Annual report to Parliament on the administration of the Privacy Act, 2024-2025
Table of Contents
- Introduction
- Organizational Structure
- Delegation Order
- Performance 2024-25
- Training and awareness
- Policies, guidelines, and procedures
- Initiatives and projects to improve privacy
- Summary of key issues and actions taken on complaints
- Material privacy breaches
- Privacy impact assessments
- Public interest disclosures
- Monitoring Compliance
- Appendix A: Delegation Order
- Appendix B: 2024-25 Statistical report on the Privacy Act
Introduction
Purpose of the Privacy Act
The Privacy Act (Act) came into effect on July 1, 1983. The Act protects the privacy of individuals with respect to their personal information by imposing limits on federal institutions’ collection, use, retention, disposition, disclosure, and accuracy of personal information. The Act also provides individuals with a right of access to their personal information held by federal institutions and the right to request correction to that information.
Section 72 of the Privacy Act requires that the head of every government institution prepare and submit an annual report to Parliament that details the administration of the Act within the institution each fiscal year.
This annual report describes how Fisheries and Oceans Canada (DFO) administered the Privacy Act from April 1, 2024, to March 31, 2025.
The report is tabled in both the House of Commons and the Senate on any of the first 15 sitting days on which the house is sitting after September 1, 2025.
Mandate of Fisheries and Oceans Canada
DFO is responsible for safeguarding Canadian waters and managing Canada's fisheries and oceans resources. DFO helps to ensure healthy and sustainable aquatic ecosystems through habitat protection and sound science. DFO supports economic growth in the marine and fisheries sectors, and innovation in areas such as aquaculture and biotechnology. DFO is committed to working with fishers, coastal, and Indigenous communities to enable their continued prosperity from fish and seafood.
The Canadian Coast Guard (CCG) is a special operating agency of DFO that works to ensure the safety of mariners in Canadian waters and protect Canada’s marine environment. It supports Canada’s economic growth through the safe and efficient movement of maritime trade. CCG helps to ensure our country’s sovereignty and security through its presence in Canadian waters. The CCG also supports other government organizations by providing a civilian fleet and a broadly distributed shore-based infrastructure.
Organizational structure
Departmental organization
DFO has a presence across Canada, with the majority of employees working outside the national headquarters in one of the seven DFO regions or four CCG operational regions. National objectives, policies, procedures, and standards for DFO and CCG are established at the national headquarters in Ottawa. Regions are responsible for delivering programs and activities according to national and regional priorities and within national performance parameters.
Access to Information and Privacy Secretariat
The Access to Information and Privacy (ATIP) Director reports to the Director General, Public Affairs Branch.
The ATIP Director is accountable for the development, coordination and implementation of effective ATIP-related policies, guidelines, systems and procedures. This accountability ensures that DFO’s responsibilities under the Access to Information Act and Privacy Act (Acts) are met and enables appropriate processing and proper disclosure of information.
The ATIP Secretariat is divided along two business lines according to their main functions, and the business lines are managed by Deputy Directors.
The Operations Division is responsible for the following activities:
- Processing requests under the Access to Information Act and Privacy Act;
- Responding to consultation requests from other governments or other federal institutions;
- Supporting DFO’s legislative compliance obligations under the Acts by providing advice and guidance to senior management and staff of DFO on ATIP legislation;
- Representing DFO in ATIP communities of practitioners, such as at the Treasury Board of Canada Secretariat (TBS) ATIP Community meetings;
- Drafting and implementing internal ATIP procedures, guidance documents, and working aids on the administration of the Acts.
The Operations Division is supported by:
- An Intake Unit, which oversees all incoming requests and liaises with requesters, programs, and regions;
- An Administrative Support Group, which handles scanning/uploading records, file management, and quality control;
- A team of analysts, which is responsible for the overall processing of requests including the review of records.
The Policy and Privacy Division (PPD) serves as the centre of expertise for policy and governance related to access to information and privacy at DFO. The Division is responsible for a broad range of functions that support the effective administration of the Acts. Specifically, the Division:
- Provides advice to departmental officials on access to information and privacy matters;
- Oversees proactive publication and reporting requirements which includes updating DFO’s Info Source chapter and producing statistical reports and annual reports on the administration of the Acts;
- Investigates and responds to suspected privacy breach incidents;
- Supports DFO programs in completing Privacy Impact Assessments, Personal Information Banks, and Privacy Notice Statements in compliance with TBS requirements;
- Advises senior management on changes related to the Act and relevant TBS policies;
- Liaises with the wider ATIP community;
- Supports the ATIP Program with staffing processes and hiring contracted resources;
- Maintains its case management tools, including leading strategic projects to improve the overall delivery of the ATIP program; and
- Tracks departmental performance and coordinates access to information training to ensure the ongoing sound application of the Acts.
The ATIP Secretariat works with a network of ATIP contacts from each Office of Primary Interest (OPI) within the Department who act as liaisons for their respective region, sector, or program.
In total, throughout the course of this reporting period, the ATIP Secretariat employed approximately 13.304 full-time equivalents (FTEs) devoted to Privacy Act activities. This included:
- 12.699 full-time employees
- 0.163 part-time and casual employees
- 0.472 students
During this reporting period, the DFO ATIP Secretariat was not party to any service agreements under section 73.1 of the Privacy Act.
Delegation Order
Responsibility for the administration of the Privacy Act at DFO is delegated from the Minister to the Director and Deputy Directors of the ATIP Secretariat. A copy of the signed Delegation Order is included as Appendix A.
Performance 2024-25
The Statistical Report on the Privacy Act is prepared by government institutions to assist TBS in analyzing trends and exercising oversight.
DFO’s complete 2024-25 Statistical Report on the Privacy Act is included as Appendix B. Reports from previous years are included as appendices within each year’s Annual Report on the Privacy Act, available on the DFO Corporate Reporting webpage.
Overview of 2024-25 requests under the Privacy Act
The analysis in this section compares data from DFO’s 2024-25 Statistical Report on the Privacy Act with data from the 2022-23 fiscal year to produce a three-year trend analysis.
In 2024-25, DFO received 106 requests under the Privacy Act, representing an increase of 6% compared to the previous reporting period. DFO also continued to process 18 outstanding requests carried over from previous reporting periods. Of the 124 total requests processed, 111 were completed, while 13 were carried forward into the next reporting period. This reflects a 19.4% increase in completed requests compared to 2023-24.
Compliance for responding to requests within legislated deadlines remained excellent for 2024-25. Of the 111 requests completed, 101 were closed within the statutory deadline.
As shown in Table 1 below, this corresponds to an on-time compliance rate of 91.0% for 2024-25, illustrating that even with the rise in requests since 2022-23, performance has remained consistently high over the last three years.
| Number of requests | 2022-23 | 2023-24 | 2024-25 |
|---|---|---|---|
| Received during reporting period | 80 | 100 | 106 |
| Outstanding from previous reporting period | 17 | 11 | 18 |
| Total requests to process during reporting period | 97 | 111 | 124 |
| Completed during reporting period | 86 | 93 | 111 |
| Carried over to next reporting period | 11 | 18 | 13 |
| On-time compliance rate | 86.0% | 92.5% | 91.0% |
Deemed refusals
When a government institution fails to respond to a request or give access to a record (in whole or in part) within the time limits set out in the Act (30 calendar days or the length of time taken under an extension), the institution is deemed to have refused access. This situation is commonly referred to as a deemed refusal.
During the 2024-25 reporting period, the ATIP Secretariat closed 10 requests (9.01%) past the legislated timeline.
The principal reason for delay in the requests closed past the statutory deadline is related to interference with operations/workload.
Completion times
Section 14 of the Act requires institutions to provide a response to the requester within 30 days of receipt of the request, or to notify the requester that an extension is required. Of the 111 requests completed during the reporting period:
- 81 requests (73%) were completed within 30 days
- 16 requests (14%) were completed in 31 to 60 days
- 9 requests (8%) were completed in 61 to 120 days
- 1 request (1%) was completed in 121 to 180 days
- 1 request (1%) was completed in 181 to 365 days
- 3 requests (3%) required more than 365 days to process
Active requests that are outstanding from the previous reporting periods
As shown in Table 2, DFO carried over a total of 13 active requests to the next reporting period. The table provides an overview of these requests according to the reporting period in which they were received. Of the 13 requests carried forward into 2025-26, eight were received during the 2024-25 reporting period.
| Fiscal Year Active requests Were Received | Active requests that are within legislated timelines as of March 31, 2025 | Active requests that are beyond legislated timelines as of March 31, 2025 | Total |
|---|---|---|---|
| 2024-25 | 5 | 3 | 8 |
| 2023-24 | 0 | 1 | 1 |
| 2022-23 | 0 | 0 | 0 |
| 2021-22 | 0 | 2 | 2 |
| 2020-21 | 0 | 2 | 2 |
| Total | 5 | 8 | 13 |
Active complaints that are outstanding from previous reporting periods
As shown in Table 3, as of the last day of the reporting period, DFO had one active complaint with the Privacy Commissioner regarding a formal request under the Privacy Act. This complaint was carried over from the 2023-2024 reporting period.
| Fiscal year active complaints were received by institution | Number of active complaints |
|---|---|
| 2024-2025 | 0 |
| 2023-2024 | 1 |
| Total | 1 |
Extensions
Section 15 of the Act provides for the extension of statutory time limits if processing a request within the original time limit would unreasonably interfere with the Department’s operations, if consultations are necessary, if additional time is necessary for translation purposes, or for converting the personal information into an alternative format.
