2010-2011 Annual Report on the Administration of the Privacy Act
Table of Contents
- 1 Introduction
- 2 Organization
- 3 Delegation Order
- 4 Statistical Report
- 5 Interpretation of the Statistical Report
- 6 Privacy Impact Assessments
- 7 Data-sharing Activities
- 8 Education and Training Activities
- 9 Changes to the Organization, Programs, Operations or Policies
- 10 New Policies or Procedures
- 11 Privacy Complaints and Investigations
- Appendix A—Delegation, January 18, 2010
- Appendix B—Revocation, September 22, 2010
- Appendix C—Delegation, September 22, 2010
- Appendix D—Statistical Report
This report to Parliament describes the activities of the Office of the Information Commissioner of Canada (OIC) for 2010-2011 that support compliance with the Privacy Act. It is submitted pursuant to section 72 of the Privacy Act.1
The purpose of the Privacy Act is to protect the privacy of individuals with respect to personal information about themselves held by federal institutions, and to provide individuals with a right of access to that information.
The mandate of the Information Commissioner is to investigate complaints under the Access to Information Act(the Act)from individuals who feel that their rights to access have not been respected by federal institutions. The Commissioner is also authorized to initiate a complaint relating to requesting or obtaining access to records under the Act if there are reasonable grounds to do so.2
This report details the activities and accomplishments of the Access to Information and Privacy program as they pertain to the Privacy Act . Some highlights include:
- We completed formal requests in an average of 16.5 days.
- We completed two Preliminary-Privacy Impact Assessments (PPIAs) regarding the implementation of the electronic corporate records repository and the new corporate Intranet website.
- We contributed innovative approaches to enhance the organization's ability to respond to evolving business requirements. One initiative provided for the temporary deployment of two members of the Access to Information and Privacy Secretariat to help with the investigative function.
The Information Commissioner is an Agent of Parliament and ombudsperson appointed by Parliament under the Access to Information Act. The Commissioner is supported by the OIC, an independent public body established in 1983 under the Act to respond to complaints from the public about access to information.
The OIC was restructured at the end of the reporting period into three branches as follows:
The Complaints Resolution and Compliance (CRC) Branch investigates individual complaints about the processing of access requests, conducts dispute resolution activities and makes formal recommendations to institutions, as required. It also assesses federal institutions' compliance with their obligations and carries out systemic investigations and analysis.
Legal Services represents the Commissioner in court and provides legal advice on investigations, legislative issues and administrative matters. It closely monitors the range of cases having potential litigation ramifications for the OIC and access to information in general. It also assists investigators by providing them with up-to-date and customized reference tools on the evolving technicalities of the case law.
Corporate Services provides strategic and corporate leadership in human resources and financial management, internal audit as well as information management and technology. It provides policy direction and conducts the OIC's external relations with a wide range of stakeholders, notably Parliament, government and representatives of the media. It is also responsible for managing the OIC's access to information and privacy function.
The Access to Information and Privacy (ATIP) Secretariat processes access requests filed under the Act for records under the control of the OIC. Prior to the restructuring of the Corporate Services Branch, the ATIP Secretariat comprised four staff members:
the Director, Information Management Division, who also holds full delegated authority under the Act as institutional ATIP Coordinator;
the Director, ATIP Secretariat, who is responsible for the management of the Secretariat, including oversight of request administration, policy development and training, and holds full delegated authority under the Act as ATIP Coordinator;
the Senior ATIP Analyst, who is responsible for the processing of complex and/or voluminous files and the second review of completed requests; and
the Junior ATIP Analyst, who administers less complex and smaller volume applications under the Act.
Since the demand in the ATIP Secretariat decreased this year, we were in a position to offer additional support to increase the organization's investigation capacity. Two staff members were temporarily assigned to the CRC Branch to boost capacity and maximize efficiencies.
Under the Act, the Information Commissioner is the designated head of the institution, for the purpose of administering the legislation.
The delegation order signed January 18, 2010 was still in force at the start of the reporting period. The order delegated full authority under section 73 to the Interim Assistant Commissioner, Policy, Communications and Operations; the Acting Director, Information Management; and the ATIP Manager (see Appendix A).
During the reporting period, one change was made in the delegated authority. In September 2010, the delegation to the ATIP Deputy Director was revoked as this individual was being assigned temporarily to assist in investigating complaints (see Appendix B). The revocation of the delegation ensured there was no conflict of interest as the employee assumed new responsibilities. A new delegation order was then issued authorising the Acting Assistant Commissioner, Policy, Communications and Operations as well as the Director, Information Management to exercise authority under the Act (see Appendix C).
The statistical report is attached as (see Appendix D).
This section provides details on the six requests the ATIP Secretariat processed under the Privacy Act during the reporting period. Only those sections of the Act that were applicable to those requests will be discussed in this section.
We received six requests under the Privacy Act during this fiscal year. All of these, were completed before March 31, 2011.
Of the six requests completed, two were disclosed in part, two were transferred to another institution with a greater interest, one was disclosed in full and one was abandoned by the applicant.
Section 22 of the Act was invoked three timesin order to protect OIC investigations.
All files were completed within the original 30 days. The average turnaround time for a request under thePrivacy Act was 16.5 days.
In all three cases, copies of the records were provided to the requester in a CD format.
Costs to administer the OIC privacy program between April 1, 2010, and March 31, 2011
Person Year (decimal format)
During the reporting period two Preliminary-Privacy impact assessments (PPIA) were completed. The first PPIA covered the implementation of the electronic corporate records repository — RDIMS. No significant privacy risks were identified. The PPIA will be posted on the corporate website upon approval by the OIC Executive Committee.
A second PPIA was done to assess privacy risks associated with the implementation of the new corporate Intranet website. The PPIA identified the need for signed consent forms to be completed by OIC employees prior to their pictures or other personal information being posted on the site. The OIC has therefore mitigated any risks to privacy rights by implementing a procedure requiring consent forms to be completed before any employees' personal information is posted on the site.
There were no new data-sharing activities during the reporting period.
During 2010−2011, the ATIP Secretariat conducted three training sessions, in both official languages, on the Access to Information Act and the Privacy Act and related processes.
Legal Services provided one-on-one training on the legislation for all new employees. They also offered four sessions on the Act in general, two sessions on the duty to assist, and four sessions on the exercise of discretion.
The ATIP staff attended the 18th Congress of the Association sur l'accès et la protection de l'information held in Quebec City. This three-day conference provided an opportunity to see the developments underway in the Quebec provincial access to information and privacy community.
As discussed above, the OIC underwent a restructuring at the end of the reporting period. The former Policy, Communications and Operations Branch was streamlined with a view to enhancing controls and accountability for all corporate functions, including access to information. Policy development and systemic affairs are now under the responsibility of the Complaints Resolution and Compliance Branch. The new Corporate Services Branch includes human resource management.
The continued implementation of the organization's strategy to renew its information management and information technology further contributed to maintaining our excellent performance in quickly handling access to information and privacy requests.
In 2008 a preliminary assessment of our information management and information technology (IM/IT) program was completed and a five-year strategic plan was developed and approved by the Treasury Board Secretariat. The plan sets out the roadmap to integrate the IM/IT infrastructure and develop it to full maturity with the applications, policies and processes needed to fully meet the organization's business requirements.
During the reporting period we operationalized Year 2 of the IM/IT strategy. Our projects included implementing an electronic corporate records repository (RDIMS). The IM section developed and delivered group training on RDIMS and IM, and subsequently posted the training on the OIC website in both official languages to facilitate access. A support function for RDIMS was implemented, including a network of trained IM practitioners representing each business area. The IT team provided programming and technical support to the project.
The IM Section also finished the work on a corporate wide effort to identify and describe all records held by the OIC into a corporate universal classification system.
The division also made an electronic training module on the classification of sensitive information available on the website for all users.
Finally, the first-ever disposition of records under the Multi-Institutional Disposition Authority (MIDA) for case files took place this year. We disposed of more than 20,000 investigative files and began shipping records of archival value to Library and Archives Canada (LAC) to preserve the documentary heritage of Canadians. We also began the disposition of records under the MIDAs for common administrative functions. We anticipate completing the disposition of financial records and ATI files by the end of 2011−2012.
In the IT area, we focused on upgrades to our network which resulted in a 30% reduction in service calls overall to the IT Help Desk. We also worked closely with the investigative branch to customize an off-the shelf software solution to its case management needs. Through user acceptance testing, we further refined the product to fully meet investigators' needs. The new system will be deployed starting in April 2011.
The IT team also focussed on developing sound reporting tools that would enable senior management to monitor the progress of investigations more effectively.
Throughout the year we revised and refined our ATIP Procedures Manual. This document provides a detailed look at the steps required to process an access to information request. The six pillars of the access to information and privacy regime at the OIC are as follows:
1. Full implementation of duty to assist
- Exercise discretion to waive application fee.
- Advise requesters on ways to clarify their requests to facilitate faster and greater disclosure.
- Expedite consultation process when required.
- Provide interim releases when time extensions are necessary.
2. Maximum disclosure
- Apply a presumption in favour of disclosure and due consideration to the public interest in the information requested. Severances are applied only when the access to information and privacy coordinator is satisfied that disclosure would result in specific and probable harm to the interest covered under a discretionary exemption.
3. Minimal extensions of deadlines
- Resort to extensions only when unavoidable and for the shortest time possible.
4. Timeliness of responses
- Release as soon as possible without waiting for the 30-day deadline.
5. Confidentiality of the investigative process
- Refrain from making recommendations to institutions consulting the office regarding information that could be the subject of a subsequent investigation, thereby eliminating any potential conflict of interest.
6. Protection of personal information
- Guarantee the privacy, confidentiality and security of personal information in accordance with the Privacy Act.
In the interest of reducing the request processing time as much as possible, the ATIP Secretariat, with the full support of the executive committee, reduced the tasking time for document retrieval from 7 days to 5 days. As a result, we are able to process our requests more quickly. This initiative was key to our achieving and maintaining an average turnaround time of 16.5 days on requests.
Four complaints were lodged with the Office of the Privacy Commissioner (OPC) during the reporting period, and three were still open as of March 31, 2011.
The complaint investigation that was closed this year had a finding of "not-well founded". In this instance the requester complained that OIC was denying him access to his personal information by applying exemptions to the records he requested under the Privacy Act. The Privacy Commissioner reviewed our application of the exemptions and found that none of the requester's personal information had been withheld from him.