Annual Report to Parliament on the Administration of the Privacy Act 2022-2023

Pursuant to subsection 72(1) of the Privacy Act, this document contains the Annual Report to Parliament on the Administration of the Privacy Act for 2022-2023 as submitted by the Minister of National Defence.

Alternate format: Annual Report to Parliament on the Administration of the Privacy Act 2022-2023 (PDF, 842 KB)

Table of contents

• Introduction
• Mandate of the Communications Security Establishment
• Organizational Structure
• Delegation order
• Performance 2022-2023
  • Number of Formal Requests
  • Disposition of completed requests
  • Neither confirm nor deny
  • Completion time
  • Exemptions to the release of information
  • Extension of the time limit
  • Consultations
  • Summary of key issues and actions taken on complaints
• Education and training
• Policies, Guidelines and Procedures
• Other key initiatives
• Initiatives and projects to improve Policy
• Material privacy breaches
• Privacy impact assessments
• Public interest disclosure
• Monitoring compliance
• Appendix I: Delegation of authority
• Appendix II: Statistical report

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions.

The government recognizes that this protection is an essential element in maintaining public trust.

This is the tenth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency's activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2022 to 31 March 2023.

Mandate of the Communications Security Establishment

On August 1st, 2019 the Communications Security Establishment Act (CSE Act) entered into force as part of Bill C-59 (An Act respecting national security matters). The CSE Act sets out the five aspects of CSE's mandate:

• helping to protect and defend Canada's most important cyber systems;
• acquiring foreign intelligence in support of the Government of Canada's intelligence priorities;
• conducting defensive foreign cyber operations;
• conducting active foreign cyber operations; and
• providing technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.

The CSE Act provides CSE with a modern set of authorities and enhances the accountability framework with new oversight and review functions.

Organizational Structure

The ATIP Office is part of the Transparency and Information Sharing group in CSE's Authorities, Compliance and Transparency (ACT) Branch. As noted in the previous annual report, this new restructuring was part of CSE's strategic goal to uphold the highest standards of compliance, lawfulness, and respect for the privacy of Canadians.

The Access to Information and Privacy Office include a manager responsible for eleven (11) full-time positions working in two (2) separate teams: ATIP Operations and, Privacy Policy and Governance. At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor and six (6) analysts, while the Privacy Policy and Governance team consisted of one (1) supervisor, three (3) analysts and two (2) coop students.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE's administration of the Access to Information Act and Privacy Act.

Specifically, the ATIP Operations team is responsible for the following activities:

• Processing requests under the Access to Information Act and Privacy Act;
• Responding to consultation requests from other government institutions;
• Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
• Supporting CSE's legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
• Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
• Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
• Providing training and other outreach initiatives to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

• Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
• Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
• Supporting CSE's legislative compliance obligations under the Privacy Act, including the application of associated regulations, policies and guidelines;
• Representing CSE in privacy protection communities of practice;
• Coordinating the annual update of the institution's Info Source publication, which includes a description of the agency's organizational structure and record holdings;
• Drafting and implementing privacy-related policies, internal procedures, guidance documents and working aids; and,
• Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Delegation Order

The delegation order in effect at the end of 2022-2023 reflects an earlier organizational structure at CSE and a copy can be found in Appendix I of this report. The then-Minister of National Defence, the Honourable Harjit Sajjan, delegated all authorities under section 95 of the Access to Information Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, and to the Manager, Disclosures. He also delegated limited authorities to the Supervisor, Access to Information and Privacy Operations.  CSE is in the process of following up with the office of the current Minister of National Defence (the Honourable Bill Blair) on an updated delegation order which reflect recent changes to CSE titles and positions.

Performance 2022-2023

CSE's 2022-2023 Statistical Report on the Privacy Act and Supplemental ATIP Statistical Report for 2022-2023 (both of which were previously validated by TBS) can be found in Appendix II.

Number of Formal Requests

During this reporting period, CSE received nineteen (19) requests under section 12(1) the Privacy Act, which is a decrease from the previous fiscal year when twenty-two (22) new requests were received. In addition, thirteen (13) requests outstanding from the previous reporting period were carried over and twelve (12) from more than one reporting period ago, giving CSE a total of forty-four (44) requests to process. By the end of 2022-2023, CSE closed twenty-two (22) requests and carried forward twenty-two (22) into 2023-2024.

 

Long description - Table: 1

Received requests

	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022	2022 to 2023
Privacy	12	36	23	22	19
Privacy consultations	1	1	0	2	1

 

Disposition of Completed Requests

CSE closed 22 requests during this reporting period. Of these, six (6) (27%) were disclosed in part, none (0%) were disclosed in full and five (5) were abandoned by the applicants. There were also eleven (11) requests where the existence of records was neither confirmed nor denied which is a significant increase from two (2) records in 2021-2022. There were no requests which were exempted or excluded in full.

 

Long description - Table: 2

Closed requests

	Number of closed requests
	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022	2022 to 2023
Privacy	8	28	23	16	22
Privacy Consultations	1	1	0	2	1

 

 

Long description - Table: 3

Disposition of completed requests

Disposition	Number of requests
	2018 to 2019	2019 to 2020	2020 to 2021	2021 to 2022	2022 to 2023
All disclosed	0%	0%	0%	0%	0%
Disclosed in part	50%	61%	57%	50%	27%
All exempted	0%	4%	0%	0%	0%
All excluded	0%	0%	0%	0%	0%
No records exist	0%	7%	0%	0%	0%
Request abandoned	25%	11%	9%	38%	23%
Neither confirm nor deny	25%	18%	35%	13%	50%

Neither Confirm Nor Deny

Section 16(2) of the Act indicates that institutions do not have to tell a requester whether personal information exists. Section 16(2) was designed to address situations in which the mere confirmation of a record's existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada's foreign relations, the defence of Canada, law enforcement activities, or the safety of individuals. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. As noted above, the application of subsection 16(2) was used eleven (11) times during the 2022-2023 fiscal year.

Completion Time

During the 2022-2023 fiscal year, seven (7) of the completed requests made under the Privacy Act were closed within the legislative timeframe, representing 32% of all completed requests. One (1) request was closed outside the initial 30 days.  CSE closed six (6) requests within 1-30 days; four (4) between 31 and 60 days; four (4) between 61 and 120 days; two (2) between 121 and 180 days; four (4) between 181 and 365 days; and two (2) took more than 365 days to process. In general, the requests received during 2022-2023 involved information of a highly sensitive nature resulting in greater complexity in fulfilling them. CSE processed a total of 1,092 pages in 2022-23 compared to 1,340 pages in 2021-2022. Of the total requests carried over into 2023-2024, eight (8) (36%) were received during the 2022-2023 reporting period.

Exemptions to the release of information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Section 21 was applied in six (6) requests to protect information which could be reasonably expected to be injurious to the defense of Canada. Section 26 was applied in five (5) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the time limit

One (1) extension, based on Section 15 (a)(ii) of the Privacy Act relating to external consultation, was taken on requests under the Privacy Act during the 2021-2022 fiscal year.

Consultations

CSE received one (1) consultation from other government departments, totaling 53 pages.

Summary of Key Issues and Actions Taken on Complaints

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada (OPC). CSE received three (3) complaints during fiscal year 2022-23. One (1) privacy complaint carried over from 2017-2018 continued to be under judicial review in 2021-2022. One (1) complaint that was received in 2020-2021 was closed during the current reporting period.

The closed complaint was submitted directly to the OPC and not related to a specific request. The complainant alleged that CSE contravened the use and disclosure provisions of the Privacy Act when their personal information was used for a purpose contrary to that for which are was collected. CSE received notice of the complaint in November of 2020 and made representations to the OPC. Through their investigation, the OPC found the complaint to be not well founded in March of 2023.

The three (3) complaints received in the current reporting period all consist of complaints where the complainants have alleged that CSE has not provided responsive records within the prescribed time periods. CSE has made representations to the OPC regarding all complaints and will continue to work with the OPC to resolve them in a timely manner.

CSE has also continued to work with the OPC to resolve complaints received in previous reporting periods.

Education and Training

CSE continues its commitment to the ongoing learning and development of its employees and provides comprehensive privacy awareness training sessions to ensure all employees are up to date on their responsibilities regarding the management of personal information in both mission and non-mission related activities. 389 employees and students completed the standard mandatory privacy awareness training.

Additional privacy educational initiatives in 2022-2023 included promoting privacy awareness through the organization of Privacy Awareness Week at CSE from May 9 to 13, 2022. The Privacy Policy and Governance team planned a full calendar of activities including privacy-focused announcements, interactive posts and two (2) live privacy-focused presentations by knowledgeable guest speakers. Privacy Awareness Week is an event that provides CSE's Privacy Policy and Governance team with the opportunity to educate and raise employee awareness of their responsibilities regarding personal information and of the various resources available to them, including the team itself and privacy awareness training.

Collectively, these efforts provided opportunities to showcase privacy across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE's ATIP Operations Office and Privacy Policy and Governance team. The teams' support included guidance on CSE privacy policies, procedures, and best practices for personal information management. 

In addition, new employees are required to complete an online training session "Privacy Awareness" within three months of their start date. In addition, CSE encourages employees to take advantage of access to information and privacy courses offered through the Canada School for Public Service (CSPS).

Policies, Guidelines, and Procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy which outlines CSE's obligations to manage and protect personal information during its corporate functions in accordance with the Privacy Act, its regulations and Treasury Board Secretariat (TBS) policies relating to privacy. Note that the policy clarifies that privacy awareness training is mandatory for all CSE staff.

The PPGO team has continued to develop a series of standard operating procedures for completing various types of internal and external privacy assessment tools in order to support CSE's program areas (subject matter experts, privacy advisors) in their role of identifying and assessing privacy risks associated with a tool, initiative, and/or activity that involves personal information.

The ATIP Operations team continues to seek new opportunities to improve the efficiency and timeliness of processing requests. In fiscal year 2022-2023, the team created several internal documents to ensure consistency and continuity in processing requests as the team welcomed new staff members. This included an ATIP Manual outlining how to respond to access requests, access consultations, privacy requests and privacy consultations; and flow charts illustrating the ATIP Operations team's processes.

Other Key Initiatives

It is important to note that the ATIP Operations team also supports the work of the National Security Intelligence Review Agency (NSIRA), the National Security and Intelligence Committee of Parliamentarians (NSICOP), and the Intelligence Commissioner (IC) by reviewing their documents, which contain sensitive CSE information, and providing unclassified versions that can be shared openly with the public.

There has been an increase in non-ATIP related requests which has impacted the time the team can devote to access and privacy requests. This time is not represented in the statistical reporting, but accounts for approximately 1.36 FTE for the reporting period.  

Initiatives and Projects to Improve Privacy

CSE has been using the ATIP Online Management Tool (AOMT) which replaced the ATIP Online Request Service (AORS) in this reporting period.  The AOMT is a centralized website developed by TBS that enables users to complete access to information requests and submit them to any of the institutions that are subject to the Government of Canada's Privacy Act. CSE received 14 requests via this service, representing approximately 74% of the total requests received. 16% of requests were received by email and the remaining 10% through regular mail. 

Material Privacy Breaches

Two (2) material privacy breaches were reported to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat related to the reporting period of April 1, 2022, to March 31, 2023.  Both reported breaches are related as a contractor was responsible for the unauthorized collection of the personal information of individuals working at CSE on two occasions. The contractor's access to personal information of employees was revoked. The impacted individuals were formally notified, provided with the contact information of the OPC and provided with internal resources to manage the potential harm caused by the breaches.

Privacy Impact Assessments

During the 2022-2023 reporting period, CSE did not complete any Privacy Impact Assessments (PIA).

Public Interest Disclosure

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates.

There was one occurrence where CSE submitted an 8 (2)(m) Public Interest Disclosure to the Office of the Privacy Commissioner. The nature of the disclosure was due to a material privacy breach that occurred mid-December 2022.

Monitoring Compliance

Using our case management software, the ATIP Office continues to produce reports on the time taken to process requests. These reports are shared with our ATIP Coordinator throughout the fiscal year. The ATIP Operations team tracks all requests and reports bi-weekly to the team manager on any issues and/or delays in processing requests. This provides an opportunity for the manager to triage requests or allocate resources, for example, in order to meet legislated timelines.  CSE's Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis.

Like many other government departments, CSE is experiencing a backlog in responding to requests for information. The ATIP Operations team has implemented mechanisms and tools to address this backlog such as the team's bi-weekly tracker for requests for information and access consultations. The ATIP supervisor and manager check in bi-weekly on the number of new requests, closed requests, and are alerted to any backlogs by ATIP analysts. This is an opportunity to discuss how best to triage requests and allocate resources as required to meet legislated timelines.

Two (2) material privacy breaches occurred at CSE during the related reporting period of April 1, 2022, to March 31, 2023. As part of PPGO's obligations, both breaches were reported to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat.

Appendix I: Delegation of Authority

Communications Security Establishment

Privacy Act Delegation Order

The Minister of National Defense, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister of National Defense as the head of the Communications Security Establishment, under the provisions of the Act and related regulations set out below for each position.

• Chief, Communications Security Establishment: joint authority under paragraph 8(2) (m) (public interest disclosure) with the Deputy Chief, Policy and Communications.
• Deputy Chief, Policy and Communication: full authority, except joint authority under paragraph 8(2) (m) (public interest disclosure) with the Chief, Communications Security Establishment.
• Director General, Policy. Disclosure and Review: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Director, Disclosures, and Information Sharing: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Manager, Disclosures: full authority, except for paragraph 8(2) (m) (public interest disclosure).
• Supervisor, Access to Information and Privacy Operations: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure), subsection I 4(a) only when no records exist (notice) and section IS (extension of time limits).
• Supervisor, Privacy, Policy and Governance: subsection 8(2) (use and disclosure) except for paragraph 8(2) (m) (public interest disclosure)
• Manager, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.
• Counsellor, Counselling and Advisory Program: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.

This delegation order replaces all previous delegation orders.

Dated at Ottawa this 26 day of April 2018

The Hon. Harijit S. Saijan. PC. OMM, MSM. CD. MP

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Requests Under the Privacy Act

Section 1.1: Number of requests received

	Number of requests
Received during reporting period	19
Outstanding from previous reporting periods	25 Outstanding from previous reporting periods: 13 Outstanding from more than one reporting period: 12
Total	44
Closed during reporting period	22
Carried over to next reporting period	22 Carried over within legislated timeline: 1 Carried over beyond legislated timeline : 21

Section 1.2: Channels of requests

Source	Number of requests
Online	14
E-mail	3
Mail	2
In person	0
Phone	0
Fax	0
Total	19

Section 2: Informal requests

Section 2.1: Number of informal requests

	Number of requests
Received during reporting period	0
Outstanding from previous reporting periods	0
Outstanding from previous reporting period	0
Outstanding from more than one reporting period	0
Total	0
Closed during reporting period	0
Carried over to next reporting period	0

Section 2.2: Channels of informal requests

Source	Number of requests
Online	0
E-mail	0
in person	0
Phone	0
Fax	0
Total	0

2.3 Completion time of informal requests

Completion time
1 to 15 Days	16 to 30 Days	31 to 60 Days	61 to 120 Days	121 to 180 Days	181 to 365 Days	More Than 365 Days	Total
0	0	0	0	0	0	0	0

2.4 Pages released informally

Less than 100 pages released		100 to 500 pages released		501 to 1000 pages released		1001 to 5000 pages released		More than 5000 pages released
Number of requests	Pages released	Number of requests	Pages released	Number of requests	Pages released	Number of requests	Pages released	Number of requests	Pages released
0	0	0	0	0	0	0	0	0	0

Section 3: Requests closed during the reporting period

3.1 Disposition and completion time

Disposition of requests	Completion time
	1 to 15 Days	16 to 30 Days	31 to 60 Days	61 to 120 Days	121 to 180 Days	181 to 365 Days	More Than 365 Days	Total
All disclosed	0	0	0	0	0	0	0	0
Disclosed in part	0	0	2	2	1	1	0	6
All exempted	0	0	0	0	0	0	0	0
All excluded	0	0	0	0	0	0	0	0
No records exist	0	0	0	0	0	0	0	0
Request abandoned	2	0	0	1	0	2	0	5
Neither confirmed nor denied	0	4	2	1	1	1	2	11
Total	2	4	4	4	2	4	2	22

3.2 Exemptions

Section	Number of requests
18(2)	0
19(1)(a)	0
19(1)(b)	0
19(1)(c)	0
19(1)(d)	0
19(1)(e)	0
19(1)(f)	0
20	0
21	6
22(1)(a)(i)	0
22(1)(a)(ii)	0
22(1)(a)(iii)	0
22(1)(b)	0
22(1)(c)	0
22(2)	0
22.1	0
22.2	0
22.3	1
22.4	0
23(a)	0
23(b)	0
24(a)	0
24(b)	0
25	0
26	5
27	2
27.1	0
28	0

 

3.3 Exclusions

Section	Number of requests
69(1)(a)	0
69(1)(b)	0
69.1	0
70(1)	0
70(1)(a)	0
70(1)(b)	0
70(1)(c)	0
70(1)(d)	0
70(1)(e)	0
70(1)(f)	0
70.1	0

 

3.4 Format of information released

Paper	Electronic				Other
	E-record	Data set	Video	Audio
0	6	0	0	0	0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

Number of pages processed	Number of pages disclosed	Number of requests
1092	891	22

3.5.2 Relevant pages processed by request disposition for paper and e-record format by size of requests

Disposition	Less than 100 pages processed		101 to 500 pages processed		501 to 1000 pages processed		1001 to 5000 pages processed		More than 5000 pages processed
	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
All disclosed	0	0	0	0	0	0	0	0	0	0
Disclosed in part	2	178	4	914	0	0	0	0	0
All exempted	0	0	0	0	0	0	0	0	0	0
All excluded	0	0	0	0	0	0	0	0	0	0
Request abandoned	5	0	0	0	0	0	0	0	0	0
Neither confirmed nor denied	11	0	0	0	0	0	0	0	0	0
Total	18	178	4	914	0	0	0	0	0	0

3.5.3 Relevant minutes processed and disclosed for audio formats

Number of minutes processed	Number of minutes disclosed	Number of requests
0	0	0

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

Disposition	Less than 60 minutes processed		60 to 120 minutes processed		More than 120 minutes processed
	Number of requests	Minutes processed	Number of requests	Minutes processed	Number of requests	Minutes processed
All disclosed	0	0	0	0	0	0
Disclosed in part	0	0	0	0	0	0
All exempted	0	0	0	0	0	0
All excluded	0	0	0	0	0	0
Request abandoned	0	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0	0
Total	0	0	0	0	0	0

3.5.5 Relevant minutes processed and disclosed for video formats

Number of minutes processed	Number of minutes disclosed	Number of requests
0	0	0

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

Disposition	Less than 60 minutes processed		60 to 120 minutes processed		More than 120 minutes processed
	Number of requests	Minutes processed	Number of requests	Minutes processed	Number of requests	Minutes processed
All disclosed	0	0	0	0	0	0
Disclosed in part	0	0	0	0	0	0
All exempted	0	0	0	0	0	0
All excluded	0	0	0	0	0	0
Request abandoned	0	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0	0
Total	0	0	0	0	0	0

3.5.7 Other complexities

Disposition	Consultation required	Legal advice sought	Interwoven information	Other	Total
All disclosed	0	0	0	0	0
Disclosed in part	1	0	0	0	1
All exempted	0	0	0	0	0
All excluded	0	0	0	0	0
Request abandoned	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0
Total	1	0	0	0	1

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

Number of requests closed within legislated timelines	7
Percentage of requests closed within legislated timelines (%)	31.81818182

3.6.1 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

Number of Requests Closed Past the Legislated Timelines	Principal Reason
	Interference with Operations / Workload	External Consultation	Internal Consultation	Other
15	4	0	2	9

3.7.2 Requests closed beyond legislated timelines (including any extension taken)

Number of Days Past Legislated Timelines	Number of Requests Past Legislated Timeline Where No Extension Was Taken	Number of Requests Past Legislated Timelines Where an Extension Was Taken	Total
1 to 15 days	1	0	1
16 to 30 days	3	0	3
31 to 60 days	2	0	2
61 to 120 days	2	0	2
121 to 180 days	3	0	3
181 to 365 days	2	0	2
More than 365 days	2	0	2
Total	15	0	15

3.8 Requests for translation

Translation Requests	Accepted	Refused	Total
English to French	0	0	0
French to English	0	0	0
Total	0	0	0

Section 4: Disclosures under subsections 8(2) and 8(5)

Paragraph 8(2)(e)	Paragraph 8(2)(m)	Subsection 8(5)	Total
0	1	0	1

Section 5: Requests for correction of personal information and notations

Disposition for correction requests received	Number
Notations attached	0
Requests for correction accepted	0
total	0

Section 6: Extensions

6.1 Reasons for extensions

Number of extensions taken	15(a)(i) Interference with operations				15 (a)(ii) Consultation
	Further review required to determine exemptions	Large volume of pages	Large volume of requests	Documents are difficult to obtain	Cabinet Confidence Section (Section 70)	External	Internal	15(b) Translation purposes or conversion
1	0	0	0	0	0	1	0	0

6.2 Length of extensions

Length of extensions	15(a)(i) Interference with operations					15 (a)(ii) Consultation
	Further review required to determine exemptions	Large volume of pages	Large volume of requests	Documents are difficult to obtain	Cabinet Confidence Section (Section 70)	External	Internal	15(b) Translation purposes or conversion
1 to 15 days	0	0	0	0	0	0	0	0
16 to 30 days	0	0	0	0	0	0	1	0
31 days or greater								0
Total	0	0	0	0	0	0	1	0

Section 7: Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

Consultations	Other Government of Canada institutions	Number of pages to review	Other organizations	Number of pages to review
Received during the reporting period	1	53	0	0
Outstanding from the previous reporting period	0	0	0	0
Total	1	53	0	0
Closed during the reporting period	1	53	0	0
Carried over within negotiated timelines	0	0	0	0
Carried over beyond negotiated timelines	0	0	0	0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation	Number of days required to complete consultation requests
	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
Disclosed entirely	0	0	0	0	0	0	0	1
Disclosed in part	0	0	1	0	0	0	0	1
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	0	0	1	0	0	0	0	1

7.3 Recommendations and completion time for consultations received from other organizations

Recommendation	Number of days required to complete consultation requests
	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
Disclosed entirely	0	0	0	0	0	0	0	0
Disclose in part	0	0	0	0	0	0	0	0
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0

Section 8: Completion time of consultations on Cabinet Confidences

8.1 Requests with legal services

Number of days	Fewer than 100 pages processed		101 to 500 pages processed		501 to 1000 pages processed		1001 to 5000 pages processed		More than 5000 pages processed
	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365 days	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

8.2 Requests with Privy Council Office

Number of days	Fewer than 100 pages processed		101 to 500 pages processed		501 to 1000 pages processed		1001 to 5000 pages processed		More than 5000 pages processed
	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365 days	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

Section 9: Complaints and investigations notices received

Section 31	Section 33	Section 35	Court action	Total
3	3	0	0	6

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy impact assessments

Number of PIAs completed	0
Number of PIAs modified	0

10.2 Institution-specific and Central Personal Information Banks

Personal Information Banks	Active	Created	Terminated	Modified
Institution-specific	2	0	0	0
Central	55	0	0	0
Total	57	0	0	0

Section 11: Privacy breaches

11.1 Material privacy breaches reported

Number of material privacy breaches reported to TBS	2
Number of material privacy breaches reported to OPC	2

11.2 Non-material privacy breaches

Number of non-material privacy breaches	9

Section 12: Resources related to the Privacy Act

12.1 Allocated costs

Expenditures	Amount
Salaries	$505,090
Overtime	$1,797
Goods and Services	$6,984
Goods and Services - Professional services contracts	$0
Goods and Services - Other	$6,985
Total	$513,871

12.2 Human Resources

Resources	Person years dedicated to privacy activities
Full-time employees	4.521
Part-time and casual employees	0.000
Regional staff	0.000
Consultants and agency personnel	0.000
Students	1.062
Total	5.583

Note: Enter values to three decimal places.

Supplemental Statistical Report on the Access to Information Act and Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

Enter the number of weeks your institution your institution was able to receive ATIP requests through the different channels.

	Number of Weeks
Able to receive requests by mail	52
Able to receive requests by email	52
Able to receive requests through the digital request service	52

Section 2: Capacity to Process Records under the Access to Information Act and Privacy Act

2.1 Enter the number of weeks your institution was able to process paper records in different classification levels.

	No Capacity	Partial Capacity	Full Capacity	Total
Unclassified paper records	0	0	52	52
Protected B paper records	0	0	52	52
Secret and Top Secret paper records	0	0	52	52

2.2 Enter the number of weeks your institution was able to process electronic records in different classification levels.

	No Capacity	Partial Capacity	Full Capacity	Total
Unclassified paper records	0	0	52	52
Protected B electronic records	0	0	52	52
Secret and Top Secret electronic records	0	0	52	52

Section 3: Open requests and complaints under the Access to Information Act

3.1 Enter the number of open requests that are outstanding from previous reporting periods.

Fiscal year open requests were received	Open requests that are Within Legislated Timelines as of March 31, 2023	Open requests that are Beyond Legislated Timelines as of March 31, 2023	Total
Received in 2022 to 2023	7	21	28
Received in 2021 to 2022	0	26	26
Received in 2020 to 2021	1	15	16
Received in 2019 to 2020	0	17	17
Received in 2018 to 2019	1	8	9
Received in 2017 to 2018	0	17	17
Received in 2016 to 2017 or earlier	0	18	18
Received in 2015 to 2016	0	4	4
Received in 2014 to 2015	0	8	8
Received in 2013 to 2014 or earlier	0	3	3
Total	0	137	146

3.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.

Fiscal year open complaints were received by Institution	Number of open complaints
Received in 2022 to 2023	6
Received in 2021 to 2022	1
Received in 2020 to 2021	0
Received en 2019 to 2020	0
Received in 2018 to 2019	0
Received in 2017 to 2018	1
Received in 2016 to 2017	0
Received in 2015 to 2016	0
Received in 2014 to 2015	0
Received in 2013 to 2014 or earlier	0
Total	8

Section 4 : Open requests and complaints under the Privacy Act

4.1 Enter the number of open requests that are outstanding from previous reporting periods.

Fiscal year open requests were received	Open requests that are Within Legislated Timelines as of March 31, 2023	Open requests that are Beyond Legislated Timelines as of March 31, 2023	Total
Received in 2022 to 2023	1	7	8
Received in 2021 to 2022	0	4	4
Received in 2020 to 2021	0	4	4
Received in 2019 to 2020	0	2	2
Received in 2018 to 2019	0	0	0
Received in 2017 to 2018	0	0	0
Received in 2016 to 2017	0	1	1
Received in 2015 to 2016	0	0	0
Received in 2015 to 2014	0	2	2
Received in 2013 to 2014 or earlier	0	1	1
Total	1	21	22

4.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Fiscal year open complaints were received by Institution	Number of open complaints
Received in 2022 to 2023	3
Received in 2021 to 2022	4
Received in 2020 to 2021	0
Received in 2019 to 2020	1
Received in 2018 to 2019	1
Received in 2017 to 2018	0
Received in 2016 to 2017	0
Received in 2015 to 2016	0
Received in 2014 to 2015	0
Received in 2013 to 2014 or earlier	0
Total	9

Section 5: Social Insurance Number (SIN)

Did your institution received authority for a new collection or new consistent use of the SIN in 2022 to 2023?	No

Universal Access under the Privacy Act

How many requests were received from confirmed foreign nationals outside of Canada in 2022-2023?	0