Reasons for extensions and disposition of requests
During the reporting period, a total of 29 extensions were taken under subsections 15(a)(i) and 15(a)(ii) of the Act. These extensions were taken for the following reasons:
- 27 extensions were taken under paragraph 15(a)(i), as responding within the original time limits would have interfered with departmental operations:
  - 13 extensions were required to conduct further review to determine whether exemptions applied;
  - 14 extensions were taken due to the large volume of records requiring processing.
- 2 extensions were taken under paragraph 15(a)(ii) to allow time for internal consultations.
Length of extensions
All extensions taken under the Act are applied for a period of up to 30 days beyond the initial 30-day statutory deadline. As shown in Table 4, there were 29 extensions taken by DFO during the reporting period. The table presents a breakdown of these extensions, categorized by their duration.
| Length of extensions | Number of extensions |
|---|---|
| 1 to 15 days | 1 |
| 16 to 30 days | 28 |
| Total | 29 |
Completion time of consultation on Cabinet Confidences
The ATIP Secretariat consults with DFO’s Legal Services Unit regarding the application of exclusions under section 70 of the Act (Cabinet Confidence). On occasion, Legal Services will forward the consultation to the Privy Council Office (PCO) for additional advice. For the purposes of the Statistical Report, when a consultation is forwarded in this manner, it is recorded as a PCO consultation instead of a Legal Services consultation.
In 2024-25, the DFO Legal Services Unit was not consulted by the ATIP Secretariat regarding the application of Section 70 of the Act. Similarly, no consultations were forwarded to PCO during the reporting period.
Consultations
When other institutions and organizations retrieve information that concerns or originates from DFO in response to Privacy Act requests, they may consult the DFO ATIP Secretariat for recommendations on disclosure. Other institutions are defined as federal institutions subject to the Privacy Act. Organizations include the governments of Canadian provinces, territories, and municipalities, as well as governments of foreign states and international bodies of states.
In 2024-25, no consultation request was received or processed by DFO.
Overview of Information Released
In 2024-25, the ATIP Secretariat processed a total of 56,211 relevant pages under the Privacy Act. Of these, 24,238 (43.12%) pages were disclosed in whole or in part.
Among the 111 Privacy requests closed by DFO during the reporting period, 16 involved the processing of more than 1,001 pages each. These 16 requests accounted for a total of 47,093 pages, representing 83.8% of all pages processed during the reporting period.
When requests are complete, requesters may receive the information in paper or electronic formats, or they may view the records at a DFO office. Among the privacy requests completed during the reporting period, responses included the following formats:
- e-record format (in 50 responses)
- data set format (in 11 responses)
- video format (in 1 response)
- audio format (in 2 responses)
Disposition
Table 5 shows a breakdown by disposition of the 111 requests completed by DFO in 2024-25, including the percentage of requests by dispositions. This table also includes data from the two previous reporting periods.
| Disposition type | 2022-2023 number of requests | 2022-2023 percentage of total | 2023-2024 number of requests | 2023-2024 percentage of total | 2024-2025 number of requests | 2024-2025 percentage of total |
|---|---|---|---|---|---|---|
| All disclosed | 10 | 12% | 13 | 14% | 16 | 14% |
| Disclosed in part | 42 | 49% | 41 | 44% | 37 | 33% |
| All exempted | 0 | 0% | 0 | 0% | 0 | 0% |
| All excluded | 0 | 0% | 0 | 0% | 0 | 0% |
| No records exist | 18 | 21% | 25 | 27% | 26 | 24% |
| Request transferred | 0 | 0% | 0 | 0% | 0 | 0% |
| Request abandoned | 16 | 18% | 13 | 14% | 32 | 29% |
| Neither confirmed nor denied | 0 | 0% | 1 | 1% | 0 | 0% |
| Total | 86 | 100% | 93 | 100% | 111 | 100% |
During the reporting period, no requests were closed with a disposition of “neither confirmed nor denied”, nor were any requests transferred to another institution. Similarly, there were no requests for which all relevant information was completely exempted or excluded.
In 2024-25, the three most common dispositions for privacy requests were:
- disclosed in part with 37 requests (33%)
- request abandoned with 32 requests (29%)
- no records exist with 26 requests (24%)
A disposition of “no records exist” may be applied when the subject matter falls under the mandate of another federal institution or when DFO holds no responsive records. A request may be considered “abandoned” if the requester does not respond to DFO’s correspondence within a communicated timeframe or does not provide sufficient documentation when validating their identity.
DFO provided responsive records to requesters for 53 requests (47%) in 2024-25. As shown in Table 5, the proportion of requests resulting in full or partial disclosures has remained high since 2022-23, even as the overall number of completed requests has increased compared with previous reporting periods.
Exemptions and exclusions
The Privacy Act gives individuals a right of access to their personal information under the control of government institutions, subject to limited and specific exceptions. These exceptions are referred to as exemptions and exclusions.
