Annual Report to Parliament 2020-21: Privacy Act
Part II – Report on The Privacy Act
Requests under the Privacy Act
Statistical Report
The Annual Statistical Report for fiscal year 2020-21 is included at Part III of this Report.
Interpretation of the Statistical Report
Overview of Requests Pursuant to the Privacy Act
| Fiscal Year | # of Requests Received | # of Requests Completed | # of Pages Processed | # of Pages Released |
|---|---|---|---|---|
| 2020-21 | 128 | 130 | 25,853 | 5,468 |
| 2019-20 | 196 | 201 | 28,125 | 12,176 |
| 2018-19 | 253 | 248 | 14,479 | 7,397 |
Requests Received Pursuant to the Privacy Act
128 requests were received during the period under review. In addition, 46 requests were carried forward from previous years, for a total of 174 requests.
Requests Completed Pursuant to the Privacy Act
130 requests were completed during the period under review and 44 were carried forward to be completed in fiscal year 2021-22.
Responding to formal privacy requests involved the review of 25,853 pages, of which 5,468 pages were partially or entirely disclosed.
Disposition of Completed Requests
Of the 130 requests completed in fiscal year 2020-21:
- No relevant records existed under the control of the Department for 59 (45%) requests; and
- 42 (32%) requests were abandoned by the applicant. In the majority of cases, the applicant did not pursue the requests, either by withdrawing them or by not providing the clarification that was requested by the ATIP Office.
The remaining 29 requests were released in the following manner:
- 2 were fully disclosed (1%);
- 23 were partially disclosed (18%);
- 2 could not be confirmed nor denied (2%); and
- 2 were entirely exempted (2%).
Dispositions
Dispositions – Text version
This pie graph illustrates the percentage of requests that were completed during the reporting period with the following dispositions: All Disclosed (1%), Disclosed in Part (18%), neither confirmed nor denied (2%), Exempt Entirely (2%), no relevant records (45%) and abandoned (32%).
Completion Time and Extensions
Out of 130 requests completed in 2020-21, 87 (67%) were processed within 30 days or less.
Completion Time
Completion Time – Text version
This pie graph illustrates the percentage of requests that were completed during the reporting period within the following timeframes: 1 to 15 days (42%), 16 to 30 days (25%), 31 to 60 days (12%), 61 to 120 days (5%), 121 to 180 days (3%), 181 to 365 days (4%) and more than 365 days (9%).
The ATIP Office routinely monitored the processing time for privacy requests. This routine monitoring was done through various statistical reports and meetings with ATIP employees to ensure that requests were being processed in a most timely manner. All ATIP employees, portfolio contacts and senior management were made aware of the performance metrics.
In some instances, the Department found it necessary to seek extensions to the prescribed time limits due to interference with operations (39 times).
Exemptions Invoked
The Department invoked exemptions under the PA for 43 requests. Section 26 was invoked most often (24 times), which exempts personal information relating to individuals other than the applicant, and section 27 (18 times), which exempts information relating to solicitor-client privilege. For further details regarding all the exemptions invoked, please refer to the Statistical Report at Part III of this Report.
Exclusions Cited
Information was excluded under section 70(1) once during the reporting period.
Method of Access
A total of 6 requesters wanted paper copies and 19 applicants chose to receive information electronically.
Consultations by other Federal Institutions or Departments
Overview of Consultations Requests Received from other Government Institutions and Organizations
| Fiscal Year | # of Requests Received | # Pages Received | # of Requests Completed | # of Pages Reviewed |
|---|---|---|---|---|
| 2020-21 | 25 | 1,793 | 26 | 2,891 |
| 2019-20 | 19 | 369 | 19 | 951 |
| 2018-19 | 26 | 1,387 | 26 | 1,162 |
During the period under review, the Department received 25 requests from other government institutions and organizations requesting recommendations regarding records originating from, pertaining to, or of interest to the Department. In addition, 5 consultations outstanding from previous years were carried over, for a total of 30. In total, the Department reviewed 1,793 pages for these consultations.
Of the 30 consultations active throughout the reporting period, 26 were completed during the 2020-21 fiscal year and the remaining four were carried forward to be completed in fiscal year 2021-22.
Other types of Requests
Advice
The ATIP Office acted as a resource on several occasions for departmental officials as well as those from other government institutions, offering advice and guidance on the provisions of the legislation as well as related policies. The Office was consulted on the disclosure and collection of information on a wide range of issues.
Complaints, Investigations and Federal Court Cases
Complaints Filed
The Department received 5 Notices of Intention to Investigate from the Office of the Privacy Commissioner (OPC) during the reporting period. The reasons for the complaints were as follows:
- 2 related to delay;
- 1 related to exemption;
- 1 concerned the handling of the request in general; and
- 1 concerned the used and disclosure of personal information
Completed Investigations
Complaint findings are defined as follows:
- Well-founded: The institution contravened a provision of the PA.
- Well-founded and resolved: The institution contravened a provision of the PA but has since taken corrective measures to resolve the issue to the satisfaction of the OPC.
- Not well-founded: There was no or insufficient evidence to conclude the institution/organization contravened the privacy legislation.
- Resolved: The investigation revealed that the complaint is essentially a result of a miscommunication, misunderstanding, etc., between parties; and/or the institution agreed to take measures to rectify the problem to the satisfaction of the OPC.
- Settled: The OPC helped negotiate a solution that satisfied all parties during the course of the investigation, anddid not issue a finding.
- Discontinued: The investigation was terminated before allegations were fully investigated.
- Early Resolution (ER): Applied to situations in which the issue is resolved to the satisfaction of the complainant early in the investigation process and the OPC did not issue a finding.
A total of 6 investigations were completed during the reporting period, some of which had been carried forward from previous years. Of the 6 investigations, 2 were not well-founded (including the complaint on use and disclosure of personal information), 1 was well-founded; 3 were closed in Early Resolution. No key issues were raised as a result of these complaints.
At the end of the fiscal year, 4 complaints were still under investigation by the OPC.
Review by the Federal Court of Canada
No applications were filed before the Federal Court pursuant to sections 41, 42 and 44 of the PA during the reporting period.
Request for Correction of Personal Information
Paragraph 12(2)(a) of the PA provides that every individual given access to personal information about himself or herself that has been used, is being used, or is available for use for an administrative purpose, is entitled to request correction of such information where the individual believes there is an error or omission therein.
The Department did not receive any request for correction of personal information during the reporting period.
Use and Disclosure
It is the Department’s policy that personal information be used solely for the purpose for which it is collected or for a consistent use as described in the Info Source publication.
Disclosure under Paragraph 8(2)
Paragraph 8(2)(m) of the PA permits the disclosure of personal information in situations where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or when the disclosure would clearly benefit the individual to whom the information relates. The Privacy Commissioner must be informed of disclosures to be made under these provisions.
The Department did not disclose personal information pursuant to paragraph 8(2)(m) during the reporting period.
Exempt Banks
The Department had no exempt banks under the PA.
Audits Conducted by the Privacy Commissioner
Pursuant to subsection 37(1) of the PA, the Privacy Commissioner may carry-out investigations in respect of personal information under the control of government institutions to ensure compliance with paragraphs 4 to 8.
No formal investigations by the Commissioner were completed during the reporting period.
Privacy Breaches
Federal institutions are required to notify the OPC of Canada and the Treasury Board of Canada Secretariat of all material privacy breaches and of the mitigation measures being implemented if the breach involves sensitive personal information and could reasonably be expected to cause serious injury to the individual.
1 material breach was reported during this reporting period.
Summary of the Material Privacy Breach
A letter and attached receipts containing taxpayer information were sent by courrier from the Department’s office in Edmonton to an employee’s home. The employee was working from home due to COVID-19. The employee confirmed that she did not receive the package and filed a breach report. The matter was investigated by the ATIP Office and the documents were deemed to be lost. The Department filed a report with the Edmonton Police Service. The individuals were informed of the breach.
Corrective measures taken
The Department moved to further limit physical transfer of documents via courier during the COVID-19 outbreak to the extent possible.
Privacy Impact Assessments (PIAs)
PIAs are a means to ensure that privacy principles are taken into account during the design, implementation and evolution of programs and services that involve personal information. Programs and services with potential privacy risks are required to undergo a PIA.
No PIAs were completed during this reporting period.
- Date modified: