Annual Report on the Privacy Act—2018–19

Office of the Auditor General of Canada

ISSN 2561-8571

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament.

This annual report on the administration of the Privacy Act at the OAG describes how we administered our responsibilities under the Act during the 2018–19 fiscal year.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Coordinator
Office of the Auditor General of Canada
240 Sparks Street
Ottawa, Ontario K1A 0G6

Telephone: 613-952-0213 (ext. 6455)
Fax: 613-954-0441
Email: privacy@oag-bvg.gc.ca

Who we are

The Office of the Auditor General of Canada (OAG) audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds. While the OAG may comment on policy implementation in an audit, it does not comment on policy itself.

We are in the business of legislative auditing. We conduct

Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which was established through amendments to the Auditor General Act.

The Auditor General of Canada is the designated head of the institution for the Access to Information Act as well as the Privacy Act. Pursuant to section 73 of both acts, the Auditor General delegated full authority to the Access to Information and Privacy Coordinator.

Access to Information and Privacy team

The Access to Information and Privacy (ATIP) Coordinator is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Office of the Auditor General of Canada (OAG) meets its responsibilities under the Access to Information Act and the Privacy Act.

The ATIP team at the OAG consists of

The main activities of the ATIP Coordinator include

Highlights and accomplishments for the 2018–19 fiscal year

100% compliance

No formal Privacy Act requests exceeded their legislative deadlines during the 2018–19 fiscal year. The Office of the Auditor General of Canada (OAG) is proud to have maintained 100% compliance with legislative deadlines.

Creation of Public Disclosure of Information and Privacy Protection Manager position

In October 2018, the OAG created the position of Public Disclosure of Information and Privacy Protection Manager, who is responsible for privacy impact assessments (PIAs) and the review of OAG policies, processes, and practices to ensure compliance with legal and policy requirements.

Completed privacy impact assessment—Quanta

In March 2019, the OAG completed a PIA for its use of Quanta, a new web-based application for tracking employees’ time and leave usage. The OAG has consulted with the Office of the Privacy Commissioner of Canada regarding this PIA and has received no further comments or recommendations. A summary of the PIA is now published on the OAG website.

Trends

There are no multi-year trends to report.

Training

The OAG now requires that all employees complete mandatory Access to Information and Privacy (ATIP) training, offered by the Canada School of Public Service as an online self-paced service.

Current employees are required to complete the training within two years of 1 April 2018, and new employees are required to complete the training within one year of the start of their employment.

During the reporting period, 162 employees completed this training.

Administration of the Privacy Act

Requests under the Privacy Act

Received during the reporting period: 1
Outstanding from the previous period: 1
Total: 2

Disposition of completed requests

The Office of the Auditor General of Canada (OAG) finalized 2 requests during the reporting period. Of these requests, 1 was disclosed in its entirety, and 1 was disclosed in part.

Exemptions invoked

Section 26 was invoked in the request that was disclosed in part.

Exclusions cited

The OAG did not invoke any exclusions for the 2018–19 fiscal year.

Completion time

Both requests were extended for 30 days.

Extension of time limits

The OAG invoked extensions of 30 days for both requests, pursuant to Section 15(a)(i).

Method of access

Both requests were disclosed in electronic format.

Costs

The costs directly associated with administration of the Privacy Act for the reporting period are estimated to be $36,070 for salaries. A total of $912 was incurred for goods and services, contracts, or other expenses.

Complaints and investigations

The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.

Disclosure of personal information under section 8(2)

The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.

Requests for correction of personal information

The OAG received two requests to correct personal information during the reporting period. For both requests, correction of personal information was not deemed to be reasonable or necessary. Physical files containing the personal information were annotated, and a record of the correction request was added to the Access to Information and Privacy (ATIP) file management system.

Monitoring compliance

The OAG uses time-code (product-code) management software, essentially a digital “timesheet,” to track all audit and audit-service activities, including

Whenever employees or contractors of the OAG participate in any ATIP-related activity, they must track the time they spend on the activity by entering the number of hours or partial hours into the product-code management software. These records are monitored on a regular basis for human resource and financial purposes. Any employee with access to the OAG network can use the OAG’s INTRAnet (internal Internet) to view this data.

Senior officials, up to and including the Auditor General, are advised about compliance with legislative, policy, and regulatory obligations, as requested or required.

As reflected in part 10.2 of the Appendix, the OAG dedicated 1.25 person-years to ATIP-related activities.

Breaches

No material privacy breaches occurred during the reporting period.

Privacy impact assessment

The OAG completed one PIA during the reporting period, as described earlier in this report.

Appendix—Statistical Report on the Privacy Act

Name of institution: Office of the Auditor General of Canada

Reporting period: 2018-04-01 to 2019-03-31

Part 1: Requests Under the Privacy Act

Number of Requests
Received during reporting period 1
Outstanding from previous reporting period 1
Total 2
Closed during reporting period 2
Carried over to next reporting period 0

Part 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

Disposition of Requests (by Completion Time) | 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total
All disclosed | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1
Disclosed in part | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1
All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
No records exist | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 2

2.2 Exemptions

Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 1
27 0
28 0

2.3 Exclusions

Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

2.4 Format of information released

Disposition | Paper | Electronic | Other Formats
All disclosed | 0 | 1 | 0
Disclosed in part | 0 | 1 | 0
Total | 0 | 2 | 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

Disposition of Requests | Number of Pages Processed | Number of Pages Disclosed | Number of Requests
All disclosed | 16 | 14 | 1
Disclosed in part | 204 | 162 | 1
All exempted | 0 | 0 | 0
All excluded | 0 | 0 | 0
Request abandoned | 0 | 0 | 0
Neither confirmed nor denied | 0 | 0 | 0
Total | 220 | 176 | 2

2.5.2 Relevant pages processed and disclosed by size of requests

Disposition | Less Than 100 Pages Processed: Number of Requests | Less Than 100 Pages Processed: Pages Disclosed | 101-500 Pages Processed: Number of Requests | 101-500 Pages Processed: Pages Disclosed | 501-1000 Pages Processed: Number of Requests | 501-1000 Pages Processed: Pages Disclosed | 1001-5000 Pages Processed: Number of Requests | 1001-5000 Pages Processed: Pages Disclosed | More Than 5000 Pages Processed: Number of Requests | More Than 5000 Pages Processed: Pages Disclosed
All disclosed | 1 | 14 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Disclosed in part | 0 | 0 | 1 | 162 | 0 | 0 | 0 | 0 | 0 | 0
All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 1 | 14 | 1 | 162 | 0 | 0 | 0 | 0 | 0 | 0

2.5.3 Other complexities

Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total
All disclosed | 0 | 0 | 0 | 0 | 0
Disclosed in part | 0 | 0 | 0 | 0 | 0
All exempted | 0 | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0 | 0
Request abandoned | 0 | 0 | 0 | 0 | 0
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline

Number of Requests Closed Past the Statutory Deadline | Principal Reason: Workload | Principal Reason: External Consultation | Principal Reason: Internal Consultation | Principal Reason: Other
0 | 0 | 0 | 0 | 0

2.6.2 Number of days past deadline

Number of Days Past Deadline | Number of Requests Past Deadline Where No Extension Was Taken | Number of Requests Past Deadline Where An Extension Was Taken | Total
1 to 15 days | 0 | 0 | 0
16 to 30 days | 0 | 0 | 0
31 to 60 days | 0 | 0 | 0
61 to 120 days | 0 | 0 | 0
121 to 180 days | 0 | 0 | 0
181 to 365 days | 0 | 0 | 0
More than 365 days | 0 | 0 | 0
Total | 0 | 0 | 0

2.7 Requests for translation

Translation Requests | Accepted | Refused | Total
English to French | 0 | 0 | 0
French to English | 0 | 0 | 0
Total | 0 | 0 | 0

Part 3: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total
0 | 0 | 0 | 0

Part 4: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 2
Requests for correction accepted 0
Total 2

Part 5: Extensions

5.1 Reasons for extensions and disposition of requests

Disposition of Requests Where an Extension Was Taken | 15(a)(i) Interference With Operations | 15(a)(ii) Consultation: Section 70 | 15(a)(ii) Consultation: Other | 15(b) Translation or Conversion
All disclosed | 1 | 0 | 0 | 0
Disclosed in part | 1 | 0 | 0 | 0
All exempted | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0
No records exist | 0 | 0 | 0 | 0
Request abandoned | 0 | 0 | 0 | 0
Total | 2 | 0 | 0 | 0

5.2 Length of extensions

Length of Extensions | 15(a)(i) Interference with operations | 15(a)(ii) Consultation: Section 70 | 15(a)(ii) Consultation: Other | 15(b) Translation purposes
1 to 15 days | 0 | 0 | 0 | 0
16 to 30 days | 2 | 0 | 0 | 0
Total | 2 | 0 | 0 | 0

Part 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review
Received during the reporting period | 0 | 0 | 0 | 0
Outstanding from the previous reporting period | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0
Closed during the reporting period | 0 | 0 | 0 | 0
Pending at the end of the reporting period | 0 | 0 | 0 | 0

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation (by Number of Days Required to Complete Consultation Requests) | 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total
All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0

6.3 Recommendations and completion time for consultations received from other organizations

Recommendation (by Number of Days Required to Complete Consultation Requests) | 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total
All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0

Part 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

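Number of Days | Fewer Than 100 Pages Processed: Number of Requests | Fewer Than 100 Pages Processed: Pages Disclosed | 101-500 Pages Processed: Number of Requests | 101-500 Pages Processed: Pages Disclosed | 501-1000 Pages Processed: Number of Requests | 501-1000 Pages Processed: Pages Disclosed | 1001-5000 Pages Processed: Number of Requests | 1001-5000 Pages Processed: Pages Disclosed | More Than 5000 Pages Processed: Number of Requests | More Than 5000 Pages Processed: Pages Disclosed
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0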

7.2 Requests with Privy Council Office

Number of Days | Fewer Than 100 Pages Processed: Number of Requests | Fewer Than 100 Pages Processed: Pages Disclosed | 101-500 Pages Processed: Number of Requests | 101-500 Pages Processed: Pages Disclosed | 501-1000 Pages Processed: Number of Requests | 501-1000 Pages Processed: Pages Disclosed | 1001-5000 Pages Processed: Number of Requests | 1001-5000 Pages Processed: Pages Disclosed | More Than 5000 Pages Processed: Number of Requests | More Than 5000 Pages Processed: Pages Disclosed
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0

Part 8: Complaints and Investigations Notices Received

Section 31 | Section 33 | Section 35 | Court action | Total
0 | 0 | 0 | 0 | 0

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s) completed 1

Part 10: Resources related to the Privacy Act

10.1 Costs

Expenditures | Amount
Salaries | $36,070
Overtime | $0
Goods and Services | $912
Professional services contracts | $0
Other | $912
Total | $36,982

10.2 Human Resources

Resources Person Years Dedicated to Privacy Activities
Full-time employees 1.25
Part-time and casual employees 0.00
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 1.25