2022-2023 Annual Report on the Privacy Act
PDF version: Privacy Act, Annual Report 2022-2023 (PDF, 878 KB)
Table of Contents
- Introduction
- I. Overview of IRCC’s ATIP Program
- II. Performance
- Compliance rate and completion times
- Active requests from previous reporting periods
- Active complaints from previous reporting periods
- Reasons for extensions
- Consultations received from other government departments and institutions
- Disposition of completed requests
- Impact of COVID-19 on IRCC’s ability to fulfill its obligations under the Privacy Act
- III. Initiatives to promote awareness, training and policies in relation to the Privacy Act
- Moving forward
- Annex A: Copy of the signed delegation order in effect March 31, 2023
- Annex B: Copy of the delegation of authority under the Privacy Act and the Privacy Regulations in effect March 31, 2023
- Annex C: Validated Statistical Report on the Administration of the Privacy Act and Supplemental Statistical Report on the Access to Information Act and the Privacy Act
Introduction
Immigration, Refugees and Citizenship Canada (IRCC) is pleased to present to Parliament its annual report on the administration of the Privacy Act. The purpose of the Privacy Act is to protect the personal information of individuals under the responsibility and control of federal institutions, and to provide individuals with a right of access to that information. The Privacy Act came into effect on July 1, 1983, and was amended by Bill C-58 on June 21, 2019.
This report outlines how IRCC administered its obligations under the Privacy Act during the reporting period beginning on April 1, 2022 and ending on March 31, 2023. It is tabled in Parliament in accordance with section 72 of the Privacy Act.
IRCC was created to facilitate the entry of temporary residents, manage the selection, settlement and integration of newcomers, grant citizenship and issue passports to eligible citizens.
IRCC’s mandate comes from the Department of Citizenship and Immigration Act. The Minister of IRCC is responsible for the Citizenship Act of 1977 and shares responsibility with the Minister of Public Safety for the Immigration and Refugee Protection Act (IRPA). Effective July 2, 2013, primary responsibility for Passport Canada and the administration of the Canadian Passport Order and the Order Respecting the Issuance of Diplomatic and Special Passports moved from the Department of Foreign Affairs and International Trade to IRCC.
IRCC judiciously protects individuals’ privacy and ensures proper handling of personal information in accordance with the legislation.
This report comprises three sections:
- Overview of IRCC’s ATIP program, including organizational structure and delegation order
- Outline of IRCC ’s overall performance by highlighting key points from the statistical report on the administration of the Privacy Act
- Description of IRCC’s initiatives and activities to promote awareness, training and policies related to privacy, as well as departmental mechanisms to ensure monitoring and compliance of its obligations under the Privacy Act.
I. Overview of IRCC’s ATIP program
As the most solicited ATIP program in the Government of Canada, IRCC receives approximately 28.3% of all requests for personal information made to the ATIP regime across federal institutions. During the reporting period, IRCC received over 208,000 ATIP requests (184,587 under the ATIA and 24,164 under the Privacy Act). Of the 24,164 requests for personal information IRCC receives, the vast majority pertain to clients’ immigration applications.
IRCC acknowledges that compared to last fiscal year, its 2022-2023 compliance rate for requests under the Privacy Act decreased significantly as a result of high volumes of requests, antiquated technology, and ongoing challenges attracting and retaining human resources in a highly competitive environment. IRCC has realigned its structure and implemented new strategies that have resulted in marked increases in compliance this fiscal year to date.
To address its growing ATIP volumes, IRCC has adopted a three-pronged approach to ATIP improvement centered on enhancing client experience by improving client correspondence, leveraging technological improvements to enhance service delivery and focusing on our people. This strategy incorporates short and long term initiatives to address the root causes driving up ATIP volumes while simultaneously improving ATIP processing capabilities and efficiencies, as well as privacy protection and awareness.
Organizational structure
During the reporting period, IRCC restructured its ATIP program to provide dedicated management attention to its main lines of business. As shown in Figure 1, IRCC’s ATIP program is now administered by three divisions: the Client Records Division, the Corporate Records and Complaints Division, and the Privacy Program Management Division. The three divisions report directly to the Director General and Chief Privacy Officer of the Integrated Corporate Business (ICB) branch within the Corporate Services Sector.
Text version: Structure of the ATIP Program
| Division | Number of employees | Responsibilities |
|---|---|---|
| Client Records Division | 149 employees |
|
| Corporate Records and Complaints Division | 24 employees |
|
| Privacy Program Management Division | 14 employees |
|
| Parliamentary Affairs and Briefings Division: Proactive Disclosures Unit | 2 employees |
|
At the end of the reporting period, the ATIP program comprised 189 full-time employees and one consultant, all in the National Capital Region. There are also 256 ATIP liaison officers throughout the Department who support to the ATIP program by gathering records and recommendations. While these officers are essential to the administration of the program, they are funded by other program areas.
Privacy at IRCC
The Privacy Program Management Division (PPMD) was created in July 2022 following a Privacy Governance Review of IRCC’s privacy program. The review recommended changes to better serve the Department’s needs and evolving privacy landscape, including restructuring the privacy program to support key risk management functions within clear lines of business. The new Division advances a more holistic framework for managing and mitigating privacy issues, and marks the first step towards a “privacy by design” model that actively supports the Department in protecting personal information while embracing innovation and transformation. At the end of this reporting period, the PPMD Division comprised two teams:
The Privacy Management Team, responsible for managing the lifecycle of privacy breaches, providing training and awareness on privacy breaches, and providing privacy guidance, advice and support on Privacy Impact Assessments (PIAs), Privacy Needs Consultations (PNCs) and Public Interest Disclosure Inquiries related to 8(2)(m) of the Privacy Act.
The Projects Team, responsible for preparing the Department for the coming into force of Privacy Act Extension Order, No. 3, overseeing the initial stages of the ATIP case management software replacement project, and writing the first drafts of the Level of Assurance Assessments as part of the ATIP Division ID Verification Working Group. It also assists the division with a number of ad hoc projects throughout the fiscal year.
While PPMD is responsible for overseeing the privacy guidance program at IRCC, the Client Records and Corporate Records Divisions are responsible for processing requests for personal information, as well as disclosures under subsections 8(2)(d,e,f).
During the reporting period, IRCC had no service agreements under section 73.1 of the Privacy Act.
Delegation order
The Minister of IRCC is responsible for administering requests made to the Department under the Access to Information Act and the Privacy Act. In accordance to section 95(1) of the Access to Information Act and section 73 of the Privacy Act, the Minister delegates authority to departmental senior management, including the ATIP Coordinator (the Director of the ATIP Corporate Records and Complaints Division) to carry out the Minister’s powers, duties, or functions under the Acts in relation to ATIP requests.
For a more information, refer to Annex A: Copy of the signed delegation order in effect March 31, 2023 and Annex B: Copy of the Delegation of Authority under the Privacy Act and the Privacy Regulations in effect March 31, 2023.
II. Performance
IRCC received 24,164 requests under the Privacy Act in 2022-23, which represents a decrease of 10.9% from the previous fiscal year, even with the coming into force of Privacy Act Extension Order (PAEO), No. 3 on July 13, 2022. This order extends the right of access to personal information under subsection 12(1) of the Privacy Act to all individuals outside Canada. As the majority of IRCC’s clients reside outside of Canada, this right enables foreign nationals to request personal information themselves instead of requiring a Canadian representative to make the request on their behalf, as is the case with ATIA requests.
The Department expects the number of personal information requests will rise as media attention continues to raise public awareness and education about the ATIP program.
Overall, the ATIP program closed 18,273 requests and processed 661,429 pages under the Privacy Act.
Compliance rate and completion times
The compliance rate (percentage of requests responded to within legislated timelines) for Privacy Act requests completed within legislated timelines was 20.14% for the reporting period. This rate represents a decrease of 17.86% from the previous reporting period, which ended with a compliance rate of 38.00%.
As Table 1 shows, approximately 17% of IRCC’s requests under the Privacy Act were closed within 30 days. The majority of requests took between 31-60 days to close.
| Completion time | Number of requests closed | Percentage of requests closed |
|---|---|---|
| 1 to 15 Days | 407 | 2.2% |
| 16 to 30 Days | 2,724 | 14.9% |
| 31 to 60 Days | 4,871 | 26.7% |
| 61 to 120 Days | 3,973 | 21.7% |
| 121 to 180 Days | 1,642 | 9% |
| 181 to 365 Days | 2,881 | 15.8% |
| More than 365 Days | 1,775 | 9.7% |
| Total | 18,273 | 100% |
Active requests from previous reporting periods
At the end of the reporting period, IRCC had 13,964 open requests from previous reporting periods. As shown in Table 2, most of these requests were received within the last two years, and 3,093 (22%) were still within the legislative timeframe.
| Fiscal year open privacy requests were received | Open requests that are within legislated timelines as of March 31, 2023 | Open requests that are beyond legislated timelines as of March 31, 2023 | Total |
|---|---|---|---|
| 2022-2023 | 2,935 | 9,336 | 12,271 |
| 2021-2022 | 158 | 1,499 | 1,657 |
| 2020-2021 | 0 | 35 | 35 |
| 2019-2020 | 0 | 1 | 1 |
| Total | 3,093 | 10,871 | 13,964 |
Active complaints from previous reporting periods
As Table 3 demonstrates, IRCC carried 40 active Privacy Act complaints from previous reporting periods, none predating fiscal year 2021-2022.
| Fiscal Year Open Complaints Were Received | Number of Open Complaints |
|---|---|
| 2022-2023 | 38 |
| 2021-2022 | 2 |
| Total | 40 |
Reasons for extensions
Section 15 of the Privacy Act permits the statutory time limits to be extended if consultations are necessary, translation is required, or the request involves a large volume of records that cannot be processed within the original time limit without unreasonably interfering with the operations of the Department. During the reporting period, IRCC invoked extensions pursuant to section 15 a total of 1,176 times:
- 4 times pursuant to 15(a)(i) for interference with government operations (documents are difficult to obtain)
- 1,172 times pursuant to 15(a)(ii) to undertake internal consultations
When necessary, IRCC conducts internal consultations to ensure the proper exercise of discretion, particularly for (but not limited to) requests that may involve litigation, investigations, or security concerns.
Consultations received from other government departments and institutions
Other government departments (OGDs) consulted IRCC 54 times under the Privacy Act. Table 4 gives the number of days IRCC took to complete OGD consultations. Overall, IRCC responded to 41 consultation requests (75.9%) within 30 days.
| Completion times | Consultations |
|---|---|
| 1 to 15 Days | 22 |
| 16 to 30 Days | 19 |
| 31 to 60 Days | 9 |
| 61 to 120 Days | 1 |
| 121 to 180 Day | 1 |
| 181 to 365 Days | 1 |
| More than 365 Days | 1 |
| Total | 54 |
Disposition of completed requests
As shown in Table 5, IRCC released records in their entirety in 4,023 requests (22%) and invoked one or more exemptions in 9,685 requests (53%). The remaining requests were abandoned, had no existing records, or the existence of these records could neither be confirmed nor denied as doing so could reveal information that is protected under the Privacy Act.
| Disposition | Requests | Percentage |
|---|---|---|
| All disclosed | 4,023 | 22% |
| Disclosed in part | 9,685 | 53% |
| All exempted | 3 | 0% |
| All excluded | 0 | 0% |
| No records exist | 152 | 1% |
| Request abandoned | 4,215 | 23% |
| Neither confirmed nor denied | 195 | 1% |
| Total | 18,273 | 100% |
The most frequently used exemptions were
- Section 21 – International relations, defense and subversive activities (invoked 5,674 times)
- Section 26 – Personal Information (invoked 5,488 times)
- Section 22(1)(b) – Law enforcement criminal investigations (invoked 3,162 times).
The Privacy Act does not apply to records that are already available to the public (Section 69), nor to confidences of the King’s Privy Council (Section 70). IRCC did not exclude any information under these sections of the Act during the reporting period.
Impact of COVID-19 on IRCC’s ability to fulfill its obligations under the Privacy Act
The ATIP program was not disrupted by the COVID-19 pandemic in this reporting period and remained fully operational in a mostly telework capacity. Only a limited number of employees worked on-site to process files containing secret information, process mail out requests and provide Information Technology (IT) support.
As of January 16, 2023, IRCC announced a phased approach to have employees return to the office in accordance to the TBS-mandated common hybrid model.
For more information on IRCC’s administering of the Privacy Act, refer to Annex C: Validated Statistical Report on the Administration of the Privacy Act and Supplemental Statistical Report on the Access to Information Act and the Privacy Act.
III. Initiatives to promote awareness, training and policies in relation to the Privacy Act
During the reporting period, IRCC focused on initiatives to improve client services, promote privacy protection and awareness in training, modernize request processing, and finalize the Privacy Policy Suite.
Training and awareness
Through its training delivery and awareness activities, IRCC strives to enhance the institution-wide culture of respect for access to information alongside a strong commitment to increased privacy vigilance. To stay current and proactive, IRCC regularly revises its ATIP training materials to reflect the latest requirements under the ATIA and Privacy Act, as well as the evolving needs of the Department and its clients. In the last five years, IRCC’s ATIP training initiatives centered on virtual learning, enhanced privacy and security awareness, and the PAEO.
Security and privacy awareness in teleworking
In March 2020, IRCC began transitioning its ATIP training to a virtual platform (Microsoft Teams) to accommodate the new reality of teleworking. The virtual platform fully launched in mid-June 2020, and although virtual training has its challenges, these are outweighed by the elimination of physical location as a barrier to training. Since June 2020, IRCC has prioritized security and privacy training to inform employees (ATIP and non-ATIP) of the potential security and privacy breach risks associated with remote work.
Privacy Act Extension Order
Most recently, IRCC ATIP updated its Privacy training to account for the coming into force of the PAEO in July 2022. PAEO, No. 3, extends the right to be given access to personal information under subsection 12(1) of the Privacy Act to all individuals outside Canada.
Due to the nature of the Department’s mandate, IRCC handles and retains sensitive personal information from millions of applicants around the globe. As such, the Department is responsible for protecting and safeguarding the personal information it has under its control. The PAEO poses risks for information shared in areas of the world where the rights to access to information and privacy protection are not as robust as in Canada. To mitigate these challenges, IRCC expanded its Privacy training to ensure employees who share information overseas understand these risks.
