Annual Report to Parliament on the Administration of the Privacy Act 2021-2022

Table of contents

• Introduction
  • Purpose of the Privacy Act
  • Mandate of Fisheries and Oceans Canada
• Organizational structure
  • Departmental organization
  • Access to Information and Privacy Secretariat
• Delegation Order
• Highlights of the statistical report, 2021-22
  • Overview of 2021-22 requests under the Privacy Act
  • Requests closed during the reporting period
    • Disposition and completion time
    • Exemptions and exclusions
    • Format of information released
    • Complexity
    • Deemed refusals
    • Extensions
    • Reasons for extensions and disposition of requests
    • Impact of COVID-19 on the administration of the Privacy Act
  • Consultations
    • Consultations received from other institutions and organizations
    • Disclosures to federal investigative bodies
    • Public interest disclosures
    • Other requests
• Training and awareness
• Policies, guidelines, procedures and initiatives
  • Digital strategy
• Summary of key issues and actions taken on complaints or audits
• Monitoring compliance
• Material privacy breaches
• Privacy impact assessments
• Appendix A: Delegation Order
• Appendix B: 2021-22 statistical report on the Privacy Act

Introduction

Purpose of the Privacy Act

The Privacy Act (Act) came into effect on July 1, 1983. The Act protects individuals' personal information that is held by government institutions, and provides these individuals with a right of access to this information. In addition, the Privacy Act gives individuals rights over the collection, use and disclosure of their personal information.

Section 72 of the Privacy Act requires that the head of every government institution prepare and submit an annual report to Parliament, that details the administration of the Act within the institution for each fiscal year.

This annual report describes how Fisheries and Oceans Canada (DFO) administered the Privacy Act from April 1, 2021, to March 31, 2022.

Mandate of Fisheries and Oceans Canada

DFO is responsible for safeguarding Canadian waters and managing Canada's fisheries and oceans resources. DFO helps to ensure healthy and sustainable aquatic ecosystems through habitat protection and sound science. DFO supports economic growth in the marine and fisheries sectors, and innovation in areas such as aquaculture and biotechnology. DFO is committed to working with fishers, coastal, and Indigenous communities to enable their continued prosperity from fish and seafood.

The Canadian Coast Guard (CCG), is a special operating agency of DFO that works to ensure the safety of mariners in Canadian waters and protect Canada’s marine environment. It supports Canada’s economic growth through the safe and efficient movement of maritime trade. CCG helps to ensure our country’s sovereignty and security through its presence in Canadian waters. The CCG also supports other government organizations by providing a civilian fleet and a broadly distributed shore-based infrastructure.

Organizational structure

Departmental organization

DFO has a presence across Canada, with the majority of employees working outside the national headquarters in one of the seven DFO regions or four CCG operational regions. National objectives, policies, procedures, and standards for DFO and CCG are established at national headquarters in Ottawa. Regions are responsible for delivering programs and activities according to national and regional priorities and within national performance parameters.

Access to information and Privacy Secretariat

The Access to Information and Privacy (ATIP) Director reported to the Assistant Deputy Minister, Human Resources and Corporate Services during the reporting period. However, effective April 1, 2022, the Director of ATIP reports to the Director General, Public Affairs Directorate.

The ATIP Director is accountable for the development, coordination and implementation of effective ATIP-related policies, guidelines, systems and procedures. This accountability ensures that DFO’s responsibilities under the Access to Information Act and Privacy Act are met, and enables appropriate processing and proper disclosure of information.

The ATIP Secretariat is divided along two business lines according to their main functions and the business lines are managed by Deputy Directors. One business line is responsible for processing requests under the Act; the other is responsible for all other activities related to the administration of the Act at DFO.

The Operations Division is responsible for processing requests and providing issues management and is supported by:

• An Intake Unit, which oversees all incoming requests and liaises with requesters, programs and regions;
• An Administrative Support Group, which handles scanning/uploading records, file management and quality control; and
• A team of analysts and consultants, which is responsible for the overall processing of requests.

