Annual Report to Parliament on the Administration of the Privacy Act 2017-2018

Pursuant to subsection 72(1) of the Privacy Act, this document contains the Annual Report to Parliament on the Administration of the Privacy Act for 2017-2018 as submitted by the Minister of National Defence.

Table of contents

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the fifth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2017 to 31 March 2018.

Mandate of the Communications Security Establishment

In accordance with subsection 273.64(1) of the National Defence Act, CSE has a three-part mandate:

  • To acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
  • To provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
  • To provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

The National Defence Act requires that CSE take appropriate measures to protect Canadians’ privacy. The independent CSE Commissioner reviews those measures to ensure they follow the requirements of the Act.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Policy, Disclosure and Review group in CSE’s Policy and Communications Branch. The Minister of National Defence delegated all authorities under section 73 of the Privacy Act to the Deputy Chief, Policy and Communications; also the CSE ATIP Coordinator and Chief Privacy Officer for CSE, and most authorities to the Director, Disclosure, Policy and Review and to the Manager, Disclosure Management (previous Manager, ATIP). A copy of the Delegation Order setting out the responsibilities under the Act appears in Appendix I of this report.

The protection of privacy is a fundamental part of our organizational culture and remains of paramount importance in all functions across the organization. The ATIP Office includes a manager responsible for seven (7) full-time positions working in two distinct teams: ATIP Operations and Privacy Policy and Governance (PPG). The ATIP Operations team includes one (1) supervisor, two (2) analysts and one (1) support officer. The PPG consists of one (1) supervisor and two (2) analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of legislation.

Specifically, the ATIP Operations team is responsible for the following activities:

  • Processing requests under the Access to Information Act and Privacy Act;
  • Responding to consultation requests from other government institutions;
  • Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
  • Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

  • Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
  • Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
  • Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in privacy protection communities of practice;
  • Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
  • Drafting and implementing privacy-related internal procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Key Activities and Accomplishments

Education and Training

Privacy training at CSE ensures all employees are informed of their responsibilities with regard to the management of personal information in both mission and non-mission related activities. In 2017-2018, the ATIP Office delivered 8 comprehensive privacy awareness training sessions, reaching a total of 170 personnel. CSE’s commitment to the learning and development of its employees will continue with additional sessions in 2018-2019.

Additional privacy educational initiatives in 2017-2018 included promoting privacy awareness through the presentation of Privacy Awareness Week at CSE from May 15, 2017 to May 21, 2017. The Privacy Awareness Week gave the ATIP office the opportunity to further educate employees of their responsibilities with personal information and of the various resources available to them, including the Privacy Policy and Governance Office and Privacy Awareness Training.

Collectively, these efforts have increased awareness across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE’s ATIP Operations Office and Privacy Policy and Governance Office for guidance on CSE privacy policies, procedures, and best practices for personal information management. A number of new initiatives promoting privacy awareness are planned throughout 2018-2019.

Institutional Privacy Policies and Procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy promulgated October 2016. It outlines CSE’s obligations to manage and protect personal information in the course of its corporate functions in accordance with the Privacy Act, its regulations and Treasury Board Secretariat (TBS) policies relating to privacy. The Policy on Privacy Breaches for Non-Mission Related Activities outlines CSE’s obligations in the event of a privacy breach relating to non-mission activities. CSE did not make any changes to the privacy policy suite during the reporting period.

The Privacy Policy and Governance Office implemented Access Pro Case Management as its case management system. This system allows the Privacy Policy and Governance team to create, track and complete ongoing cases including Privacy Needs Analysis (PNA), Privacy Impact Assessment (PIA), Privacy Queries, and other projects.

Most notably, the PPG team revamped its privacy breach documentation to streamline its internal privacy breach investigation process. In 2018-2019, PPG plans to update the PNA form based on CSE client feedback, in order to further enhance CSE’s privacy considerations.

Other Initiatives

Coinciding with Privacy Awareness Week, CSE officially launched the Privacy, Policy and Governance Office website. This website provides CSE employees with information on privacy accountabilities, responsibilities and activities. CSE employees can access important resources and tools via the website to support the development of Privacy Notice Statements, Privacy Needs Analysis, Privacy Impact Assessments, Privacy Breach investigations, Personal Information Banks and to request Privacy Awareness Training.

ATIP Operations implemented an initiative with its Offices of Primary Interest (OPIs) in order to increase efficiency and timeliness in the processing of requests by shifting the initial review of records to the ATIP Office. This initiative will continue to be monitored for effectiveness throughout the next fiscal year.

Privacy Impact Assessments

Privacy Policy and Governance is currently drafting summaries for Privacy Impact Assessment completed to date, with the intention of posting them in 2018-2019.

