Annual Report to Parliament on the Administration of the Privacy Act 2021-2022

Pursuant to subsection 72(1) of the Privacy Act, this document contains the Annual Report to Parliament on the Administration of the Privacy Act for 2021-2022 as submitted by the Minister of National Defence.

Alternate format: Annual Report to Parliament on the Administration of the Privacy Act 2021-2022 (PDF, 842 KB)

Table of contents

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the ninth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2021 to 31 March 2022.

Mandate of the Communications Security Establishment

On August 1st, 2019 the Communications Security Establishment Act (CSE Act) entered into force as part of Bill C-59 (An Act respecting national security matters). The CSE Act sets out the five aspects of CSE’s mandate:

  • helping to protect and defend Canada’s most important cyber systems;
  • acquiring foreign intelligence in support of the Government of Canada’s intelligence priorities;
  • conducting defensive foreign cyber operations;
  • conducting active foreign cyber operations; and
  • providing technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.

The CSE Act provides CSE with a modern set of authorities and also enhances the accountability framework with new oversight and review functions.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Transparency and Information Sharing group in CSE’s Authorities, Compliance and Transparency Branch. This is a change from the previous reporting period and stems from organizational changes made within CSE as part of the strategic goal to uphold the highest standards of compliance, lawfulness, and respect for the privacy of Canadians. The delegation order in effect at the end of 2021-2022 reflects the previous structure and a copy can be found in Appendix I of this report. The Minister of National Defence delegated all authorities under section 73 of the Privacy Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, and to the Manager, Disclosures. He also delegated limited authorities to the Supervisor, Access to Information and Privacy Operations and the Supervisor, Privacy, Policy and Governance The delegation order is being revised to reflect the organizational changes.

The Access to Information and Privacy Offices include a manager responsible for thirteen (13) mandated full-time positions working in two distinct teams: ATIP Operations and, Privacy Policy and Governance. At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor, and six (6) analysts, while the Privacy Policy and Governance team consisted of one (1) supervisor, five (5) analysts and two (2) coop students.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of the Access to Information Act and Privacy Act.

Specifically, the ATIP Operations team is responsible for the following activities:

  • Processing requests under the Access to Information Act and Privacy Act;
  • Responding to consultation requests from other government institutions;
  • Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
  • Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

  • Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
  • Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
  • Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of associated regulations, policies and guidelines;
  • Representing CSE in privacy protection communities of practice;
  • Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
  • Drafting and implementing privacy-related policies, internal procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Key activities and accomplishments

Education and training

CSE continues its commitment to the learning and development of its employees and provides comprehensive privacy awareness training sessions to ensure all employees are up to date on their responsibilities regarding the management of personal information in both mission and non-mission related activities.

In addition to continuing to deliver the standard mandatory privacy awareness training, the Privacy Policy and Governance team delivered three (3) live customized privacy training sessions to 170 employees in the Cyber Centre pertaining to the use of a system that handles personal information. The training signifies the importance of proper collection, use, access, retention, and disposition of personal information along with the necessity of appropriate administrative, physical and technical safeguards to protect personal information under CSE’s control. During this fiscal year, the Privacy Policy and Governance team took part in recording the training session to make it accessible for users to take at any given time. The recorded training is mandatory for all users of the system. Furthermore, 295 employees and students completed the standard mandatory privacy awareness training.

Additional privacy educational initiatives in 2021-2022 included promoting privacy awareness through the organization of Privacy Awareness Week at CSE from May 18th, 2021, to May 25th, 2021. The Privacy Policy and Governance team planned a full calendar of activities including privacy-focused announcements, interactive posts and two (2) live privacy-focused presentations by knowledgeable guest speakers. Privacy Awareness Week is an event that provides CSE’s Privacy Policy and Governance team with the opportunity to educate and raise employee awareness of their responsibilities regarding personal information and of the various resources available to them, including the team itself and privacy awareness training.

