Annual Report to Parliament on the Administration of the Access to Information Act 2019-2020

INTRODUCTION

The purpose of the Access to Information Act is to extend the present laws of Canada to provide a right of access to information in records under the control of a federal government institution in accordance with the principles that:

  • government information should be available to the public;
  •  necessary exceptions to the right of access should be limited and specific; and
  • decisions on the disclosure of government information should be reviewed independently of government.

This is the seventh annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 94 of the Access to Information Act and section 20 of the Service Fees Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Access to Information Act during the reporting period 1 April 2019 to 31 March 2020.

MANDATE OF THE COMMUNICATIONS SECURITY ESTABLISHMENT

On August 1st, 2019 the Communications Security Establishment Act (CSE Act) entered into force as part of Bill C-59 (An Act respecting national security matters). The CSE Act sets out the five aspects of CSE’s mandate:

  • helping to protect and defend Canada’s most important cyber systems;
  • acquiring foreign intelligence in support of the Government of Canada’s intelligence priorities;
  • conducting defensive foreign cyber operations;
  • conducting active foreign cyber operations; and
  • assisting federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence to carry out their lawful mandates.

The CSE Act provides CSE with a modern set of authorities and also enhances the accountability framework with new oversight and review functions.

STRUCTURE OF THE ACCESS TO INFORMATION AND PRIVACY OFFICE

The ATIP Office is part of the Policy, Disclosure and Review group in CSE’s Policy and Communications Branch. The Minister of National Defence delegated all authorities under section 95 of the Access to Information Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, the Manager, Disclosures, and Supervisor, Access to Information and Privacy Operations.

A copy of the Delegation Order setting out the responsibilities under the Act appears in Appendix I of this report.

The Access to Information and Privacy Office includes a manager responsible for twelve (12) mandated full-time positions working in two distinct teams: ATIP Operations and, Privacy Policy and Governance. At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor and seven (7) analysts, while the Privacy Policy and Governance team consisted of one (1) supervisor and three (3) analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of the Access to Information Act and Privacy Act.

Specifically, the ATIP Operations team is responsible for the following activities:

  • Processing requests under the Access to Information Act and Privacy Act;
  • Responding to consultation requests from other government institutions;
  • Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
  • Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
  • Providing training and other outreach initiatives to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

  • Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy related matters;
  • Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in privacy protection communities of practice;
  • Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
  • Drafting and implementing privacy-related policies, internal procedures, guidance documents and working aids; and,
  • Providing training and other outreach initiatives to CSE staff on the administration of the Privacy Act with regards to the protection of personal information.