Annual Report to Parliament on the Administration of the Privacy Act 2023-2024

Alternate format: Annual Report to Parliament on the Administration of the Privacy Act 2022-2023 (PDF, 948 KB)

Pursuant to subsection 72(1) of the Privacy Act, this document contains the Annual Report to Parliament on the Administration of the Privacy Act for 2023-2024 as submitted by the Minister of National Defence.

Table of contents

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the eleventh annual report prepared by the Communications Security Establishment Canada (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2023 to 31 March 2024.

Mandate of the Communications Security Establishment

On August 1st, 2019, the Communications Security Establishment Act (CSE Act) entered into force as part of Bill C-59 (An Act respecting national security matters). The CSE Act sets out the five (5) aspects of CSE’s mandate:

  • helping to protect and defend Canada’s most important cyber systems;
  • acquiring foreign intelligence in support of the Government of Canada’s intelligence priorities;
  • conducting defensive foreign cyber operations;
  • conducting active foreign cyber operations; and
  • providing technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.

The CSE Act provides CSE with a modern set of authorities and enhances the accountability framework with new oversight and review functions.

Organizational structure

The ATIP Office is part of the Transparency and Information Sharing (TIS) group in CSE’s Authorities, Compliance and Transparency (ACT) Branch. As noted in the previous annual report, this new restructuring was part of CSE’s strategic goal to uphold the highest standards of compliance, lawfulness, and respect for the privacy of Canadians.

The Access to Information and Privacy Office include a manager responsible for twelve (12) full-time positions working in two (2) separate teams: ATIP Operations and, Privacy Policy and Governance. At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor, five (5) analysts and one (1) support officer, while the Privacy Policy and Governance team consisted of one (1) supervisor and four (4) analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS , and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of the Access to Information Act and Privacy Act.

Specifically, the ATIP Operations team is responsible for the following activities:

  • Processing requests under the Access to Information Act and Privacy Act;
  • Responding to consultation requests from other government institutions;
  • Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
  • Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
  • Providing training and other outreach initiatives to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

  • Supporting Deputy Chief, Authorities, Compliance and Transparency, CSE’s Chief Privacy Officer in ensuring the institution's programs and activities are in accordance with the requirements of the Privacy Act and related policy instruments;
  • Identifying and managing privacy risks across the institution, partly by leading or supporting the development of Privacy Impact Assessments, Privacy Needs Analyses, System Identification Documents, Privacy Notice Statements, and maintenance of Personal Information Banks;
  • Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of associated regulations, policies and guidelines;
  • Identifying and managing privacy breaches and material privacy breaches;
  • Representing CSE in privacy protection communities of practice;
  • Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
  • Drafting and implementing privacy-related policies, internal procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.

Delegation order

The delegation order in effect at the end of 2023-2024 has been updated from an earlier organizational structure at CSE and a copy can be found in Appendix I of this report. The Minister of National Defence, the Honourable Bill Blair, delegated all authorities under section 73 of the Privacy Act to the Chief, CSE, the Deputy Chief, Authorities, Compliance and Transparency, the Director, Transparency and Information Sharing, and to the Manager, Transparency and Disclosures. He also delegated limited authorities to the Supervisor, Access to Information and Privacy Operations and the Supervisor, Privacy Policy and Governance as well as the Manager, Employee and Organization Wellness.

Performance 2023-2024

CSE's 2022-2023 Statistical Report on the Privacy Act and Supplemental ATIP Statistical Report for 2023-2024 (both of which were validated by TBS ) can be found in Appendix II.

Number of formal requests

During this reporting period, CSE received thirty (30) requests under section 12(1) the Privacy Act, which is an increase from the previous fiscal year when nineteen (19) new requests were received. In addition, nine (9) requests outstanding from the previous reporting period were carried over and fourteen (14) from more than one reporting period ago, giving CSE a total of fifty-three (53) requests to process. By the end of 2023-2024, CSE closed twenty-one (21) requests and carried forward thirty-two (32) into 2024-2025.

