commissioner of Canada (OIC) that support compliance with the Privacy Act. It is submitted pursuant to section 72 of the Act.1
The purpose of the Privacy Act is to protect the privacy of individuals with respect to personal information about themselves held by federal institutions, and to provide individuals with a right of access to that information.
The mandate of the Information Commissioner is to investigate complaints under the Access to Information Act from individuals who feel that their rights to access have not been respected by federal institutions. The Commissioner is also authorized to initiate a complaint relating to requesting or obtaining access to records under the Act if there are reasonable grounds to do so.2
Since the OIC was itself made subject to the Access to Information Act in 2007, we are now required to report annually on the administration of our own Access to Information program. This report details the activities and accomplishments of the program as they pertain to the Privacy Act. Some highlights include:
- the convergence of Information Technology and Information Management (IM/IT) products, policies and services to facilitate speedier access to information for requesters, as well as greater transparency for Canadians; and
- the development and implementation of innovative new approaches that cross organizational units to balance the unpredictable demand of requests with the need for high quality analysis and organizational capacity requirements to conduct special projects.
1 Privacy Act, R.S., 1985, c. P-21
2 Access to Information Act, R.S. 1985, c. A-1, section 30
2. Organization
The Information Commissioner is an Officer of Parliament and ombudsman appointed by Parliament under the Access to Information Act, Canada’s freedom of information legislation. The Commissioner is supported by the OIC, an independent public body established in 1983 under the Act to respond to complaints from the public about access to information.
The Office has four branches:
- The Complaints Resolution and Compliance Branch carries out investigations and dispute resolution activities to resolve complaints.
- The Policy, Communications and Operations Branch assesses federal institutions’ performance under the Act, conducts systemic investigations and analyses, provides strategic policy direction for the Office, leads the Office’s external relations with the public, the government and Parliament, and provides strategic and corporate leadership in the areas of financial management, internal audit and information management. The Policy, Communications and Operations Branch also comprises the ATIP Secretariat.
- The Legal Services Branch represents the Commissioner in court cases and provides legal advice on investigations, as well as legislative and administrative matters.
- The Human Resources Branch oversees all aspects of human resources management and provides advice to managers and employees on human resources issues.
The Access to Information and Privacy (ATIP) Secretariat, which was established within the Policy, Communications and Operations Branch, administers and processes requests for OIC information under the Access to Information and Privacy acts. The staff of the Secretariat in 2009–2010 comprised five persons:
- the Director, Information Management Division, who, as institutional ATIP Coordinator, also holds full delegated authority under the acts;
- the Deputy Director, who is responsible for the management of the Secretariat, including oversight of request administration, policy development and training;
- the Senior ATIP Analyst, who is responsible for the processing of complex and/or voluminous files, and the second review of completed requests;
- the Junior ATIP Analyst, who administers less complex and smaller volume applications under the Privacy Act; and
- the ATIP Assistant, who enters all applications into the electronic system, acknowledges requests, performs imaging services, produces reports and is responsible for other administrative tasks.
3. Delegation Order
Under the Privacy Act, the Information Commissioner is the designated head of the institution, for the purpose of administering the legislation.
The delegation order signed on November 10th, 2008, was in force at the start of this reporting period. The order delegated full authority under section 73 of the Act to the Assistant Commissioner, Policy, Communications and Operations, the Director, Information Services and Knowledge Management, as well as the Director, Strategic Case Management.
During the reporting period, three consecutive delegation orders were put in place that reflected changes in staffing within the organization. The first order, signed on May 21, 2009, stipulated that full authority to administer the Act was delegated to the Assistant Commissioner, the Acting Director of the Information Management Division and the ATIP Manager. The second order, signed July 27, 2009, specified that the delegation was held by the Interim Assistant Commissioner, Policy, Communications and Operations, the Director, Information Management, and the ATIP Manager. The final delegation order, signed January 18, 2010, repeated the previous delegation to reflect staffing changes that had occurred to that point.
