Annual Report to Parliament on the Administration of the Privacy Act 2021-2022

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the ninth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2021 to 31 March 2022.

Mandate of the Communications Security Establishment

On August 1st, 2019 the Communications Security Establishment Act (CSE Act) entered into force as part of Bill C-59 (An Act respecting national security matters). The CSE Act sets out the five aspects of CSE’s mandate:

• helping to protect and defend Canada’s most important cyber systems;
• acquiring foreign intelligence in support of the Government of Canada’s intelligence priorities;
• conducting defensive foreign cyber operations;
• conducting active foreign cyber operations; and
• providing technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.

The CSE Act provides CSE with a modern set of authorities and also enhances the accountability framework with new oversight and review functions.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Transparency and Information Sharing group in CSE’s Authorities, Compliance and Transparency Branch. This is a change from the previous reporting period and stems from organizational changes made within CSE as part of the strategic goal to uphold the highest standards of compliance, lawfulness, and respect for the privacy of Canadians. The delegation order in effect at the end of 2021-2022 reflects the previous structure and a copy can be found in Appendix I of this report. The Minister of National Defence delegated all authorities under section 73 of the Privacy Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, and to the Manager, Disclosures. He also delegated limited authorities to the Supervisor, Access to Information and Privacy Operations and the Supervisor, Privacy, Policy and Governance The delegation order is being revised to reflect the organizational changes.

The Access to Information and Privacy Offices include a manager responsible for thirteen (13) mandated full-time positions working in two distinct teams: ATIP Operations and, Privacy Policy and Governance. At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor, and six (6) analysts, while the Privacy Policy and Governance team consisted of one (1) supervisor, five (5) analysts and two (2) coop students.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of the Access to Information Act and Privacy Act.

Specifically, the ATIP Operations team is responsible for the following activities:

• Processing requests under the Access to Information Act and Privacy Act;
• Responding to consultation requests from other government institutions;
• Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
• Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
• Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
• Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

• Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
• Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
• Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of associated regulations, policies and guidelines;
• Representing CSE in privacy protection communities of practice;
• Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
• Drafting and implementing privacy-related policies, internal procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Key activities and accomplishments

Other initiatives

CSE was onboarded into the ATIP Online Request Service (AORS) late in FY2018-19, giving CSE the ability to receive requests under section 12(1) directly online from the requestor. The AORS is a centralized website developed by TBS that enables users to complete access to information and privacy requests and submit them to any of the institutions that are subject to the Government of Canada’s Privacy Act. The current reporting period includes the third full year CSE has accepted requests through the AORS system. CSE received nineteen (19) requests in this manner, representing approximately 79% of the total requests received, a slight decrease from the 91% received through AORS in the previous reporting period.

In 2021-2022, the ATIP Operations team also collaborated with CSE Offices of Primary Interest (OPIs) to address the challenges and restrictions created by the COVID-19 pandemic and impacts to the regular operational posture. The pandemic limited access of staff to CSE facilities and infrastructure, which in turn restricted access to classified information responsive to requests, as well as ATIP analysts’ ability to review the classified material and process the requests.

Privacy impact assessments

During the 2021-2022 reporting period, CSE completed two (2) Privacy Impact Assessments (PIA): The Counselling and Advisory Program (CAP) PIA, and Human Resources and Pay Information System PIA.

The Privacy Policy and Governance team intends to post the unclassified summaries for PIAs completed to date on the CSE website in the fall of 2022. PPGO continued to provide support to the Cyber Centre’s review of existing PIAs to fulfill the Treasury Board Secretariat’s three-year review. Six (6) PIAs were in progress during 2021-2022 related to various operational and corporate activities.

Statistical report on the administration of the Privacy Act

Number of formal requests

During this reporting period, CSE received 22 requests under section 12(1) the Privacy Act, which is a decrease from the previous fiscal year when 23 new requests were received. In addition, nineteen (19) requests outstanding from the previous reporting period were carried over, giving CSE a total of 41 requests to process. By the end of 2021-2022, CSE closed 16 requests and carried forward 25 into 2022-2023.

 

Long description - Table: 1

Received requests

	Number of received requests
	2017 to 2018	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022
Privacy	10	12	36	23	22
Privacy consultations	2	1	1	0	2

Disposition of completed requests

CSE closed 16 requests during this reporting period. Of these, eight (8) (50%) were disclosed in part, none were disclosed in full and six (6) were abandoned by the applicants. There were also two (2) requests where the existence of records was neither confirmed nor denied. This can be attributed to requests for records which, if they exist, would be located in CSE’s exempt personal information bank (CSE PPU 040) which contains records relating to CSE’s foreign intelligence files. There were no requests which were exempted or excluded in full.

