Annual Report on the Privacy Act—2019–20

Office of the Auditor General of CanadaAnnual Report on the Privacy Act—2019–20

ISSN 2561-8571

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.

This annual report on the Privacy Act at the OAG describes how we administered our responsibilities under the act during the 2019–20 fiscal year.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Coordinator
Office of the Auditor General of Canada
240 Sparks Street
Ottawa, Ontario K1A 0G6

Tel.: 613-952-0213 (ext. 6455)
Fax: 613-954-0441
Email: privacy@oag-bvg.gc.ca

Who we are

The OAG audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds. While the OAG may comment on policy implementation in an audit, it does not comment on policy itself.

We are in the business of legislative auditing. We conduct

Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which was established through amendments to the Auditor General Act.

The Auditor General of Canada is the designated head of the institution for the Privacy Act. Pursuant to section 73 of the act, the Auditor General delegated full authority to the Access to Information and Privacy (ATIP) Coordinator.

Access to Information and Privacy team

The ATIP Coordinator is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the OAG meets its responsibilities under the Access to Information Act and the Privacy Act.

For the reporting period, the ATIP team at the OAG consisted of

The main activities of the ATIP Coordinator included

DELEGATION ORDER

ACCESS TO INFORMATION ACT AND PRIVACY ACT

I, Michael Ferguson, Auditor General of Canada, pursuant to section 73 of the Access to Information Act and section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule opposite each position. This designation replaces all previous delegation orders.

Schedule
Position Access to Information Act and Regulations Privacy Act and Regulations
Senior General Counsel Full authority Full authority
Access to Information and Privacy Coordinator Full authority Full authority

Dated at the City of Ottawa this 10 day of July 2015

[Original signed by]

Michael Ferguson, Chartered Professional AccountantCPA, Chartered AccountantCA
Fellow Chartered AccountantFCA (New Brunswick)
Auditor General of Canada

Performance

Completion time for closed requests

The OAG completed 2 Privacy Act requests during the reporting period. Neither of the requests required an extension of the legislated time frame, and both were closed on or before the legislated due date.

The OAG is proud to have maintained 100% compliance with legislative deadlines.

Trends

Formal Privacy Act requests received by the OAG continue to be infrequent. The OAG closed 2 formal requests during the 2019–20 fiscal year and 2 formal requests in the prior reporting period.

However, the OAG responds to multiple requests throughout the year from individuals seeking informal feedback, input, or advice regarding whether they should submit a formal request for their personal information, either to the OAG or to another institution.

Completed privacy impact assessments

Use of biometrics on smartphones

New smartphones are being distributed at the OAG, and this is introducing the possibility of the use of biometrics, specifically fingerprints, as a method of authentication. The use of fingerprints to “autocomplete” the complex password process is deemed more secure and more efficient when using a mobile device. However, although it is more secure, using the fingerprint scanner is not mandatory; both typing a complex password and using the fingerprint scanner are acceptable.

Biometrics authentication and verification can be one of the most secure ways to control access to restricted systems and information. Unlike authentication based on traditional passwords, authentication using biometric data, which is unique to an individual, is easier to use in practice. However, as a result of its uniqueness and intrinsic value to a specific individual, biometric data is particularly sensitive.

Therefore, additional effort must be made to ensure that the biometric data is secure. Employees can decide whether to enable the feature, and they will be informed of how they may disable or delete biometric data on the device.

A summary of this privacy impact assessment is available on the OAG’s website.

Preliminary (informal) assessments

The OAG has implemented a mandatory process for all new or amended projects that requires the completion of a “Preliminary Privacy Assessment” checklist. This document ensures that personal information elements are being considered prior to, and during, the completion of the project.

This process also identifies the required elements for a formal privacy impact assessment, which is initiated if the preliminary assessment identifies the need to conduct the formal assessment.

During the reporting period, the OAG completed 33 preliminary assessments.

Training

The OAG requires that all employees complete mandatory ATIP training, offered by the Canada School of Public Service as an online, self-paced course.

All OAG employees had either completed or enrolled in the mandatory training by 1 April 2020, and new employees are required to complete the training within 3 months of the start date of their employment.

During the reporting period, 517 employees completed this training.

Impact of COVID-19 measures

The OAG reminds employees of the importance of performing proper information management regularly and requires that information with corporate value is saved in central data systems. These systems are accessible remotely.

The OAG required that all employees work from home as of 16 March 2020, granting access to the office only in exceptional circumstances. Because of this measure, the OAG is unable to conduct searches for physical records. However, the OAG considers the contents of notebooks or printed material that is also available digitally to be transitory. Therefore, the OAG is still able to conduct thorough searches for records in response to Access to Information Act requests, and measures taken to restrict employee access to OAG offices have not affected the ability to respond to these requests.

