Annual Report on the Administration of the Privacy Act 2016-2017

Table of Contents

  1. Introduction
  2. Organizational Structure
  3. Delegation Order
  4. Highlights of the Statistical Report, 2016-2017
  5. Training
  6. Policies, Guidelines, Procedures and Initiatives
  7. Summary of Key Issues and Actions Taken on Complaints or Audits
  8. Monitoring Compliance
  9. Material Privacy Breaches
  10. Privacy Impact Assessments
  11. Public Interest Disclosures

1. Introduction

The Privacy Act (Act), proclaimed in 1983, protects the privacy of individuals who are Canadian citizens or permanent residents with respect to personal information about themselves held by the Canadian government. The Act provides individuals with the right to access their personal information and protects the privacy of individuals by prescribing the manner in which the government may collect, use, disclose, retain and dispose of personal information. Individuals may also request correction of personal information where they perceive inaccuracies or omissions and may have notations attached to the information where corrections are refused.

Section 72 of the Act requires that the head of every government institution prepare for submission to Parliament an annual report on the administration of the Act within the institution during the financial year. This report covers the period from April 1, 2016 to March 31, 2017.

The Canadian Transportation Agency (Agency) is an independent, quasi-judicial tribunal and regulator with the powers of a superior court.

The Agency has three core mandates:

  • to help ensure that the national transportation system runs efficiently and smoothly in the interests of all Canadians: those who work and invest in it; the producers, shippers, travellers and businesses who rely on it; and the communities where it operates.
  • to protect the human right of persons with disabilities to an accessible transportation network.
  • to provide consumer protection for air passengers.

To help advance these mandates, we have three tools at our disposal:

  • Rule-making: The Agency develops and applies ground rules that establish the rights and responsibilities of transportation service providers and users and that level the playing field among competitors. These rules can take the form of binding regulations or less formal guidelines, codes of practice or interpretation notes.
  • Dispute resolution: The Agency resolves disputes that arise between transportation service providers on the one hand, and their clients and neighbours on the other, using a range of tools from facilitation and mediation to arbitration and adjudication.
  • Information provision: The Agency provides information on the transportation system, the rights and responsibilities of transportation service providers and users, and the Agency's legislation and services.

2. Organizational Structure

The Chair and Chief Executive Officer of the Agency is responsible for the administration of and compliance with the Act, its Regulation and Policy.

During this reporting period, the Access to Information and Privacy (ATIP) Unit was positioned in the Information Management and Technology Services Directorate (IMTSD) and included the Director of IMTSD and a Coordinator.

All files were processed by the Coordinator. Agency staff actively participated in the retrieval and review of records. All final releases were reviewed by Legal Services prior to their approval by the Coordinator or Director of IMTSD.

Each application had an individual case file, and all actions were recorded in the ATIP case management system, PrivaSoft AccessPro.

Implementation of the privacy program

The focus for the ATIP Coordinator was to continue to foster awareness about the Act and policy requirements for the collection, use, disclosure, retention, and disposal of personal information.

The ATIP Coordinator implemented and monitored the results of action plans stemming from the two privacy impact assessments (PIA) that were completed in 2015-2016: a PIA on our case management system and a PIA on the forms that we use to collect personal information. Actions included: updating personal information collection statements; training and awareness; and preparing an information sharing agreement between the Agency and Statistics Canada.

3. Delegation Order

In May 2016, the Chair and CEO delegated partial authority to the ATIP Coordinator and full authority to the Director of IMTSD and the Chief Corporate Officer. A copy of the May 2016 delegation order is attached as Appendix B. Prior to May 2016, the ATIP Coordinator and General Counsel held full authority. The previous delegation order is attached as Appendix C.

All delegation orders were signed in the city of Gatineau.

4. Highlights of the Statistical Report, 2016-2017

Attached as Appendix A is the form entitled “Statistical Report on the Privacy Act”, which provides statistical data on formal requests under the Actreceived by the Agency.

During this reporting period, April 1, 2016 to March 31, 2017, the Agency received six formal requests for personal information. This represents an increase of five requests over the previous year. No requests were outstanding from 2015-2016. One request was carried over to 2017-2018.

Formal requests received and completed over the last five years

Demandes formelles reçues et traitées au cours des cinq derniers exercices
5 year history of requests
  • Détails
      2016-2017 2015-2015 2014-2015 2013-2014 2012-2013
    Requests Received 6 1 1 0 1
    Requests Completed 5 1 1 0 1
    Informal Request 1 0 0 0 0

Completion of Requests

Demandes formelles reçues et traitées au cours des cinq derniers exercices
Time to complete requests
  • Détails
      Response Time
    0-15 Days 1
    16-30 Days 3
    31-60 Days 1
    Carried Over 1

Four requests were completed within 30 days. One request was completed within 60 days and one was carried over to the following reporting year.