The Policy and Privacy Division (PPD) is responsible for many of the remaining responsibilities related to the administration of the Act. PPD acts as the Policy Centre for the Secretariat and provides advice to departmental officials on complex access to information matters, updates DFO’s Info Source chapter, investigates and responds to suspected privacy breach incidents, provides guidance to and assists program areas in conducting privacy impact assessments, oversees DFO’s disclosures under subsection 8(2) of the Privacy Act, oversees proactive disclosures of information including requirements under Part 2 of the ATIA, advises senior management on changes related to the Act and relevant Treasury Board of Canada Secretariat (TBS) policies, and liaises with the wider ATIP community.

PPD is also responsible for tracking departmental performance, supporting the Operations Division with staffing processes, hiring contracted resources, maintaining case management technology, leading strategic projects to improve the overall delivery of the ATIP program, and coordinating access to information training to ensure the ongoing sound application of the Act.

The ATIP Secretariat works with a network of ATIP contacts from each region and sector who act as liaisons for their respective programs within the Department.

In total, throughout the course of this reporting period, the ATIP Secretariat employed 9.81 full-time employees devoted to Privacy Act activities; this includes full-time employees, consultants, agency personnel, casual employees and students.

Delegation order

Responsibility for the administration of the Privacy Act at DFO is delegated from the Minister to the Director and Deputy Directors of the ATIP Secretariat. A copy of the Delegation Order is included as Appendix A.

Highlights of the statistical report, 2021-22

The Statistical Report on the Privacy Act is prepared by government institutions to assist TBS to analyze trends and exercise oversight.

DFO’s complete 2021-22 Statistical Report on the Privacy Act is found at Appendix B. Previous years’ statistical reports can be obtained from the ATIP Secretariat upon request.

Overview of 2021-22 requests under the Privacy Act

The analysis in this section compares data found in DFO’s 2021-22 Statistical Report on the Privacy Act with data from 2019-20 to produce a three-year trend analysis.

In 2021-22, DFO received 93 requests under the Privacy Act and had 23 requests outstanding from previous reporting periods. Of these 116 requests, DFO completed 99 and carried forward 17 into the next reporting period.

As shown in Table 1 below, DFO received 16% more requests under the Privacy Act compared to the previous reporting period. Compliance for 2021-22 remains positive; 2021-22 figures show that 82.8 % of privacy files were closed on or before their statutory or extended deadline.

The following table illustrates fluctuations in workload over the past three years.

Requests closed during the reporting period

Disposition and completion time

Section 14 of the Act requires institutions to provide a response to the requester within 30 days of receipt of the request, or to notify the requester that an extension is required. Of the 99 requests completed during the reporting period, 56 requests (57%) were completed within 30 days, 26 requests (26%) were completed in 31 to 60 days, four requests (4%) were completed in 61 to 120 days, three requests (3%) were completed in 121 to 180 days, 10 requests (10%) were completed in 181 to 365 days, and no requests required more than 365 days to process.

The 99 requests completed by DFO in 2021-22 were finalized in the following manner:

• All disclosed – for nine requests (9%), all relevant information was released in full to the requester;
• Disclosed in part – for 53 requests (54%), requesters were granted partial access to information;
• No records exist – for 29 requests (29%), no relevant records existed under the control of DFO; and
• Request abandoned – for eight requests (8%), the requester abandoned their request.
• No request was processed where all relevant information was exempted, excluded or where DFO could neither confirm nor deny the existence of the requested information.

As shown in Table 2, DFO carried over 17 outstanding requests to the next reporting period. Table 2 provides an overview of these requests according to the reporting period in which they were received. The majority (76.5%) of the outstanding requests carried forward into the 2022-23 were received during the 2021-22 reporting period.

Exemptions and exclusions

Exemptions are provisions of the Act that allow or require the heads of federal government institutions to withhold information requested under the legislation. For requests completed during the reporting period, DFO invoked exemptions pursuant to paragraphs, 22(1)(b) as well as sections 25 and 26 of the Privacy Act. As was the case in 2019-20 and 2020-21.

In 2021-22, section 26 was the most frequently invoked provision. It was cited in 49 requests, and was used to protect personal information about individuals other than the requester.

The following table shows the three most commonly invoked exemptions by DFO in 2021-22.

Exclusions are provisions of the Act that remove certain records from the application of the legislation. Records excluded from the requirements of the Act include published material and confidences of the Queen’s Privy Council (Cabinet Confidences) pursuant to sections 69 and 70, respectively. In 2021-2022 there were no requests for which records were excluded from the application of the Act.

Format of information released

When requests are complete, requesters may receive the information in paper or electronic formats, or they may view the records at a DFO office. During the reporting period, access to relevant documents was given, in whole or in part, for 85 requests. The information was released in paper format for 39 of these requests (45.9%) and electronically for 46 requests (54.1%).

Complexity

In 2021-22, the ATIP Secretariat processed a total of 28,429 relevant pages. Of the pages processed, 14,878 pages (52%) were disclosed in whole or in part.

Of the 99 requests closed during the reporting period 70 of them had relevant records to process. Of the 70 requests completed during the reporting period, 29 requests (41.4%) required the processing of fewer than 100 relevant pages, 22 requests (31.4%) had 101-500 pages, 11 requests (15.7%) had 501-1,000 pages, eight requests (11.4%) had 1,001-5,000 pages, and there were no requests that had more than 5,000 pages.

Deemed refusals

During the 2021-22 reporting period, the ATIP Secretariat closed 17 requests (17%) past the legislated timeline.

The principal reason for delay in the requests closed past the statutory deadline is related to interference with operations/workload.

Extensions

Section 15 of the Act provides for the extension of statutory time limits if processing a request within the original time limit would unreasonably interfere with the Department’s operations, if consultations are necessary, if additional time is necessary for translation purposes, or for converting the personal information into an alternative format.

Reasons for extensions and disposition of requests

During the reporting period, 31 extensions were taken for the following reasons:

• Under subparagraph 15(a)(i), 26 extensions were taken because processing the request within the original time limit would unreasonably interfere with the operations of DFO; and
• Under subparagraph 15(a)(ii), five extensions were taken for consultations.

All extensions taken were for a period of 1 to 30 days beyond the initial 30 days statutory deadline.

Impact of COVID-19 on the administration of the Privacy Act

COVID-19 continued to challenge institutions throughout the reporting period. The right of access is a quasi-constitutional right, however, the processing of ATIP requests is not considered a critical service for the purpose of business continuity planning. Despite this, DFO remained committed to providing uninterrupted services to Canadians.

The solutions developed and implemented through leveraging new tools and applications allowed DFO to mitigate technical gaps and operational barriers to ensure continuity in the processing requests pursuant to the under that Access to Information Act and the Privacy Act throughout the COVID-19 pandemic period. These solutions represent the department’s resilience, ability to remain agile, develop and adopt innovative solutions, and be equipped to overcome barriers that would otherwise have impeded on DFO’s excellent record in delivering results.

Consultations

Consultations received from other institutions and organizations

When other institutions and organizations retrieve information that concerns or originates from DFO in response to Privacy Act requests, they may consult the DFO ATIP Secretariat for recommendations on disclosure. Other institutions are defined as federal institutions subject to the Privacy Act. Organizations include the governments of the provinces, territories and municipalities, and of other countries.

In 2021-22, DFO did not receive any consultation requests from other Government of Canada institutions nor from other organizations.

Disclosures to federal investigative bodies

Subsection 8(2) of the Privacy Act describes certain instances in which personal information under the control of a federal government institution may be disclosed without the consent of the individual to whom the information relates.

Paragraph 8(2)(e) allows institutions to disclose personal information to a federal investigative body specified in Schedule II of the Privacy Regulations on the written request of the body for the purpose of enforcing any law of Canada or any province or carrying out a lawful investigation.

In 2021-22, DFO made three disclosures pursuant to paragraph 8(2)(e).

Public interest disclosures

Subsection 8(2) of the Privacy Act describes certain instances in which personal information under the control of a federal government institution may be disclosed without the consent of the individual to whom the information relates.

Paragraph 8(2)(m) allows institutions to disclose personal information in circumstances where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where disclosure would clearly benefit the individual to whom the information relates.

In 2021-22, DFO made no disclosures under paragraph 8(2)(m).

Other requests

In addition to processing requests under the Act, developing policy tools, and delivering training, the ATIP Secretariat engages in a significant amount of activities related to the administration of the Privacy Act. These activities include:

• working with departmental programs to mitigate privacy risks;
• managing and investigating potential privacy breaches;
• overseeing disclosures pursuant to subsection 8(2) of the Act;
• reviewing investigation reports for privacy considerations;
• providing advice and guidance to departmental officials on privacy impact assessments, privacy notice statements, information sharing agreements and contracts that include the sharing of personal information; and
• releasing information outside of the formal request process under the Act, where appropriate.

Table 4 below illustrates the workload associated with administering the Privacy Act apart from formal privacy requests.

During this reporting period, the ATIP Secretariat saw an increase in the number of requests for advice and privacy risk related assessments on various issues relating to access to information and privacy protection. ATIP also completed investigations about incidents of potential privacy breaches and reviewed investigation reports prior to disclosures to involved parties.

A possible reason for the increase in requests for advice and privacy related analysis is that the ATIP Secretariat’s increased overall departmental awareness about the shared responsibility for protecting personal information, including when making disclosures under subsection 8(2) of the Privacy Act.

Training and awareness

As per the requirements of the DFO Privacy Policy, employees and managers at all levels must take privacy training at least once every five years. In support of this policy, DFO promotes awareness of federal access to information and privacy legislation and the corresponding responsibilities of DFO employees through ongoing training delivery, a quarterly newsletter, informative articles and awareness events.

The ATIP Secretariat increased the frequency of its training offerings to employees and executives while continuing to offer ad-hoc training tailored to programs’ needs. The ATIP Secretariat successfully implemented a predictable training schedule approach to deliver training to all DFO and CCG sectors and regions within a 12-month cycle.

Training and awareness content was also updated to enhance participants’ learning experience in a virtual environment through the use of various interactive tools. Virtual training also allowed DFO to engage an increased number officials across the Department. During the 2021-22 reporting period, 3070 participants received ATIP training through the sessions offered by the ATIP Secretariat. These sessions focused on processing access to information requests; managing and reporting privacy breaches; and protecting and managing personal information.

DFO also continued its efforts to promote the Canada School of Public Service (CSPS) to DFO employees in 2021-22. During this reporting period, 679 participants completed CSPS ATIP-related training courses. Table 5 highlights all ATIP-related training activities undertaken during the reporting period.

The ATIP Secretariat continued to provide awareness to DFO and CCG employees regarding diverse ATIP-related information through a quarterly newsletter. In addition, DFO published various articles to provide employees with information and guidance about privacy and protection principles as well as about ATIP processes and best practices. Events were also organized throughout the year for specific awareness campaigns such as Data Privacy Day, Privacy Awareness Week, and Right to Know Week. 

Additionally the ATIP Secretariat continued to engage ATIP contacts across the Department through monthly meetings. These meetings served as an additional forum to share new information and guidance to ATIP contacts about the overall records retrieval process, responsibilities and expectations, and opportunities for improvements within the department.

Policies, guidelines, procedures and initiatives

The ATIP Secretariat continues to revise DFO’s ATIP policy suite where appropriate. The suite of policy tools was developed to help DFO employees understand their responsibilities with regards to the protection of personal information. Included in the policy suite are DFO’s Privacy Policy, Directive on Privacy Practices, the Standard on Privacy Breaches, the Standard on Permissible Disclosures of Personal Information and related tools such as Guidelines for the Informal Release of Information, the Privacy Impact Assessment: Needs Analysis, the Privacy Notice Template and privacy breach reporting forms.

Digital strategy

Over the reporting period, the ATIP Secretariat continued to expand upon its Digital Strategy that was initiated in the 2019-2020 reporting period. The Secretariat’s implementation of digital solutions, such as epost Connect, WeTransfer as well as GCdocs resulted in the department continuing to meet its legislative obligations for providing responsive records to requesters while reducing the departmental carbon footprint.

With an unprecedented number of employees working remotely, the digital strategy ensured that reasonable efforts were made to process and respond to ATIP requests. This strategy fostered a strong on-time compliance rate throughout the COVID-19 pandemic period while committing to making the health and safety of employees and the community a priority.

Summary of key issues and actions taken on complaints or audits

The Privacy Commissioner review any complaints resulting from a refusal by the head of a government institution to disclose personal information. DFO reviews the outcomes of each Privacy Commissioner investigation and audit. Where appropriate, DFO incorporates lessons learned into business processes.

In 2021-22 DFO actioned 32 complaints and investigations related notices from the Office of the Privacy Commissioner. However, there were no complaints outstanding with the Privacy Commissioner of Canada from previous reporting periods.

Monitoring compliance

DFO makes every effort to meet statutory deadlines and actively monitors the time taken to process access to information requests. Monitoring begins as soon as a request is received by the DFO ATIP Secretariat, entered into the case management system and assigned to an analyst. All requests, including requests for consultations and requests for informal advice or review of records, are entered into the case management system for tracking. This electronic tracking of deadlines is essential, as analysts work on numerous requests, each with multiple actions with specific deadlines, at any given time. Analysts meet with their respective team leaders on a weekly basis to identify issues with requests that might result in delays. Issues are raised with the ATIP management team, if necessary. The Director and Deputy Directors of the ATIP Secretariat get involved in files where they can use their authority as the Minister’s delegates under the Access to Information Act and the Privacy Act to promote compliance with deadlines and deliverables.

The department also proactively discloses records including to meet statutory proactive publication requirements under Part 2 of the Access to Information Act. The ATIP program reviews all records before disclosures are made to ensure that information disclosed is in accordance with the Access to Information Act and Privacy Act.

During this reporting period, DFO proactively published certain information including titles and tracking numbers of briefing notes, briefing packages for Parliamentary Committee appearances, and Question Period notes in accordance with Part 2 of the Access to Information Act. The department maintained a 100% compliance with proactive disclosure requirements under the ATIA. A cornerstone to this success can be attributed to DFO's Framework on Proactive Disclosures that was developed and implemented in 2019.

Material privacy breaches

A privacy breach is defined by the Office of the Privacy Commissioner as the loss of, unauthorized access to, or disclosure of, personal information. A material privacy breach is defined by TBS as involving sensitive information that could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.

During the reporting period, no privacy breaches were reported to the DFO ATIP Secretariat that were deemed to be material.

Privacy impact assessments

To fulfill its mandate, many of DFO’s activities require the collection, use and disclosure of personal information. In accordance with TBS policies and directives, DFO uses Privacy Impact Assessments (PIAs) as a risk management tool to determine whether privacy risks are present in new or substantially modified departmental programs, initiatives or projects that collect, use and retain personal information.

During the reporting period, three initiatives were assessed to evaluate whether a PIA was required in accordance with the TBS Directive on Privacy Impact Assessment. However, no PIAs were completed.

Appendix A: Delegation order

Appendix B: 2021-22 statistical report on the Privacy Act

Section 1: Requests under the Privacy Act

1.1  Number of requests received

1.2  Channels of requests

Section 2: Informal requests

2.1 Number of informal requests

2.2  Channels of informal requests

2.3 Completion time of informal requests

2.4 Pages released informally

Section 3: Requests closed during the reporting period

3.1 Disposition and completion time

3.2 Exemptions

3.3 Exclusions

3.4 Format of information released

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests

3.5.3 Relevant minutes processed and disclosed for audio formats

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

3.5.5 Relevant minutes processed and disclosed for video formats

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

3.5.7 Other complexities

3.6 Closed requests

3.6.1 Number of requests closed within the statutory time limits

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

3.7.2 Request closed beyond legislated timelines (including any extension taken)

3.8 Requests for translation

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for correction of personal information and notations

Section 6: Extensions

6.1 Reasons for extensions

6.2 Length of extensions

Section 7: Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Section 8: Completion time of consultations on Cabinet confidences

8.1 Requests with Legal Services

8.2 Requests with Privy Council Office

Section 9: Complaints and investigations notices received

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

10.2 Institution-specific and Central Personal Information Banks

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported

11.2 Non-Material Privacy Breaches

Section 12: Resources related to the Privacy Act

12.1 Allocated costs

12.2 Human resources

Note: Enter values to three decimal places.