Collectively, these efforts provided opportunities to showcase privacy across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE’s ATIP Operations Office and Privacy Policy and Governance team. The teams’ support included guidance on CSE privacy policies, procedures, and best practices for personal information management.

Institutional privacy policies and procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy which outlines CSE’s obligations to manage and protect personal information during its corporate functions in accordance with the Privacy Act, its regulations and Treasury Board Secretariat (TBS) policies relating to privacy. During this fiscal year, CSE’s Administrative Privacy Policy was approved and promulgated to all CSE employees. Note that the policy clarifies that privacy awareness training is mandatory for all CSE staff.

In 2021-2022, CSE continued to update its internal privacy compliance and impact assessment process, based on CSE client feedback, to further streamline the process in the development of new services and programs. The process examines how personal information is involved in a program or activity, and how the activity may affect the privacy of an individual. This allows CSE program managers to examine the effectiveness of privacy protection measures and identify appropriate additional measures to mitigate the impact where necessary.

The PPGO team has developed a series of standard operating procedures for completing various types of internal and external privacy assessment tools in order to support CSE's program areas (subject matter experts, privacy advisors) in their role of identifying and assessing privacy risks associated with a tool, initiative, and/or activity that involves personal information.

Other initiatives

CSE was onboarded into the ATIP Online Request Service (AORS) late in FY2018-19, giving CSE the ability to receive requests under section 12(1) directly online from the requestor. The AORS is a centralized website developed by TBS that enables users to complete access to information and privacy requests and submit them to any of the institutions that are subject to the Government of Canada’s Privacy Act. The current reporting period includes the third full year CSE has accepted requests through the AORS system. CSE received nineteen (19) requests in this manner, representing approximately 79% of the total requests received, a slight decrease from the 91% received through AORS in the previous reporting period.

In 2021-2022, the ATIP Operations team also collaborated with CSE Offices of Primary Interest (OPIs) to address the challenges and restrictions created by the COVID-19 pandemic and impacts to the regular operational posture. The pandemic limited access of staff to CSE facilities and infrastructure, which in turn restricted access to classified information responsive to requests, as well as ATIP analysts’ ability to review the classified material and process the requests.

COVID-19

During the 2021-2022 reporting period the Privacy Policy and Governance Team continued to adapt its business processes to effectively support its internal clients, and support CSE’s continuing compliance with the Privacy Act. In particular, the transition to a work-from-home posture for CSE led to an unprecedented use of cloud-based communications services and the deployment of a significant number of new in-house applications on its internal network. CSE’s Privacy Policy and Governance team continued to provide advice and guidance to support the initiative and ensure that privacy guidelines were integrated.

Due to the nature of CSE’s national security operations, CSE operates in a high-security environment and manages large volumes of classified information. For this reason, the ATIP software is currently only available in the classified environment. The restrictions and health guidelines introduced in response to the pandemic challenged regular business continuity planning procedures by limiting the number of people operating in CSE facilities and, in turn, access to the records responsive to requests. In addition, the pandemic impacted regular operations by limiting access of staff to CSE facilities and infrastructure, which in turn restricted ATIP analysts’ ability to review the classified material and process classified and unclassified requests.

The ATIP Operations team was able to return to pre-pandemic capabilities by the end of the reporting period. The team also began a one-year trial of a hybrid approach whereby employees were able to telework for 20% of their working hours, when their duties could be performed remotely.

Privacy impact assessments

During the 2021-2022 reporting period, CSE completed two (2) Privacy Impact Assessments (PIA): The Counselling and Advisory Program (CAP) PIA, and Human Resources and Pay Information System PIA.

The Privacy Policy and Governance team intends to post the unclassified summaries for PIAs completed to date on the CSE website in the fall of 2022. PPGO continued to provide support to the Cyber Centre’s review of existing PIAs to fulfill the Treasury Board Secretariat’s three-year review. Six (6) PIAs were in progress during 2021-2022 related to various operational and corporate activities.

