Annual Report to Parliament on the Administration of the Privacy Act 2018-2019

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the sixth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2018 to 31 March 2019.

Mandate of the Communications Security Establishment

In accordance with subsection 273.64(1) of the National Defence Act, CSE has a three-part mandate:

1. To acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
2. To provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
3. To provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

The National Defence Act requires that CSE take appropriate measures to protect Canadians’ privacy. The independent CSE Commissioner reviews those measures to ensure they follow the requirements of the Act.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Policy, Disclosure and Review group in CSE’s Policy and Communications Branch. The Minister of National Defence delegated all authorities under section 73 of the Privacy Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, and to the Manager, Disclosures. He also delegated authorities to the Supervisor, Access to Information and Privacy Operations and the Supervisor, Privacy, Policy and Governance. A copy of the Delegation Order setting out the responsibilities under the Act appears in Appendix I of this report.

The protection of privacy is a fundamental part of our organizational culture and remains of paramount importance in all functions across the organization.   The Access to Information and Privacy Office includes a manager responsible for twelve (12) mandated full-time positions working in two distinct teams: ATIP Operations and Privacy Policy and Governance (PPG). At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor, four (4) analysts and one (1) support officer, while the PPG consists of one (1) supervisor and two (2) analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of legislation.

Specifically, the ATIP Operations team is responsible for the following activities:

• Processing requests under the Access to Information Act and Privacy Act;
• Responding to consultation requests from other government institutions;
• Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
• Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
• Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
• Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

• Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
• Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
• Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of associated regulations, policies and guidelines;
• Representing CSE in privacy protection communities of practice;
• Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
• Drafting and implementing privacy-related internal procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Key Activities and Accomplishments

Education and Training

Privacy training at CSE ensures all employees are informed of their responsibilities with regard to the management of personal information in both mission and non-mission related activities. In 2018-2019, the ATIP Office delivered 19 comprehensive privacy awareness training sessions, reaching a total of 499 personnel. CSE’s commitment to the learning and development of its employees will continue with additional sessions in 2019-2020.

Additional privacy educational initiatives in 2018-2019 included promoting privacy awareness through the organization of Privacy Awareness Week at CSE from May 7, 2018 to May 11, 2018. Privacy Awareness Week is an event that provides CSE’s PPG team with the opportunity to educate and raise employee awareness of their responsibilities with regard to personal information and of the various resources available to them, including the Privacy Policy and Governance team and privacy awareness training.

Collectively, these efforts have increased awareness across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE’s ATIP Operations Office and Privacy Policy and Governance team for guidance on CSE privacy policies, procedures, and best practices for personal information management.  A number of new initiatives promoting privacy awareness are planned throughout 2019-2020, including the launch of internal online privacy awareness training

Institutional Privacy Policies and Procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy which outlines CSE’s obligations to manage and protect personal information in the course of its corporate functions in accordance with the Privacy Act, its regulations and Treasury Board Secretariat (TBS) policies relating to privacy. The Policy on Privacy Breaches for Non-Mission Related Activities outlines CSE’s obligations in the event of a privacy breach relating to non-mission activities. CSE did not make any changes to the privacy policy suite during the reporting period.

In 2018-2019, PPG updated the Privacy Needs Analysis form based on CSE client feedback, in order to further streamline CSE’s privacy assessment process in the development of new services and programs.

In addition, CSE was onboarded into the ATIP Online Request Service (AORS) late in FY2018-19, giving CSE the ability to receive requests under section 12(1) directly online from the requestor. The AORS is a centralized website developed by TBS that enables users to complete access to information and privacy requests and submit them to any of the institutions that are subject to the Government of Canada’s Privacy Act.

Other Initiatives

The Privacy Policy and Governance Office internal website provides CSE employees with information on privacy accountabilities, responsibilities and activities. CSE employees can access important resources and tools via the website to support the development of Privacy Notice Statements, Privacy Needs Analysis, Privacy Impact Assessments, Privacy Breach investigations, Personal Information Banks and to request Privacy Awareness Training.

ATIP Operations implemented an initiative with its Offices of Primary Interest (OPIs) in order to increase efficiency and timeliness in the processing of requests by shifting the initial review of records to the ATIP Office. This initiative will continue to be monitored for effectiveness throughout the next fiscal year.

Privacy Impact Assessments

Privacy Policy and Governance is currently drafting summaries for Privacy Impact Assessments completed to date, with the intention of posting them online.

During the 2018-2019 reporting period, CSE continued work on eight (8) Privacy Impact Assessments.

Privacy Policy and Governance received sixty-three (63) new Privacy Needs Analyses during the 2018-2019 reporting period. These analyses allow for the evaluation of activities and systems being considered by CSE in support of its programs from a privacy perspective. During the reporting period, Privacy Policy and Governance completed its review of seventy-three (73) Privacy Needs Analyses that were received over the course of the 2016-2017, 2017-2018 and 2018-2019 reporting periods.

Statistical Report on the Administration of the Privacy Act

Number of Formal Requests

During this reporting period, CSE received 12 requests under section 12(1) the Privacy Act. In addition, seven (7) requests outstanding from the previous reporting period were carried over, giving CSE a total of 19 requests to process. This is an increase from the previous fiscal year, when 10 new requests were received. By the end of 2018-2019, CSE closed eight (8) requests and carried forward eleven (11) into 2019-2020.

Long description - Table: 1

Table: Received Requests

	Number of Received Requests
	2014-2015	2015-2016	2016-2017	2017-2018	2018-2019
Privacy	28	10	23	10	12
Privacy Consultations	2	2	1	2	1

Disposition of Completed Requests

CSE closed 8 requests during this reporting period. Of these, four (4) were disclosed in part, none (0) resulted in no records and two (2) were abandoned by the applicant. There were also two (2) requests where the existence of records was neither confirmed nor denied. This can be attributed to a request for records which, if they exist, would be located in CSE’s exempt personal information bank (CSE PPU 040) which contains records relating to CSE’s foreign intelligence files. No requests were disclosed in full.