During the 2017-2018 reporting period, CSE completed one (1) Privacy Impact Assessment pertaining to CERRID2. CERRID2 is CSE’s corporate electronic document repository (EDRMS) for official unclassified and classified documents. CERRID2 allows authorized users to create, save, share, find and protect records through the application of business rules, roles and access-based authentication controls.

In addition to the Privacy Impact Assessments, Privacy Policy and Governance received forty-three (43) Privacy Needs Analyses, and completed forty-two (42), during the 2017-2018 reporting period of activities and systems that CSE is considering to implement to support its programs.

Statistical Report on the Administration of the Privacy Act

Number of Formal Requests

During this reporting period, CSE received 10 requests under the Privacy Act. In addition, five (5) requests outstanding from the previous reporting period were carried over, giving CSE a total of 15 requests to process. This is a decrease from the previous fiscal year, when 23 new requests were received. By the end of 2017-2018, CSE closed eight (8) requests and carried forward seven (7) into 2018-2019.

Disposition of Completed Requests

CSE closed 8 requests during this reporting period. Of these, four (4) were disclosed in part, one (1) resulted in no records and two (2) were abandoned by the applicant. There was also one (1) request where the existence of records was neither confirmed nor denied. This can be attributed to a request for records which, if they exist, would be located in CSE’s exempt personal information bank (CSE PPU 040) which contains records relating to CSE’s foreign intelligence files. No requests were disclosed in full.

Table: Disposition of Completed Requests - Long description follows
Long description - Table: 1
Table: Disposition of Completed Requests
Disposition Number of Requests
2013-2014 2014-2015 2015-2016 2016-2017 2017-2018
Disclosed in part 10 7 7 6 4
All Exempted 8 0 0 0 0
No records exist 39 10 3 8 1
Request abandoned 10 5 5 2 2
Neither confirm nor Deny   2 1 6 1
 

Neither Confirm Nor Deny

Section 16(2) of the Act states that institutions do not have to tell a requester whether a record exists. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities and the safety of individuals, and the possible disclosure of personal information. The application of subsection 16(2) was used on one (1) occasion during the 2017-2018 fiscal year.

Completion Time

During the 2017-2018 Fiscal Year, seven (7) of the completed Privacy Requests were closed within the legislative timeframe. The efficiency of the processing of Privacy Act requests has increased since CSE received its delegation in 2013. In general, the requests received during 2017-2018 were also less complex than those received in previous years.

Table: Completion Time - Long description follows
Long description - Table: 2
Table: Completion Time
Completion Time Number of Requests
2013-2014 2014-2015 2015-2016 2016-2017 2017-2018
Closed within 30 days 52 18 12 22 7
31 to 60 days 5 1 0 0 0
61 to 120 days 9 1 2 0 1
121 to 180 days 1 0 0 0 0
181 to 365 days 0 1 1 0 0
More than 365 days 0 3 1 0 0
 

Exemptions to the Release of Information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Of the four (4) requests that were disclosed in part, section 21 was applied in all cases to protect information which could be reasonably expected to be injurious to the defence of Canada. Section 26 was applied in three (3) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the Time Limit

One (1) extension, based on Section 15 (a)(i) of the Privacy Act relating to interference of operations, was taken on requests under the Privacy Act during the 2017-2018 fiscal year.

Consultations

CSE was consulted on two (2) requests during 2017-2018. These requests, received from another federal government institution, contained a total of 64 pages and were both closed during the reporting period. This number is consistent with consultations that were received in previous reporting periods.

Disclosure of Personal Information Under Paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates.

CSE did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Fees and Costs

Total expenditures to administer the Privacy Act were $358,603. This represents the forecasted increase in expenditures from the previous fiscal year due to the establishment of the Privacy Policy and Governance team.

Complaints, Judicial Review and Audits

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada.

CSE received two (2) complaints during the fiscal year. Two (2) previously-existing complaints were closed. One complaint was settled in the course of investigation, while the other was resolved, but is presently under judicial review in 2017-2018.

CSE’s Audit and Evaluation team continued their audit of CSE’s compliance with the Government of Canada Privacy Act and Privacy Regulations. The audit focuses on CSE’s compliance with the Privacy Act. It assess the extent to which CSE has developed and effectively uses its policy framework and administrative practices, ensuring sufficient governance, controls and risk management processes are in place to protect and manage personal information. The results and recommendations following this audit are expected in 2018-2019.

Monitoring Compliance

Using our case management software, the ATIP Office continued to produce reports on the time taken to process requests. These reports were shared with our ATIP Coordinator throughout the fiscal year. CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis. CSE will continue to focus on improving our timeliness in 2018-2019.

Material Privacy Breaches

There were no material privacy breaches reported during the 2017-2018 fiscal year.

Appendix I: Delegation of Authority

Privacy Act Designation Order

The Minister of National Defence, pursuant to Sections 73 of the Privacy Act hereby designates the person holding the position of Director General, Policy and Communications to exercise the powers and perform the duties and functions of the Minister as head of a government institution under the Act. The Director, Disclosure, Policy and Review, the Manager, Disclosure Management and the Supervisor, ATIP Office will exercise all powers and duties under the Act, with the notable exception of the public interest override provision under paragraph 8(2)(m). The Chief, CSEC and Director General, Policy and Communications have the joint authority to invoke this provision.

The Minister also designates the following:

  • the person holding the position of Supervisor, Access to Information and Privacy, to perform the functions pursuant to the Privacy Act under:
    • section 15 (extensions to legislative deadlines);
    • subsection 8(2) (use and disclosure) with the exception of paragraph 8(2)(m) (disclosures in the public interest)
  • the person holding the position of Supervisor, Access to Information and Privacy, to respond to requests made under the Privacy Act if no records exist.
  • the person holding the position of Supervisor, Access to Information and Privacy, to respond to consultation requests from other government departments regarding documents they are processing under the Privacy Act.

This Designation Order comes into effect on 1 April 2013 and supersedes all previous designation orders.

Dated at Ottawa, Ont this 26th day of March 2013.

Original signed by:
Honourable Peter Mackay, P.C.,M.P.
Minister of National Defence

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2017-04-01 to 2018-03-31

Part 1: Requests Under the Privacy Act
  Number of Requests
Received during reporting period 10
Outstanding from previous reporting period 5
Total 15
Closed during reporting period 8
Carried over to next reporting period 7

Part 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 1 2 0 1 0 0 0 4
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 1 0 0 0 0 0 1
Request abandoned 2 0 0 0 0 0 0 2
Neither confirmed nor denied 0 1 0 0 0 0 0 1
Total 3 4 0 1 0 0 0 8
2.2 Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 4
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 3
27 0
28 0
 
2.3 Exclusions
Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
 
2.4 Format of information released
Disposition Paper Electronic Other formats
All disclosed 0 0 0
Disclosed in part 3 1 0
Total 3 1 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Disposition of requests Number of pages processed Number of pages disclosed Number of requests
All disclosed 0 0 0
Disclosed in part 1514 1097 4
All exempted 0 0 0
All excluded 0 0 0
Request abandoned 0 0 2
Neither confirmed nor denied 0 0 1
Total 1514 1097 7
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less than 100 pages processed 101-500 pages processed 501-1000 pages processed 1001-5000 pages processed More than 5000 pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 1 2 2 510 1 585 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 2 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 1 0 0 0 0 0 0 0 0 0
Total 4 2 2 510 1 585 0 0 0 0
2.5.3 Other complexities
Disposition Consultation required Assessment of fees Legal advice sought Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline
Number of requests closed past the statutory deadline Principal Reason
Workload External consultation Internal consultation Other
4 0 0 0 0
2.6.2 Number of days past deadline
Number of days past deadline Number of requests past deadline where no extension was taken Number of requests past deadline where an extension was taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0
2.7 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0
Part 3: Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0
Part 4: Requests for correction of personal information and notations
Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Part 5: Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of requests where an extension was taken 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation or conversion
Section 70 Other
All disclosed 0 0 0 0
Disclosed in part 1 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
No records exist 0 0 0 0
Request abandoned 0 0 0 0
Total 1 0 0 0
5.2 Length of extensions
Length of extensions 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 1 0 0 0
Total 1 0 0 0

Part 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada institutions Number of pages to review Other organizations Number of pages to review
Received during the reporting period 2 64 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 2 64 0 0
Closed during the reporting period 2 64 0 0
Pending at the end of the reporting period 0 0 0 0
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 2 0 0 0 0 0 2
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 2 0 0 0 0 0 2
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services
Number of days Fewer than 100 pages processed 101-500 pages processed 501-1000 pages processed 1001-5000 pages processed More than 5000 pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 days 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
7.2 Requests with Privy Council Office
Number of days Fewer than 100 pages processed 101-500 pages processed 501-1000 pages processed 1001-5000 pages processed More than 5000 pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 days 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
Part 8: Complaints and Investigations Notices Received
Section 31 Section 33 Section 35 Court action Total
2 0 0 1 3
Part 9: Privacy Impact Assessments (PIAs)
Number of PIA(s) completed 1

Part 10: Resources related to the Privacy Act

10.1 Costs
Expenditures Amount
Salaries $353,949
Overtime $0
Goods and Services $4,654
Professional services contracts $0
Other $4,654
Total $358,603
10.2 Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 3.97
Part-time and casual employees 0.00
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 3.97

Mission

Mission

Discover CSE's impactful mission

Careers

Careers

Join our team and help keep Canadians safe

Culture and community

Culture and community

Learn how we support our employees and our community

Report a problem on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: