Annual Report on the Privacy Act—2021–22

Office of the Auditor General of CanadaAnnual Report on the Privacy Act—2021–22

ISSN 2561-8571

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.

This annual report on the Privacy Act at the OAG describes how we administered our responsibilities under the act during the 2021–22 fiscal year.

Who we are

The OAG audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds.

We are in the business of legislative auditing. We conduct

Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which is carried out by the Commissioner of the Environment and Sustainable Development on behalf of the Auditor General of Canada. The Commissioner has additional responsibilities under the Federal Sustainable Development Act and the Canadian Net-Zero Emissions Accountability Act to review and monitor the Government of Canada’s sustainable development strategies and its implementation of measures aimed at mitigating climate change.

Access to Information and Privacy team

The Access to Information and Privacy (ATIP) Coordinator is a member of the Legal Services, ATIP, and Policy team headed by the OAG’s General Counsel. The full-time ATIP Coordinator is supported by a junior analyst, counsel, and administrative staff as required. The main activities of the ATIP Coordinator included

DELEGATION ORDER under the ACCESS TO INFORMATION ACT and the PRIVACY ACT

I, Karen Hogan, Auditor General of Canada, pursuant to subsection 95(1) of the Access to Information Act and subsection 73(1) of the Privacy Act, hereby delegate to the persons holding the positions set out below or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of the Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule beside each position.  This delegation order replaces all previous delegation orders.

29 November 2021

Schedule
Position Access to Information Act and Regulations Privacy Act and Regulations
General Counsel Full authority Full authority
ATIP Coordinator Full authority Full authority

[Original signed by]

Karen Hogan, Fellow Chartered Professional AccountantFCPA, Fellow Chartered AccountantFCA
Auditor General of Canada
240 Sparks Street
Ottawa Ontario  K1A 0G6

Performance

Completion time for closed requests

During the reporting period, from 1 April 2021 to 31 March 2022, the OAG received 2 formal Privacy Act requests. One of the requests was completed during the reporting period, and the other was carried over to the next reporting period.

Trends

The OAG responds to multiple requests throughout the year from individuals seeking informal feedback, input, or advice regarding whether they should submit a formal request for their personal information, either to the OAG or to another institution.

The OAG processed and completed a total of 4 formal requests for personal information during the past 3 reporting periods, including the period of this report.

Training and awareness

The OAG requires that all employees complete mandatory ATIP training, offered by the Canada School of Public Service as an online, self-paced course.

All new OAG employees are required to complete the training within 3 months of the start date of their employment.

During the reporting period, 150 employees completed this training.

The ATIP Coordinator regularly provides OAG employees with guidance and briefings on the processing of ATIP requests. Furthermore, information is available on the OAG’s internal website to help raise employees’ awareness of privacy issues, such as the collection, retention, use, and disclosure of personal information.

Impact of COVID‑19 measures

During the reporting period, the OAG was not affected by measures related to the COVID‑19 pandemic.

Administration of the Privacy Act

Requests under the Privacy Act

Received during the reporting period 2
Outstanding from the previous period 0
Total: 2

Disposition of completed requests

The OAG completed 1 formal Privacy Act request during the reporting period. The records were disclosed in their entirety.

Exemptions invoked

The OAG did not invoke any exemptions during the reporting period.

Exclusions cited

The OAG did not cite any exclusions during the reporting period.

Completion time

The request which was completed during the reporting period was completed within the 30‑day legislated time frame.

Extension of time limits

The OAG did not invoke any extensions during the reporting period.

Method of access

For the request which was closed during the reporting period, digital copies of the records were provided to the requester.

Operational costs

The costs directly associated with the administration of the Privacy Act for the reporting period are estimated to be $22,755 for salaries. This salary amount includes time spent by the ATIP Coordinator, part-time members of the ATIP team, and all OAG employees and contractors on all privacy-related activities. The OAG is able to estimate salary costs for time spent on all ATIP-related activities because of the OAG’s timekeeping software and practices, which require all employees to charge time spent on ATIP matters.

Complaints and investigations

The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.

Disclosure of personal information under section 8(2)

The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.

Requests for correction of personal information

No requests for correction of personal information were received during the reporting period.

Monitoring compliance

The OAG uses a case management system that tracks both active and closed requests. The system is designed to track legislative deadlines.

The ATIP team holds biweekly meetings a to discuss request-related activities, determine timelines, and help ensure that all team members are informed of the status of files. Regular meetings are also held with the General Counsel as the executive member responsible for ATIP matters.

Senior officials, up to and including the Auditor General, are advised about compliance with legislative, policy, and regulatory obligations, as requested or required.

As reflected in part 12.2 of the Appendix, the OAG dedicated 0.520 person-years to Privacy Act–related activities.

Breaches

One material privacy breach occurred during the reporting period. An environmental petitioner’s personal information (email and telephone number) was inadvertently sent to the wrong person by email. The affected people were informed, and the breach was reported to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.

Completed privacy impact assessments

Vaccine attestation reporting system

The Canadian government announced its plan for implementing a mandatory vaccination policy across the federal public service on 6 October 2021. As a separate employer, the OAG had to manage the implementation of this policy for its offices across Canada.

The goal of this project was to develop a strategy and tool for capturing, storing, and reporting data for the vaccination attestation process at the OAG.

Audit working paper software replacement project

The OAG has acquired CaseWare, an audit working paper software, to conduct its legislative audits of the federal government, Crown corporations, and the territorial governments.

