Annual Report on the Privacy Act—2019–20
Office of the Auditor General of CanadaAnnual Report on the Privacy Act—2019–20
Introduction
The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.
Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.
This annual report on the Privacy Act at the OAG describes how we administered our responsibilities under the act during the 2019–20 fiscal year.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Coordinator
Office of the Auditor General of Canada
240 Sparks Street
Ottawa, Ontario K1A 0G6
Tel.: 613-952-0213 (ext. 6455)
Fax: 613-954-0441
Email: privacy@oag-bvg.gc.ca
Who we are
The OAG audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds. While the OAG may comment on policy implementation in an audit, it does not comment on policy itself.
We are in the business of legislative auditing. We conduct
- performance audits of federal departments and agencies
- annual financial audits of the government’s financial statements
- special examinations and annual financial audits of Crown corporations
- audits of the governments of Nunavut, Yukon, and the Northwest Territories
Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which was established through amendments to the Auditor General Act.
The Auditor General of Canada is the designated head of the institution for the Privacy Act. Pursuant to section 73 of the act, the Auditor General delegated full authority to the Access to Information and Privacy (ATIP) Coordinator.
Access to Information and Privacy team
The ATIP Coordinator is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the OAG meets its responsibilities under the Access to Information Act and the Privacy Act.
For the reporting period, the ATIP team at the OAG consisted of
- 1 full-time ATIP Coordinator
- 1 full-time Public Disclosure of Information and Privacy Protection Manager, who performed ATIP duties as required
- 1 full-time employee from the Legal Services group, who helped the ATIP team on a part-time, ad hoc basis
- 1 full-time Legal Counsel, who managed the ATIP team in addition to fulfilling normal duties as OAG Legal Counsel
The main activities of the ATIP Coordinator included
- monitoring compliance with ATIP legislation and relevant procedures and policies
- processing requests under both the Access to Information Act and the Privacy Act
- developing and maintaining policies, procedures, and guidelines to ensure that the OAG respects the Access to Information Act and the Privacy Act
- promoting awareness of the Access to Information Act and the Privacy Act within the OAG to ensure that employees are aware of their responsibilities
- preparing annual reports to Parliament and other statutory reports, as well as other material that may be required by central agencies
- representing the OAG in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act
- helping the OAG meet its commitments to ensure openness and transparency, through proactive and informal disclosure of information
DELEGATION ORDER
ACCESS TO INFORMATION ACT AND PRIVACY ACT
I, Michael Ferguson, Auditor General of Canada, pursuant to section 73 of the Access to Information Act and section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule opposite each position. This designation replaces all previous delegation orders.
| Position | Access to Information Act and Regulations | Privacy Act and Regulations |
|---|---|---|
| Senior General Counsel | Full authority | Full authority |
| Access to Information and Privacy Coordinator | Full authority | Full authority |
Dated at the City of Ottawa this 10 day of July 2015
[Original signed by]
Michael Ferguson, Chartered Professional AccountantCPA, Chartered AccountantCA
Fellow Chartered AccountantFCA (New Brunswick)
Auditor General of Canada
Performance
Completion time for closed requests
The OAG completed 2 Privacy Act requests during the reporting period. Neither of the requests required an extension of the legislated time frame, and both were closed on or before the legislated due date.
The OAG is proud to have maintained 100% compliance with legislative deadlines.
Trends
Formal Privacy Act requests received by the OAG continue to be infrequent. The OAG closed 2 formal requests during the 2019–20 fiscal year and 2 formal requests in the prior reporting period.
However, the OAG responds to multiple requests throughout the year from individuals seeking informal feedback, input, or advice regarding whether they should submit a formal request for their personal information, either to the OAG or to another institution.
Completed privacy impact assessments
Use of biometrics on smartphones
New smartphones are being distributed at the OAG, and this is introducing the possibility of the use of biometrics, specifically fingerprints, as a method of authentication. The use of fingerprints to “autocomplete” the complex password process is deemed more secure and more efficient when using a mobile device. However, although it is more secure, using the fingerprint scanner is not mandatory; both typing a complex password and using the fingerprint scanner are acceptable.
Biometrics authentication and verification can be one of the most secure ways to control access to restricted systems and information. Unlike authentication based on traditional passwords, authentication using biometric data, which is unique to an individual, is easier to use in practice. However, as a result of its uniqueness and intrinsic value to a specific individual, biometric data is particularly sensitive.
Therefore, additional effort must be made to ensure that the biometric data is secure. Employees can decide whether to enable the feature, and they will be informed of how they may disable or delete biometric data on the device.
A summary of this privacy impact assessment is available on the OAG’s website.
Preliminary (informal) assessments
The OAG has implemented a mandatory process for all new or amended projects that requires the completion of a “Preliminary Privacy Assessment” checklist. This document ensures that personal information elements are being considered prior to, and during, the completion of the project.
This process also identifies the required elements for a formal privacy impact assessment, which is initiated if the preliminary assessment identifies the need to conduct the formal assessment.
During the reporting period, the OAG completed 33 preliminary assessments.
Training
The OAG requires that all employees complete mandatory ATIP training, offered by the Canada School of Public Service as an online, self-paced course.
All OAG employees had either completed or enrolled in the mandatory training by 1 April 2020, and new employees are required to complete the training within 3 months of the start date of their employment.
During the reporting period, 517 employees completed this training.
Impact of COVID-19 measures
The OAG reminds employees of the importance of performing proper information management regularly and requires that information with corporate value is saved in central data systems. These systems are accessible remotely.
The OAG required that all employees work from home as of 16 March 2020, granting access to the office only in exceptional circumstances. Because of this measure, the OAG is unable to conduct searches for physical records. However, the OAG considers the contents of notebooks or printed material that is also available digitally to be transitory. Therefore, the OAG is still able to conduct thorough searches for records in response to Access to Information Act requests, and measures taken to restrict employee access to OAG offices have not affected the ability to respond to these requests.
Administration of the Privacy Act
Requests under the Privacy Act
| Received during the reporting period: | 2 |
| Outstanding from the previous period: | 0 |
| Total: | 2 |
Disposition of completed requests
The OAG completed 2 requests during the reporting period. Of these requests, 1 was disclosed in part and 1 was abandoned by the requester; however, the latter was due to the completion of a search for the requester’s personal information, which resulted in the requester obtaining the information outside of the formal process.
Exemptions invoked
Section 22.3 was invoked in the request that was disclosed in part.
Exclusions cited
The OAG did not invoke any exclusions for the reporting period.
Completion time
The OAG completed both requests from the reporting period within the legislated 30-day time frame.
Extension of time limits
The OAG did not extend either of the requests received during the reporting period.
Method of access
One request was disclosed in electronic format.
Costs
The costs directly associated with the administration of the Privacy Act for the reporting period are estimated to be $31,797 for salaries. Please see the “Monitoring compliance” section for more information.
Complaints and investigations
The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.
Disclosure of personal information under section 8(2)
The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.
Requests for correction of personal information
No requests for correction of personal information were received during the reporting period.
Monitoring compliance
The OAG uses time-code (product-code) management software, essentially a digital “timesheet,” to track all audit and audit-service activities, including
- management of the ATIP team
- management of Access to Information cases (treatment of formal Access to Information Act requests and consultations)
- management of privacy cases (treatment of formal and informal Privacy Act requests)
- privacy impact assessments
Whenever employees or contractors of the OAG participate in any ATIP-related activity, they must track the time they spend on the activity by entering the number of hours or partial hours into the product-code management software. These records are monitored regularly for human resource and financial purposes. Any employee with access to the OAG network can use the OAG’s INTRAnet (internal Internet) to view this data.
Senior officials, up to and including the Auditor General, are advised about compliance with legislative, policy, and regulatory obligations, as requested or required.
As reflected in part 11.2 of the Appendix, the OAG dedicated 1.25 person-years to ATIP-related activities.
Breaches
No material privacy breaches occurred during the reporting period.
Privacy impact assessment
The OAG completed 1 privacy impact assessment during the reporting period, as described earlier in this report.
However, the OAG conducted multiple preliminary privacy assessments related to projects that did not require a privacy impact assessment.
Appendix—Statistical Report on the Privacy Act
Name of institution: Office of the Auditor General of Canada
Reporting period: 2019-04-01 to 2020-03-31
Section 1: Requests Under the Privacy Act
1.1 Number of requests
| Number of Requests | |
|---|---|
| Received during reporting period | 2 |
| Outstanding from previous reporting period | 0 |
| Total | 2 |
| Closed during reporting period | 2 |
| Carried over to next reporting period | 0 |
Section 2: Requests Closed During the Reporting Period
2.1 Disposition and completion time
| Disposition of Requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 2 |
2.2 Exemptions
| Section | Number of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 0 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 0 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 1 |
| 22.4 | 0 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 0 |
| 26 | 0 |
| 27 | 0 |
| 27.1 | 0 |
| 28 | 0 |
2.3 Exclusions
| Section | Number of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
2.4 Format of information released
| Paper | Electronic | Other Formats |
|---|---|---|
| 0 | 1 | 0 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
| Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|
| 356 | 82 | 2 |
2.5.2 Relevant pages processed and disclosed by size of requests
| Disposition | Less Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 1 | 82 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 0 | 1 | 82 | 0 | 0 | 0 | 0 | 0 | 0 |
2.5.3 Other complexities
| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 1 | 0 | 0 | 1 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 1 | 0 | 0 | 1 |
2.6 Closed requests
2.6.1 Number of requests closed within legislated timelines
| Requests closed within legislated timelines | |
|---|---|
| Number of requests closed within legislated timelines | 2 |
| Percentage of requests closed within legislated timelines (%) | 100 |
2.7 Deemed refusals
2.7.1 Reasons for not meeting legislated deadline
| Number of Requests Closed Past the Legislated Timelines | Principal Reason | |||
|---|---|---|---|---|
| Interference with Operations / Workload | External Consultation | Internal Consultation | Other | |
| 0 | 0 | 0 | 0 | 0 |
2.7.2 Requests closed beyond legislated timelines (including any extension taken)
| Number of Days Past Legislated Timelines | Number of Requests Past Legislated Timeline Where No Extension Was Taken | Number of Requests Past Legislated Timelines Where an Extension Was Taken | Total |
|---|---|---|---|
| 1 to 15 days | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 |
| 31 to 60 days | 0 | 0 | 0 |
| 61 to 120 days | 0 | 0 | 0 |
| 121 to 180 days | 0 | 0 | 0 |
| 181 to 365 days | 0 | 0 | 0 |
| More than 365 days | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
2.8 Requests for translation
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Section 3: Disclosures Under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Section 4: Requests for Correction of Personal Information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 0 |
| Total | 0 |
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
| Number of requests where an extension was taken | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
5.2 Length of extensions
| Length of Extensions | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 1 to 15 days | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 days or greater | 0 | |||||||
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during the reporting period | 0 | 0 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Closed during the reporting period | 0 | 0 | 0 | 0 |
| Carried over to the next reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8: Complaints and Investigations Notices Received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 |
Section 9: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIB)
9.1 Privacy Impact Assessments
| Number of PIA(s) completed | 1 |
|---|
9.2 Personal Information Banks
| Personal Information Banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| 4 | 0 | 0 | 0 |
Section 10: Material Privacy Breaches
| Number of material privacy breaches reported to Treasury Board of Canada SecretariatTBS | 0 |
|---|---|
| Number of material privacy breaches reported to Office of the Privacy Commissioner of CanadaOPC | 0 |
Section 11: Resources related to the Privacy Act
11.1 Costs
| Expenditures | Amount |
|---|---|
| Salaries | $31,797 |
| Overtime | $0 |
Goods and Services
|
$0 |
| Total | $31,797 |
11.2 Human Resources
| Resources | Person Years Dedicated to Privacy Activities |
|---|---|
| Full-time employees | 1.25 |
| Part-time and casual employees | 0.00 |
| Regional staff | 0.00 |
| Consultants and agency personnel | 0.00 |
| Students | 0.00 |
| Total | 1.25 |