Long description immediately follows
 
Long description - Received requests
Received requests
Requests 2019 to 2020 2020 to 2021 2021 to 2022 2022 to 2023 2023 to 2024
Privacy 36 23 22 19 30
Privacy consultations 1 0 2 1 0
 
 

Disposition of completed requests

CSE closed 21 requests during this reporting period. Of these, nine (9) (43%) were disclosed in part, none (0%) were disclosed in full and seven (7) were abandoned by the applicants. There were also five (5) requests where the existence of records was neither confirmed nor denied which is a significant decrease from eleven (11) records in 2022-2023. There were no requests which were exempted or excluded in full.

Long description immediately follows
 
Long description - Closed requests
Closed requests
Requests 2019 to 2020 2020 to 2021 2021 to 2022 2022 to 2023 2023 to 2024
Privacy 28 23 16 22 21
Privacy consultations 1 0 2 1 0
 
Long description immediately follows
 
Long description - Disposition of completed
Disposition of completed requests
Disposition 2019 to 2020 2020 to 2021 2021 to 2022 2022 to 2023 2023 to 2024
All disclosed 0% 0% 0% 0% 0%
Disclosed in part 61% 57% 50% 27% 43%
All exempted 4% 0% 0% 0% 0%
All excluded 0% 0% 0% 0% 0%
No records exist 7% 0% 0% 0% 0%
Request abandoned 11% 9% 38% 23% 33%
Neither confirm nor deny 18% 35% 13% 50% 24%
 

Neither confirm nor deny

Section 16(2) of the Act indicates that institutions do not have to tell a requester whether personal information exists. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities, or the safety of individuals. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. As noted above, the application of subsection 16(2) was used five (5) times during the 2023-2024 fiscal year.

Completion time

During the 2023-2024 fiscal year, eight (8) of the completed requests made under the Privacy Act were closed within the legislative timeframe, representing 38% of all completed requests. None of these requests included extensions beyond the initial 30 days. CSE closed eight (8) requests within 1-30 days; three (3) between 31 and 60 days; seven (7) between 61 and 120 days; one (1) between 121 and 180 days; two (2) between 181 and 365 days; and zero (0) took more than 365 days to process. In general, the requests received during 2023-2024 involved information of a highly sensitive nature resulting in greater complexity in fulfilling them. CSE processed a total of 1,666 pages in 2023-2024 compared to 1,092 pages in 2022-2023. Of the total requests carried over into 2024-2025, fourteen (14) (44%) were received during the 2023-2024 reporting period.

Open requests outstanding from previous reporting periods
Reporting period received Within legislated timelines Beyond legislated timelines Total
2014 to 2015 or earlier 0 3 3
2015 to 2016 0 0 0
2016 to 2017 0 1 1
2017 to 2018 0 0 0
2018 to 2019 0 0 0
2019 to 2020 0 2 2
2020 to 2021 0 4 4
2021 to 2022 0 4 4
2022 to 2023 0 4 4
2023 to 2024 5 9 14
Total 5 27 32
 
Long description immediately follows
 
Long description - Completion time
Completion time
Completion time 2019 to 2020 2020 to 2021 2021 to 2022 2022 to 2023 2023 to 2024
Closed within 30 days 50% 35% 56% 27% 38%
31 to 60 days 18% 0% 6% 18% 14%
61 to 120 days 14% 9% 19% 18% 33%
121 to 180 days 18% 22% 6% 9% 5%
181 to 365 days 0% 26% 0% 18% 10%
More than 365 days 0% 9% 13% 9% 0%
 

Exemptions to the release of information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Section 21 was applied in ten (10) requests to protect information which could be reasonably expected to be injurious to the defense of Canada. Section 26 was applied in seven (7) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the time limit

One (1) extension, based on Section 15 (a)(i) of the Privacy Act relating to external consultation, was taken on requests under the Privacy Act during the 2023-2024 fiscal year.

Consultations

CSE received no (0) consultations from other government departments.

Summary of key issues and actions taken on complaints

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

CSE received six (6) complaints during fiscal year 2023-2024 and closed four (4) complaints against CSE. CSE provided information to the OPC in relation to all complaints as requested.

Four (4) of the complaints received in the current reporting period alleged that CSE had not provided responsive records within the prescribed time periods. One (1) included an allegation of denial of the right of access as well as not responding within prescribed time limits. The final complaint received was a general refusal complaint alleging that CSE had contravened the complainant’s right of access. CSE made representations to the OPC regarding complaints as requested and will continue to work with the OPC to resolve them in a timely manner.