 

Long description - Table: 2

Closed requests

	Number of closed requests
	2017 to 2018	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022
Privacy	8	8	28	23	16
Privacy Consultations	2	1	1	0	2

 

Long description - Table: 3

Disposition of completed requests

Disposition	Number of requests
	2017 to 2018	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022
All disclosed	0%	0%	0%	0%	0%
Disclosed in part	50%	50%	61%	57%	50%
All exempted	0%	0%	4%	0%	0%
All excluded	0%	0%	0%	0%	0%
No records exist	13%	0%	7%	0%	0%
Request abandoned	25%	25%	11%	9%	38%
Neither confirm nor Deny	13%	25%	18%	35%	13%

Neither confirm nor deny

Section 16(2) of the Act indicates that institutions do not have to tell a requester whether personal information exists. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities, or the safety of individuals. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. The application of subsection 16(2) was used on two (2) occasions during the 2021-2022 fiscal year.

Completion time

During the 2021-2022 fiscal year, nine (9) of the completed Privacy Requests were closed within the 30-day legislative timeframe, representing 56% of all completed Privacy Requests. In general, the requests received during 2021-2022 involved information of a highly sensitive nature resulting in greater complexity in fulfilling them. CSE processed a total of 1,340 pages in 2021-2022 compared to 10,870 pages in the previous reporting period.

 

Long description - Table: 4

Completion time

Completion time	Number of requests
	2017 to 2018	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022
Closed within 30 days	88%	75%	50%	35%	56%
31 to 60 days	0%	13%	18%	0%	6%
61 to 120 days	13%	0%	14%	9%	19%
121 to 180 days	0%	0%	18%	22%	6%
181 to 365 days	0%	13%	0%	26%	0%
More than 365 days	0%	0%	0%	9%	13%

Exemptions to the release of information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Of the eight (8) requests that were disclosed in part, section 21 was applied in all cases to protect information which could be reasonably expected to be injurious to the defense of Canada. Section 26 was applied in six (6) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the time limit

Two (2) extensions, based on Section 15 (a)(ii) of the Privacy Act relating to internal consultation, were taken on requests under the Privacy Act during the 2021-2022 fiscal year.

Consultations

CSE received two consultations from other government departments, totaling 20 pages. Both consultations were completed within 30 days.

Disclosure of personal information under paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates. CSE did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Fees and costs

Total expenditures to administer the Privacy Act were $732,324. This represents an increase in expenditures from the previous fiscal year due to an expansion of the Privacy Policy and Governance team.

Complaints, judicial review and audits

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

CSE received five (5) complaints during the fiscal year. One (1) privacy complaint carried over from 2017-2018 continued to be under judicial review in 2021-2022. Two (2) complaints were closed during the reporting period, both of which were received in 2021-2022.

The closed complaints were delay complaints from the same individual on two separate requests. Both were received in April of 2021 and closed in August of the same year. As CSE did not meet its legislated deadlines on the requests, the OPC found both to be well founded and resolved.

The remaining complaints received in the current reporting period consist of one (1) delay complaint and two (2) where the complainants have alleged that CSE has not provided all responsive records. CSE has made representations to the OPC regarding all complaints and will continue to work with the OPC to resolve them in a timely manner.

CSE has also continued to work with the OPC to resolve complaints received in previous reporting periods.

Monitoring compliance

Using our case management software, the ATIP Office continued to produce reports on the time taken to process requests. These reports were shared with our ATIP Coordinator throughout the fiscal year. CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis.

Material privacy breaches

There were no material privacy breaches reported during the 2021-2022 fiscal year.

Appendix I: Delegation of Authority

Communications Security Establishment

Privacy Act Delegation Order

The Minister of National Defense, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister of National Defense as the head of the Communications Security Establishment, under the provisions of the Act and related regulations set out below for each position.

• Chief, Communications Security Establishment: joint authority under paragraph 8(2) (m) (public interest disclosure) with the Deputy Chief, Policy and Communications.
• Deputy Chief, Policy and Communication: full authority, except joint authority under paragraph 8(2) (m) (public interest disclosure) with the Chief, Communications Security Establishment.
• Director General, Policy. Disclosure and Review: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Director, Disclosures, and Information Sharing: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Manager, Disclosures: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Supervisor, Access to Information and Privacy Operations: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure), subsection I 4(a) only when no records exist (notice) and section IS (extension of time limits).
• Supervisor, Privacy, Policy and Governance: subsection 8(2) (use and disclosure) except for paragraph 8(2) (m) (public interest disclosure)
• Manager, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.
• Counsellor, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.

This delegation order replaces all previous delegation orders.

Dated at Ottawa this 26 day of April 2018

The Hon. Harijit S. Saijan. PC. OMM, MSM. CD. MP

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2021-04-01 to 2022-03-31

Section 1: Requests Under the Privacy Act

Section 2: informal requests

Section 3: Requests closed during the reporting period

3.5 Complexity

3.6 Closed requests

3.6.1 Deemed refusals

Section 6: Extensions

Section 7: Consultations received from other institutions and organizations

Section 8: Completion time of consultations on Cabinet Confidences

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

Section 11: Privacy breaches

Section 12: Resources related to the Privacy Act

Note: Enter values to three decimal places.