Disposition of Requests

Demandes formelles reçues et traitées au cours des cinq derniers exercices
Disposition of Requests
  • Détails
      All Disclosed Disclosed in part Carried Over
    Percentage 16.6% 66.6% 16.6%

A total of 4,413 pages were reviewed and 1,445 pages released in part or completely. Exemptions under sections 26 and 27 were applied, which is consistent with previous years. Section 12 was applied to any information contained in the record to which the applicant does not have the right of access.

5. Training

A formal presentation was made to the Members of the Agency on the application of the Privacy Act.

Further training on the management of personal information was provided to business areas across the Agency. For example, a presentation was made to the Agency's Business Information Management Advisor Working Group.

Advice and guidance was provided on an ad hoc basis in response to requests.

6. Policies, Guidelines, Procedures and Initiatives

There were no changes to the Agency's policies, guidelines and procedures with respect to the administration of the Act.

A new initiative was undertaken to communicate to all staff their responsibility to protect privacy. For example, reminders were sent through intranet messaging and included in on-boarding procedures.

7. Summary of Key Issues and Actions Taken on Complaints or Audits

There were no key issues in 2016-2017.

The Agency revised the personal information collection statements on its website to ensure that they are easily understood.

Complaints

There is one open complaint from 2014-2015.

The complainant alleges that the Agency contravened the use and disclosure provisions of the Act when it disclosed a personal e-mail address in the c.c. field of its e-mails to over 100 applicants involved in the adjudication of a dispute with an airline. The complainant is of the view that such a practice has highly negative impacts on the privacy of individuals and the security of their individual data systems, and it creates a potential financial hardship for them. All information in response to the complaint, including explanations as to why personal information may be shared amongst applicants during an adjudication proceeding, was provided to the Office of the Privacy Commissioner (OPC) in April 2015. Further to this, the OPC was advised in June 2015 of the Federal Court of Appeal Decision No. 2015-FCA-140, requiring the Agency to provide public access to all information on the public record, including what would otherwise be considered personal information.

In the reporting year, it was decided that a formal process was required, and the complaint remains open.

8. Monitoring Compliance

The Agency tracked all administrative activities related to requests under the Act in the PrivaSoft AccessPro case management system, including due dates in order to meet statutory timelines. Due dates for all actions were communicated to staff and reminders sent as required. All actions were also detailed in a separate tracking tool and the status of each request was communicated to the Chief Corporate Officer and the Director, IMTSD on a weekly basis. Processing time was not otherwise monitored except by Legal Services in support of their internal performance monitoring.

9. Material Privacy Breaches

No material privacy breaches were identified during the reporting period.

10. Privacy Impact Assessments

No new PIAs were conducted in 2016-2017. Two completed PIAs from the previous fiscal year were sent to the OPC. Neither PIA required further action.

11. Public Interest Disclosures

During the reporting period, the Agency did not disclose information pursuant to paragraph 8(2)(m) of the Act.

Appendix A: Statistical Report on the Privacy Act

Reporting Period: 2016 - 2017

Part 1: Requests Under the Privacy Act

  Number of Requests
Received during reporting period 6
Outstanding from previous reporting period 0
Total 6
Closed during reporting period 5
Carried over to next reporting period 1

Part 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 1 0 0 0 0 0 0 1
Disclosed in part 0 3 1 0 0 0 0 4
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 1 3 1 0 0 0 0 5
2.2 Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 3
27 3
28 0
2.3 Exclusions
Section Number of Requests
69(1) a) 0
69(1) b) 0
69.1 0
70(1) 1
70(1) a) 0
70(1) b) 0
70(1) c) 0
70(1) d) 0
70(1) e) 0
70(1) f) 0
70.1 0
2.4 Format of information released
Disposition Paper Electronic Other formats
All disclosed 0 1 0
Disclosed in part 0 4 0
Total 0 5 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Disposition of Requests Number of Pages Processed Number of Pages Disclosed Number of Requests
All disclosed 180 180 1
Disclosed in part 4233 1265 4
All exempted 0 0 0
All excluded 0 0 0
Request abandoned 0 0 0
Neither confirmed nor denied 0 0 0
Total 4413 1445 5
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 1 180 0 0 0 0 0 0
Disclosed in part 1 54 1 197 1 34 1 980 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 1 54 2 377 1 34 1 980 0 0
2.5.3 Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 1 0 0 1
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 1 0 0 1