ATIP course catalogue and sessions given
As shown in Table 6, the ATIP program trained a total of 5,569 employees. Of these, 3,797 were non-ATIP officials trained in one or more of the following ATIP training courses:
Understanding and Managing ATIP Requests is designed to provide a greater understanding of the roles and responsibilities of the ATIP program, the ATIP liaison officer as well as various departmental officials in the processing of an ATIP request. The course is intended primarily for ATIP liaison officers and anyone directly involved in the ATIP process. It is mandatory for all new ATIP liaison officers. A total of 343 employees attended 22 sessions.
ATIP Training for Middle Managers and Executives provides an overview of key ATIP principles and practices, and a greater understanding of the roles and responsibilities of managers and executives. This course is part of the Learning Roadmap for IRCC Executives and should be completed within the first year of joining IRCC or being appointed as a new executive. There is a requirement to renew this training every three years. A total of 108 managers and executives attended 8 sessions.
Protecting and Giving Access to Information at IRCC is a mandatory online course for all employees. It provides a brief overview of key ATIP principles and practices and fosters a greater understanding of the roles and responsibilities of all employees. During the year, 2,238 employees took the online training session.
Protect, Secure, and Manage Information is comprised of three modules from IT Security, Information Management and ATIP that intertwine and complement each other. A total of 654 employees attended 26 sessions.
Privacy Breach Training provides a basic understanding of privacy, privacy breaches, how to prevent and react to breaches, and informs employees of their associated roles and responsibilities. A total of 454 employees attended 24 sessions.
The ATIP program also provides tailored training sessions and workshop presentations to reinforce and increase knowledge and understanding of access to information, privacy and personal information. These ad hoc sessions, or informal training sessions, are independent of formal and mandatory courses and are tailored to a group’s specific needs. A total of 924 employees were provided tailored ATIP training over 96 sessions last fiscal year.
| Course name | Platform | Access or privacy training | Number of sessions | Number of participants | |
|---|---|---|---|---|---|
Protecting and Giving Access to Information at IRCC (CC5540) Mandatory for all new employees |
Online | Both | Self-paced | 2,238 | |
| Total: | N/A | ||||
| Formal training | ATIP Privacy Breach (CC4540) | In person/ virtual | Privacy | 24 | 454 |
| ATIP Training for Middle Managers and Executives (CC4440) | Both | 8 | 108 | ||
| Protect, Secure, and Manage Information (CC4416) | Privacy | 26 | 654 | ||
| Understanding and Managing ATIP Requests (CC4340) | Access | 22 | 343 | ||
| ATIP 101 (CC4425) | Both | 19 | 336 | ||
| Appropriate Access to and Use of Personal Information (CC4426) | Privacy | 0 | 0 | ||
| Privacy 101 (CC4427) | Privacy | 4 | 94 | ||
| Exemptions and Exclusions 101 (CC4429) | Access | 11 | 361 | ||
| Information Sharing (CC4430) | Privacy | 3 | 57 | ||
| Total: | 117 | 2,407 | |||
| Informal training | One-on-One ATIP Liaison Training/CRCI Administrative Process | In person/ virtual | Access | 41 | 386 |
| How to fill-out the Response To ATIP Request Form (RAR) | Access | 9 | 174 | ||
| Exemptions and Exclusions 102 | Access | 5 | 71 | ||
| Refresher on “How to provide records to ATIP” | Access | 6 | 94 | ||
| Customized Training (other) | Both | 35 | 199 | ||
| Total: | 96 | 924 | |||
| Total Formal and Informal: | 213 | 3,331 | |||
| Total participants trained: | 5,569 | ||||
While the Training, Project and ATIP Support Team (under the ATIP Corporate Records and Complaints Division) monitors the training of all ATIP employees and ATIP liaison officers, it is the responsibility of IRCC managers to monitor mandatory training requirements identified in their employees’ Learning Roadmaps. (Learning Roadmaps are tools that guide the learning and development of IRCC employees based on the Department’s competency profiles and the core competencies of the Public Service Performance Agreement.)
The Training, Project and ATIP Support Team is also responsible for ensuring that all new ATIP Liaison Officers attend mandatory training and are equipped with a Kofax PDF license to assist Subject Matter Experts in the conversion of large quantities of corporate records.
Policies, guidelines, procedures and initiatives
During the reporting period, the Privacy Program Management Division (PPMD) developed a Privacy Policy Suite and revised the privacy assessment procedures to assist the Department in its efforts to protect personal information, promote privacy awareness and support privacy policy:
Privacy Policy Suite
The Privacy Policy Suite is a collection of mandatory policy instruments that contain rules for the management and protection of personal information. It includes a new Privacy Framework that communicates the Department’s culture, values, and philosophy in relation to the protection of privacy and a new Privacy Policy that informs employees of their privacy obligations. The Privacy Framework will be published on our external webpage in the 2023-2024 fiscal year, allowing the public access to IRCC’s privacy practices, further promoting transparency.
As a suite, it encompasses the mandatory procedures for managing privacy breaches, tools to assist in the management of privacy breaches, and a tool on embedding privacy by design. These procedures and tools that were developed during the reporting period are described below.
Managing Privacy Breaches
PPMD revised its procedures for managing privacy breaches to align with the Treasury Board Secretariat of Canada’s Directive on Privacy Practices, and created new tools to assist in assessing, containing, and documenting breaches.
In partnership with Global Affairs Canada and Employment Services and Development Canada, PPMD revised its guidelines for Assessing Materiality of Passport Breaches.
Development of new tools
Four tools were developed to improve privacy protection and privacy by design principles:
- A documentation tool to assist program areas in recording relevant information concerning a privacy breach, and an assessment and containment checklist was developed to assist program areas in containing breaches.
- A privacy breach risk assessment internal tool to assist PPMD in assessing the materiality and level of risk of privacy breaches.
- A credit monitoring risk assessment tool to assist PPMD in determining instances when an individual affected by a privacy breach may benefit from credit monitoring services.
- An embedding privacy by design tool to assist program areas in designing programs with privacy principles embedded at the outset when designing a program involving personal information.
Revision of privacy assessment procedures
PPMD developed a comprehensive Privacy Impact Assessment template and a Technology Privacy Assessment template for initiatives involving new technologies.
As well, the Division streamlined their process for assessing initiatives involving personal information and used it to complete a review of a backlog of over 200 Privacy Needs Assessments.
Initiatives and projects to improve privacy
In addition to the privacy policy, guidelines and tools described above, IRCC continues to develop initiatives to modernize the delivery of services within the ATIP program, including the expansion of Robotic Process Automation (RPA) and migration to the mandated ATIP Online Request Service (i.e., Treasury Board Secretariat’s online platform for the public to file ATIP requests with the Government of Canada) and replacement of the ATIP case management software.
Robotic Process Automation (RPA)
During the reporting period, the Department incorporated two more phases of RPA into its ATIP Processing. The expansion builds on the success of the first phase, which was implemented in 2021. The RPA performs low-complexity / high-volume tasks, including data entry, file and folder operations, and other non-decision making tasks, allowing IRCC to realign resources to focus on decision-based work, while also improving data integrity, timeliness, and end-to-end business processes with minimal disruption in the operations processing.
TBS ATIP Online Request service (ATIP Online)
On March 8, 2023, IRCC formally sought an exception to sections
- 4.3.9.1 of the Policy on Access to Information
- 4.2.25.1 of the Policy on Privacy Protection
- 4.1.16 of the Directive on Access to Information Requests and
- 4.1.15 of the Directive on Personal Information Requests and Correction of Personal Information
to delay migration to the prescribed TBS Access to Information and Privacy (ATIP) Online Request Service(ATIP Online). The TBS platform ATIP Online, first launched in 2018, was created to simplify the process of making ATIP requests to, and receiving responses from, federal government institutions. While TBS policies and directives require that all federal institutions onboard by the end of the reporting period, additional preparations are needed for ATIP Online to absorb IRCC’s high ATIP volumes.
Based on recommendations stemming from the Information Commissioner’s systemic investigation, IRCC’s ATIP online request portal uses a customized ATIP request form that has been tailored to facilitate submitting a request. While some institution-specific customization is possible in ATIP Online, the request flows currently in use on the IRCC portal cannot be replicated on the TBS platform without significant effort.
IRCC is working with TBS Office of the Chief Information Officer to develop a transition plan, with a goal of onboarding IRCC to the TBS platform by the end of fiscal year 2023-2024. Until the migration is complete, clients will continue to submit ATIP requests to IRCC via the IRCC ATIP online request portal.
Replacement of the ATIP case management software
To process ATIP volumes more efficiently, IRCC is working with TBS to replace the existing ATIP case management software with a TBS-approved modern platform with several upgrades and features. The new software, which will interface directly with ATIP Online, has built-in artificial intelligence that can be trained to automate repetitive tasks, and has business analytics capabilities to enable IRCC to more effectively and efficiently create reports (statistics, trends, performance reporting, etc.).
The Department aims to procure, test, and deploy the new software by the end of fiscal year 2024-2025.
Summary of key issues and actions taken on complaints
The Office of the Privacy Commissioner (OPC) notified the Department of 150 formal complaints under the Privacy Act and 3 informal complaints (i.e., complaints that are not formally investigated under section 31 of the Privacy Act). The majority of complaints were related to delays.
IRCC responded to 121 formal and 3 informal OPC complaint investigations. Of the formal complaints,
- 10 were discontinued
- 9 were not substantiated
- 1 was not well founded
- 101 were settled or resolved to the satisfaction of the requester
Of the informal complaints, 1 was not well founded and 2 were settled or resolved to the satisfaction of the requester.
The rise in IRCC’s delay complaints (in spite of a 10.9% decrease in personal information requests) can be attributed to the Department’s overall high ATIP volumes, and exacerbated by the use of the same resources to process both ATI and Privacy requests. In response, IRCC has allocated specific resources to the complaints process under both the Client Records and Corporate Records Divisions.
Material privacy breaches
The Policy on Privacy Protection defines a privacy breach as “the improper or unauthorized collection, use, disclosure, retention or disposition of personal information.” A material privacy breach is a privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
In 2022-2023, IRCC notified the Office of the Privacy Commissioner and TBS of seven material privacy breaches. The majority of material breaches were of small scale and affected a limited number of individuals.
PPMD monitors all privacy breaches closely and has established notifications and remedial measures to address each situation. The Division also:
- reviews how and where breaches are occurring within the Department
- addresses trends and provides tailored privacy breach training sessions to raise awareness and increase privacy breach prevention
- conducts preliminary risk assessments on all privacy breaches to determine risk and materiality level
- provides advice and guidance to departmental staff on containment and mitigation strategies to improve the protection of personal information.
A summary of the seven material breaches can be found below. Senior officials were notified of all material breaches to facilitate communication within the Department, raise awareness of issues and to bolster departmental response to serious privacy breaches.
- Three material breaches involved personal information that had gone missing or lost. Despite extensive searches, the information could not be located. The affected individuals were notified.
- Three material breaches involved personal information disclosed to another individual(s). In two cases the affected individuals were notified. However, in one case IRCC did not have current contact information to inform them of the incident.
- One material breach involved personal information being disposed of too soon. Affected individuals were notified. Changes have been implemented to prevent further premature purging of this information.
Privacy Impact Assessments (PIAs)
To fulfil its mandate and effectively deliver its programs and services, IRCC collects, uses and discloses personal information. In accordance with the Directive on Privacy Impact Assessment, the Department undertakes PIAs to ensure compliance with the Privacy Act and to identify privacy risks present in new or existing departmental programs, initiatives or projects that involve personal information.
Summary of PIAs completed in 2022-2023
Descriptions of PIAs completed during the 2022-2023 fiscal year are found below and full summaries can be found here: Privacy Impact Assessment Summaries.
Interview Facilitation Service (IFS)
The scope of this PIA is narrowly limited to the deployment of Microsoft Teams (called the IFS solution) and its use in the immigration examination process. The PIA identified three low privacy risks and corresponding recommendations.
Pilot of an Online Passport Application Solution
The scope of the PIA is limited to the solution developed by IBM and the use of Amazon Web Services, as well as how that intake solution interacts with the applicant and is used to support data entry in the Global Case Management System (GCMS). It is noted that a PIA on the Passport Program’s migration to GCMS as the passport system of record was provided to the OPC in December 2020. Therefore, this PIA is an extension of that PIA and provides a variance description in the work flow – how the online application and processing workflow differs from a typical mail-in simplified renewal application. This PIA identifies only four low risks with one of those being speculative.
Privacy Analysis for IT Solutions (PAITS) on the Passport Application Status Checker
In collaboration with IRCC, Service Canada (part of Employment and Social Development Canada) launched the Passport Application Status Checker. This project is part of the Passport Program, and it enables passport applicants to request their application file number and check their passport application status online. The assessment examines the privacy risks and strategies related to the management and protection of personal information collected and used by the Passport Application Status Checker. The PAITS identified two low risks and 1 medium risk. In addition, there were two compliance issues. The strategies to address these risks and issues are scheduled for completion by the end of March 2024.
Public interest disclosures
Subsection 8(2)(m) of the Privacy Act provides that personal information may be disclosed for any purpose where, in the opinion of the head of an institution, (i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or (ii) disclosure would clearly benefit the individual to whom the information relates.
As shown in Table 7 , IRCC disclosed personal information in 108 instances under subsection 8(2)(m) of the Privacy Act during the reporting period.
| Nature of disclosure | Requests processed where at least one individual’s personal information was disclosed | Individuals affected | OPC notification in accordance with subsection 8(5) |
|---|---|---|---|
| Disclosure of contact information to the Public Health Agency of Canada of individuals who were COVID-19 cases or had been in close proximity to a person with COVID-19 | 101 | 443 | The OPC was notified after the disclosure in all cases, except four, because of the urgent nature of the disclosures and the volume of requests received. These reasons were no longer applicable for the four cases, as such, the OPC was notified before the disclosure. |
| Disclosure of contact information to municipal law enforcement services to notify next of kin of deceased individuals | 4 | 7 | The OPC was notified before the disclosure in all cases. |
| Disclosure of contact information to a provincial law enforcement service to notify the family of a missing person | 1 | 3 | The OPC was notified before the disclosure. |
| Disclosure of individuals’ Canadian permanent residence/citizenship status to Global Affairs Canada for the application of the Special Economic Measures Act (SEMA) | 2 | 25 | For one case, the OPC was notified after the disclosure because of the urgent nature of the disclosure. For the other, the notification was not sent before the end of the fiscal year due to the nature of the file. The OPC has been made aware and is working with IRCC to finalize the notification within the 2023-2024 fiscal year. |
| Total | 108 | 478 |
Monitoring compliance
The ATIP program makes use of frequent and comprehensive reporting tools to monitor compliance and maintain accountability, as well as to identify process improvements.
Time taken to process requests for personal information
IRCC monitors the time taken to process personal information requests by retrieving statistics from the ATIP case management software on a daily, weekly, biweekly and quarterly basis. These statistics, which provide information on ATIP request volumes received and processed, compliance rates, and backlog volumes, feed into various reports intended for different levels of officials: daily updates are shared with managers, weekly reports with directors and the ICB Director General, biweekly reports with the deputy ministers, and a quarterly report was shared with assistant deputy ministers across IRCC during the reporting period.
Although the primary goal of the ATIP program’s statistical reporting is to monitor compliance, IRCC ATIP also relies on these statistics to monitor workflows, address current challenges and identify trends in ATIP requests.
During the reporting period, the ATIP program also produced monthly reports on sectors’ compliance for providing responsive records to the ATIP Divisions, privacy breaches and public disclosures pursuant to subsection 8(2)(m) of the Privacy Act:
| Report | Audience | Frequency |
|---|---|---|
| Response to ATIP Taskings Report (Sector Compliance) | Assistant Deputy Ministers | Monthly |
| Privacy Breach Report | Deputy Ministers | Monthly |
| IRCC disclosures in the public interest—Privacy Act 8(2)(m) | Deputy Ministers | Monthly |
None of these reports discloses personal information.
Inter-institutional consultations
Team leads and managers within the ATIP program regularly monitor extensions taken, responses to internal tasking reports, and complaints that do, in turn, identify areas in need of improvement, including consultations, to ensure the proper exercise of discretion.
Frequently requested types of Information
The vast majority of IRCC’s ATIP requests under both the Access to Information Act and the Privacy Act are for client immigration records. IRCC is currently developing initiatives to improve clients’ access to their own information through means other than the ATIP program:
Proactive Release of Officer Decision Notes (ODN)
The ODN project proactively provides officer decision notes to some refused applicants in the Temporary Resident Visa e-application caseload to give clients additional information regarding the reason(s) for their refusal, including a breakdown of the officer’s rationale when finalizing the application. The first Validation Exercise targeted Temporary Resident Visas (TRVs) with the Central Network’s Case Processing Centre in Ottawa and was launched in February of 2022. This showed promising results with a 57% reduction of ATIP requests received for files that had an ODN released to the client. As of March 31, 2023, IRCC is preparing to transition the project to a steady state for Temporary Resident Visa caseload, and recently launched a second Validation Exercise for Study Permit caseload prior to implementation.
Client Correspondence Project
The Client Correspondence Project will review client-facing communications identified as problematic by clients. The Client Correspondence Unit (CCU) was created to provide clearer, more concise written correspondence.
To date, three key letters were revised (Procedural Fairness, Request for Supplementary Information, and Temporary Resident Refusal Letter). The revised Temporary Resident Refusal Letter launched in June 2022 with improved language, additional detail, and removal of the location of the decision maker. The current focus is on the enhancement of the Study Permit refusal letter along with the refusal grounds. The CCU, as part of its future work objectives, plans to analyze end-to-end client communications throughout the client journey.
Application Status Tracker
The Application Status Tracker project will improve the clarity on the status of client applications. For clients, the Tracker provides more transparency about the history and processing activities related to their applications, as well as more efficiency since the Tracker is a “one-stop shop” for the latest case status information.
Launched in 2021 and 2022 for the Citizenship Grant and Permanent Residence (Family Class) lines of business, IRCC expanded the project to now include Express Entry clients (Canadian Experience Class, Federal Skilled Worker, Federal Skilled Trades, Provincial Nominee Program), as well as additional Temporary Resident lines of business (Study Permit, Work Permit, and Temporary Resident Visa).
Client Experience Platform (previously My Account 2.0)
This project describes the implementation of a new Client Experience Platform (CXP) to support the delivery of seamless digital client experiences across multiple channels and devices. The new CXP will provide clients with a single online window to access IRCC services, with a suite of tools to facilitate the client’s journey to be informed, to apply for programs and services, to receive real-time status of applications, to communicate with IRCC and provide feedback on their experience.
As of the end of the reporting period, IRCC remains on track to procure the new CXP in FY 2023-2024.
IRCC anticipates that collectively, these client service initiatives will have the greatest impact on decreasing IRCC’s ATIP volumes. By providing clients with seamless client experience where they have one-stop shop access to their own information, IRCC will be alleviating pressure on the ATIP regime.
Privacy protections in contracts, agreements and arrangements
The Privacy Protection and Management Division advised various partners within IRCC of new requirements, including new TBS requirements for contracts, information sharing agreements and information sharing arrangements as published in the Directive on Privacy Practices.
The departmental practice for agreements and arrangements is for program areas to consult PPMD on all new or changing agreements and arrangements that involve personal information. PPMD has tools and processes in place to evaluate documents for compliance with TBS requirements and provide feedback to program areas on how to meet those requirements. At a minimum, directors are advised and often director generals are involved when making recommendations for compliance on Information Sharing Agreements. PPMD will continue to improve these tools in 2023-2024.
PPMD developed similar tools and processes for contacts, and will reach out to the contracting branch in 2023-2024 to ensure this requirement is better met.
Moving forward
During the reporting period, IRCC took significant first steps to reshape its ATIP program, beginning with a structural reorganization into three separate divisions. The reorganization provides increased director-level attention to specific lines of business, and is anticipated to help improve delivery of IRCC’s ATIP services, while also expediting key projects and initiatives to advance privacy protection and awareness.
This year, the focus was restructuring and stabilizing ATIP resources, the completion of the Privacy Policy Suite, expanding the use of RPA in ATIP request processing and implementing departmental client services initiatives.
Moving forward, IRCC will continue improving services to provide clients with better access to their own immigration information through other means than the ATIP program. From a privacy lens, the ATIP Program has set out priorities to complete the following initiatives in fiscal year 2023-2024:
- Procuring an effective privacy breach case management software
- Developing online modules for privacy training
- Developing a privacy work plan and a privacy risk register to help organize privacy assessment resources more effectively, and to develop a holistic monitoring of departmental risk and mitigation strategies.
In tandem, IRCC will work with internal and external partners to replace the ATIP case management software, migrate to the TBS ATIP Online Request Service, and collaborate with TBS to find solutions that will benefit the wider ATIP community.
IRCC recognizes its low compliance rate for requests under the Privacy Act during this reporting period. The Department is already noting marked improvements in key metrics (e.g. increased compliance rates and decreased complaints) as a result of the measures that have been implemented, including further realigning its organizational structure and devoting additional resources to processing requests within legislated timeframes.
IRCC recognizes that the right to privacy protection is a fundamental human right, and that the right to access to one’s personal information is a means to promote openness and transparency.