Exemptions are provisions of the Act that allow or require the heads of federal government institutions to withhold information requested under the legislation.
Exclusions are provisions of the Act that remove certain records from the application of the legislation. Records excluded from the requirements of the Act include published material and confidences of the Queen’s Privy Council (Cabinet Confidences).
Table 6 shows the three most frequently invoked exceptions by DFO in 2024-25, which have not changed when compared to the previous reporting period.
| Section | Description | Number of requests where the exception applies |
|---|---|---|
| 22(1) | Law enforcement and investigation | 9 |
| 26 | Information about another individual | 39 |
| 27 | Protected information – solicitors, advocates and notaries | 4 |
See Appendix B for further information on the exemptions and exclusions invoked by DFO in 2024-25, presented by section, subsection and paragraph of the Act. For the purposes of this report, each exemption or exclusion is counted only once per request, regardless of the number of times it was applied within that request.
Other requests
In addition to processing requests under the Act, developing policy tools, and delivering training, the ATIP Secretariat engages in a significant number of activities related to the administration of the Privacy Act. These activities include:
- Preventing, assessing, containing, mitigating, and reporting on privacy breach incidents in accordance with privacy breach management requirements;
- Overseeing disclosures pursuant to subsection 8(2) of the Act, such as to an investigative body under 8(2)(e);
- Supporting departmental processes for TB submissions;
- Providing advice and guidance to departmental officials on privacy impact assessments, privacy notice statements, and agreements that involve personal information such as in memorandums of understanding, information sharing agreements and contracts;
- Disclosing information outside of the formal ATIP request process, where appropriate;
- Reviewing investigation reports for privacy considerations, to protect personal information as needed, prior to making a disclosure to the involved parties. Examples include reports resulting from incidents of workplace harassment or violence, misconduct, and breaches of values and ethics.
Training and awareness
During the 2024-25 reporting period, DFO undertook various initiatives to ensure that employees were aware of their responsibilities under the Privacy Act, and that those with functional and delegated responsibilities received the required training.
Mandatory departmental training for all employees
As per the requirements of the DFO Privacy Policy, employees and managers at all levels must take privacy training at least once every five years. In support of this policy, DFO promotes awareness of federal access to information and privacy legislation and the corresponding responsibilities of DFO employees through ongoing training delivery, informative articles and awareness events.
Formal departmental training sessions
The ATIP Secretariat maintained a consistent 12-month training schedule, established in 2021-22, offering sessions to employees and managers in English, French, or bilingually. Training materials were updated to reflect changes to TBS instruments, as detailed in the Policies, Guidelines, and Procedures section. Upon conclusion of each session, participants were invited to complete evaluations to support the continuous enhancement of the training program.
Virtual training continued to allow DFO to address the learning needs of various employees across the Department, including regional offices. During the 2024-25 reporting period, a total of 905 participants received ATIP training, and 10 of these participants were Executives. These sessions covered processing ATIP requests and protecting and managing personal information, while executive training focused on legal obligations under both Acts, leadership accountability, and recent policy updates.
Table 7 highlights the number of formal ATIP training sessions held by DFO during the reporting period and the corresponding number of participants.
| Session type | Number of sessions | Number of participants |
|---|---|---|
| ATIP Essentials: Processing ATIP Requests | 10 | 475 |
| ATIP Essentials: Protecting and Managing Personal Information | 9 | 420 |
| ATIP Essentials for Executives | 1 | 10 |
| Total | 20 | 905 |
Departmental privacy training
During the reporting period, DFO’s ATIP Secretariat updated and delivered revised privacy training materials intended for all DFO and CCG employees. The training material covers key topics including the fundamental principles of privacy protection, the use of personal information banks, the management of privacy breaches, and the development of privacy impact assessments. A tailored session was also delivered to executives to reinforce accountability and support informed decision-making at the management level.
In accordance with Appendix B: Mandatory Procedures for Privacy Training outlined in the Directive on Personal Information Requests and Correction of Personal Information, all government employees are required to complete privacy training consistent with these standards.
DFO’s approach aligns with this directive through its ATIP Essentials training sessions, which cover:
- The purpose of the Privacy Act;
- Key definitions such as personal information and administrative purpose;
- Roles and responsibilities of employees and managers under the Act;
- Requirements for providing complete, accurate, and timely responses to information requests;
- Best practices for privacy and security in the handling of personal information, including creation, collection, retention, disposition, accuracy, and disclosure;
- Institutional processes and tools aligned with most recent government and TBS updates.
Additionally, DFO ensures that all employees with functional or delegated responsibilities under the Act and Privacy regulations receive targeted training, including information on:
- Relevant provisions concerning extensions;
- Public reporting obligations, such as annual reports to Parliament;
- The oversight roles of the Privacy and Information Commissioners.
