Annual Report to Parliament on the Administration of the Privacy Act 2019-2020

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the seventh annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2019 to 31 March 2020.

Mandate of the Communications Security Establishment

On August 1^st, 2019 the Communications Security Establishment Act (CSE Act) entered into force as part of Bill C-59 (An Act respecting national security matters). The CSE Act sets out the five aspects of CSE’s mandate:

• helping to protect and defend Canada’s most important cyber systems;
• acquiring foreign intelligence in support of the Government of Canada’s intelligence priorities;
• conducting defensive foreign cyber operations;
• conducting active foreign cyber operations; and
• assisting federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence to carry out their lawful mandates.

The CSE Act provides CSE with a modern set of authorities and also enhances the accountability framework with new oversight and review functions.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Policy, Disclosure and Review group in CSE’s Policy and Communications Branch. The Minister of National Defence delegated all authorities under section 73 of the Privacy Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, and to the Manager, Disclosures. He also delegated authorities to the Supervisor, Access to Information and Privacy Operations and the Supervisor, Privacy, Policy and Governance. A copy of the Delegation Order setting out the responsibilities under the Act appears in Appendix I of this report.

The protection of privacy is a fundamental part of our organizational culture and remains of paramount importance in all functions across the organization. The Access to Information and Privacy Office includes a manager responsible for twelve (12) mandated full-time positions working in two distinct teams: ATIP Operations and, Privacy Policy and Governance. At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor, and seven (7) analysts, while the Privacy Policy and Governance team consisted of one (1) supervisor and three (3) analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of the Access to Information Act and Privacy Act.

Specifically, the ATIP Operations team is responsible for the following activities:

• Processing requests under the Access to Information Act and Privacy Act;
• Responding to consultation requests from other government institutions;
• Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
• Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
• Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
• Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

• Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
• Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
• Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of associated regulations, policies and guidelines;
• Representing CSE in privacy protection communities of practice;
• Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
• Drafting and implementing privacy-related policies, internal procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Key Activities and Accomplishments

Education and Training

CSE continues its commitment to the learning and development of its employees, and provides comprehensive privacy awareness training sessions to ensure all employees are up to date on their responsibilities with regard to the management of personal information in both mission and non-mission related activities. These training sessions were delivered to specific audience groups such as operational units, new staff and coop students on a regular and ad hoc basis, reaching 201 employees. This year, CSE also deployed an online privacy awareness training module to improve the availability of the training to its employees which was completed by an additional 103 employees.

Additional privacy educational initiatives in 2019-2020 included promoting privacy awareness through the organization of Privacy Awareness Week at CSE from May 27, 2019 to May 31, 2019. Privacy Awareness Week is an event that provides CSE’s Privacy Policy and Governance team with the opportunity to educate and raise employee awareness of their responsibilities with regard to personal information and of the various resources available to them, including the Privacy Policy and Governance team and privacy awareness training.

Collectively, these efforts provided opportunities to showcase privacy across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE’s ATIP Operations Office and Privacy Policy and Governance team for guidance on CSE privacy policies, procedures, and best practices for personal information management.  

Institutional Privacy Policies and Procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy which outlines CSE’s obligations to manage and protect personal information in the course of its corporate functions in accordance with the Privacy Act, its regulations and Treasury Board Secretariat (TBS) policies relating to privacy. The Policy on Privacy Breaches for Non-Mission Related Activities outlines CSE’s obligations in the event of a privacy breach relating to non-mission activities. CSE did not make any changes to the privacy policy suite during the reporting period.

In 2019-2020, the Privacy Policy and Governance team updated the Privacy Needs Analysis form based on CSE client feedback, to further streamline CSE’s privacy compliance assessment process in the development of new services and programs.  The Privacy Needs Assessment form examines how a program or activity may affect the privacy of an individual and helps identify appropriate measures to mitigate the impact where necessary.

In addition, CSE was onboarded into the ATIP Online Request Service (AORS) late in FY2018-19, giving CSE the ability to receive requests under section 12(1) directly online from the requestor. The AORS is a centralized website developed by TBS that enables users to complete access to information and privacy requests and submit them to any of the institutions that are subject to the Government of Canada’s Privacy Act. The current reporting period includes the first full year CSE has accepted the requests through AORS system. CSE received twenty (20) requests in this manner, representing 56% of the total requests received.

Other Initiatives

The Privacy Policy and Governance internal website provides CSE employees with information on privacy accountabilities, responsibilities and activities. CSE employees can access important resources and tools via the website to support the development of Privacy Notice Statements, Privacy Needs Analysis, Privacy Impact Assessments, Privacy Breach investigations, Personal Information Banks and to request Privacy Awareness Training.

In 2019-2020, the ATIP Operations team continued to streamline its procedures through an initiative with its Offices of Primary Interest (OPIs) to increase efficiency and timeliness in the processing of requests by maintaining the initial review of records by the ATIP Office. This initiative will continue to be monitored while exploring new opportunities for increased efficiency.

Privacy Impact Assessments

During the 2019-2020 reporting period, CSE completed two (2) Privacy Impact Assessments and continued work on four (4). Privacy Policy and Governance is currently drafting summaries for Privacy Impact Assessments completed to date, with the intention of posting unclassified summaries of them online.

Statistical Report on the Administration of the Privacy Act

Number of Formal Requests

During this reporting period, CSE received 36 requests under section 12(1) the Privacy Act. In addition, eleven (11) requests outstanding from the previous reporting period were carried over, giving CSE a total of 47 requests to process. This is a significant increase from the previous fiscal year when 12 new requests were received, although it seems this is simply year-to-year fluctuation. By the end of 2019-2020, CSE closed 28 requests and carried forward 19 into 2020-2021.

Long description - Table: 1

Table: Received Requests

	Number of Received Requests
	2015-2016	2016-2017	2017-2018	2018-2019	2019-2020
Privacy	10	23	10	12	36
Privacy Consultations	2	1	2	1	1

Disposition of Completed Requests

CSE closed 28 requests during this reporting period. Of these, 17 were disclosed in part, one (1) was fully exempted, two (2) resulted in no records and three (3) were abandoned by the applicant. There were also five (5) requests where the existence of records was neither confirmed nor denied. This can be attributed to requests for records which, if they exist, would be located in CSE’s exempt personal information bank (CSE PPU 040) which contains records relating to CSE’s foreign intelligence files. No requests were disclosed in full.

Long description - Table: 2

Table: Closed Requests

	Number of Closed Requests
	2015-2016	2016-2017	2017-2018	2018-2019	2019-2020
Privacy	16	22	8	8	28
Privacy Consultations	2	1	2	1	1

Long description - Table: 3

Table: Disposition of Completed Requests

Disposition	Number of Requests
	2015-2016	2016-2017	2017-2018	2018-2019	2019-2020
All disclosed	0%	0%	0%	0%	0%
Disclosed in part	44%	27%	50%	50%	61%
All Exempted	0%	0%	0%	0%	4%
All Excluded	0%	0%	0%	0%	0%
No records exist	19%	36%	13%	0%	7%
Request abandoned	31%	9%	25%	25%	11%
Neither confirm nor Deny	6%	27%	13%	25%	18%

Neither Confirm Nor Deny

Section 16(2) of the Act states that institutions do not have to tell a requester whether a record exists. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities and the safety of individuals, and the possible disclosure of personal information. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. The application of subsection 16(2) was used on five (5) occasions during the 2019-2020 fiscal year.

Completion Time

During the 2019-2020 fiscal year, 14 of the completed Privacy Requests were closed within the 30 day legislative timeframe. In general, the requests received during 2019-2020 involved information of a more sensitive nature and encompassed a greater volume of records than requests received in previous years, resulting in greater complexity in fulfilling them. CSE processed a total of 5,845 pages in 2019-2020 compared to 1,355 pages in the previous reporting period. Although the proportion of requests closed within legislative timelines decreased, the number of requests closed has increased to 28 from 8 in 2018-2019.

Long description - Table: 4

Table: Completion Time

Completion Time	Number of Requests
	2015-2016	2016-2017	2017-2018	2018-2018	2018-2020
Closed within 30 days	75%	100%	88%	75%	50%
31 to 60 days	0%	0%	0%	13%	18%
61 to 120 days	13%	0%	13%	0%	14%
121 to 180 days	0%	0%	0%	0%	18%
181 to 365 days	6%	0%	0%	13%	0%
More than 365 days	6%	0%	0%	0%	0%

Exemptions to the Release of Information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Of the 17 requests that were disclosed in part, section 21 was applied in all cases to protect information which could be reasonably expected to be injurious to the defence of Canada. Section 26 was applied in 16 requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the Time Limit

Two (2) extensions, based on Section 15 (a)(i) of the Privacy Act relating to interference of operations, was taken on requests under the Privacy Act during the 2019-2020 fiscal year. Extensions were taken on two (2) additional requests under Section 15(a)(ii) due to the need for external consultations.

Consultations

CSE was consulted on one (1) request during 2019-2020. This request was received from another federal government institution, contained a total of 3 pages and was closed during the reporting period. This number is consistent with consultations that were received in previous reporting periods.

COVID-19

CSE was impacted by COVID-19 during the reporting period and transitioned its activities to a work-from-home posture. While the Privacy Policy and Governance Team continued to provide policy guidance, support and advice to CSE during the work-from-home posture, the ATIP Operations team experienced significant challenges to continue regular operations from March 13, 2020 to March 31, 2020 due to the inability to access classified information responsive to requests. CSE is examining ways in which to modify its processes to further enable analysts to perform some of their duties remotely as needed in 2020-2021.

Disclosure of Personal Information Under Paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates.

CSE did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Fees and Costs

Total expenditures to administer the Privacy Act were $528,105. This represents an increase in expenditures from the previous fiscal year due to an expansion of the Privacy Policy and Governance team.

Complaints, Judicial Review and Audits

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada.

CSE received two (2) complaints during the fiscal year. One (1) privacy request carried over from 2017-2018 continued to be under judicial review in 2019-2020. No complaints were closed during the reporting period.

Monitoring Compliance

Using our case management software, the ATIP Office continued to produce reports on the time taken to process requests.  These reports were shared with our ATIP Coordinator throughout the fiscal year.  CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis.

Material Privacy Breaches

There were no material privacy breaches reported during the 2019-2020 fiscal year.

Appendix I: Delegation of Authority

Communications Security Establishment

Privacy Act Delegation Order

The Minister of National Defense, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister of National Defense as the head of the Communications Security Establishment, under the provisions of the Act and related regulations set out below for each position.

• Chief, Communications Security Establishment: joint authority under paragraph 8(2) (m) (public interest disclosure) with the Deputy Chief, Policy and Communications.
• Deputy Chief, Policy and Communication: full authority, except joint authority under paragraph 8(2) (m) (public interest disclosure) with the Chief, Communications Security Establishment.
• Director General, Policy. Disclosure and Review: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Director, Disclosures, and Information Sharing: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Manager, Disclosures: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Supervisor, Access to Information and Privacy Operations: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure), subsection I 4(a) only when no records exist (notice) and section IS (extension of time limits).
• Supervisor, Privacy, Policy and Governance: subsection 8(2) (use and disclosure) except for paragraph 8(2) (m) (public interest disclosure)
• Manager, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.
• Counsellor, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.

This delegation order replaces all previous delegation orders.

Dated at Ottawa this 26 day of April 2018

The Hon. Harijit S. Saijan. PC. OMM, MSM. CD. MP

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2019-04-01 to 2020-03-31

Section 2: Requests Closed During the Reporting Period

2.4 Format of information released

2.5 Complexity

2.6 Closed requests

2.7 Deemed refusals

Section 5: Extensions

Section 6: Consulations Received From Other Institutions and Organizations

Section 7: Completion Time of Consultations on Cabinet Confidences

Section 10: Material Privacy Breaches

Section 11: Resources related to the Privacy Act

Note: Enter values to two decimal places.

2019-2020 Supplemental Statistical Report – Requests affected by COVID-19 measures

In addition to completing the forms for the Statistical Reports on the ATIA and Privacy Act for 2019-20, institutions are asked to complete this Supplemental Report to help identify the impact of COVID-19 measures on institutional performance for 2019-20 and going forward. The data requirements are set out in the tables below.

Supplemental Statistical Report on the Privacy Act

The following table reports the total number of formal requests received during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

The following table reports the total number of requests carried over during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.