The Department continues to improve how it upholds its responsibilities under the Privacy Act.
Annex A: Copy of the signed delegation order in effect March 31, 2023
Annex A: Copy of the signed delegation order in effect March 31, 2023
Text version: Signed Delegation
Official Document
Department of Immigration, Refugees and Citizenship of Canada
Delegation of Authority
Access to Information Act and Privacy Act
I, Minister of Immigration, Refugees and Citizenship, pursuant to section 95 of the Access to Information Act and section 73 of the Privacy Act, hereby authorize the officer and employee of Immigration, Refugees and Citizenship whose position or classification is set out in the attached Schedule to carry out those of my power, duties or functions under the Acts that are set in the Schedule in relation to that officer and employee.
Dated at Ottawa
This 30 day of August 2019
Ahmed Hussen, P.C., M.P.
Minister of Immigration, Refugees and Citizenship
Annex B: Copy of the Delegation of Authority under the Privacy Act and the Privacy Regulations in effect March 31, 2023
Delegation of Authority under the Privacy Act and the Privacy Regulations
The delegation includes acting appointments and assignments to these positions made pursuant to the Public Service Employment Act and regulations.
| Position | Delegation |
|---|---|
| Deputy Minister / Associate Deputy Minister | Full Authority |
| Assistant Deputy Minister, Corporate Management Sector | Full Authority |
| Director General, ATIP & Accountability Branch | Full Authority, except the following sections of the Privacy Act:
|
| Director, ATIP Division | Full Authority, except the following sections of the Privacy Act:
|
| Assistant Director, ATIP CRCI | Full Authority, except the following sections of the Privacy Act:
|
| Assistant Director, ATIP OPS | Same as Assistant Director for ATIP CRCI, except the position does have 8(4) – record of consistent uses |
| Position | Delegation |
|---|---|
| Assistant Deputy Minister / Associate Assistant Deputy Minister, Strategic and Program Policy Sector | Only 8(2)(j) of the Privacy Act– disclosure of personal information for research and statistics |
| Director General, Research and Evaluation Branch | Only 8(2)(j) of the Privacy Act– disclosure of personal information for research and statistics |
| Descriptions | Section | ATIP / PM-05 OPS | ATIP / PM-05 CRCI | ATIP / PM-04 OPS | ATIP / PM-04 CRCI | ATIP / PM-03 OPS | ATIP / PM-03 CRCI |
|---|---|---|---|---|---|---|---|
| Disclosure for research and statistics | 8(2)(j) | No | No | No | No | No | No |
| Disclosure in public interest clearly outweighs any invasion of privacy | 8(2)(m)(i) | No | No | No | No | No | No |
| Disclosure in public interest, benefit of individual | 8(2)(m)(ii) | No | No | No | No | No | No |
| Record of disclosure for investigations | 8(4) | Yes | No | No | No | No | No |
| Notify Privacy Commissioner of 8(2)(m) | 8(5) | No | No | No | No | No | No |
| Record of consistent uses | 9(1) | No | No | No | No | No | No |
| Notify Privacy Commissioner of consistent uses | 9(4) | No | No | No | No | No | No |
| Personal information in banks | 10 | No | No | No | No | No | No |
| Notice where access requested | 14 | Yes | Yes | Yes | Yes | Yes | Yes |
| Extension of time limits | 15 | Yes | Yes | Yes | No | Yes | No |
| Decision regarding translation | 17(2)(b) | No | No | No | No | No | No |
| Conversion to alternate format | 17(3)(b) | No | No | No | No | No | No |
| Refuse access: exempt bank | 18(2) | Yes | Yes | No | No | No | No |
| Refuse access: confidential information | 19(1) | Yes | No | Yes | No | No | No |
| Disclose confidential information | 19(2) | Yes | No | Yes | No | No | No |
| Refuse access: federal-provincial affairs | 20 | No | No | No | No | No | No |
| Refuse access: international affairs, defence, subversive activities | 21 | Yes | No | Yes | No | No | No |
| Refuse access: law enforcement and investigation | 22 | Yes | No | Yes | No | Yes | No |
| Refuse access: Public Servants Disclosure Protection Act | 22.3 | No | No | No | No | No | No |
| Refuse access: security clearance | 23 | Yes | No | Yes | No | Yes | No |
| Refuse access: person under sentence | 24 | Yes | No | No | No | No | No |
| Refuse access: safety of individuals | 25 | Yes | Yes | Yes | No | Yes | No |
| Refuse access: another person’s information | 26 | Yes | Yes | Yes | Yes | Yes | Yes |
| Refuse access: solicitor-client privilege | 27 | Yes | No | Yes | No | No | No |
| Refuse access: patent or trademark privilege | 27.1 | No | No | No | No | No | No |
| Refuse access: medical record | 28 | Yes | No | Yes | No | No | No |
| Receive notice of investigation | 31 | Yes | Yes | No | Yes | No | No |
| Representation to Privacy Commissioner | 33(2) | Yes | Yes | No | Yes | No | No |
| Response to findings and recommendations of the Privacy Commissioner within a specified time | 35(1) | Yes | Yes | No | Yes | No | No |
| Access given to complainant | 35(4) | Yes | No | No | No | No | No |
| Response to review of exempt banks | 36(3)(b) | No | No | No | No | No | No |
| Response to review of compliance | 37(3) | No | No | No | No | No | No |
| Request of court hearing in the National Capital Region | 51(2)(b) | No | No | No | No | No | No |
| Ex parte representation to court | 51(3) | No | No | No | No | No | No |
| Annual Report to Parliament | 72 | No | No | No | No | No | No |
| Descriptions | Section | ATIP / PM-05 OPS | ATIP / PM-05 CRCI | ATIP / PM-04 OPS | ATIP / PM-04 CRCI | ATIP / PM-03 OPS | ATIP / PM-03 CRCI |
|---|---|---|---|---|---|---|---|
| Examination of records | 9 | Yes | Yes | Yes | Yes | Yes | Yes |
| Correction of personal information | 11(2) | Yes | Yes | No | No | No | No |
| Notification of refusal to correct personal information | 11(4) | Yes | Yes | No | No | No | No |
| Disclosure: medical information | 13(1) | No | No | No | No | No | No |
| Disclosure: medical information – examine in person, in the presence of a duly qualified medical practitioner | 14 | No | No | No | No | No | No |
Legend:
- ATIP / PM-05 OPS
- Senior ATIP Administrator, ATIP Operations (OPS)
- ATIP / PM-05 CRCI
- Senior ATIP Administrators, Corporate Records, Complaints and Informals (CRCI)
- ATIP / PM-04 OPS
- ATIP Administrators, ATIP Operations (OPS)
- ATIP / PM-04 CRCI
- ATIP Administrators, Corporate Records, Complaints and Informals (CRCI)
- ATIP / PM-03 OPS
- ATIP Officers, ATIP Operations (OPS)
- ATIP / PM-03 CRCI
- ATIP Officers, Corporate Records, Complaints and Informals (CRCI)
Annex C: Validated Statistical Report on the Administration of the Privacy Act and Supplemental Statistical Report on the Access to Information Act and the Privacy Act
Name of institution: Immigration, Refugees and Citizenship Canada
Reporting period: 2022-04-01 to 2023-03-31
Section 1: Requests under the Privacy Act
| Number of requests | ||
|---|---|---|
| Received during reporting period | 24,164 | |
| Outstanding from previous reporting period | 8,098 | |
|
8,044 | n/a |
|
54 | n/a |
| Total | 32,262 | |
| Closed during reporting period | 18,273 | |
| Carried over to next reporting period | 13,964Footnote * | |
|
3,093 | n/a |
|
10,871 | n/a |
| Source | Number of requests |
|---|---|
| Online | 22,899 |
| 877 | |
| 388 | |
| In person | 0 |
| Phone | 0 |
| Fax | 0 |
| Total | 24,164 |
Section 2: Informal requests
| Source | Number of requests | |
|---|---|---|
| Received during reporting period | 0 | |
| Outstanding from previous reporting period | 0 | |
|
0 | n/a |
|
0 | n/a |
| Total | 0 | |
| Closed during reporting period | 0 | |
| Carried over to next reporting period | 0 | |
| Source | Number of requests |
|---|---|
| Online | 0 |
| 0 | |
| 0 | |
| In person | 0 |
| Phone | 0 |
| Fax | 0 |
| Total | 0 |
| Completion time | |||||||
|---|---|---|---|---|---|---|---|
| 1-15 days | 16-30 days | 31-60 days | 61-120 days | 121-180 days | 181-365 days | More than 365 days | Total |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Less pages than 100 pages released |
101-500 pages released |
501-1,000 pages released |
1,001-5,000 pages released |
5,000 pages released |
|||||
|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages released | Number of requests | Pages released | Number of requests | Pages released | Number of requests | Pages released | Number of requests | Pages released |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 3: Requests closed during the reporting period
| Disposition of requests | Completion time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1-15 days | 16-30 days | 31-60 days | 61-120 days | 121-180 days | 181-365 days | More than 365 days | Total | |
| All disclosed | 107 | 650 | 1,358 | 1,230 | 284 | 276 | 118 | 4,023 |
| Disclosed in part | 109 | 1,174 | 2,901 | 1,849 | 903 | 1,333 | 1,416 | 9,685 |
| All exempted | 0 | 0 | 0 | 1 | 0 | 0 | 2 | 3 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 20 | 9 | 34 | 32 | 19 | 22 | 16 | 152 |
| Request abandoned | 154 | 889 | 572 | 792 | 381 | 1,207 | 220 | 4,215 |
| Neither confirmed nor denied | 17 | 2 | 6 | 69 | 55 | 43 | 3 | 195 |
| Total | 407 | 2,724 | 4,871 | 3,973 | 1,642 | 2,881 | 1,775 | 18,273 |
| Section | Number of requests | Section | Number of requests | Section | Number of requests |
|---|---|---|---|---|---|
| 18(2) | 0 | 22(1)(a)(i) | 0 | 23(a) | 0 |
| 19(1)(a) | 448 | 22(1)(a)(ii) | 0 | 23(b) | 0 |
| 19(1)(b) | 1 | 22(1)(a)(iii) | 0 | 24(a) | 0 |
| 19(1)(c) | 1 | 22(1)(b) | 3,162 | 24(b) | 0 |
| 19(1)(d) | 3 | 22(1)(c) | 5 | 25 | 331 |
| 19(1)(e) | 0 | 22(2) | 0 | 26 | 5,488 |
| 19(1)(f) | 0 | 22.1 | 0 | 27 | 4 |
| 20 | 0 | 22.2 | 0 | 27.1 | 0 |
| 21 | 5,674 | 22.3 | 0 | 28 | 2 |
| n/a | n/a | 22.4 | 0 | n/a | n/a |
| Section | Number of requests | Section | Number of requests | Section | Number of requests |
|---|---|---|---|---|---|
| 69(1)(a) | 0 | 70(1) | 0 | 70(1)(d) | 0 |
| 69(1)(b) | 0 | 70(1)(a) | 0 | 70(1)(e) | 0 |
| 69.1 | 0 | 70(1)(b) | 0 | 70(1)(f) | 0 |
| n/a | n/a | 70(1)(c) | 0 | 70.1 | 0 |
| Paper | Electronic | Other | |||
|---|---|---|---|---|---|
| E-record | Data set | Video | Audio | ||
| 0 | 13,708 | 6 | 0 | 0 | 0 |
| Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|
| 661,429 | 549,079 | 18,273 |
| Disposition | Less than 100 pages processed |
101-500 pages processed |
501-1,000 pages processed |
1,001-5,000 pages processed |
More than 5,000 pages processed |
|||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | |
| All disclosed | 3,945 | 69,321 | 77 | 13,248 | 0 | 0 | 1 | 2,754 | n/a | 0 |
| Disclosed in part | 8,665 | 264,879 | 911 | 186,318 | 85 | 56,052 | 22 | 33,332 | 2 | 14,554 |
| All exempted | 3 | 62 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 4,148 | 9,618 | 66 | 10,295 | 1 | 996 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 195 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 16,956 | 343,880 | 1,054 | 209,861 | 86 | 57,048 | 23 | 36,086 | 2 | 14,554 |
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 0 | 0 | 0 |
| Disposition | Less than 60 minutes processed | 60-120 minutes processed | More than 120 minutes processed | |||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 0 | 0 | 0 |
| Disposition | Less than 60 minutes processed | 60-120 minutes processed | ||
|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 |
| Declined to act with the approval of the Information Commissioner | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Disposition | Consultation required | Legal advice sought | Interwoven information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 |
| Number of requests closed within legislated timelines | 3,680 |
|---|---|
| Percentage of requests closed within legislated timelines (%) | 20.139 |
| Number of requests closed past the legislated timelines | Principal reason | |||
|---|---|---|---|---|
| Interference with operations/workload | External consultation | Internal consultation | Other | |
| 14,593 | 14,593 | 0 | 0 | 0 |
| Number of days past legislated timelines | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timeline where an extension was taken | Total |
|---|---|---|---|
| 1-15 days | 2,996 | 166 | 3,162 |
| 16-30 days | 1,433 | 94 | 1,527 |
| 31-60 days | 2,200 | 78 | 2,278 |
| 61-120 days | 2,263 | 73 | 2,336 |
| 121-180 days | 1,122 | 59 | 1,181 |
| 181-365 days | 2,502 | 156 | 2,658 |
| More than 365 days | 1,302 | 149 | 1,451 |
| Total | 13,818 | 775 | 14,593 |
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Section 4: Disclosures under subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 1,941 | 478 | 472 | 2,891 |
Section 5: Requests for correction of personal information and notations
| Disposition for correction requests received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 0 |
| Total | 0 |
Section 6: Extensions
| Number of extensions | 15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15 (b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet confidence section (Section 70) |
External | Internal | ||
| 1,176 | 0 | 0 | 0 | 4 | 0 | 0 | 1,172 | 0 |
| Length of Extensions | 15(a)(i) Interference with operations | 15 (a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet confidence section (Section 70) |
External | Internal | ||
| 1-15 days | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16-30 days | 0 | 0 | 0 | 4 | 0 | 0 | 1,172 | 0 |
| 31 days or greater | n/a | n/a | n/a | n/a | n/a | n/a | n/a | 0 |
| Total | 0 | 0 | 0 | 4 | 0 | 0 | 1,172 | 0 |
Section 7: Consultations received from other institutions and organizations
| Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
|---|---|---|---|---|
| Received during reporting period | 54 | 1,610 | 0 | 0 |
| Outstanding from the previous reporting period | 2 | 56 | 0 | 0 |
| Total | 56 | 1,666 | 0 | 0 |
| Closed during the reporting period | 54 | 1,599 | 0 | 0 |
| Carried over within negotiated timelines | 2 | 67 | 0 | 0 |
| Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1-15 days | 16-30 days | 31-60 days | 61-120 days | 121-180 days | 181-365 days | More than 365 days | Total | |
| Disclose entirely | 8 | 4 | 1 | 0 | 0 | 0 | 0 | 13 |
| Disclose in part | 14 | 15 | 8 | 1 | 1 | 1 | 1 | 41 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 22 | 19 | 9 | 1 | 1 | 1 | 1 | 54 |
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1-15 days | 16-30 days | 31-60 days | 61-120 days | 121-180 days | 181-365 days | More than 365 days | Total | |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8: Completion time of consultations on Cabinet Confidences
| Number of days | Fewer than 100 pages processed |
100-500 pages processed |
501-1,000 pages processed |
1,001-5,000 pages processed |
More than 5,000 pages processed |
|||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1-15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16-30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31-60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61-120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121-180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181-365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of days | Fewer than 100 pages processed |
100-500 pages processed |
501-1,000 pages processed |
1,001-5,000 pages processed |
More than 5,000 pages processed |
|||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1-15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16-30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31-60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61-120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121-180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181-365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 9: Complaints and investigations notices received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 150 | 110 | 29 | 0 | 289 |
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)
| Number of PIAs completed | 3 |
|---|---|
| Number of PIAs modified | 0 |
| Personal information banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| Institution-specific | 18 | 0 | 0 | 4 |
| Central | 0 | 0 | 0 | 0 |
| Total | 18 | 0 | 0 | 4 |
Section 11: Privacy breaches
| Number of material privacy breaches reported to TBS | 7 |
|---|---|
| Number of material privacy breaches reported to OPC | 7 |
| Number of non-material privacy breaches | 7,397 |
|---|
Section 12: Resources related to the Privacy Act
| Expenditures | Amount | |
|---|---|---|
| Salaries | $1,400,484 | |
| Overtime | $66,183 | |
| Goods and Services | $43,821 | |
| Professional services contracts | $8,050 | n/a |
| Other | $35,771 | |
| Total | $1,510,488 | |
| Resources | Person years dedicated to privacy activities |
|---|---|
| Full-time employees | 12.690 |
| Part-time and casual employees | 2.180 |
| Regional staff | 0.000 |
| Consultants and agency personnel | 0.000 |
| Students | 1.660 |
| Total | 16.530 |
Supplemental Statistical Report on the Access to Information Act and the Privacy Act
Name of institution: Immigration, Refugees and Citizenship Canada
Reporting period: 2022-04-01 to 2023-03-31
Section 1: Capacity to receive requests under the Access to Information Act and the Privacy Act
| Number of weeks | |
|---|---|
| Able to receive requests by mail | 52 |
| Able to receive requests by email | 52 |
| Able to receive requests through the digital request service | 52 |
Section 2: Capacity to process records under the Access to Information Act and the Privacy Act
| No capacity | Partial capacity | Full capacity | Total | |
|---|---|---|---|---|
| Unclassified paper records | 0 | 0 | 52 | 52 |
| Protected B paper records | 0 | 0 | 52 | 52 |
| Secret and Top Secret paper records | 0 | 0 | 52 | 52 |
| No capacity | Partial capacity | Full capacity | Total | |
|---|---|---|---|---|
| Unclassified electronic records | 0 | 0 | 52 | 52 |
| Protected B electronic records | 0 | 0 | 52 | 52 |
| Secret and Top Secret electronic records | 0 | 0 | 52 | 52 |
Section 3: Open requests and complaints under the Access to Information Act
| Fiscal year open requests were received | Open requests that are within legislated timelines as of March 31, 2023 | Open requests that are beyond legislated timelines as of March 31, 2023 | Total |
|---|---|---|---|
| Received in 2022-2023 | 12,254 | 51,510 | 63,764 |
| Received in 2021-2022 | 254 | 8,598 | 8,852 |
| Received in 2020-2021 | 3 | 299 | 302 |
| Received in 2019-2020 | 0 | 0 | 0 |
| Received in 2018-2019 | 0 | 0 | 0 |
| Received in 2017-2018 | 0 | 0 | 0 |
| Received in 2016-2017 | 0 | 0 | 0 |
| Received in 2015-2016 | 0 | 0 | 0 |
| Received in 2014-2015 | 0 | 0 | 0 |
| Received in 2013-2014 or earlier | 0 | 0 | 0 |
| Total | 12,511 | 60,407 | 72,918 |
| Fiscal year open complaints were received by institution | Number of open complaints |
|---|---|
| Received in 2022-2023 | 512 |
| Received in 2021-2022 | 38 |
| Received in 2020-2021 | 18 |
| Received in 2019-2020 | 1 |
| Received in 2018-2019 | 1 |
| Received in 2017-2018 | 1 |
| Received in 2016-2017 | 0 |
| Received in 2015-2016 | 0 |
| Received in 2014-2015 | 0 |
| Received in 2013-2014 or earlier | 0 |
| Total | 571 |
Section 4: Open requests and complaints under the Privacy Act
| Fiscal year open requests were received | Open requests that are within legislated timelines as of March 31, 2023 | Open requests that are beyond legislated timelines as of March 31, 2023 | Total |
|---|---|---|---|
| Received in 2022-2023 | 2,935 | 9,336 | 12,271 |
| Received in 2021-2022 | 158 | 1,499 | 1,657 |
| Received in 2020-2021 | 0 | 35 | 35 |
| Received in 2019-2020 | 0 | 1 | 1 |
| Received in 2018-2019 | 0 | 0 | 0 |
| Received in 2017-2018 | 0 | 0 | 0 |
| Received in 2016-2017 | 0 | 0 | 0 |
| Received in 2015-2016 | 0 | 0 | 0 |
| Received in 2014-2015 | 0 | 0 | 0 |
| Received in 2013-2014 or earlier | 0 | 0 | 0 |
| Total | 3,093 | 10,871 | 13,964 |
| Fiscal Year open complaints were received by institution | Number of open complaints |
|---|---|
| Received in 2022-2023 | 38 |
| Received in 2021-2022 | 2 |
| Received in 2020-2021 | 0 |
| Received in 2019-2020 | 0 |
| Received in 2018-2019 | 0 |
| Received in 2017-2018 | 0 |
| Received in 2016-2017 | 0 |
| Received in 2015-2016 | 0 |
| Received in 2014-2015 | 0 |
| Received in 2013-2014 or earlier | 0 |
| Total | 40 |
Section 5: Social Insurance Number
| Has your institution begun a new collection or a new consistent use of the SIN in 2022-2023? | No |
|---|
Section 6: Universal access under the Privacy Act
| How many requests were received from confirmedFootnote * foreign nationals outside of Canada in 2022-2023? | 6,425 |
|---|
Page details
- Date modified: