Annual Report on the Privacy Act—2017–18

ISSN 2561-8571

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament.

This annual report on the administration of the Privacy Act at the OAG describes how we administered our responsibilities under the Act during the 2017–18 fiscal year.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Coordinator
Office of the Auditor General of Canada
240 Sparks Street
Ottawa, Ontario  K1A 0G6

Tel.: 613-952-0213 (ext. 6455)
Fax: 613-954-0441
Email: privacy@oag-bvg.gc.ca

Who we are

The Office of the Auditor General of Canada (OAG) audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds. While the OAG may comment on policy implementation in an audit, it does not comment on policy itself.

We are in the business of legislative auditing. We conduct

Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which was established through amendments to the Auditor General Act.

The Auditor General of Canada is the designated head of the institution for the Access to Information Act as well as the Privacy Act. Pursuant to section 73 of both acts, the Auditor General has delegated full authority to the Access to Information and Privacy Coordinator.

Access to Information and Privacy Office

The Access to Information and Privacy (ATIP) Coordinator is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Office of the Auditor General of Canada (OAG) meets its responsibilities under the Access to Information Act and the Privacy Act.

The ATIP Office at the OAG consists of

The main activities of the ATIP Coordinator include

DELEGATION ORDER

ACCESS TO INFORMATION ACT AND PRIVACY ACT

I, Michael Ferguson, Auditor General of Canada, pursuant to section 73 of the Access to Information Act and section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule opposite each position. This designation replaces all previous delegation orders.

Schedule
| Position | Access to Information Act and Regulations | Privacy Act and Regulations |
| --- | --- | --- |
| Senior General Counsel | Full authority | Full authority |
| Access to Information and Privacy Coordinator | Full authority | Full authority |

Dated at the City of Ottawa this 10 day of July 2015

Michael Ferguson, CPA, CA
FCA (New Brunswick)
Auditor General of Canada

Highlights and accomplishments for the 2017–18 fiscal year

One hundred percent compliance

No formal Privacy Act requests passed their legislative deadlines during the 2017–18 fiscal year. The Office of the Auditor General of Canada (OAG) is proud to have maintained 100 percent compliance with legislated deadlines.

Privacy notice and statement

During the 2017–18 fiscal year, the OAG published an updated privacy notice on its website that clarifies how the OAG processes user data collected from website visitors.

The OAG also published an updated privacy statement to clarify how the OAG processes personal information collected or obtained during mandated activities, such as financial audits, performance audits, and special examinations.

Training

The OAG requires that all employees attend mandatory Access to Information and Privacy (ATIP) training, separate from other information sessions or other forms of training. This ATIP-specific training focuses on employee requirements when the OAG receives a request, as well as a significant training component related to personal information handling and the legislation, policies, directives, and best practices related to privacy in the Canadian public sector.

During the reporting period, two training sessions were given, with a total attendance of 198.

Administration of the Privacy Act

Requests under the Privacy Act

Received during the reporting period: 7
Outstanding from the previous period: 1
Total: 8

Disposition of completed requests

The Office of the Auditor General of Canada (OAG) completed 6 requests in the 2017–18 fiscal year. Of these requests, 4 were disclosed in part, 1 was abandoned by the requester, and 1 resulted in no retrievable records.

Exemptions invoked

Of the 4 requests in which exemptions were invoked,

Exclusions cited

The OAG did not invoke any exclusions for the 2017–18 fiscal year.

Completion time

Of the 6 requests that were completed during the reporting period, 2 were completed within 30 days, and 4 were completed within 30 to 60 days.

Extension of time limits

The OAG invoked extensions of between 1 and 30 days for 2 requests pursuant to section 15(a)(i).

Method of access

All 4 of the requests that were disclosed in part were disclosed in an electronic format.

Costs

The costs directly associated with administration of the Privacy Act for the reporting period are estimated to be $32,883 for salaries. No costs were incurred for goods and services, contracts, or other expenses.

Complaints and investigations

The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.

Disclosure of personal information under section 8(2)

The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.

Institution-specific policies, guidelines, and procedures

The OAG did not revise policies, guidelines, or procedures—or implement new ones—during the 2017–18 fiscal year. However, an employee privacy statement was drafted and was expected to be implemented during the 2018–19 fiscal year.

Monitoring

The OAG uses time-code (product-code) management software, essentially a digital “timesheet,” to track all audit and audit-service activities, including

Whenever employees or contractors of the OAG participate in any ATIP-related activity, they must track the time they spend on the activity by entering the number of hours or partial hours into the product-code management software. These records are monitored on a regular basis for human resource and financial purposes. Any employee with access to the OAG network can use the OAG’s INTRAnet (internal Internet) to view this data.

As reflected in part 10.2 of the Appendix, the OAG dedicated 1.75 person-years to ATIP-related activities.

Breaches

No breaches of privacy occurred as a result of any OAG activity during the 2017–18 fiscal year.

Privacy impact assessments

One privacy impact assessment was completed during the reporting period. The subject of the assessment was the telemetry function of Microsoft’s Windows 10 operating system. This function allows Windows 10 to collect user data and send it back to Microsoft.

Privacy impact assessments are not required by the Treasury Board’s Directive on Privacy Impact Assessments. However, the OAG determined that a thorough assessment should be conducted because all employees using Windows 10 would be subject to the operating system’s collection of their personal information. Although the OAG network would be the source of the transmission of this information, the OAG would not collect, use, or otherwise process any of the information for its own purposes.

The assessment concluded that the OAG took all available measures to limit the collection of OAG user data, even though Microsoft did not allow the complete interruption of the telemetry function.

Appendix—Statistical Report on the Privacy Act

Name of institution: Office of the Auditor General of Canada

Reporting period: 2017-04-01 to 2018-03-31

Part 1: Requests Under the Privacy Act

Number of Requests
Received during reporting period 7
Outstanding from previous reporting period 1
Total 8
Closed during reporting period 6
Carried over to next reporting period 2

Part 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

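Completion Time, by Disposition of Requests

| Disposition of Requests | 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 4 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Request abandoned | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 2 | 4 | 0 | 0 | 0 | 0 | 6 |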

2.2 Exemptions

Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 2
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 4
27 0
28 0

2.3 Exclusions

Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

2.4 Format of information released

Disposition Paper Electronic Other Formats
All disclosed 0 0 0
Disclosed in part 0 4 0
Total 0 4 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

| Disposition of Requests | Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
| --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 |
| Disclosed in part | 1,762 | 191 | 4 |
| All exempted | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 |
| Total | 1,762 | 191 | 5 |
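
2.5.2 Relevant pages processed and disclosed by size of requests

| Disposition | Less Than 100 Pages Processed: Number of Requests | Less Than 100 Pages Processed: Pages Disclosed | 101-500 Pages Processed: Number of Requests | 101-500 Pages Processed: Pages Disclosed | 501-1000 Pages Processed: Number of Requests | 501-1000 Pages Processed: Pages Disclosed | 1001-5000 Pages Processed: Number of Requests | 1001-5000 Pages Processed: Pages Disclosed | More Than 5000 Pages Processed: Number of Requests | More Than 5000 Pages Processed: Pages Disclosed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 2 | 2 | 63 | 0 | 0 | 1 | 126 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 2 | 2 | 2 | 63 | 0 | 0 | 1 | 126 | 0 | 0 |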
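
2.5.3 Other complexities

| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
| --- | --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 1 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 1 | 1 |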

2.6 Deemed refusals

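2.6.1 Reasons for not meeting statutory deadline

| Number of Requests Closed Past the Statutory Deadline | Principal Reason: Workload | Principal Reason: External Consultation | Principal Reason: Internal Consultation | Principal Reason: Other |
| --- | --- | --- | --- | --- |
| 0 | 0 | 0 | 0 | 0 |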

2.6.2 Number of days past deadline

| Number of Days Past Deadline | Number of Requests Past Deadline Where No Extension Was Taken | Number of Requests Past Deadline Where An Extension Was Taken | Total |
| --- | --- | --- | --- |
| 1 to 15 days | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 |
| 31 to 60 days | 0 | 0 | 0 |
| 61 to 120 days | 0 | 0 | 0 |
| 121 to 180 days | 0 | 0 | 0 |
| 181 to 365 days | 0 | 0 | 0 |
| More than 365 days | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |

2.7 Requests for translation

Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Part 3: Disclosures Under Subsections 8(2) and 8(5)

| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
| --- | --- | --- | --- |
| 0 | 0 | 0 | 0 |

Part 4: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 2
Requests for correction accepted 0
Total 2

Part 5: Extensions

5.1 Reasons for extensions and disposition of requests

| Disposition of Requests Where an Extension Was Taken | 15(a)(i) Interference With Operations | 15(a)(ii) Consultation: Section 70 | 15(a)(ii) Consultation: Other | 15(b) Translation or Conversion |
| --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 |
| Disclosed in part | 2 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 |

5.2 Length of extensions

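| Length of Extensions | 15(a)(i) Interference with operations | 15(a)(ii) Consultation: Section 70 | 15(a)(ii) Consultation: Other | 15(b) Translation purposes |
| --- | --- | --- | --- | --- |
| 1 to 15 days | 2 | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 |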

Part 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
| --- | --- | --- | --- | --- |
| Received during the reporting period | 0 | 0 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Closed during the reporting period | 0 | 0 | 0 | 0 |
| Pending at the end of the reporting period | 0 | 0 | 0 | 0 |

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

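Number of Days Required to Complete Consultation Requests, by Recommendation

| Recommendation | 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |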

6.3 Recommendations and completion time for consultations received from other organizations

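Number of Days Required to Complete Consultation Requests, by Recommendation

| Recommendation | 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |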

Part 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

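| Number of Days | Fewer Than 100 Pages Processed: Number of Requests | Fewer Than 100 Pages Processed: Pages Disclosed | 101-500 Pages Processed: Number of Requests | 101-500 Pages Processed: Pages Disclosed | 501-1000 Pages Processed: Number of Requests | 501-1000 Pages Processed: Pages Disclosed | 1001-5000 Pages Processed: Number of Requests | 1001-5000 Pages Processed: Pages Disclosed | More Than 5000 Pages Processed: Number of Requests | More Than 5000 Pages Processed: Pages Disclosed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |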

7.2 Requests with Privy Council Office

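| Number of Days | Fewer Than 100 Pages Processed: Number of Requests | Fewer Than 100 Pages Processed: Pages Disclosed | 101-500 Pages Processed: Number of Requests | 101-500 Pages Processed: Pages Disclosed | 501-1000 Pages Processed: Number of Requests | 501-1000 Pages Processed: Pages Disclosed | 1001-5000 Pages Processed: Number of Requests | 1001-5000 Pages Processed: Pages Disclosed | More Than 5000 Pages Processed: Number of Requests | More Than 5000 Pages Processed: Pages Disclosed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |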

Part 8: Complaints and Investigations Notices Received

| Section 31 | Section 33 | Section 35 | Court action | Total |
| --- | --- | --- | --- | --- |
| 0 | 0 | 0 | 0 | 0 |

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s) completed 1

Part 10: Resources related to the Privacy Act

10.1 Costs

Expenditures Amount
Salaries $32,883
Overtime $0
Goods and Services $0
Professional services contracts $0
Other $0
Total $32,883

10.2 Human Resources

Resources Person Years Dedicated to Privacy Activities
Full-time employees 1.25
Part-time and casual employees 0.25
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.25
Total 1.75