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline
Number of Requests Closed Past the Statutory Deadline Principal Reason
Workload External Consultation Internal Consultation Other
0 0 0 0 0
2.6.2 Number of days past deadline
Number of Days Past Deadline Number of Requests Past Deadline Where No Extension Was Taken Number of Requests Past Deadline Where An Extension Was Taken Total
1 to 15 days 0 0 0
16 to 30 days 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 0 0 0
2.7 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0
Part 3: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0
Part 4: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Part 5: Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was Taken 15(a)(i)Interference with operations 15(a)(ii)Consultation 15(b)Translation purposes
Section 70 Other
All disclosed 0 0 0 0
Disclosed in part 1 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
No records exist 0 0 0 0
Request abandoned 0 0 0 0
Total 1 0 0 0
5.2 Length of extensions
Length of Extensions 15(a)(i)Interference with operations 15(a)(ii)Consultation 15(b)Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 1 0 0 0
Total 1 0 0 0

Part 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Pending at the end of the reporting period 0 0 0 0
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Ddays More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
7.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101‒500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s)completed 0

Part 10: Resources Related to the Privacy Act

10.1 Costs
Expenditures Amount
Salaries $33,675
Overtime $0
Goods and Services $11,161
Professional services contracts $990
Other $10,171
Total $44,836
10.2 Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 0.56
Part-time and casual employees 0.00
Regional staff 0.00
Consultants and agency personnel 0.04
Students 0.00
Total 0.60

Appendix B: May 2016 Delegation Order

Section of the Privacy Act Description Authority Delegated to
Chief Corporate Officer Director IMITSD ATIP Coordinator ATIP Analyst
8(2)(j)(m) Disclosure of personal information
  • authorize the disclosure of personal information for research purposes and in the public interest or the interest of the individual
X X    
8(4) Requests from investigative bodies
  • retain a copy of the requests and the disclosed records
X X    
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures
  • notify Commissioner of public interest disclosures and disclosure which would clearly benefit individuals to whom the information relates
X X X  
9(1) Retain record of disclosures
  • retain a record of use or disclosure of personal information where the use or disclosure is not included in InfoSource, and attach the record to the personal information
X X X  
9(4) Notify Privacy Commissioner of consistent use
  • notify Commissioner of consistent use or disclosure where the use or disclosure is not included in InfoSource and update in next publication
X X X  
10 Include personal information in Personal Information Banks
  • include all personal information under the control of the Agency in Personal Information Banks
X X X  
14(a) Notice where access requested
  • give written notice to individuals, as to whether or not access to the records will be given and provide access if access is to be given
X X X X
14(b) Giving access to the record X X X  
15 Extension of time limits
  • extend time limits for responding to requests for access
X X X X
17(2)(b) Language of access
  • decide whether to translate information
X X X  
17(3)(b) Access in an alternative format
  • determine if the giving of access in an alternative format to a person with a sensory disability is necessary and reasonable
X X X  
18(2) Exempt banks
  • Refuse to disclose information contained in an exempt bank
X X X  
  Invoking exemptions:
  • determine whether or not to invoke the following exemptions, for requests not filed by Agency employees or their agents, to refuse access and exercising discretion where appropriate:
       
19(1)(2) Personal information obtained in confidence\ X X X  
20 Federal-provincial affairs X X    
21 International affairs and defence X X    
22 Law enforcement and investigation X X    
23 Information prepared by an investigative body for security clearances X X    
24 Information collected by the Canadian Penitentiary Services, National Parole Services or National Parole Board X X    
25 Safety of individuals X X    
26 Personal information about other individuals X X X  
27 Solicitor-client privilege X X    
28 Medical records X X    
31 Receive notice of investigations
  • receive notice of investigations by the Privacy Commissioner
X X X  
33(2) Right to make representations
  • make representations to the Privacy Commissioner during investigation
X X X  
35(1) Privacy Commissioner’s Report
  • receive Commissioner’s report of findings, give notice of action taken
X X X  
35(4) Access to be given to complainant
  • give complainant access to information after 35(1)(b) notice
X X X  
36(3) Review of exempt banks
  • receive Commissioner’s findings of investigation of exempt bank
X X X  
37(3) Compliance investigation
  • receive report of Privacy Commissioner’s findings after compliance investigations of sections 4 to 8
X X X  
51(2)(b) Special rules for hearings
  • request that section 51 hearings be held in NCR
X X X  
51(3) Representations in hearings
  • request and be given right to make representations in section 51 hearings
X X X  
70 Cabinet Confidences X X    
72(1) Annual Report
  • submit Annual Report to Parliament
X X X  
  Responsibilities under sections 9, 11, 13 and 14 of the Privacy Regulations:        
9 Provide reasonable facilities and time for examination of information X X X  
11(2) Upon receipt of Correction Request Form, provide notification to individual that correction has been made and provide notifications in 11(2)(b) and (c) X X X  
11(4) Where a request for correction is refused, attach notification to the personal information that a correction was refused and provide notifications in 11(4)(b)(c) and (d) X X X  
13(1) Authorize the disclosure of medical records to a qualified medical practitioner or psychologist for opinion as to whether disclosure would be contrary to the best interests of the individual X X    
14 Examination in presence of medical practitioner of psychologist X X X  