Copies of the delegation orders are attached as Appendices A, B, C and D.
4. Statistical Report
The statistical report is attached as Appendix E.
5. Interpretation of the Statistical Report
This section provides details on the four requests the ATIP Secretariat processed under the Privacy Act during the reporting period. Only those sections of the Act that were applicable to those requests will be discussed.
5.1 Requests received under the Privacy Act
We received three requests under the Privacy Act during this fiscal year. All of these, as well as the one request carried over from the previous reporting period, were completed before March 31, 2010.
5.2 Disposition of requests completed
Of the four requests completed, three were disclosed in part and one was abandoned by the applicant.
5.3 Exemptions invoked
Section 26 of the Act, pertaining to personal information belonging to an individual other than the requester, was invoked three times. Section 21, pertaining to international affairs and defence, and paragraph 22(1)(b)(i), pertaining to investigations, were each invoked once.
5.4 Completion times
All files were completed within their statutory deadlines. Three of the four were completed within the original 30 days. The fourth file was completed in 32 days and was done within the statutory deadline, since the 30th calendar day fell on a Saturday.
5.5 Method of access
In all three cases, copies of the records were provided to the requester in a CD format.
|Costs to administer the OIC privacy program between April 1, 2009, and March 31, 2010|
|Person Year (decimal format)||0.5|
6. Privacy Impact Assessments
No privacy impact assessments were completed during the reporting period.
One Preliminary Privacy Impact Assessment is being finalized for the new corporate repository system (RDIMS), which is to be implemented in the coming fiscal year.
7. Data-sharing Activities
There were no new data-sharing activities during the reporting period.
8. Education and Training Activities
During the reporting period, the ATIP Secretariat conducted three training sessions, in both official languages, on the Access to Information and Privacy acts and their associated processes.
The Secretariat staff attended learning activities organized by Treasury Board Secretariat on specific provisions in the legislation, as well as professional development opportunities such as the conference held by the Canadian Access and Privacy Association and the Canadian Association of Professional Access and Privacy Administrators.
The Secretariat also developed and trained specific cohorts in the OIC on the classification and handling of sensitive records.
9. Changes to the Organization, Programs, Operations or Policies
9.1 OIC IM/IT strategy
In December 2008, following a preliminary assessment of our IM/IT, we developed a five-year strategic plan that was subsequently approved by the Treasury Board Secretariat. The plan calls for a major overhaul of IM and IT services to address investment in an integrated infrastructure, business applications, and supporting policies and processes. The plan included a roadmap of the path and steps required for us to develop IM/IT to full maturity as a process-driven organization with a multi-layered business solutions infrastructure.
Maturing the IT and IM functions
To meet the challenges of creating access and implementing Year 1 of the strategic plan, we
- organized IT into Operations and Application units, and staffed these units based on the plan and available resources; and
- prioritized activities to enable staff to divide their time as required to accommodate both normal operational and strategic project priorities.
Subsequently, the IT Operations unit’s focus shifted to include stabilizing the current production environment and building the development capacity for the strategic initiatives.
We also put in place a Project Management Office, which has proven to be extremely useful in setting the stage to effectively manage all of our projects. Through a master work plan and schedule, we can manage and monitor the status of all IM/IT projects from a single project file. Individual projects are created through a team approach involving the IT Special Advisor, the project managers and the professionals who are delivering the project services.
In the IM function, staffing efforts began early in the new fiscal year so that we could stabilize the IM function and also deliver on the key components of our institutional IM program. The maturing of the IM function included ongoing activities such as:
- ensuring the security of the records area by restricting access and creating appropriate storage wherever possible;
- implementing procedures for submitting closed files to the Records Centre for storage;
- providing advice and training to specific cohorts within the OIC on the classification of sensitive documents and the lifecycle of records; and
- implementing the first annual disposition of investigative records and ongoing disposition of corporate transitory records.