Administration of the Privacy Act

Requests under the Privacy Act

Received during the reporting period: 2
Outstanding from the previous period: 0
Total: 2

Disposition of completed requests

The OAG completed 2 requests during the reporting period. Of these requests, 1 was disclosed in part and 1 was abandoned by the requester; however, the latter was due to the completion of a search for the requester’s personal information, which resulted in the requester obtaining the information outside of the formal process.

Exemptions invoked

Section 22.3 was invoked in the request that was disclosed in part.

Exclusions cited

The OAG did not invoke any exclusions for the reporting period.

Completion time

The OAG completed both requests from the reporting period within the legislated 30-day time frame.

Extension of time limits

The OAG did not extend either of the requests received during the reporting period.

Method of access

One request was disclosed in electronic format.

Costs

The costs directly associated with the administration of the Privacy Act for the reporting period are estimated to be $31,797 for salaries. Please see the “Monitoring compliance” section for more information.

Complaints and investigations

The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.

Disclosure of personal information under section 8(2)

The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.

Requests for correction of personal information

No requests for correction of personal information were received during the reporting period.

Monitoring compliance

The OAG uses time-code (product-code) management software, essentially a digital “timesheet,” to track all audit and audit-service activities, including

Whenever employees or contractors of the OAG participate in any ATIP-related activity, they must track the time they spend on the activity by entering the number of hours or partial hours into the product-code management software. These records are monitored regularly for human resource and financial purposes. Any employee with access to the OAG network can use the OAG’s INTRAnet (internal Internet) to view this data.

Senior officials, up to and including the Auditor General, are advised about compliance with legislative, policy, and regulatory obligations, as requested or required.

As reflected in part 11.2 of the Appendix, the OAG dedicated 1.25 person-years to ATIP-related activities.

Breaches

No material privacy breaches occurred during the reporting period.

Privacy impact assessment

The OAG completed 1 privacy impact assessment during the reporting period, as described earlier in this report.

However, the OAG conducted multiple preliminary privacy assessments related to projects that did not require a privacy impact assessment.

Appendix—Statistical Report on the Privacy Act

Name of institution: Office of the Auditor General of Canada

Reporting period: 2019-04-01 to 2020-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests

Requests Under the Privacy Act
Number of Requests
Received during reporting period 2
Outstanding from previous reporting period 0
Total 2
Closed during reporting period 2
Carried over to next reporting period 0

Section 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 1 0 0 0 0 0 1
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 1
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 1 1 0 0 0 0 0 2

2.2 Exemptions

Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 1
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 0
27 0
27.1 0
28 0

2.3 Exclusions

Exclusions
Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

2.4 Format of information released

Format of information released
Paper Electronic Other Formats
0 1 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Relevant pages processed and disclosed
Number of Pages Processed Number of Pages Disclosed Number of Requests
356 82 2
2.5.2 Relevant pages processed and disclosed by size of requests
Relevant pages processed and disclosed by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 0 0 1 82 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 1 0 1 82 0 0 0 0 0 0
2.5.3 Other complexities
Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 1 0 0 1
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 1 0 0 1

2.6 Closed requests

2.6.1 Number of requests closed within legislated timelines
Number of requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines 2
Percentage of requests closed within legislated timelines (%) 100

2.7 Deemed refusals

2.7.1 Reasons for not meeting legislated deadline
Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations / Workload External Consultation Internal Consultation Other
0 0 0 0 0
2.7.2 Requests closed beyond legislated timelines (including any extension taken)
Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timelines Where an Extension Was Taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0

2.8 Requests for translation

Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 3: Disclosures Under Subsections 8(2) and 8(5)

Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 4: Requests for Correction of Personal Information and Notations

Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests

Reasons for extensions and disposition of requests
Number of requests where an extension was taken 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
0 0 0 0 0 0 0 0 0

5.2 Length of extensions

Length of extensions
Length of Extensions 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 0 0 0 0 0 0 0
31 days or greater 0
Total 0 0 0 0 0 0 0 0

Section 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over to the next reporting period 0 0 0 0

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

6.3 Recommendations and completion time for consultations received from other organizations

Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

7.2 Requests with Privy Council Office

Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 8: Complaints and Investigations Notices Received

Complaints and Investigations Notices Received
Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Section 9: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIB)

9.1 Privacy Impact Assessments

Privacy Impact Assessments (PIAs)
Number of PIA(s) completed 1

9.2 Personal Information Banks

Personal Information Banks
Personal Information Banks Active Created Terminated Modified
4 0 0 0

Section 10: Material Privacy Breaches

Material Privacy Breaches
Number of material privacy breaches reported to Treasury Board of Canada SecretariatTBS 0
Number of material privacy breaches reported to Office of the Privacy Commissioner of CanadaOPC 0

Section 11: Resources related to the Privacy Act

11.1 Costs

Costs
Expenditures Amount
Salaries $31,797
Overtime $0
Goods and Services
  • Professional services contracts $0
  • Other $0
$0
Total $31,797

11.2 Human Resources

Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 1.25
Part-time and casual employees 0.00
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 1.25