Appendix C: October 2015 Delegation Order

Section of the Privacy Act Description Authority Delegated to
General Counsel Access to Information and Privacy Coordinator ATIP Analyst IM/IT Director
8(2)(j)(m) Disclosure of personal information
  • authorize the disclosure of personal information for research purposes and in the public interest or the interest of the individual
X X    
8(4) Requests from investigative bodies
  • retain a copy of the requests and the disclosed records
X X    
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures
  • notify Commissioner of public interest disclosures and disclosure which would clearly benefit individuals to whom the information relates
X X    
9(1) Retain record of disclosures
  • retain a record of use or disclosure of personal information where the use or disclosure is not included in InfoSource, and attach the record to the personal information
X X    
9(4) Notify Privacy Commissioner of consistent use
  • notify Commissioner of consistent use or disclosure where the use or disclosure is not included in InfoSource and update in next publication
      X
10 Include personal information in Personal Information Banks
  • include all personal information under the control of the Agency in Personal Information Banks
      X
14(a) Notice where access requested
  • give written notice to individuals, as to whether or not access to the records will be given and provide access if access is to be given
X X X  
14(b) Giving access to the record X X    
15 Extension of time limits
  • extend time limits for responding to requests for access
X X X  
17(2)(b) Language of access
  • decide whether to translate information
X X    
17(3)(b) Access in an alternative format
  • determine if the giving of access in an alternative format to a person with a sensory disability is necessary and reasonable
X X    
18(2) Exempt banks
  • Refuse to disclose information contained in an exempt bank
X X    
  Invoking exemptions:
  • determine whether or not to invoke the following exemptions, for requests not filed by Agency employees or their agents, to refuse access and exercising discretion where appropriate:
X X    
19(1)(2) Personal information obtained in confidence X X    
20 Federal-provincial affairs X X    
21 International affairs and defence X X    
22 Law enforcement and investigation X X    
23 Information prepared by an investigative body for security clearances X X    
24 Information collected by the Canadian Penitentiary Services, National Parole Services or National Parole Board X X    
25 Safety of individuals X X    
26 Personal information about other individuals X X    
27 Solicitor-client privilege X X    
28 Medical records X X    
31 Receive notice of investigations
  • receive notice of investigations by the Privacy Commissioner
X X    
33(2) Right to make representations
  • make representations to the Privacy Commissioner during investigation
X X    
35(1) Privacy Commissioner’s Report
  • receive Commissioner’s report of findings, give notice of action taken
X X    
35(4) Access to be given to complainant
  • give complainant access to information after 35(1)(b) notice
X X    
36(3) Review of exempt banks
  • receive Commissioner’s findings of investigation of exempt bank
X X    
37(3) Compliance investigation
  • receive report of Privacy Commissioner’s findings after compliance investigations of sections 4 to 8
X X    
51(2)(b) Special rules for hearings
  • request that section 51 hearings be held in NCR
X X    
51(3) Representations in hearings
  • request and be given right to make representations in section 51 hearings
X X    
72(1) Annual Report
  • submit Annual Report to Parliament
X X    
77 Responsibilities under sections 9, 11, 13 and 14 of the Privacy Regulations: X X    
9 Provide reasonable facilities and time for examination of information X X    
11(2) Upon receipt of Correction Request Form, provide notification to individual that correction has been made and provide notifications in 11(2)(b) and (c) X X    
11(4) Where a request for correction is refused, attach notification to the personal information that a correction was refused and provide notifications in 11(4)(b)(c) and (d) X X    
13(1) Authorize the disclosure of medical records to a qualified medical practitioner or psychologist for opinion as to whether disclosure would be contrary to the best interests of the individual X X    
Date modified: