2021-22 Annual Report to Parliament on the Privacy Act – Office of the Privacy Commissioner of Canada – Commissariat à la protection de la vie privée du Canada


Introduction
Mandate and Mission of the OPC
Organizational Structure
Privacy Commissioner, Ad Hoc / Complaint Mechanism
ATIP Directorate Activities
Privacy Act Statistical Interpretation
Report on the TBS Directive on Privacy Impact Assessment (PIA)
Data Sharing Activities
Disclosures of Personal Information
Material Privacy Breach
Privacy Related Policy Instruments
Appendix A — Privacy Act Delegation Order
Appendix B — Statistical Report
September 2022
Office of the Privacy Commissioner of Canada
30 Victoria Street, 1st Floor
Gatineau, Quebec
K1A 1H3
819-994-5444, 1-800-282-1376
Fax: 819-994-5424
Follow us on Twitter: @privacyprivee
The Privacy Act (PA) came into effect on July 1, 1983. The Act imposes obligations on federal government departments and agencies to respect the privacy rights of individuals by limiting the collection, use and disclosure of personal information. The Act also gives individuals the right of access to their personal information and the right to request the correction of that information.
When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC) was added to the Schedule of the Privacy Act along with other Agents of Parliament. Therefore, while not initially subject to the Act, the OPC became so on April 1, 2007.
Section 72 of the Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year.
The OPC is pleased to submit its fifteenth Annual Report which describes how we fulfilled our responsibilities under the Privacy Act in 2021-22.
The mandate of the OPC is to oversee compliance with both the PA, which covers the personal information handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.
The OPC’s mission is to protect and promote the fundamental privacy rights of individuals.
The Commissioner works independently from any other part of the government to investigate privacy complaints from individuals with respect to the federal public sector and certain aspects of the private sector. In public sector matters, individuals may complain to the Commissioner about any matter specified in section 29 of the PA.
For matters relating to personal information in the private sector, the Commissioner may investigate complaints under section 11 of PIPEDA except in the provinces that have adopted substantially similar privacy legislation, namely Quebec, British Columbia, and Alberta. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador now fall into this category with respect to personal health information held by health information custodians under their health sector privacy laws. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial activities.
The Commissioner focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary cooperation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the complainant or the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.
As a public advocate for the privacy rights of Canadians, the Commissioner carries out the following activities:
The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner may be assisted by Assistant Commissioners, who have delegated responsibilities under both the PA and PIPEDA.
In 2018, the OPC, following an organizational review, adopted a new structure to support the Privacy Commissioner’s vision to be more proactive, and to focus efforts where there can be an impact for the greatest number of Canadians.
The core responsibility of the OPC is the protection of privacy rights of Canadians. To do this, the OPC’s work falls into two program areas — Compliance and Promotion. Both areas are important in protecting privacy.
The OPC’s organizational structure is comprised of three sectors: the Compliance Sector, the Policy and Promotion Sector, and the Corporate Management Sector. The work of each sector is overseen by a Deputy Commissioner. The three Deputy Commissioners, as well as the Legal Services Directorate, report directly to the Privacy Commissioner. The Commissioner is also supported by the OPC’s Executive Secretariat.
The OPC is structured in the following way:
The Compliance Program, headed by the Deputy Commissioner, Compliance, focuses on addressing existing privacy compliance problems through a variety of enforcement activities to ensure violations of the law are identified and that remedies are recommended. This includes investigations into complaints filed by Canadians, but also a shift towards more proactive enforcement, such as proactive, Commissioner-initiated investigations or, in certain cases, audits, to review issues that are not being addressed through the complaint system.
The Compliance Sector includes three directorates: the Privacy Act Compliance Directorate (public sector), the Personal Information Protection and Electronic Documents Act (PIPEDA) Compliance Directorate (private sector) and the Compliance, Intake and Resolution Directorate (public and private sectors).
The PA Compliance Directorate investigates complaints under the Privacy Act from individuals who believe they have not been given access to their personal information held by government institutions, or feel that their information has been inappropriately collected, used, disclosed or managed. The Directorate also investigates complaints and conducts audits that are initiated by the Commissioner.
The PIPEDA Compliance Directorate investigates complaints under the PIPEDA from individuals about the collection, use and disclosure of their personal information in the course of commercial activities. The Directorate also investigates complaints and conducts audits that are initiated by the Commissioner, including sector-wide investigations.
The Compliance, Intake and Resolution Directorate is a new directorate within the Compliance Sector. It is responsible for receiving and quickly resolving complaints received under the PIPEDA and the Privacy Act. The Directorate also:
On January 1, 2020, the Compliance, Intake and Resolution Directorate’s Executive Director took on the role of Chief Privacy Officer for the OPC.
The Promotion Program, headed by the Deputy Commissioner, Policy and Promotion, is forward-looking and aims to inform Canadians of their rights and how to exercise them, and to bring organizations into compliance with the law. This involves, for example, the development and promotion of general—yet practical—information and guidance, reviewing and commenting on Privacy Impact Assessments (PIAs), and offering industry advice on specific initiatives. The goal is to share information and advice with businesses and departments when they are designing their services so that Canadians may enjoy the benefits of innovation without undue risk to their privacy.
The Policy and Promotion Sector includes five directorates: the Government Advisory Directorate, the Business Advisory Directorate, the Policy, Research and Parliamentary Affairs Directorate, the Technology Analysis Directorate and the Communications Directorate.
The Government Advisory Directorate provides advice and recommendations to federal public sector institutions in relation to specific programs and initiatives, as well as in the review of PIAs and information sharing agreements submitted by departments and agencies. This group also undertakes various outreach initiatives with the federal public sector in order to encourage compliance with the PA.
The Business Advisory Directorate provides advice to businesses subject to PIPEDA in the context of advisory services for new programs and initiatives, reviews for existing privacy practices and proactive engagements with the business community. This group also undertakes various outreach initiatives with the private sector in order to encourage compliance with PIPEDA.
The Policy, Research and Parliamentary Affairs Directorate develops strategic policy positions on legislative bills, government policies and private sector initiatives; supports the Commissioner’s appearances before Parliament; develops guidance for public and private sector; and conducts applied research on emerging privacy issues in support of this work. This Directorate also manages the OPC Contributions Program which funds external researchers and non-profit organizations to advance and apply new knowledge about data protection in the private sector.
The Technology Analysis Directorate identifies and analyzes technological trends and developments in electronic platforms and digital media; conducts research to assess the impact of technology on the protection of personal information in the digital world and provides strategic analysis and guidance on complex, varied and sensitive technological issues involving government and commercial systems that store personal information.
The Communications Directorate focuses on providing strategic advice and support for the planning and execution of public education and communications activities. Activities relate to the production and dissemination of information for Canadians and organizations aimed at increasing awareness of privacy rights and obligations through, for example, media monitoring and analysis, public opinion polling, media relations, publications, special events, various outreach campaigns and the OPC web site. The Directorate is also responsible for responding to requests for information from the public and organizations regarding privacy rights and responsibilities through the OPC’s Information Centre.
The Corporate Management Sector is led by the Deputy Commissioner, Corporate Management. The Corporate Management Sector includes four directorates: the Human Resources Directorate, the Finance and Administration Directorate, the Information Management/Information Technology Directorate, and the Business Planning, Performance, Audit and Evaluation Directorate.
The Corporate Management Sector provides advice and integrated administrative services such as corporate planning, resource management, financial management, information management/technology, human resources and people management and general administration to managers and staff.
The Legal Services Directorate reports directly to the Privacy Commissioner. The Directorate provides legal advice in relation to PIPEDA and PA investigations and audits, and in support of other operational activities across the OPC. It represents the OPC in litigation matters before the courts and in negotiations with other parties. The Directorate also includes OPC’s Access to Information and Privacy Program.
Organizational Chart for the OPC
In 2021-22, the ATIP Directorate was headed by a Director supported by two analysts.
Under section 73(1) of the PA, the Privacy Commissioner, as the head of the OPC, has delegated the Privacy Commissioner’s authority in relation to all access-related powers, duties and functions to the ATIP Director with respect to the application of the Act and its Regulations. In November 2021, the Privacy Commissioner signed a revised delegation instrument to reflect the separate roles of the Chief Privacy Officer (CPO) and the Director of ATIP at the OPC. The revised instrument delegates all access-related powers, duties, and functions to the Director of ATIP. A copy of the Delegation Order is attached as Appendix A.
Given the silence of the Federal Accountability Act with respect to an independent mechanism under which PA complaints against the OPC would be investigated, the Office has developed an alternative mechanism to investigate OPC actions with respect to its administration of the Act.
For this purpose, the Commissioner’s powers, duties and functions as set out in sections 29 through 35 and section 42 of the Act have been delegated to a Privacy Commissioner, Ad Hoc in order to investigate PA complaints lodged against the OPC.
In 2021-22, the Privacy Commissioner, Ad Hoc was Anne Bertrand (QC). Ms. Bertrand was the Province of New Brunswick’s first Access to Information and Privacy Commissioner from 2010 to 2017. In 2016, she also served as the Acting Conflict of Interest Commissioner for one year. She was previously a lawyer in Fredericton for over 24 years, working in multiple areas of the law, including administrative law, criminal law, labour law and civil litigation. She served as an arbitrator on various administrative tribunals for a number of years.
In the reporting fiscal year, four ATIP training sessions were offered to 48 OPC employees, including new employees and those returning from extended leave or temporary assignments elsewhere.
The OPC’s Statistical Report on the PA is attached in Appendix B.
The OPC received 39 formal requests under the PA during the fiscal year. This was in addition to one request carried forward from the previous year, for a total of 40 requests. Of these, 37 requests were closed during the course of this reporting year and three were carried forward to the next fiscal year. Thirty-six of the 37 requests closed during the reporting period were closed within legislated timelines (97.2%).
Chart - Requests under the Privacy Act
Of the 39 requests received, two were carried forward to the 2022-2023 reporting year in addition to the one request carried forward from the previous year, for a total of 37 requests processed under the PA concerning information under the OPC’s control, i.e., a total of 5255 pages of information. This represents an approximately 51% increase in the number of pages of information processed compared to the previous year. Of the 37 requests closed, 28 were completed within 1 to 15 days, 7 were completed within 16 to 30 days, 1 was completed within 31 to 60 days and 1 was completed within 61 to 120 days. Of the 3 requests carried over from the previous year, all 3 were received in 2021-2022 and were within the legislated timeframe.
In one case, the OPC was required to claim an extension of the time limit, as the volume of records that required processing was quite large, and finalizing those requests within the original 30-day timeframe would have unreasonably interfered with the operations of the OPC. With respect to the 37 requests processed in 2021-22:
Of the 37 requests processed in the reporting year, 11 were for the contents of PA investigation files and/or content processed by the OPC. Section 22.1 of the PA prohibits the OPC from releasing information it obtained during the course of its investigations or audits even after the matter and all related proceedings have been concluded. However, the OPC cannot refuse to disclose information it created during the course of an investigation or audit, once they and any related proceedings are completed — and subject to any applicable exemptions. This exemption was applied in 8 cases during the reporting period. With respect to other exemptions, section 26 (Information about another individual) was invoked in 6 cases, and section 27 (solicitor-client privileged information) in 2 cases.
The OPC also processed 8 requests for consultations received from other institutions during the reporting period, covering a total of 146 pages. Of the 8 requests, 7 were answered within 15 days and 1 was answered within 16 to 30 days.
It is quite common for the OPC to receive broad requests seeking access to personal information held by other federal institutions. In most cases, the OPC does not have any of the requested personal information under its control. In such cases, requesters are advised to contact the relevant federal institution or to consult Info Source: Sources of Federal Government and Employee Information for a detailed listing of the personal information holdings of each federal organization and to submit requests to those most likely to have the personal information to which they seek access.
At no point during the reporting period were requests received for correction of personal information held within the OPC nor was the OPC consulted by any federal institution with a request for correction.
Processing times for information requests are tracked on a weekly basis by the ATIP team using the access to information management system.
The COVID-19 pandemic created challenges for individuals throughout the OPC.
Most OPC staff have been teleworking since mid-March 2020. The OPC ATIP office was able to work at its usual capacity throughout the pandemic period. Other Directorates of the OPC, however, were more impacted by the situation, which may have caused delays in responding to certain requests.
During the reporting period covered in this report, the OPC did not receive any complaints made against it under the Privacy Act.
The Directive on Privacy Impact Assessment, which came into effect on April 1, 2010, requires that TBS monitor compliance with the Directive. Given this responsibility, institutions are asked to include pertinent statistics in their annual reports on the administration of the PA.
The OPC completed a PIA for the project to implement the Microsoft 365 suite of cloud-based software-as-a-service applications (M365 cloud services) during the reporting period.
The objective of the OPC cloud initiative is to modernize the technology the OPC currently uses to enhance the office’s operations by providing additional functions and features beyond the OPC’s current on-premise products. This implementation will allow the OPC to achieve efficient and effective information management to support OPC program and service delivery. It also aligns with the Government of Canada (GC) cloud adoption strategy, directives and guidance.
The OPC did not undertake any personal data sharing activities this reporting year.
The OPC disclosed no personal information under sections 8(2)(e), (m), or 8(2) (5) of the PA during this fiscal year.
No material privacy breaches occurred within the OPC during this fiscal reporting year.
No work concerning privacy-related policy instruments was undertaken during the fiscal reporting period covered by this report.
Additional copies of this report may be obtained from:
Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
30 Victoria Street, 1st Floor
Gatineau, Quebec K1A 1H3
Pursuant to subsection 73(1) of the Privacy Act, the Privacy Commissioner of Canada hereby delegates to the persons holding the positions set out below, or the persons occupying the positions on an acting basis, the following powers, duties, and functions of the Privacy Commissioner of Canada, as head of the institution, under the provisions of the Act and related regulations set out in the column opposite each position, as specified below:
For greater clarity, this delegation to the positions set out above, or to the persons occupying on an acting basis these positions, includes all powers, duties, and functions as they existed prior to June 21, 2019 under section 73 of the Privacy Act to be exercised with respect to any complaint, investigation, application, judicial review or appeal that was initiated before June 21, 2019.
This delegation of authority supersedes any previous delegation of the powers, duties and functions set out herein.
Dated at the City of Gatineau, this 18th of November, 2021.
 
(Original signed by)
Daniel Therrien
Privacy Commissioner of Canada
Name of institution: Office of the Privacy Commissioner of Canada
Reporting period: 2021-04-01 to 2022-03-31