Two (2) of the closed complaints were found to be well founded and resolved. The remaining two (2) were closed at the early resolution stage with no findings.

At the end of the reporting period, the OPC had eight (8) complaints pending with CSE. CSE continues to work closely with the OPC to resolve complaints received in previous reporting periods in an efficient manner.

Active complaints from previous reporting periods
Reporting period received Number of open complaints
2013 to 2014 or earlier 0
2014 to 2015 0
2015 to 2016 0
2016 to 2017 0
2017 to 2018 0
2018 to 2019 0
2019 to 2020 0
2020 to 2021 0
2021 to 2022 3
2022 to 2023 2
2023 to 2024 3
Total 8
 

Education and training

CSE continues its commitment to the ongoing learning and development of its employees and provides comprehensive privacy awareness training sessions to ensure all employees are up to date on their responsibilities regarding the management of personal information in both mission and non-mission related activities.

These training sessions were delivered to specific audience groups such as operational units, corporate teams, new staff and coop students on a regular and ad hoc basis.

In 2023-2024, 471 employees completed the online privacy awareness training module, which is a training program deployed in 2019-2020 that aims to improve the availability of privacy awareness training to CSE employees. All CSE employees are required to complete this training module at the beginning of their career at CSE and then once every two years.

Additional privacy educational initiatives in 2023-2024 included promoting privacy awareness through the organization of Privacy Awareness Week (PAW) at CSE from May 23 to 26, 2023. The Privacy Policy and Governance team planned a full calendar of activities including privacy-focused announcements, interactive posts and two (2) live privacy-focused presentations by knowledgeable guest speakers. Privacy Awareness Week is an event that provides CSE’s Privacy Policy and Governance team with the opportunity to educate and raise employee awareness of their responsibilities regarding personal information and of the various resources available to them, including the team itself and privacy awareness training.

The 2023 PAW included a discussion with a guest expert speaker which was attended by more than 250 employees. Additionally, PPGO published resources to raise privacy awareness during this week.

Separately, PPGO provided training to Corporate Security management on the identification and management of privacy breaches. The presentation, which was attended by the program area’s Deputy Chief, Director General, Director, and multiple managers and supervisors, explored the steps needed to identify and respond to privacy breaches, including the policy requirements pertaining to notifications to TBS and OPC .

Collectively, these efforts provided opportunities to showcase privacy across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE’s ATIP Operations Office and Privacy Policy and Governance team. The teams’ support included guidance on CSE privacy policies, procedures, and best practices for managing personal information.

In addition, new employees are required to complete an online training session “Privacy Awareness” within three months of their start date. In addition, CSE encourages employees to take advantage of access to information and privacy courses offered through the Canada School for Public Service (CSPS).

Policies, guidelines, and procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy which outlines CSE’s obligations to manage and protect personal information during its corporate functions in accordance with the Privacy Act, its regulations, and Treasury Board Secretariat (TBS) policies relating to privacy. Note that the policy clarifies that privacy awareness training is mandatory for all CSE staff.

In 2023-24, PPGO updated its standard operating procedures for managing privacy breaches. This update included lessons learned from recent privacy breaches affecting non-governmental partners which involved malicious cyber actors. PPGO also clarified Privacy Act requirements in an update to CSE’s Operational policy.

The ATIP Operations team continues to seek new opportunities to improve the efficiency and timeliness of processing requests. In fiscal year 2023-2024, this included improvements to the ATIP Manual outlining how to respond to access requests, access consultations, privacy requests and privacy consultations; and flow charts illustrating the ATIP Operations team’s processes.

The teams are also actively recruiting new hires both internal and external to the federal government. It is important to note though that CSE’s hiring process is conducted in three phases which can take anywhere from 6-12 months or longer thereby making it challenging to respond quickly to staffing needs.

Other key initiatives

It is important to note that the ATIP Operations team also supports the work of the National Security Intelligence Review Agency (NSIRA), the National Security and Intelligence Committee of Parliamentarians (NSICOP), and the Intelligence Commissioner (IC) by reviewing their documents, which contain sensitive CSE information, and providing unclassified versions that can be shared openly with the public.

There has been an increase in non- ATIP related requests which has impacted the time the team can devote to access and privacy requests. This time is not represented in the statistical reporting, but accounts for approximately 2 FTE for the reporting period, an increase from 1.36 in 2022-2023.

Initiatives and projects to improve privacy

CSE has been using the ATIP Online Management Tool (AOMT) which replaced the ATIP Online Request Service (AORS) in this reporting period. The AOMT is a centralized website developed by TBS that enables users to complete access to information requests and submit them to any of the institutions that are subject to the Government of Canada’s Privacy Act. CSE received 23 requests via this service, representing approximately 77% of the total requests received. 20% of requests were received by email and the remaining 3% through regular mail.

Material privacy breaches

Three (3) material privacy breaches were reported to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat related to the reporting period of April 1, 2023, to March 31, 2024. Two of them were caused by human error where personal information of one individual was accidently sent to unintended recipients via email. The emails were recalled where possible, and a follow up was conducted to request the deletion of information. The third breach involved improper access controls on some of the documents, stored on CSE’s protected B system, that contained employee personal information. Several steps were taken to reduce the likelihood of similar events. PPGO is continuing to develop measures to reduce the likelihood of similar breaches occurring in the future. This includes modifying CSE's internal privacy policy and training to include privacy and information management best practices, and updating the mandatory Privacy Awareness Training to be every two years instead of three. A quarterly validation of gcdocs access controls has been instituted by CSE.

Privacy impact assessments

During the 2023-2024 reporting period, CSE did not complete any Privacy Impact Assessments (PIA).

Public interest disclosure

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates.

CSE made one public interest disclosure in the year 2023-2024. During the security screening process, an individual admitted having possession of illegal internet content. The public interest disclosure was made to the police to help ensure the safety of others. A detailed notice was provided to the OPC prior to the disclosure omitting identifiable information to the extent possible.

Monitoring compliance

Using our case management software, the ATIP Office continues to produce reports on the time taken to process requests. These reports are shared with our ATIP Coordinator throughout the fiscal year. The ATIP Operations team tracks all requests and reports bi-weekly to the team manager on any issues and/or delays in processing requests. This provides an opportunity for the manager to triage requests or allocate resources, for example, in order to meet legislated timelines. CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis.

Like many other government departments, CSE is experiencing a backlog in responding to requests for information. The ATIP Operations team has implemented mechanisms and tools to address this backlog such as the team’s bi-weekly tracker for requests for information and access consultations. The ATIP supervisor and manager are briefed weekly on the number of new requests, closed requests, and are alerted to any backlogs by ATIP analysts. This is an opportunity to discuss how best to triage requests and allocate resources as required to meet legislated timelines.

Three (3) material privacy breaches occurred at CSE during the related reporting period of April 1, 2023, to March 31, 2024. As part of PPGO ’s obligations, all breaches were reported to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat.

Appendix I: Delegation of Authority

Communications Security Establishment

Privacy Act Delegation Order

The Minister of National Defense, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out below, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister of National Defense as the head of the Communications Security Establishment, under the provisions of the Privacy Act and related regulations set out below for each position.

  • Chief, Communications Security Establishment: full authority, except joint authority under paragraph 8(2)(m) (public interest disclosure) with the Deputy Chief, Authorities, Compliance and Transparency.
  • Deputy Chief, Authnrities, Compliance and Transparency: full authority, except joint authority under paragraph 8(2)(m) (public interest disclosure) with the Chief, Communications Security Establishment.
  • Director, Transparency and Disclosures: full authority, except for paragraph 8(2)(m) (public interest disclosure).
  • Manager, Transparency and Disclosures: full authority, except for paragraph 8(2)(m) (public interest disclosure).
  • Supervisor, Access to Information and Privacy Operations: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure), paragraph 14(a) only when no records exist (notice) and section 1S (extension of time limits).
  • Supervisor, Privacy, Policy and Governance: subsection 8(2) (use and disclosure) except for paragraph 8(2)(m) (public interest disclosure).
  • Manager, Employee and Organizational Wellness: paragraph 8(2)(m) (public interest disclosure) when it is believed that there is a duty to report child abuse under provincial or territorial legislation as part of their official duties; or where it is believed that there is a threat of harm to self or other.

This delegation order replaces all previous delegation orders.

Dated at Ottawa this 20 day of March 2024.

The Hon. Bill Blair, P.C. C.O.M., M.P.
Minister of National Defence

Appendix II: Statistical Report on the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Requests Under the Privacy Act

Section 1.1: Number of requests received
Requests Number of requests
Received during reporting period 30
Outstanding from previous reporting periods 23
  • Outstanding from previous reporting periods: 9
  • Outstanding from more than one reporting period: 14
Total 53
Closed during reporting period 21
Carried over to next reporting period 32
  • Carried over within legislated timeline: 5
  • Carried over beyond legislated timeline : 27
Section 1.2: Channels of requests
Source Number of requests
Online 23
E-mail 6
Mail 1
In person 0
Phone 0
Fax 0
Total 30

Section 2: Informal requests

Section 2.1: Number of informal requests
Requests Number of requests
Received during reporting period 0
Outstanding from previous reporting periods 0
Outstanding from previous reporting period 0
Outstanding from more than one reporting period 0
Total 0
Closed during reporting period 0
Carried over to next reporting period 0
Section 2.2: Channels of informal requests
Source Number of requests
Online 0
E-mail 0
in person 0
Phone 0
Fax 0
Total 0
2.3 Completion time of informal requests
Completion time
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
0 0 0 0 0 0 0 0
2.4 Pages released informally
Less than 100 pages released 100 to 500 pages released 501 to 1000 pages released 1001 to 5000 pages released More than 5000 pages released
Number of requests Pages released Number of requests Pages released Number of requests Pages released Number of requests Pages released Number of requests Pages released
0 0 0 0 0 0 0 0 0 0
 

Section 3: Requests closed during the reporting period

3.1 Disposition and completion time
Disposition of requests Completion time
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 1 1 2 2 1 2 0 9
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 5 0 0 2 0 0 0 7
Neither confirmed nor denied 0 1 1 3 0 0 0 5
Total 6 2 3 7 1 2 0 21
3.2 Exemptions
Section Number of requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 10
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 7
27 1
27.1 0
28 2
 
3.3 Exclusions
Section Number of requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
 
3.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 9 0 0 0 0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of pages processed Number of pages disclosed Number of requests
1666 1074 21
3.5.2 Relevant pages processed by request disposition for paper and e-record format by size of requests
Disposition Less than 100
pages
processed
101 to 500
pages
processed
501 to 1000
pages
processed
1001 to 5000
pages
processed
More than 5000
pages
processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 6 261 2 638 1 767 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 7 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 5 0 0 0 0 0 0 0 0 0
Total 18 261 2 638 1 767 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less than 60 minutes processed 60 to 120 minutes processed More than 120 minutes processed
Number of requests Minutes processed Number of requests Minutes processed Number of requests Minutes processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less than 60 minutes processed 60 to 120 minutes processed More than 120 minutes processed
Number of requests Minutes processed Number of requests Minutes processed Number of requests Minutes processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation required Legal advice sought Interwoven information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 1 0 0 0 1
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 1 0 0 0 1

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines
Number of requests closed within legislated timelines 8
Percentage of requests closed within legislated timelines (%) 38.0952381

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines Principal reason
Interference with operations / workload External consultation Internal consultation Other
13 8 0 2 3
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of days past legislated timelines Number of requests past legislated timeline where no extension was taken Number of requests past legislated timelines where an extension was taken Total
1 to 15 days 2 0 2
16 to 30 days 1 1 2
31 to 60 days 4 0 4
61 to 120 days 3 0 3
121 to 180 days 0 0 0
181 to 365 days 2 0 2
More than 365 days 0 0 0
Total 12 1 13
3.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0
 
Section 4: Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 1 0 1
Section 5: Requests for correction of personal information and notations
Disposition for correction requests received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions
Number of extensions taken 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet confidence section
(Section 70)
External Internal
1 0 1 0 0 0 0 0 0
6.2 Length of extensions
Length of extensions 15(a)(i) Interference with operations 15(a)(ii)
Consultation
15(b)
Translation purposes or conversion
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are
difficult to obtain
Cabinet
Confidence Section
(Section 70)
External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 1 0 0 0 0 0 0
31 days or greater nil nil nil nil nil nil nil 0
Total 0 1 0 0 0 0 0 0
 

Section 7: Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of
Canada institutions
Number of pages
to review
Other
organizations
Number of pages
to review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of days required to complete consultation requests
0 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than 365
days
Total
Disclosed entirely 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
7.3 Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
0 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than 365
days
Total
Disclosed entirely 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
 

Section 8: Completion time of consultations on cabinet confidences

8.1 Requests with Legal Services
Number of days Fewer than 100
pages processed
100 to 500
pages processed
501 to 1000
pages processed
1001 to 5000
pages processed
More than 5000
pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of days Fewer than 100
pages processed
100 to 500
pages processed
501 to 1000
pages processed
1001 to 5000
pages processed
More than 5000
pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
182 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
Section 9: Complaints and investigations notices received
Section 31 Section 33 Section 35 Court action Total
4 0 2 0 6

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy impact assessments
Number of PIAs completed 0
Number of PIAs modified 0
10.2 Institution-specific and central personal information banks
Personal information banks Active Created Terminated Modified
Institution-specific 2 0 0 0
Central 0 0 0 0
Total 2 0 0 0

Section 11: Privacy breaches

11.1 Material privacy breaches reported
Number of material privacy breaches reported to TBS 3
Number of material privacy breaches reported to OPC 3
11.2 Non-material privacy breaches
Number of non-material privacy breaches 14

Section 12: Resources related to the Privacy Act

12.1 Allocated costs
Expenditures Amount
Salaries $616,871
Overtime $875
Goods and Services $35,800
  • Professional services contracts: $0
  • Other: $35,800
Total $653,546
12.2 Human Resources
Resources Person years dedicated to privacy activities
Full-time employees 5.666
Part-time and casual employees 0.000
Regional staff 0.000
Consultants and agency personnel 0.000
Students 0.415
Total 6.081

Note: Enter values to three decimal places.

 

Supplemental statistical report on the Access to Information Act and the Privacy Act

Name of institution: Communications Security Establishment

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Capacity to receive requests under the Access to Information Act and the Privacy Act

1.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal year open
requests were received
Open requests
that are within
legislated timelines
as of March 31, 2024
Open requests
that are beyond
legislated timelines
as of March 31, 2024
Total
Received in 2023-2024 7 30 37
Received in 2022-2023 2 16 18
Received in 2021-2022 0 23 23
Received in 2020-2021 1 12 13
Received in 2019-2020 0 16 16
Received in 2018-2019 1 7 8
Received in 2017-2018 0 17 17
Received in 2016-2017 0 18 18
Received in 2015-2016 0 4 4
Received in 2014-2015 or earlier 0 11 11
Total 11 154 165
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open
complaints were received
by institution
Number of open complaints
Received in 2023-2024 12
Received in 2022-2023 1
Received in 2021-2022 0
Received in 2020-2021 0
Received in 2019-2020 0
Received in 2018-2019 0
Received in 2017-2018 1
Received in 2016-2017 0
Received in 2015-2016 0
Received in 2014-2015 or earlier 0
Total 14
 

Section 2: Open requests and complaints under the Privacy Act

2.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal year open
requests were received
Open requests
that are within
legislated timelines
as of March 31, 2024
Open requests
that are beyond
legislated timelines
as of March 31, 2024
Total
Received in 2023-2024 5 9 14
Received in 2022-2023 0 4 4
Received in 2021-2022 0 4 4
Received in 2020-2021 0 4 4
Received in 2019-2020 0 2 2
Received in 2018-2019 0 0 0
Received in 2017-2018 0 0 0
Received in 2016-2017 0 1 1
Received in 2015-2016 0 0 0
Received in 2014-2015 or earlier 0 3 3
Total 5 27 32
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open
complaints were received
by institution
Number of open complaints
Received in 2023-2024 3
Received in 2022-2023 2
Received in 2021-2022 3
Received in 2020-2021 0
Received in 2019-2020 0
Received in 2018-2019 0
Received in 2017-2018 0
Received in 2016-2017 0
Received in 2015-2016 0
Received in 2014-2015 or earlier 0
Total 8
 

Section 3: Social Insurance Number

Did your institution receive authority for a new collection or new consistent use of the SIN in 2023 to 2024 No

Section 4: Universal Access under the Privacy Act

How many requests were received from confirmed foreign nationals outside of Canada in 2023 to 2024? 0
Date modified: