Annual Report on the Privacy Act—2023–24

Office of the Auditor General of CanadaAnnual Report on the Privacy Act—2023–24

ISSN 2561-8571

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects individuals’ privacy by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.

This annual report on the Privacy Act at the OAG describes how we administered our responsibilities under the act during the 2023–24 fiscal year.

Who we are

The OAG audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds.

We are in the business of legislative auditing. We conduct

Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which is carried out by the Commissioner of the Environment and Sustainable Development on behalf of the Auditor General of Canada. The Commissioner has additional responsibilities under the Federal Sustainable Development Act and the Canadian Net-Zero Emissions Accountability Act to review and monitor the Government of Canada’s sustainable development strategies and its implementation of measures aimed at mitigating climate change.

Access to Information and Privacy team

The Access to Information and Privacy (ATIP) Coordinator is a member of the Legal Services, ATIP, and Policy team headed by the OAG’s Senior General Counsel. The full-time ATIP Coordinator is supported by an ATIP analyst and paralegal, legal counsel, and administrative staff as required. The main activities of the ATIP team included

Delegation order under the Access to Information Act and the Privacy Act

I, Karen Hogan, Auditor General of Canada, pursuant to subsection 95(1) of the Access to Information Act and subsection 73(1) of the Privacy Act, hereby delegate to the persons holding the positions set out below or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of the Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule beside each position.  This delegation order replaces all previous delegation orders.

9 March 2023

Schedule
Position Access to Information Act and Regulations Privacy Act and Regulations
Senior General Counsel Full authority Full authority
ATIP Coordinator Full authority Full authority

[Original signed by]

Karen Hogan, Fellow Chartered Professional AccountantFCPA
Auditor General of Canada
240 Sparks Street
Ottawa, Ontario  K1A 0G6

Performance in 2023–24

During the reporting period, from 1 April 2023 to 31 March 2024, the OAG did not receive any formal requests for personal information under the Privacy Act. However, the OAG received multiple requests for personal information under the Access to Information Act and a significant number of informal requests for personal information.

The OAG did not receive any complaints during the reporting period.

Trends

The OAG responds to multiple requests throughout the year from individuals seeking informal feedback, input, or advice regarding whether they should submit a formal request for their personal information, either to the OAG or to another institution.

The OAG processed and completed a total of 5 formal requests for personal information during the past 4 reporting periods, including the period of this report.

The OAG assists with or redirects multiple requests for personal information annually, as many individuals believe that the OAG either has their personal information or through the course of audits, has collected their personal information. Additionally, many individuals believe that the OAG should audit the subject of their grievances against the federal government. While these are not processed as formal requests for information, they can often result in prolonged efforts to address individuals’ concerns and ascertain which department, if any, should receive their request.

Training and awareness

The OAG requires that all employees complete mandatory ATIP training, offered by the Canada School of Public Service as an online, self-paced course.

All new OAG employees are required to complete the training within 3 months of the start date of their employment.

During the reporting period, 115 employees completed this training.

The ATIP Coordinator regularly provides OAG employees with guidance and briefings on the processing of ATIP requests. Furthermore, information is available on the OAG’s internal website to help raise employees’ awareness of privacy issues, such as the collection, retention, use, and disclosure of personal information.

Policies, guidelines, and procedures

To help employees identify and mitigate privacy breaches, during the reporting period, the OAG drafted and has since internally published a privacy breach protocol that includes links to helpful resources from the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.

Initiatives and projects to improve privacy

The OAG has engaged outside parties and is planning the procurement of request processing software. Our current plans are to join other federal government organizations in using a platform hosted by Shared Services Canada.

The OAG continues to progress toward further implementation of anonymization (or de-identification) measures for personal information found in audit records.

Complaints and investigations

The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.

Material privacy breaches

One material privacy breach occurred during the reporting period. The OAG was notified of a privacy breach at Brookfield Global Relocation Services on 20 October 2023. The breach of information affected all federal government departments that had relocated employees using Brookfield Global Relocation Services since 2001. The OAG notified potentially affected employees individually by email except for individuals on extended leave, who had departed the OAG, or whose contact information was unavailable. On request, potentially affected employees were provided with activation codes for credit monitoring and identity theft protection offered by Equifax. The Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat were notified as recommended by both entities in government-wide communications.

Completed privacy impact assessments

Retain system upgrade

The purpose of implementing Retain Corporate Software version 7 was to continue to be able to efficiently schedule audit resources, define and store comprehensive skills information, produce various reports, and allow real-time access to audit schedules through a standard web browser. The new version of Retain includes several features and utilities, which include the use of some personal information, which is used for audit planning purposes and will not be shared outside of the OAG.

Learning management system—Modified assessment

The Learning Management System replaced the OAG’s professional development and learning tool, Learning Management Solution and OAG Campus. The new system is an amalgamation of internal and external training and compliance management and monitoring. Although the system mostly uses non-personal employee information, it does use some personal information of OAG employees. The new system also uses some cloud-based data storage.

The privacy impact assessment completed in the 2022–23 reporting period was modified during the 2023–24 reporting period because of updates to the OAG Campus offerings and certain surveys and questionnaires offered to employees.

Preliminary (informal) assessments

For all new or amended projects, the OAG has implemented a mandatory process that requires the completion of a preliminary privacy assessment checklist. This document ensures that personal information elements are considered before and during the completion of the project.

This process also identifies the required elements for a formal privacy impact assessment, which is initiated if the preliminary assessment identifies the need for one.

During the reporting period, the OAG completed 27 preliminary assessments.

Public interest disclosures

The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.

Monitoring compliance

The OAG uses time tracking software to monitor and track privacy-related activities and functions, including employees’ attendance at privacy information and training sessions.

As noted in this report, preliminary privacy assessments are completed when projects may include elements of personal information collection or use. The ATIP team uses software to track and monitor these projects.

The OAG uses standard language in contracts, agreements, and arrangements, which include requirements for the protection and provision of personal information.

The OAG complies with Treasury Board directives, policies, and guidelines where applicable. The OAG Information and Data Management group ensures that all necessary actions are taken within the legislated or recommended deadline or time frame.

Requests for correction of personal information

No requests for correction of personal information were received during the reporting period.

Appendix—Statistical Report on the Privacy Act

Statistical Report on the Privacy Act

Name of institution: Office of the Auditor General of Canada

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

Number of requests received
Number of Requests
Received during reporting period 0
Outstanding from previous reporting periods
  • Outstanding from previous reporting period: 0
  • Outstanding from more than one reporting period: 0
0
Total 0
Closed during reporting period 0
Carried over to next reporting period
  • Carried over within legislated timeline: 0
  • Carried over beyond legislated timeline: 0
0

1.2 Channels of requests

Channels of requests
Source Number of Requests
Online 0
Email 0
Mail 0
In person 0
Phone 0
Fax 0
Total 0

Section 2: Informal requests

2.1 Number of informal requests

Number of informal requests
Number of Requests
Received during reporting period 42
Outstanding from previous reporting periods
  • Outstanding from previous reporting period: 0
  • Outstanding from more than one reporting period: 0
0
Total 42
Closed during reporting period 42
Carried over to next reporting period 0

2.2 Channels of informal requests

Channels of informal requests
Source Number of Requests
Online 0
Email 42
Mail 0
In person 0
Phone 0
Fax 0
Total 42

2.3 Completion time of informal requests

Completion time of informal requests
Completion Time
0 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
27 6 3 6 0 0 0 42

2.4 Pages released informally

Pages released informally
Less Than 100 Pages Released 100 to 500
Pages Released
501 to 1000
Pages Released
1001 to 5000
Pages Released
More Than 5000
Pages Released
Number of Requests Pages Released Number of Requests Pages Released Number of Requests Pages Released Number of Requests Pages Released Number of Requests Pages Released
42 2,944 0 0 0 0 0 0 0 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

Disposition and completion time
Disposition of Requests Completion Time
0 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

3.2 Exemptions

Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 0
27 0
27.1 0
28 0

3.3 Exclusions

Exclusions
Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

3.4 Format of information released

Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 0 0 0 0 0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper, e‑record and dataset formats
Relevant pages processed and disclosed for paper, e-record and dataset formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
0 0 0
3.5.2 Relevant pages processed by request disposition for paper, e‑record and dataset formats by size of requests
Relevant pages processed by request disposition for paper, e-record and dataset formats by size of requests
Disposition Less Than 100 Pages Processed 100 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Processed Number of Requests Pages Processed Number of Requests Pages Processed Number of Requests Pages Processed Number of Requests Pages Processed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Relevant minutes processed per request disposition for audio formats by size of requests
Less Than 60 Minutes Processed 60 to 120 Minutes Processed More Than 120 Minutes Processed
Disposition Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Relevant minutes processed per request disposition for video formats by size of requests
Less Than 60 Minutes Processed 60 to 120 Minutes Processed More Than 120 Minutes Processed
Disposition Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines
Number of requests closed within legislated timelines
Number of requests closed within legislated timelines 0
Percentage of requests closed within legislated timelines (%) 0

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines Principal Reason
Interference with Operations / Workload External Consultation Internal Consultation Other
0 0 0 0 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Requests closed beyond legislated timelines
Number of days past legislated timelines Number of requests past legislated timeline where no extension was taken Number of requests past legislated timeline where an extension was taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0

3.8 Requests for translation

Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions

Reasons for extensions
15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Number of extensions taken Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet
Confidence Section (Section 70)
External Internal
1 0 1 0 0 0 0 0 0

6.2 Length of extensions

Length of extensions
Length of Extensions 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes or conversion
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 0 0 0 0 0 0 0
31 days or greater this span of 7 table cell are blacked out intentionally  0
Total 0 0 0 0 0 0 0 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

Consultations received from other Government of Canada institutions and organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
0 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
0 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 100 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

8.2 Requests with Privy Council Office

Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 100 to 500 Pages Processed 501 to 1000 Pages Processed 1001 to 5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Complaints and Investigations Notices Received
Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy impact assessments

Privacy impact assessments
Number of PIAs completed 1
Number of PIAs modified 1

10.2 Institution-specific and central personal information banks

Institution-specific and central personal information banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 4 0 0 0
Central 0 0 0 0
Total 4 0 0 0

Section 11: Privacy Breaches

11.1 Material privacy breaches reported

Material privacy breaches reported
Number of material privacy breaches reported to Treasury Board of Canada SecretariatTBS 1
Number of material privacy breaches reported to Office of the Privacy Commissioner of CanadaOPC 1

11.2 Non-material privacy breaches

Non-material privacy breaches
Number of non-material privacy breaches 0

Section 12: Resources Related to the Privacy Act

12.1 Allocated costs

Allocated costs
Expenditures Amount
Salaries $9,977
Overtime $0
Goods and services
  • Professional services contracts $0
  • Other $0
$0
Total $9,977

12.2 Human resources

Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 0.685
Part-time and casual employees 0.000
Regional staff 0.000
Consultants and agency personnel 0.000
Students 0.000
Total 0.685