Statistical report on the administration of the Privacy Act

Number of formal requests

During this reporting period, CSE received 22 requests under section 12(1) the Privacy Act, which is a decrease from the previous fiscal year when 23 new requests were received. In addition, nineteen (19) requests outstanding from the previous reporting period were carried over, giving CSE a total of 41 requests to process. By the end of 2021-2022, CSE closed 16 requests and carried forward 25 into 2022-2023.

Long description immediately follows
 
Long description - Table: 1
Received requests
  Number of received requests
2017 to 2018 2018 to 2019 2019 to 2020 2020 to 2021 2021 to 2022
Privacy 10 12 36 23 22
Privacy consultations 2 1 1 0 2
 

Disposition of completed requests

CSE closed 16 requests during this reporting period. Of these, eight (8) (50%) were disclosed in part, none were disclosed in full and six (6) were abandoned by the applicants. There were also two (2) requests where the existence of records was neither confirmed nor denied. This can be attributed to requests for records which, if they exist, would be located in CSE’s exempt personal information bank (CSE PPU 040) which contains records relating to CSE’s foreign intelligence files. There were no requests which were exempted or excluded in full.

Long description immediately follows
 
Long description - Table: 2
Closed requests
  Number of closed requests
2017 to 2018 2018 to 2019 2019 to 2020 2020 to 2021 2021 to 2022
Privacy 8 8 28 23 16
Privacy Consultations 2 1 1 0 2
 
Long description immediately follows
 
Long description - Table: 3
Disposition of completed requests
Disposition Number of requests
2017 to 2018 2018 to 2019 2019 to 2020 2020 to 2021 2021 to 2022
All disclosed 0% 0% 0% 0% 0%
Disclosed in part 50% 50% 61% 57% 50%
All exempted 0% 0% 4% 0% 0%
All excluded 0% 0% 0% 0% 0%
No records exist 13% 0% 7% 0% 0%
Request abandoned 25% 25% 11% 9% 38%
Neither confirm nor Deny 13% 25% 18% 35% 13%
 

Neither confirm nor deny

Section 16(2) of the Act indicates that institutions do not have to tell a requester whether personal information exists. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities, or the safety of individuals. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. The application of subsection 16(2) was used on two (2) occasions during the 2021-2022 fiscal year.

Completion time

During the 2021-2022 fiscal year, nine (9) of the completed Privacy Requests were closed within the 30-day legislative timeframe, representing 56% of all completed Privacy Requests. In general, the requests received during 2021-2022 involved information of a highly sensitive nature resulting in greater complexity in fulfilling them. CSE processed a total of 1,340 pages in 2021-2022 compared to 10,870 pages in the previous reporting period.

Open Requests outstanding from previous reporting periods
Reporting period received Within Legislated timelines Beyond Legislated timelines Total
2015 to 2016 or earlier 0 3 3
2016 to 2017 0 1 1
2017 to 2018 0 0 0
2018 to 2019 0 0 0
2019 to 2020 1 1 2
2020 to 2021 0 6 6
2021 to 2022 3 10 13
Total 4 21 25
 
Long description immediately follows
 
Long description - Table: 4
Completion time
Completion time Number of requests
2017 to 2018 2018 to 2019 2019 to 2020 2020 to 2021 2021 to 2022
Closed within 30 days 88% 75% 50% 35% 56%
31 to 60 days 0% 13% 18% 0% 6%
61 to 120 days 13% 0% 14% 9% 19%
121 to 180 days 0% 0% 18% 22% 6%
181 to 365 days 0% 13% 0% 26% 0%
More than 365 days 0% 0% 0% 9% 13%
 

Exemptions to the release of information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Of the eight (8) requests that were disclosed in part, section 21 was applied in all cases to protect information which could be reasonably expected to be injurious to the defense of Canada. Section 26 was applied in six (6) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the time limit

Two (2) extensions, based on Section 15 (a)(ii) of the Privacy Act relating to internal consultation, were taken on requests under the Privacy Act during the 2021-2022 fiscal year.