Long description - Table: 2

Table: Closed Requests

	Number of Closed Requests
	2014-2015	2015-2016	2016-2017	2017-2018	2018-2019
Privacy	24	16	22	8	8
Privacy Consultations	2	2	1	2	1

Long description - Table: 3

Table: Disposition of Completed Requests

Disposition	Number of Requests
	2014-2015	2015-2016	2016-2017	2017-2018	2018-2019
All disclosed	0	0	0	0	0
Disclosed in part	7	7	6	4	4
All Exempted	0	0	0	0	0
No records exist	10	3	8	1	0
Request abandoned	5	5	2	2	2
Neither confirm nor Deny	2	1	6	1	2

Neither Confirm Nor Deny

Section 16(2) of the Act states that institutions do not have to tell a requester whether a record exists. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities and the safety of individuals, and the possible disclosure of personal information. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. The application of subsection 16(2) was used on two (2) occasions during the 2018-2019 fiscal year.

Completion Time

During the 2018-2019 Fiscal Year, six (6) of the completed Privacy Requests were closed within the legislative timeframe. The efficiency of the processing of Privacy Act requests remains consistent since CSE received its delegation in 2013. In general, due to the sensitivity of the information and the volume of records, the requests received during 2018-2019 were more complex than those received in previous years.

Long description - Table: 4

Table: Completion Time

Completion Time	Number of Requests
	2014-2015	2015-2016	2016-2017	2017-2018	2018-2019
Closed within 30 days	18	12	22	7	6
31 to 60 days	1	0	0	0	1
61 to 120 days	1	2	0	1	0
121 to 180 days	0	0	0	0	0
181 to 365 days	1	1	0	0	1
More than 365 days	3	1	0	0	0

Exemptions to the Release of Information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Of the four (4) requests that were disclosed in part, section 21 was applied in all cases to protect information which could be reasonably expected to be injurious to the defence of Canada. Section 26 was applied in two (2) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the Time Limit

One (1) extension, based on Section 15 (a)(i) of the Privacy Act relating to interference of operations, was taken on requests under the Privacy Act during the 2018-2019 fiscal year.

Consultations

CSE was consulted on one (1) request during 2018-2019. This request was received from another federal government institution, contained a total of 2 pages and was closed during the reporting period. This number is consistent with consultations that were received in previous reporting periods.

Disclosure of Personal Information Under Paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates.

CSE did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Fees and Costs

Total expenditures to administer the Privacy Act were $388,678. This represents an increase in expenditures from the previous fiscal year due to an expansion of the Privacy Policy and Governance team.

Complaints, Judicial Review and Audits

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada.

CSE received two (2) complaints during the fiscal year. One (1) privacy request carried over from 2017-2018 continued to be under judicial review in 2018-2019. No complaints were closed during the reporting period.

Moreover, CSE’s Audit and Evaluation team completed its Privacy Audit in 2018-2019 of CSE’s compliance with the Privacy Act. The audit assessed the extent to which CSE had developed and effectively used its policy framework and administrative practices, ensuring sufficient governance, controls and risk management processes are in place to protect and manage personal information.

The audit concluded that CSE has made good progress in establishing and operating an independent administration of the Privacy Act, and that CSE has established a governance framework that is well positioned to oversee administrative privacy at CSE. The audit provided six recommendations to further strengthen CSE’s framework in the administration of the Act. The recommendations following this audit are being implemented.

Monitoring Compliance

Using our case management software, the ATIP Office continued to produce reports on the time taken to process requests. These reports were shared with our ATIP Coordinator throughout the fiscal year. CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis. CSE will continue to focus on improving our timeliness in 2019-2020.

Material Privacy Breaches

CSE identified one (1) administrative privacy breach to report during the 2018-2019 reporting period that meets the material privacy breach criteria outlined in TBS’s Guidelines for Privacy Breaches. This breach involved an inadvertent incident of mailing sensitive information to the wrong recipient and was addressed by CSE, and subsequently reported to TBS and the Office of the Privacy Commissioner as required.

Appendix I: Delegation of Authority

Communications Security Establishment

Privacy Act Delegation Order

The Minister of National Defense, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister of National Defense as the head of the Communications Security Establishment, under the provisions of the Act and related regulations set out below for each position.

• Chief, Communications Security Establishment: joint authority under paragraph 8(2) (m) (public interest disclosure) with the Deputy Chief, Policy and Communications.
• Deputy Chief, Policy and Communication: full authority, except joint authority under paragraph 8(2) (m) (public interest disclosure) with the Chief, Communications Security Establishment.
• Director General, Policy. Disclosure and Review: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Director, Disclosures, and Information Sharing: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Manager, Disclosures: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Supervisor, Access to Information and Privacy Operations: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure), subsection I 4(a) only when no records exist (notice) and section IS (extension of time limits).
• Supervisor, Privacy, Policy and Governance: subsection 8(2) (use and disclosure) except for paragraph 8(2) (m) (public interest disclosure)
• Manager, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.
• Counsellor, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.

This delegation order replaces all previous delegation orders.

Dated at Ottawa this 26 day of April 2018

The Hon. Harijit S. Saijan. PC. OMM, MSM. CD. MP

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2018-04-01 to 2019-03-31

Part 2: Requests Closed During the Reporting Period

2.5 Complexity

2.6 Deemed refusals

Part 5: Extensions

Part 6: Consultations Received From Other Institutions and Organizations

Part 7: Completion Time of Consultations on Cabinet Confidences

Part 10: Resources related to the Privacy Act