Annual Report on the Administration of the Privacy Act -
On this page
- Introduction
- Organizational Structure
- Delegation Order
- Performance in accordance with the Privacy Act, -
- Training and Awareness
- Policies, Guidelines and Procedures
- Initiatives and Projects to Improve Privacy
- Summary of Key Issues and Actions Taken on Complaints
- Material Privacy Breaches
- Privacy Impact Assessments
- Public Interest Disclosures
- Monitoring Compliance
- Conclusion
- Annex: Delegation Order
© His Majesty the King in Right of Canada, as represented by the Minister of Industry and Minister responsible for Canada Economic Development for Quebec Regions, .
Catalogue Number: ST96-6E-PDF.
ISSN : 2293-975X
Introduction
In this section
The Privacy Act (R.S.C. , c. P-21, the Act) was proclaimed into force on . It extends the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and provides individuals with a right of access to that information.
Section 72 of the Act requires each head of a federal government institution to submit a report to Parliament on the administration of the Act within their institution during the fiscal year. We are pleased to provide the following Annual Report to Parliament on the Administration of the Privacy Act in accordance with section 72. It provides an overview on the activities of the Canadian Space Agency (CSA) during the reporting period of to .
The CSA is not reporting on behalf of wholly owned subsidiaries or non-operational institutions.
Mandate of the CSA
To provide a better understanding of the context in which the Act is implemented at the CSA, this section gives an overview of the institution's objectives and activities.
The CSA reports to the Minister of Industry and Minister responsible for Canada Economic Development for Quebec Regions. Its mandate, as set out in the Canadian Space Agency Act, is "to promote the peaceful use and development of space, to advance the knowledge of space through science and to ensure that space science and technology provide social and economic benefits for Canadians."
Mission
The CSA is committed to leading the development and application of space knowledge for the benefit of Canadians and humanity.
To fulfill its mission, the CSA:
- pursues excellence collectively;
- advocates a client-centred attitude;
- supports employee-oriented practices and open communications;
- commits itself to both empowerment and accountability; and
- pledges to co-operate and work with partners for our mutual benefit.
The CSA has been a source of inspiration for Canadians since its creation in . In addition to consolidating major federal space programs, it coordinates all the components of the Canadian Space Program and manages Canada's major space-related activities.
More information about the CSA can be found at the following: www.asc-csa.gc.ca.
Organizational Structure
The Access to Information and Privacy (ATIP) Office is a member of the Information Management and Information Technologies Directorate (IM-IT). The IM-IT Directorate is led by the Chief Information Officer who reports to the Vice-President Corporate Strategy, Innovation and Chief Financial Officer. The Access to Information and Open Government Coordinator is overseen by the Director of Cybersecurity and Information Management.
The ATIP Office is the central coordinating office for all requests received by the CSA under the Access to Information Act and the Privacy Act. It provides advice to senior management on the implementation of statutes and prepares reports to Parliament, the Treasury Board Secretariat and senior management. The ATIP Office also represents the CSA in complaints and investigations conducted by the Information Commissioner and Privacy Commissioner of Canada, and in any Federal Court application arising from ATIP matters.
The main functions of the CSA ATIP Office are ATIP Operations and Privacy. Analysts assigned to ATIP Operations coordinate and process the CSA's ATIP requests. These analysts are responsible for coordinating with sectors and performing a "line-by-line" review of records. Conversely, the analyst assigned to Privacy provides privacy recommendations and expertise within the CSA. The analyst leads the horizontal implementation of departmental privacy policies, conducts risk analyses including privacy impact assessments and privacy protocols for non-administrative purposes; as well as the prevention and management of privacy breaches.
As of , the ATIP Office was comprised of 4 full-time employees which include: 1 ATIP coordinator, 2 senior officers and 1 junior officer.
Evolving Role of the ATIP Office
Open government is becoming a global priority in improving transparency and making information more readily available to the public. The Government of Canada is no exception in that regard and has implemented a series of commitments in which departments and agencies are taking part. Briefly, the goal is to release as much data and information as possible in a manner that is accessible, interoperable, and publicly usable. This vision of transparency is closely linked to the principles in the application of the Act.
Request Processing Procedure
When it receives a request under the Act, the ATIP Office consults the appropriate Office of Primary Interest (OPI) and, as necessary, other government departments and third-party stakeholders. These parties include, but are not limited to, Justice Canada, information-related communities of practice, Treasury Board Secretariat (TBS) and other institutions.
Once the documents have been analyzed and the consultations are completed, the ATIP Office recommends the application of exemption(s) to the Chief Information Officer of the CSA. The Chief Information Officer is responsible for approving the communication of documents disseminated under the Act. The records in response to the request are then sent to the requester.
Service Agreements
Pursuant to section 73.1 of the Act, government institutions may provide (or receive) services to another government institution under the responsibility of the same minister.
The CSA was not party to any agreement for services under the portfolio of the Minister of Industry and Minister responsible for Canada Economic Development for Quebec Regions.
Delegation Order
Under the Act, the head of the CSA is the Minister of Industry and Minister responsible for Canada Economic Development for Quebec Regions. Decision-making responsibility for the application of the various provisions of the Access to Information Act and the Privacy Act have been formally established and are outlined in the departmental Delegation of Authority Instrument found in the Annex of this report.
The Delegation Order in effect during the - reporting period was approved in May 2021. The instrument identified that powers are delegated to the Chief Information Officer and the Access to Information and Open Government Coordinator.
Performance in accordance with the Privacy Act, -
In this section
During the – fiscal year, the CSA ATIP Office received a total of 7 requests for personal information under the Privacy Act. Of these, 5 were submitted through the Access to Information and Privacy (ATIP) Online Request Service, while the remaining 2 were received by mail. This represents a decrease of 4 requests compared to the previous fiscal year, indicating a small downward trend in the number of Privacy Act requests received.
Over the course of the year, the CSA completed 7 requests under the Privacy Act, achieving a compliance rate of 86% within statutory time limits. At the end of the reporting period, 2 requests still within the legislated timelines, remained active and were carried forward to the – fiscal year.
The following table illustrates the trend in number of requests received under the Privacy Act from - to -:
| - | - | - | - | - | |
|---|---|---|---|---|---|
| Number of requests | 33 | 9 | 2 | 11 | 7 |
Disposition and Processing Times
In -, the CSA completed 2 requests within the first 30 calendar day timeframe (29%), 2 requests (29%) were completed within 31-60 days, and 3 requests (43%) were completed within 61 to 120 days.
The following table illustrates the processing times of requests that were completed under the Privacy Act during the reporting period of -:
| 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | |
|---|---|---|---|---|---|
| Number of requests | 0 | 2 | 2 | 3 | 0 |
All 7 requests processed this fiscal year (100%) were partially disclosed. Additionally, at the conclusion of the - reporting period, 2 requests within the legislative timelines were carried forward to the following reporting period.
Extensions Invoked
The legislation allows for extensions when the response requires internal or external consultations, additional review time due to large amount of records, or when the review could interfere with the operations of the government institution. During the reporting period, 4 requests were extended pursuant to paragraph 15 (a) (ii) of the Act.
Exemptions and Exclusions Invoked
The Privacy Act allows institutions to exempt information from being released for a variety of reasons. Among the 7 partially disclosed requests, article 26 [information about another individual] was applied in 6 instances, article 27 [solicitor-client privilege] was applied in 3 instances and article 23(b) [security clearance] was applied in 1 instance.
Format of Information Disclosed
All requests completed in - were disclosed electronically.
Pages Disclosed
The number of pages disclosed can vary considerably from year to year, depending on the subject matter of requests and the number of relevant documents. This fiscal year, there was an increase in number of pages disclosed from 499 in the previous year to 1,202 pages.