Informal and ongoing awareness activities
In addition to formal training, the ATIP Secretariat shared internal articles and resources consistent with updates to policy instruments. This included the publication of articles to promote training and awareness about privacy protection principles as well as about ATIP request processes and best practices, and to ensure all employees have completed mandatory training and are aware of policies, procedures and legal responsibilities under both Acts.
The ATIP Secretariat equally remained available to deliver ad-hoc training sessions, tailored to programs’ needs and offered upon request. Training was also provided proactively to employees in response to ongoing files or emerging trends in Access to Information or Privacy, addressing specific subject areas as needed.
Canada School of Public Service courses
During the reporting period, the ATIP Secretariat also made additional efforts to promote courses offered by the Canada School of Public Service (CSPS) to DFO employees, including:
- Access to Information and Privacy Fundamentals (COR502);
- Access to Information in the Government of Canada (COR503);
- Privacy in the Government of Canada (COR504).
During this reporting period, 427 participants completed CSPS ATIP-related training courses.
Table 8 highlights CSPS ATIP-related courses promoted by DFO during the reporting period and the corresponding number of departmental participants.
| CSPS course | Number of participants |
|---|---|
| Access to Information and Privacy Fundamentals (COR502) | 405 |
| Privacy in the Government of Canada (COR504) | 14 |
| Access to Information in the Government of Canada (COR503) | 8 |
| Total | 427 |
ATIP contact meetings
The ATIP Secretariat additionally continued to engage ATIP contacts across the Department through regular monthly meetings. These meetings serve as an additional forum to share new information and guidance to ATIP contacts about a variety of topics, such as the records retrieval process, meeting proactive publication requirements, the Privacy Impact Assessment process, ATIP related responsibilities and expectations, and opportunities for improvements within the Department. These meetings also serve as a forum to provide training to OPI contacts on conducting effective record searches, thereby supporting the timely and efficient submission of responses to the ATIP Secretariat. This ongoing engagement is essential for consistent policy application, fostering collaboration, and strengthening transparency and compliance across the Department.
Right to Know Week
In September, the ATIP Secretariat observed Right To Know (RTK) Week, to raise awareness of the right of access to government information under the Access to Information Act, and to foster freedom of information as essential to both democracy and good governance. Events included a bilingual remote Speaker Panel featuring DFO ATIP professionals and collaborators from across the Department, who discussed various ATIP-related topics, including record retrieval processes, the impact of artificial intelligence on access to information and privacy, and best practice guidance for DFO employees when making recommendations on exemptions and exclusions under both Acts. RTK Week activities also featured an interactive magazine published on the departmental intranet page, along with a French and English interactive activity that enabled participants to test their knowledge on the Access to Information Act and its impact on the right to access government information.
Policies, guidelines, and procedures
Following the introduction of new and updated instruments by TBS during the reporting period, DFO’s ATIP Secretariat communicated these changes internally, integrated them into departmental operations, and updated departmental training materials accordingly.
The ATIP policy suite of tools was developed to help DFO employees understand their responsibilities with regards to the protection of personal information. Included in the policy suite are the DFO:
- Privacy Policy
- Directive on Privacy Practices
- Standard on Privacy Breaches
- Standard on Permissible Disclosures of Personal Information
- Framework for Proactive Disclosures and related tools such as Guidelines for the Informal Release of Information
- various forms and templates to ensure departmental compliance to legal ATIP requirements
Updates to privacy policy instruments
In October 2024, DFO adopted the new TBS policy instruments, including the Policy on Privacy Protection, the Directive on Privacy Practices, and the Standard on Privacy Impact Assessments (PIAs), which replaced the former Directive on PIAs. These updates were communicated internally and integrated into departmental privacy operations.
Privacy breach management
DFO continued to apply its internal Privacy Breach Protocol, which outlines procedures for containment, assessment, notification, and mitigation. During the reporting period, DFO equally adopted the new TBS breach reporting form and toolkit. These resources were integrated into the departmental ATIP policy suite and used to document and report privacy breach incidents in alignment with federal requirements. Although no new breach-specific policies were introduced, existing procedures and tools were reviewed and updated to align with the latest TBS tools.
Use of Social Insurance Numbers (SINs)
No new collections or consistent uses of Social Insurance Numbers (SINs) were initiated during the 2024-25 reporting period.
Initiatives and projects to improve privacy
Digital Strategy
The ATIP Secretariat continued to expand upon its Digital Strategy that was initiated in the 2019-20 reporting period. The ATIP Secretariat’s implementation of digital solutions over the years has resulted in the Department continuing to meet its legislative obligations to provide responsive records to requesters while reducing the departmental carbon footprint.
In 2024-25, the Department procured a new ATIP software solution which will replace its current ATIP Request Processing Software Solution (RPSS) and will serve both Access to Information Act and Privacy Act requests once implemented. The new solution will leverage new technology and will result in more efficient processing of all requests. Implementation is currently underway, with full deployment anticipated in fiscal year 2025-26.
