Annual Report to Parliament on the Administration of the Privacy Act 2022-2023

Table of contents

• Introduction
  • Purpose of the Privacy Act
  • Mandate of Fisheries and Oceans Canada
• Organizational structure
  • Departmental organization
  • Access to Information and Privacy Secretariat
• Delegation Order
• Performance 2022-23
  • Overview of 2022-23 requests under the Privacy Act
    • Deemed refusals
    • Completion times
    • Active requests carried over to next reporting period
    • Active complaints carried over to next reporting period
    • Extensions
    • Consultations
    • Overview of information released
    • Dispositions
    • Exemptions and exclusions
  • Impact of COVID-19 on the administration of the Privacy Act
  • Other requests
    • Workplace harassment and violence investigation reports
    • Disclosures to federal investigative bodies
• Training and awareness
• Policies, guidelines, and procedures
• Initiatives and projects to improve privacy
  • Digital strategy
• Summary of key issues and actions taken on complaints
• Material privacy breaches
• Privacy impact assessments
  • Pacific Salmon Strategy Initiative, Initiative 15.2
  • Pacific Salmon Strategy Initiative, Initiative 15.3
  • Fishery officer Body Worn Camera (“BWC”) pilot project
• Public interest disclosures
• Monitoring compliance
• Appendix A: Delegation orders
• Appendix B: 2022-23 statistical report on the Privacy Act

Introduction

Purpose of the Privacy Act

The Privacy Act (Act) came into effect on July 1, 1983. The Act protects individuals’ personal information that is held by government institutions and provides these individuals with a right of access to this information. In addition, the Privacy Act gives individuals rights over the collection, use and disclosure of their personal information.

Section 72 of the Privacy Act requires that the head of every government institution prepare and submit an annual report to Parliament that details the administration of the Act within the institution each fiscal year.

Mandate of Fisheries and Oceans Canada

DFO is responsible for safeguarding Canadian waters and managing Canada's fisheries and oceans resources. DFO helps to ensure healthy and sustainable aquatic ecosystems through habitat protection and sound science. DFO supports economic growth in the marine and fisheries sectors, and innovation in areas such as aquaculture and biotechnology. DFO is committed to working with fishers, coastal and Indigenous communities to enable their continued prosperity from fish and seafood.

The Canadian Coast Guard (CCG) is a special operating agency of DFO that works to ensure the safety of mariners in Canadian waters and protect Canada’s marine environment. It supports Canada’s economic growth through the safe and efficient movement of maritime trade. CCG helps to ensure our country’s sovereignty and security through its presence in Canadian waters. The CCG also supports other government organizations by providing a civilian fleet and a broadly distributed shore-based infrastructure.

Organizational structure

Departmental organization

DFO has a presence across Canada, with the majority of employees working outside the national headquarters in one of the seven DFO regions or four CCG operational regions. National objectives, policies, procedures, and standards for DFO and CCG are established at national headquarters in Ottawa. Regions are responsible for delivering programs and activities according to national and regional priorities and within national performance parameters.

Access to information and Privacy Secretariat

The Access to Information and Privacy (ATIP) Director reported to the Director General, Public Affairs Directorate during the reporting period.

The ATIP Director is accountable for the development, coordination and implementation of effective ATIP-related policies, guidelines, systems and procedures. This accountability ensures that DFO’s responsibilities under the Access to Information Act and Privacy Act (Acts) are met, and enables appropriate processing and proper disclosure of information.

The ATIP Secretariat is divided along two business lines according to their main functions, and the business lines are managed by Deputy Directors. One business line is responsible for processing requests under the Acts; the other is responsible for all other activities related to the administration of the Acts at DFO.

The Operations Division is responsible for processing requests and providing issues management and is supported by:

• an Intake Unit, which oversees all incoming requests and liaises with requesters, programs and regions
• an Administrative Support Group, which handles scanning/uploading records, file management and quality control
• a team of analysts and consultants, which is responsible for the overall processing of requests

The ATIP Policy and Privacy Division (PPD) is responsible for many of the remaining responsibilities related to the administration of the Act. PPD acts as the Policy Centre for the Secretariat and provides advice to departmental officials on complex access to information matters, updates DFO’s Info Source chapter, investigates and responds to suspected privacy breach incidents, provides guidance to and assists program areas in conducting privacy impact assessments, oversees DFO’s disclosures under subsection 8(2) of the Privacy Act, oversees proactive disclosures of information including requirements under Part 2 of the Act, advises senior management on changes related to the Act and relevant Treasury Board of Canada Secretariat (TBS) policies, and liaises with the wider ATIP community.

PPD is also responsible for tracking departmental performance, supporting the Operations Division with staffing processes, hiring contracted resources, maintaining case management technology, leading strategic projects to improve the overall delivery of the ATIP program, and coordinating access to information training to ensure the ongoing sound application of the Acts.

The ATIP Secretariat works with a network of ATIP contacts from each region and sector who act as liaisons for their respective programs within the Department.

In total, throughout the course of this reporting period, the ATIP Secretariat employed approximately 12 full-time equivalents (FTEs) devoted to Privacy Act activities; this included 11.3 full-time employees and 1.1 students.

During this reporting period, the DFO ATIP Secretariat was not party to any service agreements under section 73.1 of the Privacy Act.

Delegation order

Responsibility for the administration of the Privacy Act at DFO is delegated from the Minister to the Director and Deputy Directors of the ATIP Secretariat. A copy of the Delegation Order is included as Appendix A.

Performance 2022-23

The Statistical Report on the Privacy Act is prepared by government institutions to assist TBS to analyze trends and exercise oversight.

Overview of 2022-23 requests under the Privacy Act

The analysis in this section compares data found in DFO’s 2022-23 Statistical Report on the Privacy Act with data from 2020-21 to produce a three-year trend analysis.

In 2022-23, DFO received 80 requests under the Privacy Act and had 17 requests outstanding from previous reporting periods. Of these 97 requests, DFO completed 86 and carried forward 11 into the next reporting period.

The following table illustrates fluctuations in workload over the past three years.

Compliance for 2022-23 remains positive; figures show that 86.04% of privacy request files were closed on or before their statutory or extended deadline.

Deemed refusals

When a government institution fails to respond to a request or give access to a record (in whole or in part) within the time limits set out in the Act (30 calendar days or the length of time taken under an extension), the institution is deemed to have refused access. This situation is commonly referred to as a deemed refusal.

During the 2022-23 reporting period, the ATIP Secretariat closed 12 requests (14%) past the legislated timeline.

The principal reason for delay in the requests closed past the statutory deadline is related to interference with operations/workload.

Completion times

Section 14 of the Act requires institutions to provide a response to the requester within 30 days of receipt of the request, or to notify the requester that an extension is required. Of the 86 requests completed during the reporting period, 52 requests (60%) were completed within 30 days, 18 requests (21%) were completed in 31 to 60 days, eight requests (9%) were completed in 61 to 120 days, three requests (4%) were completed in 121 to 180 days, another three requests (4%) were completed in 181 to 365 days, and two requests (2%) required more than 365 days to process.

Active requests carried over to next reporting period

As shown in Table 2, DFO carried over 11 active requests to the next reporting period. Table 2 provides an overview of all active requests according to the reporting period in which they were received. Almost half (45.45%) of the active requests carried forward into 2022-23 were received during the 2022-23 reporting period.

Active complaints carried over to next reporting period

Table 3 shows the active number of complaints as of the end of the reporting period, broken down by the specific reporting period in which the complaints were received.

Extensions

Section 15 of the Act provides for the extension of statutory time limits if processing a request within the original time limit would unreasonably interfere with the Department’s operations, if consultations are necessary, if additional time is necessary for translation purposes, or for converting the personal information into an alternative format.

During the reporting period, 27 extensions were taken for the following reasons:

• all 27 extensions were taken under subparagraph 15(a)(i), because processing the request within the original time limit would unreasonably interfere with the operations of DFO.

All extensions were taken within a period of up to 30 days beyond the initial 30-day statutory deadline.

Consultations

When other institutions and organizations retrieve information that concerns or originates from DFO in response to Privacy Act requests, they may consult the DFO ATIP Secretariat for recommendations on disclosure. Other institutions are defined as federal institutions subject to the Privacy Act. Organizations include the governments of the provinces, territories and municipalities, and of other countries.

In 2022-23, DFO did not receive any consultation requests from other Government of Canada institutions nor from other organizations.

Overview of information released

In 2022-23, the ATIP Secretariat processed a total of 58,228 relevant pages under the Privacy Act, more than double last year’s figure. Of these, 22,487 (38.6%) were disclosed in whole or in part.

Of the 86 requests closed during the reporting period 68 of them had relevant records to process. Of these 68 requests with relevant records to process, three requests required the processing of more than 5,000 pages. The total number of pages processed for these three requests was 28,746. This represented 49% of the total number of pages processed.

When requests are complete, requesters may receive the information in paper or electronic formats, or they may view the records at a DFO office. During the reporting period, access to relevant documents was given, in whole or in part, for 52 requests. The information was released in paper format for 21 of these requests (40%) and electronically for 31 requests (60%).

Disposition

The 86 requests completed by DFO in 2022-23 were finalized in the following manner:

• all disclosed – for 10 requests (12%), all relevant information was released in full to the requester
• disclosed in part – for 42 requests (49%), requesters were granted partial access to information:
  • no records exist – for 18 requests (21%), no relevant records existed under the control of DFO and
  • request abandoned – for 16 requests (18%), the requester abandoned their request
• no request was processed where all relevant information was exempted, excluded or where DFO could neither confirm nor deny the existence of the requested information

Exemptions and exclusions

Exemptions are provisions of the Act that allow or require the heads of federal government institutions to withhold information requested under the legislation. For requests completed during the reporting period, DFO invoked exemptions pursuant to paragraph 23(a) as well as sections 26 and 27 of the Privacy Act.

In 2022-23, section 26 was the most frequently invoked provision. It was cited in 39 requests, and was used to protect personal information about individuals other than the requester.

Exclusions are provisions of the Act that remove certain records from the application of the legislation. Records excluded from the requirements of the Act include published material and confidences of the Queen’s Privy Council (Cabinet Confidences) pursuant to sections 69 and 70, respectively. In 2022-2023 there were no requests for which records were excluded from the application of the Act.

Impact of COVID-19 on the administration of the Privacy Act

During the reporting period, COVID-19 did not have any impact on DFO’s ATIP operations.

Other requests

In addition to processing requests under the Act, developing policy tools, and delivering training, the ATIP Secretariat engages in a significant amount of activities related to the administration of the Privacy Act. These activities include:

• working with departmental programs to mitigate privacy risks
• overseeing disclosures pursuant to subsection 8(2) of the Act
• reviewing administrative investigation reports for privacy considerations
• providing advice and guidance to departmental officials on privacy impact assessments, privacy notice statements, information sharing agreements and contracts that involve the sharing of personal information; and
• releasing information outside of the formal ATIP request process, where appropriate

During this reporting period, ATIP also completed investigations regarding incidents of potential privacy breaches of which four were considered material privacy breaches.

Workplace harassment and violence investigation reports

ATIP continues to review investigation reports for privacy consideration prior to the disclosure of said reports, including to the involved parties. This service provided by the ATIP Secretariat includes vetting workplace harassment and violence investigation reports in keeping with Bill C-65 requirements. These reports are reviewed to protect information which could directly or indirectly reveal the identity of persons involved.

Disclosures to federal investigative bodies

Subsection 8(2) of the Privacy Act describes certain instances in which personal information under the control of a federal government institution may be disclosed without the consent of the individual to whom the information relates.

Paragraph 8(2)(e) allows institutions to disclose personal information to a federal investigative body specified in Schedule II of the Privacy Regulations on the written request of the body for the purpose of enforcing any law of Canada or any province or carrying out a lawful investigation.

In 2022-23, DFO made no disclosures pursuant to paragraph 8(2)(e).

Training and awareness

As per the requirements of the DFO Privacy Policy, employees and managers at all levels must take privacy training at least once every five years. In support of this policy, DFO promotes awareness of federal access to information and privacy legislation and the corresponding responsibilities of DFO employees through ongoing training delivery, informative articles and awareness events.

The ATIP Secretariat continued offering training to employees and managers at all levels through a predictable 12-month training schedule which was implemented during the 2021-22 reporting period. The ATIP Secretariat also observed an increase in requests for ad-hoc training which was offered upon request and tailored to programs’ needs.

Training and awareness content was also updated regularly to enhance participants’ learning experience in a hybrid environment through the use of various interactive tools and in office technologies. Hybrid training also allowed DFO to meet the training needs of various groups across the Department including in the regions. During the 2022-23 reporting period, 2352 participants received ATIP training through the sessions offered by the ATIP Secretariat. These sessions focused on processing access to information requests; protecting and managing personal information; and meeting proactive publication requirements.

The ATIP Secretariat also made additional efforts to promote the Canada School of Public Service (CSPS) to DFO employees which resulted in a 9% increase in overall participation compared to the previous fiscal year. During this reporting period, 741 participants completed CSPS ATIP-related training courses.

Table 5 highlights all ATIP-related training activities undertaken during the reporting period.

The ATIP Secretariat continued to promote training awareness to ensure all employees have completed mandatory privacy training and are aware of policies, procedures, and legal responsibilities under the Privacy Act. ATIP also provides training further to files being treated or when trends in ATIP indicate a need for privacy awareness on a specific subject matter. As well, ATIP recognizes opportunities for training and awareness when drafting Privacy Impact Assessments and will offer specific training to the affected programs. Regularly, ATIP publishes articles in the departmental newsletter to provide employees with information and guidance about privacy protection principles and best practices. Activities were also organized throughout the reporting period in recognition of Data Privacy Day, Privacy Awareness Week, and Right to Know Week.

Policies, guidelines, and procedures

The ATIP Secretariat continues to revise DFO’s ATIP policy suite where appropriate. The suite of policy tools was developed to help DFO employees understand their responsibilities with regards to the protection of personal information. Included in the policy suite are DFO’s Privacy Policy, the Directive on Privacy Practices, the Standard on Privacy Breaches, the Standard on Permissible Disclosures of Personal Information and related tools such as Guidelines for the Informal Release of Information, the Privacy Impact Assessment: Needs Analysis, the Privacy Notice Template and Privacy Breach reporting forms.

Initiatives and projects to improve privacy

Digital strategy

The ATIP Secretariat continued to expand upon its Digital Strategy that was initiated in the 2019-2020 reporting period. Over the reporting period, there was an increase in the use of the Access Online Management Tool (AOMT) for requests submitted to DFO and response packages sent back to requesters. DFO continued to use digital solutions such as epost Connect, WeTransfer and email to facilitate the transmission of ATI responses to requesters.

The Secretariat’s implementation of digital solutions have resulted in the department continuing to meet its legislative obligations for providing responsive records to requesters while reducing the departmental carbon footprint.

Summary of key issues and actions taken on complaints

The Office of the Privacy Commissioner (OPC) reviews complaints resulting from: either a refusal by the head of a government institution to disclose personal information or an institution’s handling of personal information. DFO reviews the outcomes of each OPC investigation or audit and where appropriate, DFO incorporates lessons learned into business processes.

In 2022-23 DFO received nine complaints from the OPC relating to formal privacy requests, two of which have been completed. The two completed complaints were a result of prioritizing those files to complete the review of many pages of records subject to the requests. The remaining seven complaints are actively being reviewed, with one subject to litigation.

An additional six complaints were received from the OPC that did not relate to formal privacy requests. The complainants in these cases alleged improper or unauthorized collection, use, disclosure, or retention of their personal information. DFO worked with the OPC to resolve three of these complaints through the OPC’s early resolution process. The remaining three complaints, of which two relate to DFO’s implementation of the TBS Policy on COVID-19 Vaccination, remained active as of the end of the reporting period.

Material privacy breaches

A privacy breach is defined by the Office of the Privacy Commissioner as the loss of, unauthorized access to, or disclosure of, personal information. A material privacy breach is defined by TBS as involving sensitive information that could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.

During the reporting period, DFO ATIP Secretariat reported 4 material privacy breaches to the OPC and TBS. Below is a description of the nature of each material privacy breach and a summary of the actions taken as a result of each breach.

1. Improper or unauthorized disclosure - Personal information about student candidates sent to an unintended recipient. The breach was immediately contained by de-activating links.
2. Improper or unauthorized access and disclosure - Personal information disclosed without limiting information to the recipients' 'need to know'. Immediate measures were taken to contain the privacy breach including ensuring that the recipients deleted the information disclosed to them in error.
3. Improper or unauthorized access and retention - Personal information stored electronically without appropriate controls to limit access. The area responsible for the program that owns the affected folders was notified and access permissions were corrected.
4. Improper or unauthorised access and retention - Personal information stored electronically without appropriate controls to limit access. Immediate actions were taken to modify access controls.

In response to these material privacy breaches, ATIP recommended measures to prevent re-occurrences of each incident. Recommendations included updating privacy and security awareness training, consulting Information Management when appropriate, and testing new or modified electronic storage solutions prior to implementation.

Privacy impact assessments

To fulfill its mandate, many of DFO’s activities require the collection, use and disclosure of personal information. In accordance with TBS policies and directives, a privacy impact assessment (PIA) is completed as a risk management tool to determine whether privacy risks are present in new or substantially modified departmental programs or activities that collect, use, disclosure or retain personal information.

During the reporting period, three PIAs were completed. Two were related to the Pacific Salmon Strategy Initiative and one was related to the use of Body Worn Cameras by Fishery Officers. A brief description of each PIA and links to their web summaries on DFO’s web site are as follow:

Pacific Salmon Strategy Initiative, Initiative 15.2

PSSI Initiative 15.2 allows commercial fishing licence holders who leave the industry to receive market value compensation for their licence.

Pacific Salmon Strategy Initiative, Initiative 15.3

To support conservation of Pacific salmon and provide greater stability and clarity for commercial harvesters, DFO launched long-term commercial salmon fishery closures in areas of conservation concerns. Initiative 15.3 provides short-term financial support to Indigenous commercial fish harvesters in order to mitigate socio-economic impacts from the long-term closure of non-selective fishing in areas of concern.

Fishery Officer Body Worn Camera (“BWC”) Pilot Project

The Fishery Officer Body Worn Camera is a pilot project in which DFO’s Conservation and Protection will test the use of BWCs on a small-scale starting in the Maritime and Pacific regions.

Public interest disclosures

Subsection 8(2) of the Privacy Act describes certain instances in which personal information under the control of a federal government institution may be disclosed without the consent of the individual to whom the information relates.

Paragraph 8(2)(m) allows institutions to disclose personal information in circumstances where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where disclosure would clearly benefit the individual to whom the information relates.

In 2022-23, DFO made one disclosure under paragraph 8(2)(m). This consisted of a disclosure of personal information about a DFO employee to their supervisor out of safety concerns for the employee. Consistent with the DFO Standard on Permissible Disclosures of Personal Information under Subsection 8(2) of the Privacy Act, the OPC was notified prior to the disclosure being made.

Monitoring compliance

DFO makes every effort to meet statutory deadlines and actively monitors the time taken to process access to information requests. Monitoring begins as soon as a request is received by the DFO ATIP Secretariat, entered into the case management system and assigned to an analyst. All requests, including requests for consultations and requests for informal advice or review of records, are entered into the case management system for tracking. This electronic tracking of deadlines is essential, as analysts work on numerous requests, each with multiple actions with specific deadlines, at any given time. Analysts meet with their respective team leaders on a weekly basis to identify issues with requests that might result in delays. Issues are raised with the ATIP management team, if necessary. The Director and Deputy Directors of the ATIP Secretariat get involved in files where they can use their authority as the Minister’s delegates under the Access to Information Act and the Privacy Act to promote compliance with deadlines and deliverables.

Appendix A: Delegation orders

Appendix B: 2022-23 statistical report on the Privacy Act

Section 1: Requests under the Privacy Act

1.1 Number of requests received

1.2 Channels of requests

Section 2: Informal requests

2.1 Number of informal requests

2.2 Channels of informal requests

2.3 Completion time of informal requests

2.4 Pages released informally

Section 3: Requests closed during the reporting period

3.1 Disposition and completion time

3.2 Exemptions

3.3 Exclusions

3.4 Format of information released

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests

3.5.3 Relevant minutes processed and disclosed for audio formats

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

3.5.5 Relevant minutes processed and disclosed for video formats

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

3.5.7 Other complexities

3.6 Closed requests

3.6.1 Number of requests closed within the statutory time limits

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

3.7.2 Request closed beyond legislated timelines (including any extension taken)

3.8 Requests for translation

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for correction of personal information and notations

Section 6: Extensions

6.1 Reasons for extensions

6.2 Length of extensions

Section 7: Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Section 8: Completion time of consultations on Cabinet confidences

8.1 Requests with Legal Services

8.2 Requests with Privy Council Office

Section 9: Complaints and investigations notices received

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

10.2 Institution-specific and Central Personal Information Banks

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported

11.2 Non-Material Privacy Breaches

Section 12: Resources related to the Privacy Act

12.1 Allocated costs

12.2 Human resources

Note: Enter values to three decimal places.