Consultations

CSE received two consultations from other government departments, totaling 20 pages. Both consultations were completed within 30 days.

Disclosure of personal information under paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates. CSE did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Fees and costs

Total expenditures to administer the Privacy Act were $732,324. This represents an increase in expenditures from the previous fiscal year due to an expansion of the Privacy Policy and Governance team.

Complaints, judicial review and audits

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

CSE received five (5) complaints during the fiscal year. One (1) privacy complaint carried over from 2017-2018 continued to be under judicial review in 2021-2022. Two (2) complaints were closed during the reporting period, both of which were received in 2021-2022.

The closed complaints were delay complaints from the same individual on two separate requests. Both were received in April of 2021 and closed in August of the same year. As CSE did not meet its legislated deadlines on the requests, the OPC found both to be well founded and resolved.

The remaining complaints received in the current reporting period consist of one (1) delay complaint and two (2) where the complainants have alleged that CSE has not provided all responsive records. CSE has made representations to the OPC regarding all complaints and will continue to work with the OPC to resolve them in a timely manner.

CSE has also continued to work with the OPC to resolve complaints received in previous reporting periods.

Active Complaints from previous reporting periods
Reporting period received Number of Open Complaints
2015 to 2016 or earlier 0
2016 to 2017 0
2017 to 2018 0
2018 to 2019 1
2019 to 2020 1
2020 to 2021 1
2021 to 2022 4
Total 7
 

Monitoring compliance

Using our case management software, the ATIP Office continued to produce reports on the time taken to process requests. These reports were shared with our ATIP Coordinator throughout the fiscal year. CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis.

Material privacy breaches

There were no material privacy breaches reported during the 2021-2022 fiscal year.

Appendix I: Delegation of Authority

Communications Security Establishment

Privacy Act Delegation Order

The Minister of National Defense, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister of National Defense as the head of the Communications Security Establishment, under the provisions of the Act and related regulations set out below for each position.

  • Chief, Communications Security Establishment: joint authority under paragraph 8(2) (m) (public interest disclosure) with the Deputy Chief, Policy and Communications.
  • Deputy Chief, Policy and Communication: full authority, except joint authority under paragraph 8(2) (m) (public interest disclosure) with the Chief, Communications Security Establishment.
  • Director General, Policy. Disclosure and Review: full authority, except for paragraph 8(2) (m) (public interest disclosure).
  • Director, Disclosures, and Information Sharing: full authority, except for paragraph 8(2) (m) (public interest disclosure).
  • Manager, Disclosures: full authority, except for paragraph 8(2) (m) (public interest disclosure).
  • Supervisor, Access to Information and Privacy Operations: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure), subsection I 4(a) only when no records exist (notice) and section IS (extension of time limits).
  • Supervisor, Privacy, Policy and Governance: subsection 8(2) (use and disclosure) except for paragraph 8(2) (m) (public interest disclosure)
  • Manager, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.
  • Counsellor, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.

This delegation order replaces all previous delegation orders.

Dated at Ottawa this 26 day of April 2018

The Hon. Harijit S. Saijan. PC. OMM, MSM. CD. MP

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2021-04-01 to 2022-03-31

Section 1: Requests Under the Privacy Act

Section 1.1: Number of requests received
  Number of requests
Received during reporting period 22
Outstanding from previous reporting period 19
Total 41
Closed during reporting period 16
Carried over to next reporting period 25
Section 1.2: Channels of requests
Source Number of requests
Online 17
E-mail 5
Mail 0
In person 0
Phone 0
Fax 0
Total 22

Section 2: informal requests

Section 2.1: Number of informal received
  Number of requests
Received during reporting period 0
Outstanding from previous reporting period 0
Total 0
Closed during reporting period 0
Carried over to next reporting period 0
Section 2.2: Channels of informal requests
Source Number of requests
Online 0
E-mail 0
in person 0
Phone 0
Fax 0
Total 0
2.3 Completion time of informal requests
Completion time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
0 0 0 0 0 0 0 0
2.4 Pages released informally
Less than 100 pages released 100 to 500 pages released 501 to 1000 pages released 1001 to 5000 pages released More than 5000 pages released
Number of requests Pages released Number of requests Pages released Number of requests Pages released Number of requests Pages released Number of requests Pages released
0 0 0 0 0 0 0 0 0 0

Section 3: Requests closed during the reporting period

3.1 Disposition and completion time
Disposition of requests Completion time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 2 1 3 0 0 2 8
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 5 0 0 0 1 0 0 6
Neither confirmed nor denied 0 2 0 0 0 0 0 2
Total 5 4 1 3 1 0 2 16
3.2 Exemptions
Section Number of requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 8
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 6
27 0
27.1 0
28 1
 
3.3 Exclusions
Section Number of requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
 
3.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
3 5 0 0 0 0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed
Number of pages processed Number of pages disclosed Number of requests
1340 681 16
3.5.2 Relevant pages processed by request disposition for paper and e-record format by size of requests
Disposition Less than 100
pages
processed
101 to 500
pages
processed
501 to 1000
pages
processed
1001 to 5000
pages
processed
More than 5000
pages
processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 5 167 2 620 1 553 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 6 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 2 0 0 0 0 0 0 0 0 0
Total 13 167 2 620 1 553 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less than 60 minutes processed 60 to 120 minutes processed More than 120 minutes processed
Number of requests Minutes processed Number of requests Minutes processed Number of requests Minutes processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less than 60 minutes processed 60 to 120 minutes processed More than 120 minutes processed
Number of requests Minutes processed Number of requests Minutes processed Number of requests Minutes processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation required Legal advice sought Interwoven information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 1 0 0 0 1
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 1 0 0 0 1

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines
Number of requests closed within legislated timelines 10
Percentage of requests closed within legislated timelines (%) 62.5

3.6.1 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations / Workload External Consultation Internal Consultation Other
6 2 0 0 4
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timelines Where an Extension Was Taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 2 0 2
61 to 120 days 1 0 1
121 to 180 days 1 0 1
181 to 365 days 0 0 0
More than 365 days 0 2 2
Total 4 2 6
3.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0
Section 4: Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0
Section 5: Requests for correction of personal information and notations
Disposition for correction requests received Number
Notation attached 0
Requests for correction accepted 0
total 0

Section 6: Extensions

6.1 Reasons for extensions
Number of requests where an extension was taken 15(a)(i) Interference with operations 15 (a)(ii) Consultation 
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section
(Section 70)
External Internal 15(b)
Translation purposes or conversion
2 0 0 0 0 0 0 2 0
6.2 Length of extensions
Length of extensions 15(a)(i) Interference with operations 15 (a)(ii)
Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents
are difficult to obtain
Cabinet
Confidence
Section
(Section 70)
External Internal 15(b)
Translation purposes or conversion
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 0 0 0 0 0 2 0
31 days or greater    0
Total 0 0 0 0 0 0 2 0

Section 7: Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of
Canada institutions
Number of pages
to review
Other
organizations
Number of pages
to review
Received during the reporting period 2 20 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 2 20 0 0
Closed during the reporting period 2 20 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of days required to complete consultation requests
1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than 365
days
Total
Disclosed entirely 1 0 0 0 0 0 0 1
Disclosed in part 0 1 0 0 0 0 0 1
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 1 1 0 0 0 0 0 2
7.3 Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than 365
days
Total
Disclosed entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion time of consultations on Cabinet Confidences

8.1 Requests with legal services
Number of days Fewer than 100
pages processed
101 to 500
pages processed
501 to 1000
pages processed
1001 to 5000
pages processed
More than 5000
pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 days 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of days Fewer than 100
pages processed
101 to 500
pages processed
501 to 1000
pages processed
1001 to 5000
pages processed
More than 5000
pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 days 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
Section 9: Complaints and investigations notices received
Section 31 Section 33 Section 35 Court action Total
5 5 2 0 12

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy impact assessments
Number of PIAs completed 2
Number of PIAs modified 0
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 2 1 0 0
Central 55 0 0 0
Total 57 1 0 0

Section 11: Privacy breaches

11.1 Material privacy breaches reported
Number of material privacy breaches reported to TBS 0
Number of material privacy breaches reported to OPC 0
11.2 Non-material privacy breaches
Number of non-material privacy breaches 3

Section 12: Resources related to the Privacy Act

12.1 Allocated costs
Expenditures Amount
Salaries $712,706
Overtime $1,388
Goods and Services $18,230
Goods and Services - Professional services contracts $0
Goods and Services - Other $18,230
Total $732,324
12.2 Human Resources
Resources Person years dedicated to privacy activities
Full-time employees 6.174
Part-time and casual employees 0.791
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.774
Total 7.739

Note: Enter values to three decimal places.

Supplemental Statistical Report on the Access to Information Act and Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2021-04-01 to 2022-03-31

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

Enter the number of weeks your institution your institution was able to receive ATIP requests through the different channels.
  Number of Weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52

Section 2: Capacity to Process Records under the Access to Information Act and Privacy Act

2.1 Enter the number of weeks your institution was able to process paper records in different classification levels.
  No Capacity Partial Capacity Full Capacity Total
Unclassified paper records 0 0 52 52
Protected B paper records 0 0 52 52
Secret and Top Secret paper records 0 48 4 52
2.2 Enter the number of weeks your institution was able to process electronic records in different classification levels.
  No Capacity Partial Capacity Full Capacity Total
Unclassified paper records 0 0 52 52
Protected B electronic records 0 0 52 52
Secret and Top Secret electronic records 0 48 4 52

Section 3: Open requests and complaints under the Access to Information Act

3.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal year open requests were received Open requests that are Within Legislated Timelines as of March 31, 2022 Open requests that are Beyond Legislated Timelines as of March 31, 2022 Total
Received in 2021 to 2022 9 41 50
Received in 2020 to 2021 1 21 22
Received in 2019 to 2020 0 17 17
Received in 2018 to 2019 1 9 10
Received in 2017 to 2018 0 17 17
Received in 2016 to 2017 0 18 18
Received in 2015 to 2016 or earlier 0 15 15
Total 11 138 149
3.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open complaints were received by Institution Number of open complaints
Received in 2021 to 2022 3
Received in 2020 to 2021 0
Received in 2019 to 2020 0
Received en 2018 to 2019 0
Received in 2017 to 2018 1
Received in 2016 to 2017 0
Received in 2015 to 2016 or earlier 0
Total 4

Section 4 : Open requests and complaints under the Privacy Act

4.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal year open requests were received Open requests that are Within Legislated Timelines as of March 31, 2022 Open requests that are Beyond Legislated Timelines as of March 31, 2022 Total
Received in 2021 to 2022 3 10 13
Received in 2020 to 2021 0 6 6
Received in 2019 to 2020 1 1 2
Received in 2018 to 2019 0 0 0
Received in 2017 to 2018 0 0 0
Received in 2016 to 2017 0 1 1
Received in 2015 to 2016 or earlier 0 3 3
Total 4 21 25
4.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open complaints were received by Institution Number of open complaints
Received in 2021 to 2022 4
Received in 2020 to 2021 1
Received in 2019 to 2020 1
Received in 2018 to 2019 1
Received in 2017 to 2018 0
Received in 2016 to 2017 0
Received in 2015 to 2016 or earlier 0
Total 7
Section 5: Social Insurance Number (SIN)
Did your institution received authority for a new collection or new consistent use of the SIN in 2021 to 2022? No

Mission

Mission

Discover CSE's impactful mission

Careers

Careers

Join our team and help keep Canadians safe

Culture and community

Culture and community

Learn how we support our employees and our community

Date modified: