Annual Report on the Privacy Act—2018–19
Office of the Auditor General of CanadaAnnual Report on the Privacy Act—2018–19
Introduction
The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.
Section 72 of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament.
This annual report on the administration of the Privacy Act at the OAG describes how we administered our responsibilities under the Act during the 2018–19 fiscal year.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Coordinator
Office of the Auditor General of Canada
240 Sparks Street
Ottawa, Ontario K1A 0G6
Telephone: 613-952-0213 (ext. 6455)
Fax: 613-954-0441
Email: privacy@oag-bvg.gc.ca
Who we are
The Office of the Auditor General of Canada (OAG) audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds. While the OAG may comment on policy implementation in an audit, it does not comment on policy itself.
We are in the business of legislative auditing. We conduct
- performance audits of federal departments and agencies;
- annual financial audits of the government’s financial statements;
- special examinations and annual financial audits of Crown corporations; and
- audits of the governments of Nunavut, Yukon, and the Northwest Territories.
Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which was established through amendments to the Auditor General Act.
The Auditor General of Canada is the designated head of the institution for the Access to Information Act as well as the Privacy Act. Pursuant to section 73 of both acts, the Auditor General delegated full authority to the Access to Information and Privacy Coordinator.
Access to Information and Privacy team
The Access to Information and Privacy (ATIP) Coordinator is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Office of the Auditor General of Canada (OAG) meets its responsibilities under the Access to Information Act and the Privacy Act.
The ATIP team at the OAG consists of
- one full-time ATIP Coordinator;
- one full-time Public Disclosure of Information and Privacy Protection Manager, who performs ATIP duties as required;
- one full-time employee from the Legal Services group, who helps the ATIP team on a part-time, ad hoc basis; and
- one full-time Legal Counsel, who manages the ATIP team in addition to fulfilling normal duties as OAG Legal Counsel.
The main activities of the ATIP Coordinator include
- monitoring compliance with ATIP legislation, regulations, and relevant procedures and policies;
- processing requests under both the Access to Information Act and the Privacy Act;
- developing and maintaining policies, procedures, and guidelines to ensure that the OAG respects the Access to Information Act and the Privacy Act;
- promoting awareness of the Access to Information Act and the Privacy Act within the OAG to ensure that employees are aware of their responsibilities;
- preparing annual reports to Parliament and other statutory reports, as well as other material that may be required by central agencies;
- representing the OAG in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act; and
- helping the OAG meet its commitments to ensure openness and transparency, through proactive and informal disclosure of information.
Highlights and accomplishments for the 2018–19 fiscal year
100% compliance
No formal Privacy Act requests exceeded their legislative deadlines during the 2018–19 fiscal year. The Office of the Auditor General of Canada (OAG) is proud to have maintained 100% compliance with legislative deadlines.
Creation of Public Disclosure of Information and Privacy Protection Manager position
In October 2018, the OAG created the position of Public Disclosure of Information and Privacy Protection Manager, who is responsible for privacy impact assessments (PIAs) and the review of OAG policies, processes, and practices to ensure compliance with legal and policy requirements.
Completed privacy impact assessment—Quanta
In March 2019, the OAG completed a PIA for its use of Quanta, a new web-based application for tracking employees’ time and leave usage. The OAG has consulted with the Office of the Privacy Commissioner of Canada regarding this PIA and has received no further comments or recommendations. A summary of the PIA is now published on the OAG website.
Trends
There are no multi-year trends to report.
Training
The OAG now requires that all employees complete mandatory Access to Information and Privacy (ATIP) training, offered by the Canada School of Public Service as an online self-paced service.
Current employees are required to complete the training within two years of 1 April 2018, and new employees are required to complete the training within one year of the start of their employment.
During the reporting period, 162 employees completed this training.
Administration of the Privacy Act
Requests under the Privacy Act
| Received during the reporting period: | 1 |
| Outstanding from the previous period: | 1 |
| Total: | 2 |
Disposition of completed requests
The Office of the Auditor General of Canada (OAG) finalized 2 requests during the reporting period. Of these requests, 1 was disclosed in its entirety, and 1 was disclosed in part.
Exemptions invoked
Section 26 was invoked in the request that was disclosed in part.
Exclusions cited
The OAG did not invoke any exclusions for the 2018–19 fiscal year.
Completion time
Both requests were extended for 30 days.
Extension of time limits
The OAG invoked extensions of 30 days for both requests, pursuant to Section 15(a)(i).
Method of access
Both requests were disclosed in electronic format.
Costs
The costs directly associated with administration of the Privacy Act for the reporting period are estimated to be $36,070 for salaries. A total of $912 was incurred for goods and services, contracts, or other expenses.
Complaints and investigations
The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.
Disclosure of personal information under section 8(2)
The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.
Requests for correction of personal information
The OAG received two requests to correct personal information during the reporting period. For both requests, correction of personal information was not deemed to be reasonable or necessary. Physical files containing the personal information were annotated, and a record of the correction request was added to the Access to Information and Privacy (ATIP) file management system.
Monitoring compliance
The OAG uses time-code (product-code) management software, essentially a digital “timesheet,” to track all audit and audit-service activities, including
- management of the ATIP team,
- management of Access to Information cases (treatment of formal Access to Information Act requests and consultations),
- management of privacy cases (treatment of formal and informal Privacy Act requests), and
- privacy impact assessments.
Whenever employees or contractors of the OAG participate in any ATIP-related activity, they must track the time they spend on the activity by entering the number of hours or partial hours into the product-code management software. These records are monitored on a regular basis for human resource and financial purposes. Any employee with access to the OAG network can use the OAG’s INTRAnet (internal Internet) to view this data.
Senior officials, up to and including the Auditor General, are advised about compliance with legislative, policy, and regulatory obligations, as requested or required.
As reflected in part 10.2 of the Appendix, the OAG dedicated 1.25 person-years to ATIP-related activities.
Breaches
No material privacy breaches occurred during the reporting period.
Privacy impact assessment
The OAG completed one PIA during the reporting period, as described earlier in this report.
Appendix—Statistical Report on the Privacy Act
Name of institution: Office of the Auditor General of Canada
Reporting period: 2018-04-01 to 2019-03-31
Part 1: Requests Under the Privacy Act
| Number of Requests | |
|---|---|
| Received during reporting period | 1 |
| Outstanding from previous reporting period | 1 |
| Total | 2 |
| Closed during reporting period | 2 |
| Carried over to next reporting period | 0 |
Part 2: Requests Closed During the Reporting Period
2.1 Disposition and completion time
| Disposition of Requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 |
| Disclosed in part | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 2 |
2.2 Exemptions
| Section | Number of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 0 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 0 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 0 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 0 |
| 26 | 1 |
| 27 | 0 |
| 28 | 0 |
2.3 Exclusions
| Section | Number of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
2.4 Format of information released
| Disposition | Paper | Electronic | Other Formats |
|---|---|---|---|
| All disclosed | 0 | 1 | 0 |
| Disclosed in part | 0 | 1 | 0 |
| Total | 0 | 2 | 0 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
| Disposition of Requests | Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|---|
| All disclosed | 16 | 14 | 1 |
| Disclosed in part | 204 | 162 | 1 |
| All exempted | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 |
| Total | 220 | 176 | 2 |
2.5.2 Relevant pages processed and disclosed by size of requests
| Disposition | Less Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| All disclosed | 1 | 14 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 1 | 162 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 14 | 1 | 162 | 0 | 0 | 0 | 0 | 0 | 0 |
2.5.3 Other complexities
| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 |
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
| Number of Requests Closed Past the Statutory Deadline |
Principal Reason | |||
|---|---|---|---|---|
| Workload | External Consultation | Internal Consultation | Other | |
| 0 | 0 | 0 | 0 | 0 |
2.6.2 Number of days past deadline
| Number of Days Past Deadline | Number of Requests Past Deadline Where No Extension Was Taken | Number of Requests Past Deadline Where An Extension Was Taken | Total |
|---|---|---|---|
| 1 to 15 days | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 |
| 31 to 60 days | 0 | 0 | 0 |
| 61 to 120 days | 0 | 0 | 0 |
| 121 to 180 days | 0 | 0 | 0 |
| 181 to 365 days | 0 | 0 | 0 |
| More than 365 days | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
2.7 Requests for translation
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Part 3: Disclosures Under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Part 4: Requests for Correction of Personal Information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 2 |
| Requests for correction accepted | 0 |
| Total | 2 |
Part 5: Extensions
5.1 Reasons for extensions and disposition of requests
| Disposition of Requests Where an Extension Was Taken | 15(a)(i) Interference With Operations |
15(a)(ii) Consultation |
15(b) Translation or Conversion |
|
|---|---|---|---|---|
| Section 70 | Other | |||
| All disclosed | 1 | 0 | 0 | 0 |
| Disclosed in part | 1 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 |
5.2 Length of extensions
| Length of Extensions | 15(a)(i) Interference with operations |
15(a)(ii) Consultation |
15(b) Translation purposes |
|
|---|---|---|---|---|
| Section 70 | Other | |||
| 1 to 15 days | 0 | 0 | 0 | 0 |
| 16 to 30 days | 2 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 |
Part 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during the reporting period | 0 | 0 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Closed during the reporting period | 0 | 0 | 0 | 0 |
| Pending at the end of the reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8: Complaints and Investigations Notices Received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 |
Part 9: Privacy Impact Assessments (PIAs)
| Number of PIA(s) completed | 1 |
|---|
Part 10: Resources related to the Privacy Act
10.1 Costs
| Expenditures | Amount |
|---|---|
| Salaries | $36,070 |
| Overtime | $0 |
| Goods and Services | $912 |
| Professional services contracts$0 | $0 |
| Other | $912 |
| Total | $36,982 |
10.2 Human Resources
| Resources | Person Years Dedicated to Privacy Activities |
|---|---|
| Full-time employees | 1.25 |
| Part-time and casual employees | 0.00 |
| Regional staff | 0.00 |
| Consultants and agency personnel | 0.00 |
| Students | 0.00 |
| Total | 1.25 |