Annual Report on the Privacy Act—2022–23

Office of the Auditor General of Canada

ISSN 2561-8571

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.

This annual report on the Privacy Act at the OAG describes how we administered our responsibilities under the act during the 2022–23 fiscal year.

The OAG audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds.

We are in the business of legislative auditing. We conduct

Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which is carried out by the Commissioner of the Environment and Sustainable Development on behalf of the Auditor General of Canada. The Commissioner has additional responsibilities under the Federal Sustainable Development Act and the Canadian Net-Zero Emissions Accountability Act to review and monitor the Government of Canada’s sustainable development strategies and its implementation of measures aimed at mitigating climate change.

Access to Information and Privacy team

The Access to Information and Privacy (ATIP) Coordinator is a member of the Legal Services, ATIP, and Policy team headed by the OAG’s Senior General Counsel. The full-time ATIP Coordinator is supported by a junior analyst, counsel, and administrative staff as required. The main activities of the ATIP Coordinator included

The OAG was not a party to any service agreements under section 73.1 of the act during the 2022–23 reporting period.

Delegation order under the Access to Information Act and the Privacy Act

I, Karen Hogan, Auditor General of Canada, pursuant to subsection 95(1) of the Access to Information Act and subsection 73(1) of the Privacy Act, hereby delegate to the persons holding the positions set out below or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of the Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule beside each position.  This delegation order replaces all previous delegation orders.

9 March 2023

Schedule
Position Access to Information Act and Regulations Privacy Act and Regulations
Senior General Counsel Full authority Full authority
ATIP Coordinator Full authority Full authority

[Original signed by]

Karen Hogan, Fellow Chartered Professional Accountant (FCPA)
Auditor General of Canada
240 Sparks Street
Ottawa, Ontario  K1A 0G6

Performance in 2022–23

Completion time for closed requests

During the reporting period, from 1 April 2022 to 31 March 2023, the OAG received 1 formal Privacy Act request and completed a request that had been carried over from the previous reporting period. Both requests were completed within legislated timelines. One request was completed in less than 30 days, and the other request was completed within 60 days.

There were no outstanding formal requests carried over to the next reporting period.

Trends

The OAG responds to multiple requests throughout the year from individuals seeking informal feedback, input, or advice regarding whether they should submit a formal request for their personal information, either to the OAG or to another institution.

The OAG processed and completed a total of 6 formal requests for personal information during the past 4 reporting periods, including the period of this report.

The OAG assists with or redirects multiple requests for personal information annually, as many individuals believe that the OAG either has their personal information or through the course of audits has collected their personal information. Additionally, many individuals believe that the OAG should audit the subject of their grievances against the federal government. While these are not processed as formal requests for information, they can often result in prolonged efforts to address individuals’ concerns and ascertain which department, if any, should receive their request.

Training and awareness

The OAG requires that all employees complete mandatory ATIP training, offered by the Canada School of Public Service as an online, self-paced course.

All new OAG employees are required to complete the training within 3 months of the start date of their employment.

During the reporting period, 50 employees completed this training.

OAG employees were offered an informal information session regarding definitions of personal information.

To ensure in-depth training is taken by employees of the OAG who have functional or delegated responsibility for the administration of the Privacy Act and Privacy Regulations, the OAG ATIP Coordinator participated in the 2022 Canadian Privacy Symposium offered by the International Association of Privacy Professionals, and the OAG Junior ATIP Analyst attended the 2022 Canadian Access and Privacy Association Conference.

The ATIP Coordinator regularly provides OAG employees with guidance and briefings on the processing of ATIP requests. Furthermore, information is available on the OAG’s internal website to help raise employees’ awareness of privacy issues, such as the collection, retention, use, and disclosure of personal information.

Policies, guidelines, and procedures

The OAG did not revise policies, guidelines, or procedures related to the act or implement new ones during the reporting period.

Initiatives and projects to improve privacy

The OAG plans to procure and use request tracking and reporting software to modernize our ability to receive and process formal and informal requests.

The OAG has been included in the Treasury Board of Canada Secretariat’s ATIP online program.

Summary of key issues and actions taken on complaints

The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.

Material privacy breaches

One material privacy breach occurred during the reporting period. A security clearance form containing an individual’s sensitive personal information was mistakenly sent to another individual by email. The affected individual was notified, and the recipient of the incorrect form confirmed it was deleted. The OAG notified the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.

Privacy impact assessments

Audit resource management system

The objective of the project was to update Retain corporate software, an audit resource management application, from version 5 to version 7 because the vendor no longer supports the previous version. Efficient coordination and management of audits requires resource planning. The OAG implemented Retain corporate software version 7 to continue to be able to efficiently schedule audit resources, define and store comprehensive skills information, produce various reports, and allow real-time viewing of audit schedules through a standard web browser. Personal information is used for planning purposes and is not shared outside of the OAG.

Learning management system

The new learning management system replaces the OAG’s professional development and learning tool, Learning Management Solution and OAG Campus. The system is an amalgamation of internal and external training and compliance management and monitoring. Although the system mostly uses non-personal employee information, it does use some personal information of OAG employees. The system also uses some cloud-based data storage.

Preliminary (informal) assessments

For all new or amended projects, the OAG has implemented a mandatory process that requires the completion of a Preliminary Privacy Assessment checklist. This document ensures that personal information elements are considered before and during the completion of the project.

This process also identifies the required elements for a formal privacy impact assessment, which is initiated if the preliminary assessment identifies the need for one.

During the reporting period, the OAG completed 18 preliminary assessments, 2 of which resulted in formal privacy impact assessments.

Public interest disclosure

The OAG did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Monitoring compliance

The OAG uses a case management system that tracks both active and closed requests. The system is designed to track legislative deadlines. The OAG also uses a time code system to track and monitor all OAG activities, including Privacy Act–related functions.

The costs directly associated with the administration of the Privacy Act for the reporting period are estimated to be $11,453 for salaries. This salary amount includes time spent by the ATIP Coordinator, part-time members of the ATIP team, and all OAG employees on all privacy-related activities. The OAG is able to estimate salary costs for time spent on all ATIP-related activities because of the OAG’s timekeeping software and practices, which require all employees to charge time spent on ATIP matters.

The OAG conducts inter-institutional consultations if required, such as in the case of the collection of personal information during an audit or special examination. This activity is monitored in the ATIP file management system.

The OAG encourages informal disclosure of personal information, such as human resources (HR) personnel files, to employees when requested. If personal information is not available by informal means, the ATIP Coordinator assists the requester with the submission of a formal request.

The OAG uses standard language in all contracts, agreements, and arrangements ensuring the protection and appropriate management of personal information. Standard contract clauses are reviewed periodically, as required.

Impact of COVID-19 measures

The OAG was not affected by COVID-19–related measures during the reporting period.

Administration of the Privacy Act

Requests under the Privacy Act

Received during the reporting period 1
Outstanding from the previous period 1
Total 2

Disposition of completed requests

One request was disclosed in its entirety, and the other was disclosed in part.

Exemptions invoked

For the request that was partially disclosed, the OAG exempted certain portions of the records pursuant to section 26 (personal information of other individuals) and section 27 (solicitor-client privileged information).

Exclusions cited

The OAG did not cite any exclusions during the reporting period.

Completion time

One request was completed within 30 days, and the other request was completed within 60 days.

Extension of time limits

The OAG extended 1 request by 30 days to process a large volume of records.

Method of access

For both formal requests closed during this reporting period, copies of records were provided in digital format.

Appendix—Statistical Report on the Privacy Act

Statistical Report on the Privacy Act

Name of institution: Office of the Auditor General of Canada

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

Number of Requests
Received during reporting period 1
Outstanding from previous reporting periods 1
  • Outstanding from previous reporting period: 1
  • Outstanding from more than one reporting period: 0
Total 2
Closed during reporting period 2
Carried over to next reporting period 0
  • Carried over within legislated timeline: 0
  • Carried over beyond legislated timeline: 0

1.2 Channels of requests

Source Number of Requests
Online 0
Email 1
Mail 0
In person 0
Phone 0
Fax 0
Total 1

Section 2: Informal requests

2.1 Number of informal requests

Number of Requests
Received during reporting period 39
Outstanding from previous reporting periods 0
  • Outstanding from previous reporting period: 0
  • Outstanding from more than one reporting period: 0
Total 39
Closed during reporting period 39
Carried over to next reporting period 0

2.2 Channels of informal requests

Source Number of Requests
Online 0
Email 39
Mail 0
In person 0
Phone 0
Fax 0
Total 39

2.3 Completion time of informal requests

Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
7 28 4 0 0 0 0 39

2.4 Pages released informally

Less Than 100 Pages Released
  • Number of Requests: 33
  • Pages Released: 918
100 to 500 Pages Released
  • Number of Requests: 6
  • Pages Released: 802
501 to 1000 Pages Released
  • Number of Requests: 0
  • Pages Released: 0
1001 to 5000 Pages Released
  • Number of Requests: 0
  • Pages Released: 0
More Than 5000 Pages Released
  • Number of Requests: 0
  • Pages Released: 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 1 0 0 0 0 0 1
Disclosed in part 0 0 1 0 0 0 0 1
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 0 1 1 0 0 0 0 2

3.2 Exemptions

Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 1
27 1
27.1 0
28 0

3.3 Exclusions

Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

3.4 Format of information released

Paper 0
Electronic
  • E-record: 2
  • Data set: 0
  • Video: 0
  • Audio: 0
Other 0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e‑record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
711 434 2
3.5.2 Relevant pages processed by request disposition for paper and e‑record formats by size of requests
Disposition Less Than 100 Pages Processed 100 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Processed Number of Requests Pages Processed Number of Requests Pages Processed Number of Requests Pages Processed Number of Requests Pages Processed
All disclosed 1 24 0 0 0 0 0 0 0 0
Disclosed in part 1 687 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 2 711 0 0 0 0 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Less Than 60 Minutes Processed 60 to 120 Minutes Processed More Than 120 Minutes Processed
Disposition Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Less Than 60 Minutes Processed 60 to 120 Minutes Processed More Than 120 Minutes Processed
Disposition Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines
Number of requests closed within legislated timelines 2
Percentage of requests closed within legislated timelines (%) 100

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines 0
Principal Reason
  • Interference with Operations / Workload: 0
  • External Consultation: 0
  • Internal Consultation: 0
  • Other: 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of days past legislated timelines Number of requests past legislated timeline where no extension was taken Number of requests past legislated timeline where an extension was taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0

3.8 Requests for translation

Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions

Number of extensions taken 1
15(a)(i) Interference with operations
  • Further review required to determine exemptions: 0
  • Large volume of pages: 1
  • Large volume of requests: 0
  • Documents are difficult to obtain: 0
15(a)(ii) Consultation
  • Cabinet Confidence Section (Section 70): 0
  • External: 0
  • Internal: 0
15(b) Translation purposes or conversion 0

6.2 Length of extensions

Length of Extensions, followed by columns in this order:
  • 15(a)(i) Interference with operations: Further review required to determine exemptions; Large volume of pages; Large volume of requests; Documents are difficult to obtain
  • 15(a)(ii) Consultation: Cabinet Confidence Section (Section 70); External; Internal
  • 15(b) Translation purposes or conversion
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 1 0 0 0 0 0 0
31 days or greater 0
Total 0 1 0 0 0 0 0 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

Number of Days Fewer Than 100 Pages Processed 100 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

8.2 Requests with Privy Council Office

Number of Days Fewer Than 100 Pages Processed 100 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy impact assessments

Number of PIAs completed 2
Number of PIAs modified 0

10.2 Institution-specific and central personal information banks

Personal Information Banks Active Created Terminated Modified
Institution-specific 4 0 0 4
Central 0 0 0 0
Total 4 0 0 4

Section 11: Privacy Breaches

11.1 Material privacy breaches reported

Number of material privacy breaches reported to Treasury Board of Canada Secretariat (TBS) 1
Number of material privacy breaches reported to Office of the Privacy Commissioner of Canada (OPC) 1

11.2 Non-material privacy breaches

Number of non-material privacy breaches 0

Section 12: Resources Related to the Privacy Act

12.1 Allocated costs

Costs
Expenditures Amount
Salaries $11,453
Overtime $0
Goods and Services $0
  • Professional services contracts $0
  • Other $0
Total $11,453

12.2 Human Resources

Resources Person Years Dedicated to Privacy Activities
Full-time employees 0.750
Part-time and casual employees 0.000
Regional staff 0.000
Consultants and agency personnel 0.000
Students 0.000
Total 0.750