DFO additionally continues to use the Access Online Management Tool (AOMT), which is administered by TBS. As of last fiscal year, the latest version of AOMT allows federal institutions to send documents such as extension letters and release packages, and to engage in multiple exchanges with requesters, which continues to enhance communication, improve efficiency, and support timely responses under the Acts.
Privacy compliance reviews
DFO’s ATIP Secretariat launched a privacy compliance review initiative during the reporting period to evaluate departmental alignment with privacy requirements in order to ensure compliance with TBS policy instruments such as the Standard on Privacy Impact Assessment, as outlined in Appendix C of the Directive on Privacy Practices. This initiative aims to provide a structured approach for identifying gaps between legislative requirements and internal practices, and for recommending appropriate corrective actions.
Summary of key issues and actions taken on complaints
The Office of the Privacy Commissioner (OPC) reviews complaints resulting from either a refusal by the head of a government institution to disclose personal information or an institution’s handling of personal information. DFO reviews the outcomes of each OPC investigation or audit and where appropriate, DFO incorporates lessons learned into its business processes.
In 2024-25, DFO received three complaints from the OPC. The complaints related to alleged delays in responding to requests and concerns regarding the completeness of disclosed records. The three complaints received in 2024-25 were resolved through the early resolution process and required no further action.
Table 9 shows the number of active complaints with the OPC as of the last day of the 2024-25 reporting period.
| Fiscal year active complaints were received by institution | Number of active complaints |
|---|---|
| 2024-25 | 0 |
| 2023-24 | 1 |
| Total | 1 |
Material privacy breaches
A privacy breach is defined by TBS as the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information. A material privacy breach involves sensitive information that could reasonably be expected to create a real risk of significant harm to an individual.
In 2024-25, DFO reported one material privacy breach to the OPC and TBS.
The incident involved a lost USB flash drive containing sensitive personal information about two individuals.
In response to the material breach, ATIP recommended that the program involved work with Corporate Security to review and strengthen procedures for the secure transmission of personal information.
Privacy impact assessments
To fulfill its mandate, some DFO programs or activities require the collection, use, and disclosure of personal information. In accordance with the TBS Policy on Privacy Protection and Directive on Privacy Practices, which includes the Standard on Privacy Impact Assessments, a PIA must be conducted to assess and mitigate privacy risks in the following situations:
- Prior to undertaking a new program or activity that will involve the managing of personal information for an administrative purpose;
- When substantial modifications are made to an existing program or activity that uses personal information for an administrative purpose, including through:
  - The use of any new or modified information technology or other process;
  - The involvement of any other institution or third party under contract, agreement or arrangement with the institution;
  - The use of an automated decision system that would require compliance with the Directive on Automated Decision-Making;
- When the official responsible under section 10 of the Privacy Act determines that a PIA is warranted given the potential risks associated with any administrative or non-administrative use of personal information;
- When an existing program that uses personal information for an administrative purpose does not already have a PIB.
For all new initiatives involving personal information, a preliminary assessment also takes place to determine whether a PIA is required.
During the 2024-25 reporting period, DFO completed a PIA to support the implementation of new regulatory requirements under the Possession and Export of Elvers Regulations (PEER). A summary of the PIA is available on the DFO website:
Summary of the Privacy Impact Assessment for the Possession and Export of Elver Licence
The PEER expands DFO oversight of the post-harvest elver supply chain by requiring new licences to possess and/or export domestic- or foreign-caught elvers. These regulations facilitate traceability of elver along the supply chain through new reporting requirements under the conditions of the possession and export licences, verifications and inspections. The intended outcome is to make it harder to possess, sell and export unlawfully harvested elver and, ultimately, to disincentivize unlawful harvesting.
In addition, during the reporting period, DFO updated the PIA for the Open Source Information Collection (OSIC) initiative. A summary of this PIA is also available on the DFO website:
Open Source Information Collection (OSIC) Initiative
DFO’s Conservation and Protection program’s OSIC technology relies on publicly accessible information to collect data, which may consequently be used by DFO to detect and address violations of relevant legislation.
Public interest disclosures
Subsection 8(2) of the Privacy Act describes certain instances in which personal information under the control of a federal government institution may be disclosed without the consent of the individual to whom the information relates.
Paragraph 8(2)(m) allows institutions to disclose personal information in circumstances where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where disclosure would clearly benefit the individual to whom the information relates.
In 2024-25, DFO made no disclosure in the public interest.
Monitoring compliance
DFO makes every effort to meet statutory deadlines and actively monitors the time taken to process requests for personal information. Monitoring begins as soon as a request is received by the DFO ATIP Secretariat, where it is entered into the case management system and assigned to an analyst. All requests, including requests for consultations or advice on ATIP-related matters, are entered into the case management system for tracking. This tracking of deadlines is essential, as analysts work on numerous requests at any given time, each with multiple actions with specific deadlines. Analysts meet with their respective team leaders on a weekly basis to identify issues with requests that might result in delays. Issues are raised with the ATIP management team, and if necessary, the Director and/or Deputy Directors of the ATIP Secretariat get involved in files where they can use their authority as the Minister’s delegates under the Acts to promote compliance with deadlines and deliverables.
The Department also proactively discloses records to meet statutory requirements or in response to requests outside the formal ATIP process. Although proactive publication requirements are pursuant to Part 2 of the Access to Information Act, the ATIP program reviews all records before disclosures are made to ensure that information disclosed is in accordance with both Acts.
Compliance reporting
To support oversight and continuous improvement, the ATIP Secretariat produces several compliance reports throughout the year.
- OPI Compliance Reports: Issued quarterly, these reports assess the performance of OPIs across DFO and CCG in responding to ATI and Privacy requests. Aggregated statistics are shared with program executives during training sessions to support oversight and accountability. They also provide the ATIP Secretariat with insight into program-specific performance and help identify areas where additional support may be required. Upon request, tailored compliance reports are also provided to OPIs to promote compliance.
- Weekly Progress Reports: These reports track year-to-date performance, including the number of requests received and closed, the percentage processed within legislated timelines, and comparisons with the previous fiscal year. They are reviewed by ATIP management to identify trends and areas requiring attention.
Ensuring privacy protections in contracts and agreements
DFO remains committed to protecting privacy and safeguarding personal information in accordance with the Privacy Act. The Department continues to take proactive measures to protect individuals’ privacy and ensure the proper handling of personal information in all contractual and information sharing practices.
The Department aligns its practices with Government of Canada policies and TBS guidance to ensure ongoing compliance with evolving access and privacy directives. The DFO ATIP Secretariat frequently addresses inquiries from departmental programs by providing case-by-case guidance on sound privacy practices. This support extends to reviewing departmental contracts and information sharing agreements or arrangements, where tailored advice is provided to ensure the protection of personal information and compliance with privacy requirements. By collaborating with programs, DFO reinforces its commitment to safeguarding privacy and handling personal information responsibly.
Appendix A: Delegation Orders
Appendix B: 2024-25 Statistical report on the Privacy Act
Section 1: Requests under the Privacy Act
| Number of requests | ||
|---|---|---|
| Received during reporting period | 106 | |
| Outstanding from previous reporting periods | 18 | |
| | 12 | |
| | 6 | |
| Total | 124 | |
| Closed during reporting period | 111 | |
| Carried over to next reporting period | 13 | |
| | 5 | |
| | 8 | |
| Source | Number of requests |
|---|---|
| Online | 80 |
| | 24 |
| | 1 |
| In person | 0 |
| Phone | 0 |
| Fax | 1 |
| Total | 106 |
Section 2: Informal requests
| Number of requests | ||
|---|---|---|
| Received during reporting period | 0 | |
| Outstanding from previous reporting periods | 0 | |
| | 0 | |
| | 0 | |
| Total | 0 | |
| Closed during reporting period | 0 | |
| Carried over to next reporting period | 0 | |
| Source | Number of requests |
|---|---|
| Online | 0 |
| | 0 |
| | 0 |
| In person | 0 |
| Phone | 0 |
| Fax | 0 |
| Total | 0 |
| Completion Time | |||||||
|---|---|---|---|---|---|---|---|
| 0 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Less than 100 pages released | 100-500 pages released | 501-1000 pages released | 1001-5000 pages released | More than 5000 pages released | |||||
|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages released | Number of requests | Pages released | Number of requests | Pages released | Number of requests | Pages released | Number of requests | Pages released |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 3: Requests closed during the reporting period
| Disposition of requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 0 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| All disclosed | 5 | 9 | 2 | 0 | 0 | 0 | 0 | 16 |
| Disclosed in part | 3 | 9 | 12 | 9 | 1 | 1 | 2 | 37 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 16 | 10 | 0 | 0 | 0 | 0 | 0 | 26 |
| Request abandoned | 29 | 0 | 2 | 0 | 0 | 0 | 1 | 32 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 53 | 28 | 16 | 9 | 1 | 1 | 3 | 111 |
| Section | Number of requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 0 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 9 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 1 |
| 22.4 | 0 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 0 |
| 26 | 39 |
| 27 | 4 |
| 27.1 | 0 |
| 28 | 0 |
| Section | Number of requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
| Paper | Electronic | Other | |||
|---|---|---|---|---|---|
| E-record | Data set | Video | Audio | ||
| 0 | 50 | 16 | 1 | 2 | 0 |
3.5 Complexity
| Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|
| 56211 | 24238 | 85 |
| Disposition | Less than 100 pages processed | 100-500 pages processed | 501-1000 pages processed | 1001-5000 pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | |
| All disclosed | 12 | 266 | 2 | 652 | 2 | 1157 | 0 | 0 | 0 | 0 |
| Disclosed in part | 8 | 324 | 7 | 2138 | 6 | 3891 | 14 | 34329 | 2 | 12764 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 30 | 0 | 1 | 164 | 1 | 526 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 50 | 590 | 10 | 2954 | 9 | 5574 | 14 | 34329 | 2 | 12764 |
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 14 | 10 | 2 |
| Disposition | Less than 60 minutes processed | 60-120 minutes processed | More than 120 minutes processed | |||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 1 | 11 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 3 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 2 | 14 | 0 | 0 | 0 | 0 |
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 18 | 18 | 1 |
| Disposition | Less than 60 minutes processed | 60-120 minutes processed | More than 120 minutes processed | |||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 18 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 18 | 0 | 0 | 0 | 0 |
| Disposition | Consultation required | Legal advice sought | Interwoven information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 |
3.6 Closed requests
| Number of requests closed within legislated timelines | 101 |
|---|---|
| Percentage of requests closed within legislated timelines (%) | 90.99099099 |
3.7 Deemed refusals
| Number of requests closed past the legislated timelines | Principal Reason | |||
|---|---|---|---|---|
| Interference with operations / workload | External consultation | Internal consultation | Other | |
| 10 | 10 | 0 | 0 | 0 |
| Number of days past legislated timelines | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timeline where an extension was taken | Total |
|---|---|---|---|
| 1 to 15 days | 0 | 2 | 2 |
| 16 to 30 days | 0 | 3 | 3 |
| 31 to 60 days | 0 | 0 | 0 |
| 61 to 120 days | 0 | 1 | 1 |
| 121 to 180 days | 0 | 1 | 1 |
| 181 to 365 days | 0 | 0 | 0 |
| More than 365 days | 0 | 3 | 3 |
| Total | 0 | 10 | 10 |
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 1 | 0 | 1 |
| French to English | 0 | 0 | 0 |
| Total | 1 | 0 | 1 |
Section 4: Disclosures Under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 2 | 0 | 0 | 2 |
Section 5: Requests for correction of personal information and notations
| Disposition for Correction requests received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 0 |
| Total | 0 |
Section 6: Extensions
| 15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | ||||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet confidence section (Section 70) | External | Internal | ||
| Number of extensions taken | ||||||||
| 29 | 13 | 14 | 0 | 0 | 0 | 0 | 2 | 0 |
| 15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | ||||||
|---|---|---|---|---|---|---|---|---|
| Length of Extensions | Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet confidence section (Section 70) | External | Internal | |
| 1 to 15 days | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 days | 12 | 14 | 0 | 0 | 0 | 0 | 2 | 0 |
| 31 days or greater | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 13 | 14 | 0 | 0 | 0 | 0 | 2 | 0 |
Section 7: Consultations received from other institutions and organizations
| Consultations | Other Government of Canada Institutions | Number of pages to review | Other organizations | Number of pages to review |
|---|---|---|---|---|
| Received during the reporting period | 0 | 0 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Closed during the reporting period | 0 | 0 | 0 | 0 |
| Carried over within negotiated timelines | 0 | 0 | 0 | |
| Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
| Recommendation | Number of days Required to Complete Consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 0 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 0 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8: Completion time of consultations on cabinet confidences
| Number of days | Fewer than 100 pages processed | 100-500 pages processed | 501-1000 pages processed | 1001-5000 pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of days | Fewer than 100 pages processed | 100-500 pages processed | 501-1000 pages processed | 1001-5000 pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 9: Complaints and investigations notices received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 3 | 4 | 0 | 0 | 7 |
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)
| Number of PIAs completed | 1 |
|---|---|
| Number of PIAs modified | 1 |
| Personal information Banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| Institution-specific | 54 | 0 | 0 | 2 |
| Central | 0 | 0 | 0 | 0 |
| Total | 54 | 0 | 0 | 2 |
Section 11: Privacy breaches
| Number of material privacy breaches reported to TBS | 1 |
|---|---|
| Number of material privacy breaches reported to OPC | 1 |
| Number of non-material privacy breaches | 16 |
Section 12: Resources related to the Privacy Act
| Expenditures | Amount | |
|---|---|---|
| Salaries | $1,484,623 | |
| Overtime | $0 | |
| Goods and Services | $33,427 | |
| | $0 | |
| | $33,427 | |
| Total | $1,518,050 | |
| Resources | Person years dedicated to privacy activities |
|---|---|
| Full-time employees | 12.669 |
| Part-time and casual employees | 0.163 |
| Regional staff | 0.000 |
| Consultants and agency personnel | 0.000 |
| Students | 0.472 |
| Total | 13.304 |
Note: Enter values to three decimal places.