Partnering and repurposing
Coming into 2009–2010, our IM/IT unit recognized that we had a major challenge. As a small agency with limited resources, we faced a set of significant issues related to the IM/IT strategy implementation. To meet this challenge, we decided that the best approach was to identify and repurpose existing solutions from elsewhere within the government rather than creating unique solutions for the OIC.
We were particularly successful over the past year in identifying relevant candidate solutions and building relationships with other federal institutions to be able to reuse their solutions and relevant experience. Our plan is to repurpose these solutions for the OIC and then continue in the partnering spirit by sharing our accomplishments.
Early in the year, the terms of reference were defined for an IM/IT steering committee. The committee includes Director-level representation from all of the OIC. It meets bi-monthly to review functional issues, project progress, and any relevant changes to the IM/IT context.
Discussions and decisions at the IM/IT steering committee have produced two significant positive outcomes:
- stronger ties to the business areas and enhanced communications between IM/IT staff and the rest of the OIC; and
- a decision-making forum for changes to the IM/IT infrastructure at the OIC.
9.2 Access to Information and Privacy Secretariat
During the reporting period, the ATIP Secretariat was also undergoing a transformation in the way that it works and is administered to facilitate faster access to information for requesters and improved information management.
By working closely with our IT section and software supplier, the Secretariat ensured that our electronic request management system was functioning optimally, and that all users were fully trained. This allowed us to maximize efficiencies in request processing to ensure that requesters received their information in the shortest time possible.
Greater understanding of our electronic request administration system also allowed us to electronically administer our responses to complaints made to the Information Commissioner and to expedite the closing of the complaint files. Full implementation of our electronic request processing system has also meant that we are now positioned to post the text of our requests on our website in both official languages and produce copies of release packages on demand. This is a key step in supporting our corporate transparency focus.
Finally, the ATIP Secretariat worked in innovative ways to manage the unpredictability of demand within the unit, leveraging its expertise in the legislation and easy access to the IT project management office to support special projects within the OIC. In this way we ensured flexibility to meet unpredictable demand, while building a strong collaborative relationship with the business areas. This, in turn, has fostered better understanding and increased capacity internally.
10. New Policies or Procedures
Early in the fiscal year we realized we required an IM strategy to set out clearly what we needed to do to modernize our practices and ensure compliance with the Library and Archives of Canada Act. We then drafted an IM policy suite that covers the high-level IM policy direction for the OIC. We produced a procedures manual outlining the business rules for the organization, as well as the specific business rules by function. We developed a function-based universal file classification system and descriptions of records in consultation with the business areas. Specific procedures incorporated in the manual include guidelines for managers on what to do with employee-generated records when they leave the organization, how to classify sensitive documents and details on metadata. These tools established the foundation for our migration to a corporate electronic records management tool in the coming year.
- full implementation of the duty to assist provision;
- justified application of exemptions;
- minimal extension of deadlines only;
- timeliness of responses;
- maintaining the confidentiality of our investigative process; and
- commitment to the confidentiality and security of personal information at all times.
We developed, in consultation with our Legal Services Division, four practice directions that set out the specific practices in place within the ATIP Secretariat, and in particular, a practice direction on the duty to assist provisions of the legislation. The practice directions will be posted on our website in the first quarter of 2010–2011.
11. Privacy Complaints and Investigations
While no complaints were lodged with the Office of the Privacy Commissioner (OPC) during the reporting period, there were two privacy breaches identified, one of which led to an investigation by the OPC.
The first breach was caused by a lost memory stick containing personal information. The report was completed. The OPC and the individual in question were notified. The OPC investigated the breach and found that steps had been taken to mitigate and prevent reoccurrence.
The second breach was discovered when reviewing an older access to information request. It was found that some personal information pertaining to OIC employees had inadvertently been released to the requester. The report was completed and filed with the OPC. The employees in question were notified.