The new audit working paper solution is expected to increase efficiencies and expand the OAG’s capabilities in conducting its operations.

The OAG has been using and relying on TeamMate AM as its core working paper software for over a decade. However, TeamMate AM will no longer be supported, and its end of life is expected in April 2023.

CaseWare alters the way in which personal information collected during the audit process is used, retained, or destroyed. For this reason, the OAG completed a privacy impact assessment to identify and mitigate the risks presented by using new methods of processing audit records.

Preliminary (informal) assessments

For all new or amended projects, the OAG has implemented a mandatory process that requires the completion of a Preliminary Privacy Assessment checklist. This document ensures that personal information elements are considered before and during the completion of the project.

This process also identifies the required elements for a formal privacy impact assessment, which is initiated if the preliminary assessment identifies the need for one.

During the reporting period, the OAG completed 15 preliminary assessments.

Appendix—Statistical Report on the Privacy Act

Statistical Report on the Privacy Act

Name of institution: Office of the Auditor General of Canada

Reporting period: 2021-04-01 to 2022-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

Number of requests received
Number of Requests
Received during reporting period 2
Outstanding from previous reporting periods 0
  • Outstanding from previous reporting period: 0
  • Outstanding from more than one reporting period: 0
Total 2
Closed during reporting period 1
Carried over to next reporting period 1
  • Carried over within legislated timeline: 1
  • Carried over beyond legislated timeline: 0

1.2 Channels of requests

Channels of requests
Source Number of Requests
Online 0
Email 2
Mail 0
In person 0
Phone 0
Fax 0
Total 2

Section 2: Informal requests

2.1 Number of informal requests

Number of informal requests
Number of Requests
Received during reporting period 15
Outstanding from previous reporting periods 0
  • Outstanding from previous reporting period: 0
  • Outstanding from more than one reporting period: 0
Total 15
Closed during reporting period 15
Carried over to next reporting period 0

2.2 Channels of informal requests

Channels of informal requests
Source Number of Requests
Online 0
Email 15
Mail 0
In person 0
Phone 0
Fax 0
Total 15

2.3 Completion time of informal requests

Completion time of informal requests
Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
4 5 6 0 0 0 0 15

2.4 Pages released informally

Pages released informally
Less Than 100 Pages Released 100 to 500
Pages Released
501 to 1000
Pages Released
1001 to 5000
Pages Released
More Than 5000
Pages Released
Number of Requests Pages Released Number of Requests Pages Released Number of Requests Pages Released Number of Requests Pages Released Number of Requests Pages Released
11 113 4 282 0 0 0 0 0 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 1 0 0 0 0 0 1
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 0 1 0 0 0 0 0 1

3.2 Exemptions

Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 0
27 0
27.1 0
28 0

3.3 Exclusions

Exclusions
Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

3.4 Format of information released

Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 1 0 0 0 0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e‑record formats
Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
5,583 5,583 1
3.5.2 Relevant pages processed per request disposition for paper and e‑record formats by size of requests
Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 0 0 0 0 0 0 1 5,583
Disclosed in part 0 0 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 1 5,583
3.5.3 Relevant minutes processed and disclosed for audio formats
Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Relevant minutes processed per request disposition for audio formats by size of requests
Less Than 60 Minutes Processed 60 to 120 Minutes Processed More Than 120 Minutes Processed
Disposition Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Relevant minutes processed per request disposition for video formats by size of requests
Less Than 60 Minutes Processed 60 to 120 Minutes Processed More Than 120 Minutes Processed
Disposition Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines
Number of requests closed within legislated timelines
Number of requests closed within legislated timelines 1
Percentage of requests closed within legislated timelines (%) 100

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines Principal Reason
Interference with Operations / Workload External Consultation Internal Consultation Other
0 0 0 0 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Requests closed beyond legislated timelines
Number of days past legislated timelines Number of requests past legislated timeline where no extension was taken Number of requests past legislated timeline where an extension was taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0

3.8 Requests for translation

Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions

Reasons for extensions
15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Number of requests where an extension was taken Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet
Confidence Section (Section 70)
External Internal
0 0 0 0 0 0 0 0 0

6.2 Length of extensions

Length of extensions
Length of Extensions 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 0 0 0 0 0 0 0
31 days or greater 0
Total 0 0 0 0 0 0 0 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

Consultations received from other Government of Canada institutions and organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

8.2 Requests with Privy Council Office

Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Complaints and Investigations Notices Received
Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy impact assessments

Privacy impact assessments
Number of PIAs completed 2
Number of PIAs modified 0

10.2 Institution-specific and central personal information banks

Institution-specific and central personal information banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 4 0 0 0
Central 0 0 0 0
Total 4 0 0 0

Section 11: Privacy Breaches

11.1 Material privacy breaches reported

Material privacy breaches reported
Number of material privacy breaches reported to Treasury Board of Canada SecretariatTBS 1
Number of material privacy breaches reported to Office of the Privacy Commissioner of CanadaOPC 1

11.2 Non-material privacy breaches

Non-material privacy breaches
Number of non-material privacy breaches 0

Section 12: Resources Related to the Privacy Act

12.1 Allocated costs

Costs
Expenditures Amount
Salaries $22,755
Overtime $0
Goods and Services
  • Professional services contracts $0
  • Other $0
$0
Total $22,755

12.2 Human Resources

Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 0.520
Part-time and casual employees 0.000
Regional staff 0.000
Consultants and agency personnel 0.000
Students 0.000
Total 0.520