The following table illustrates the number of pages disclosed were completed under the Privacy Act during the reporting period of -:
| - | - | - | - | - | |
|---|---|---|---|---|---|
| Number of pages disclosed | 3,081 | 1,536 | 305 | 499 | 1,202 |
Corrections
Paragraph 12(2)(a) of the Privacy Act gives individual the right to request a correction of their personal information held by the federal government. The CSA did not receive any requests for correction in the - reporting period.
Disclosure under Subsection 8(2)
Paragraphs 8(2)(e), (f), (g) and (m) of the Privacy Act permit the disclosure of personal information to various investigative bodies and Members of Parliament, as well as disclosure in the public interest. Additionally, the Privacy Commissioner must be informed of disclosures made under these provisions. During fiscal year -, the CSA disclosed personal information pursuant to paragraph 8(2)(m) in 1 instance.
Consultations Received from Other Federal Institutions
It is uncommon for the CSA to receive consultation requests from other government institutions or organizations relating to personal information. In -, the CSA did not receive any requests for consultation.
Administration Fees and Costs
In the - reporting period, the total cost of administering the Privacy Act was $218,766 for the CSA. Within this amount, 96% of the costs were dedicated to salary expenditures for an amount of $210,780. The cost of goods and services represented 4% ($7,986) for expenses related to a consultant that provided privacy advice and assessments.
Training and Awareness
In addition to managing requests the ATIP Office provides guidance and advice on complying with the Act. This guidance is presented to all CSA employees but also to targeted professional groups such as: Human Resources, Information Technology, Contracting and Procurement, etc. This ensures knowledge of common ATIP principles but also tailored to the mandate of different CSA sectors.
This year the CSA beneficiated from the services of a consultant to deliver privacy awareness training throughout the Agency. More than 301 employees participated in 4 French and 4 English courses which covered the following topics:
- ATIP "by design" creating records and information that respect ATIP principles
- Privacy "Audit" A guide to assessing privacy compliance
- Privacy Breaches
- Privacy Protection 101
- Privacy considerations during the purchase of software
The purpose of these training sessions was to raise awareness concerning the role of employees and their responsibilities as they relate to the handing of personal information and the processing of privacy and access requests.
Information sessions are also available on the general processing of requests at the CSA. This training session covers an overview of procedures and responsibilities during the processing of a request. In -, 1 session was delivered to approximatively 10 individuals.
Policies, Guidelines and Procedures
In the reporting period of -, the ATIP Office created a three-year Privacy Action Plan (-). The purpose of this framework is to guide the advancement of Privacy awareness at the CSA. Within this framework, 5 principles were identified in the Privacy Action Plan and are as follows:
- Program Design and Delivery
- Employee Outreach
- Internal and External Controls
- Risk Management and Compliance
- Management of Privacy Breaches
In each of the 5 principles mentioned above, the CSA ATIP Office identified multiple short, medium, and long-term goals for each principle. In -, the CSA ATIP office worked towards the implementation of medium and long-term goals identified in the Privacy Action Plan. These actions included the following: promoting oversight and accountability, promoting best practices when sharing personal information externally, ongoing general privacy awareness and training, monitor artificial intelligence, awareness on responsibilities as described in the Directives on Privacy Practices developing oversight to ensure privacy requirements are being used effectively, updating the policy on privacy impact assessments, creating an internal directive on monitoring compliance and develop guidance for contracting and procurement. The ATIP Office also published guidance on the recording of meetings and improvement to internal training presentations.
In alignment with the updated Policy on Privacy Protection and the Directive on Privacy Practices, the ATIP Office initiated a comprehensive privacy compliance exercise throughout the Department. This organization-wide assessment will identify areas for improvement and guide necessary actions to ensure compliance with the revised requirements.
Initiatives and Projects to Improve Privacy
The CSA continues to use the ATIP Online Request Service platform managed by the Treasury Board Secretariat to receive requests under the Act.
The ATIP Office currently uses an access to information request management tool which was implemented in -. After obtaining this tool, the ATIP Office was able to benefit from its functions which facilitated the production of reports and follow-up of access to information requests. Through TBS procurement, the ATIP Office is preparing for a new system to be implemented in -. This new system will allow the ATIP Office to implement technological upgrades and innovations that will improve services (for example, automation of administrative tasks). The ATIP Office is currently undergoing a data migration exercise before this new system is fully implemented.
The ATIP Office is also a member of the Access to Information and Privacy Communities Development Office (APCDO) since its inception in -. The APCDO is an initiative led by the TBS with membership open to ATIP offices across the federal public service. The goal of the APCDO is to enhance the capacity of ATIP offices to provide Canadians with access to government information in a timely manner by attracting new talent to ATIP offices and providing ATIP professionals with centralized training and professional development programs. In -, employees of the Department's ATIP Office benefited from attending several APCDO training sessions tailored to the community thereby enhancing knowledge and skills.
Summary of Key Issues and Actions Taken on Complaints
No complaints were received by the CSA in -. Additionally, no applications or appeals were filed with the Federal Court or Federal Court of Appeal during the reporting period.
Material Privacy Breaches
According to the Directive on Privacy Breaches section 6.1.2, in the event of a material privacy breach, institutions are required to notify the Office of the Privacy Commissioner, the TBS and all parties affected. A material privacy breach has the highest risk impact and is defined as involving sensitive personal information and could reasonably be expected to cause serious injury or harm to the individual and/or involves many affected individuals. In -, the CSA did not report any material privacy breaches.
Privacy Impact Assessments
All government institutions that create, sponsor or fund programs, projects or initiatives involving the collection, use or sharing of personal information, are responsible for conducting a Privacy Impact Assessment. TBS Directive on Privacy Impact Assessment supports institutions such as the CSA in this activity. One Privacy Impact Assessment was initiated during the - reporting period on the collection of personal information in the Coordination Events for Mission Launches. A summary of Privacy Impact Assessments can be found at the following link: Privacy Impact Assessments.
Public Interest Disclosures
Section 8(2)(m) of the Privacy Act allows the head of a government institution to disclose personal information without the consent of an individual when public interest clearly outweighs the possible invasion of privacy, or where it is clearly in the best interests of the individual to do so. In –, the CSA disclosed personal information on one occasion under paragraph 8(2)(m) of the Privacy Act to an appropriate authority in a situation involving a potential risk. This disclosure was reported to the Office of the Privacy Commissioner in accordance with subsection 8(5).
Monitoring Compliance
The CSA ATIP Office engages regularly with departmental official at various levels to ensure requests are processed in a timely and efficient manner. Meetings are held regularly with CSA sectors and analysts to ensure that timelines are respected. For all requests, legislative deadlines are tracked through an electronic ATIP request processing system and deadlines are followed-up on a regular basis. The ATIP Office produces weekly reports to monitor performance within the CSA. The weekly reports are sent to the Vice-Presidents, Chief Information Officer, Communications, ISED and other groups who may have interest in the subject matter of the request.
In delivering its mandate, the CSA ATIP Office is involved in many horizontal privacy initiatives and recommendations. The ATIP Office works collaboratively with CSA sectors to ensure that privacy requirements are reflected in contracts, MOUs, and information sharing agreements. The ATIP Office is also focused on the development of tools, guides, and policies to raise awareness, maintain compliance and report on access and privacy processes and procedures.
Conclusion
The CSA ATIP Office continues to implement its mandate to respond to all requests for access to personal information in accordance with the Privacy Act.
Annex A - Delegation Order
Approved in
Canadian Space Agency
Access to Information Act and Privacy Act Delegation Order
The Minister of Industry, pursuant to subsections 95(1) of the Access to Information Act and 73(1) the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers and functions of the Minister as the head of a government institution, under the section of the Acts set out in the schedule opposite each position. This Delegation Order supersedes all previous Delegation Orders
Schedule
| Position | Access to information Act and Regulations | Privacy Act and Regulations |
|---|---|---|
| Chief Information Officer | Full authority | Full authority |
| Coordinator Access to Information and Open Data | Full authority | Full authority |
Dated, at the City of Ottawa
This
François-Philippe Champagne
Minister of Industry