Annual Report to Parliament 2023-2024 Administration of the Privacy Act

1. Introduction

The Department of National Defence and the Canadian Armed Forces are pleased to present to Parliament their annual report on the administration of the Privacy Act^{Footnote 1}. Section 72 of the Act requires the head of every federal government institution to submit an annual report to Parliament on its administration each financial year. This report describes National Defence activities that support compliance with the Privacy Act for the fiscal year (FY) commencing 1 April 2023 and ending 31 March 2024.

1.1 Purpose of the Privacy Act

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and provide individuals with a right of access to that information.

These rights of protection and access are in accordance with the principles that individuals should have a right to know why their information is collected by the government, how it will be used, how long it will be kept and who will have access to it.

Service Agreements

The Department of National Defence and the Canadian Armed Forces had no service agreements pursuant to section 73.1 of the Privacy Act.

2. Access to Information and Privacy at National Defence

2.1 Mandate of National Defence

Who we are

The Department of National Defence (DND) and the Canadian Armed Forces (CAF) support a strategic vision for defence in which Canada is strong at home, secure in North America and engaged in the world. From regular forces to reserve forces and civilian employees, the Defence Team stretches from coast to coast to coast. Its membership represents the strength, skills and diversity of Canada, and brings the experience necessary to protect and support Canadians no matter what is asked of them.

What we do

DND and the CAF have complementary roles to play in:

• Providing advice and support to the Minister of National Defence
• Implementing Government decisions regarding the defence of Canadian interests at home and abroad.

The CAF serves on the sea, on land, in the air, and in space and cyberspace with the Royal Canadian Navy, the Canadian Army, the Royal Canadian Air Force and the Canadian Special Operations Forces Command.

In 2024, Canada released its renewed defence policy, Our North, Strong and Free, which outlines Canada's plan to ensure the CAF remains ready, resilient and relevant in the context of increasing global uncertainty. This means doing more to keep us strong at home, secure in North America and engaged in the world, under six themes including:

• Supporting our people by placing focus on recruitment, retention and personal management, as well as investments into the quality of life for military members in form of support for health, housing and childcare. For all that CAF members give up for Canadians they all deserve to feel safe and valued in their workplace, it is our priority progress culture change.
• Strengthening the foundations of our military to ensure CAF members have the tools they need to do their job effectively and keep them safe. This will include modernizing existing capabilities and acquiring new ones; building civilian capacity; reviewing and reforming defence procurement; accelerating digital transformation.
• Building an innovative industrial base by leveraging innovation and fostering relationships with industry partners to sustain existing equipment and accelerate production capacity in Canada. This will allow the CAF to make reliable and valuable contributions to our allies and partners, particularly in the Euro-Atlantic and Indo-Pacific regions, in support of a more stable, peaceful world.
• Defending Canada in the Arctic and northern regions, where the changing physical and geopolitical landscapes have created new threats and vulnerabilities. By upgrading our continental defences to better detect incoming threats we can remain ready to assist when Canadians face natural disasters and other emergencies or are in need of search and rescue support.
• Defending North America as an active partner with the United States to restore continental defence and deterrence in all domains: sea, land, air, space and cyber, and through a modernized NORAD.
• Advancing Canada's global interests and values through continuing valuable Canadian Armed Forces contributions to global efforts to deter major power conflict, confront terrorism and insurgency, and address instability.

2.2 National Defence Organization

The National Defence Act (NDA) establishes DND and the CAF as separate entities, operating within an integrated National Defence Headquarters as they pursue their primary responsibility of providing defence for Canada and Canadians.

Senior leadership

The Governor General of Canada is the Commander-in-Chief of Canada. DND is headed by the Minister of National Defence. The Associate Minister of National Defence supports the Minister of National Defence. The Deputy Minister of National Defence is the Department's senior civil servant. The CAF are headed by the Chief of the Defence Staff, Canada's senior serving officer. These senior leaders each have different responsibilities:

• The Governor General is responsible for appointing the Chief of the Defence Staff on the recommendation of the Prime Minister, awarding military honours, presenting colours to CAF regiments, approving new military badges and insignia, and signing commission scrolls;
• The Minister of National Defence presides over the Department and over all matters relating to national defence;
• The Associate Minister is also responsible for defence files, as mandated by the Prime Minister, with the specific priority of ensuring that CAF members have the equipment they need to do their jobs;
• The Deputy Minister is responsible for policy, resources, interdepartmental coordination and international defence relations; and
• The Chief of the Defence Staff is responsible for command, control and administration of the CAF, as well as military strategy, plans and requirements.

Defence Organization

The National Defence organizational structure is represented in the diagram below. Additional information about the National Defence organization is available online^{Footnote 2}.

Figure 1: National Defence Organization Chart

2.3 The Directorate of Access to Information and Privacy

Delegation of Authority

In accordance with section 73(1) of the Privacy Act, a delegation of authority, signed by the Minister, designates the Deputy Minister, Corporate Secretary, Executive Director of Access to Information and Privacy, and Access to Information and Privacy (ATIP) Deputy Directors to exercise all powers and functions of the Minister, as the head of institution under the Act. It also designates other specific powers and functions to employees within the Directorate Access to Information and Privacy.

Under the authority of the Corporate Secretary, the ATIP Executive Director administers and coordinates the Access to Information Act and the Privacy Act, and acts as the departmental ATIP Coordinator. In the administration of the Act, the ATIP Directorate seeks advice on legal, public affairs, policy, and operational security matters from other organizations and specialists as required.

A copy of the Access to Information Act and Privacy Act Designation Order is provided at Annex A.

The ATIP Directorate

The ATIP Directorate is responsible for matters regarding access to information and privacy protection within the National Defence portfolio, except for the following organizations: the Military Police Complaints Commission, the Military Grievances External Review Committee, the Communications Security Establishment, the Office of the National Defence and Canadian Forces Ombudsman, the Director of Defence Counsel Services, and the Canadian Forces Morale and Welfare Services.

The ATIP Directorate is managed by an Executive Director, and supported by a corporate services team that is responsible for the administrative and management functions of the directorate, including business planning, financial management, human resources, physical security, and information and records management (IM/RM). The workforce is divided functionally into three main areas, further supported by Defence organization liaison officers, as illustrated in the diagram at FIGURE 2.

The Chief of Operations oversees all activities related to access to information, including ATIP Intake; and is supported by Deputy Directors across ATI Operations. This ensures consistency in the execution of departmental processes and application of the ATI Act and allows for quality assurance activities, tracking, reporting, and monitoring of trends and rising issues.

Deputy Directors oversee Privacy Operations, Defence Privacy Management and Compliance (DPMC), and ATIP Program Support (ATIP-PS).

The DPMC section's key objective is to oversee departmental compliance with the Privacy Act; the section manages privacy risk assessments; resolution of privacy breaches and systemic issues; provides guidance on privacy policy obligations as well as expertise and advice to senior management on contentious and sensitive issues while ensuring continuous improvements of privacy policy and service delivery for the department.

The ATIP-PS section delivers training and promotes ATIP awareness, performs data analytics and reports on program performance, and provides ATIP related advice and guidance to the ATIP Directorate and the wider DND/CAF community.

In addition to access to information and privacy protection activities, the ATIP Directorate provides support to the Departmental Litigation Oversight-Litigation Implementation Team. The Directorate conducts an ATIP-like review of records in support of class action settlements as required.

During the reporting period the ATIP Directorate as a whole had the full-time equivalent of 68.5 employees and 5.25 consultants dedicated to Privacy Act activities.

Figure 2: National Defence Atip Operational Workforce

3. Highlights of the Statistical Report

The statistical report at Annex B consists of data submitted by National Defence as part of Treasury Board Secretariat (TBS) annual collection of ATIP-related statistics. The following sections contain highlights, trends and an analysis of notable statistical data from a departmental perspective.

3.1 Requests received

During the reporting period, National Defence received 6,857 requests for personal information under the Privacy Act, representing a 7.3% increase from the previous reporting period. Combined with a carry-over of 1,156 files from FY 2022-23, this represents a total workload of 8,013 requests during the reporting period. The number of requests carried over increased 25% to 1,445 in the current reporting period.

Figure 3: Privacy Request Workload (Last Five Years)

3.2 Requests completed

National Defence closed a total of 6,568 privacy requests during the reporting period. This represents an 8.5% increase over the previous FY. The total ATIP workload over the past five years is represented in FIGURE 4 below.

Figure 4: Disposition of Requests Completed and Total Requests Closed (Last Five Years)

Pages reviewed

This year, a total of 1,282,442 pages were reviewed to close 4,902 requests. This remains consistent with FY 2022-23 where 1,282,023 pages were processed (FIGURE 5).

This number does not include the number of pages processed for requests reviewed in the current FY that were carried over into the next reporting period.

Figure 5: Number of Pages Reviewed for Requests Closed, Where Records Existed (Last Three Years)

Exemptions and exclusions

Consistent with previous reporting periods, section 26 of the Privacy Act was the most frequently invoked exemption and was applied in 2,634 requests. This section of the Act protects personal information of individuals other than the requester.

Completion time

National Defence closed 3,034 requests within 30 days; this represents 46.2% of the total volume of requests closed. This equates to a 4.6% decrease of files closed within 30 days, compared to 3,181 files closed within 30 days during the last reporting period.

Figure 6: Time to Complete Requests (Last Five Years)

Files closed beyond 30 days were not necessarily late as legal extensions under the legislation may have been applied.

Extensions

Section 15 of the Privacy Act permits the statutory time limits to be extended if consultations are necessary, if translation is required or if the request is for a large volume of records and processing it within the original time limit would unreasonably interfere with the operations of the Department.

In total, 2010 extensions were applied during the FY 2023-24 reporting period. Each of the extensions were deemed necessary as meeting the original time limit would unreasonably interfere with the operations of the institution.

Number of Active Requests - Outstanding from Previous Reporting Periods

At the end of the FY 2023-24 reporting period, National Defence had 1,445 active requests. A breakdown of outstanding requests by the reporting period in which the request was received, and whether the request is still within the legislated timelines (including extensions) is provided below in FIGURE 7.

Figure 7: Number of Active Requests (as of 31 March 2024)

Number of Active Complaints - Outstanding from Previous Reporting Periods

At the end of the reporting period, National Defence had 47 active complaints with the Office of the Privacy Commissioner of Canada (OPC). A breakdown of active complaints by reporting period is provided at FIGURE 8.

On-time compliance

A total of 4,578 requests (69.7%) were closed within statutory deadlines in FY 2023-24. This represents a 11.6% decrease in on-time compliance over the previous reporting period.

The most common reason for deemed refusal was "Interference with Operations/Workload," cited for over 70% of requests closed late during the reporting period. As defined by TBS, this reason relates to requests where there is "interwoven information and review is required to determine exemptions, there were a large number of requests to be processed at the time, the request consisted of a high volume of records, there were difficulties in obtaining relevant information, or there were other ATIP-related tasks."

Impacts to productivity resulting from staffing challenges continues to impact compliance. There continues to be ATIP staff turnover at all levels due to a competitive job market. New employees require a learning and adjustment period to realize performance potential. The hiring and training of new employees during a remote posture has also created additional workload for ATIP management and support services. Over the past year efforts have continued to staff vacant positions and train new staff.

Disposition: Percentage of requests all disclosed vs. disclosed in part

During the reporting period, Defence responded to a total of 6,568 requests; of which 19.6% were "all disclosed" (1,285) and 41.3% (2,713) were "disclosed in part." The remaining requests were completed as all exempted, no records exist, or abandoned.

3.3 Consultations Received and Completed

Historically, National Defence does not receive many consultation requests relating to requests made under the Privacy Act. During the reporting period, National Defence received three requests for consultation; all three requests for consultation were received from other Government of Canada institutions. A total of four consultations were closed during the reporting period; two requests for consultation were completed within 15 days, and one was completed between 31 and 60 days.

4. Privacy Protection and Personal Information Management

4.1 Public Interest Disclosures

Paragraph 8(2)(m) of the Privacy Act permits the disclosure of personal information, without the consent of the individual to whom it relates, where the public interest in disclosure clearly outweighs any invasion of privacy that could result, or where the disclosure would clearly benefit the individual to whom the information relates.

During the reporting period, 60 disclosures of personal information were made in accordance with paragraph 8(2)(m). Disclosures made in the public interest included but were not limited to, disclosures to the media relating to departmental actions in response to allegations of Sexual Misconduct and Hateful Conduct, and disclosures to CAF member's family or representative relating to Boards of Inquiry or Summary Investigations into the death or serious injury of a CAF member.

For each of the 60 disclosures made in the public interest during FY 2023-24, the OPC was notified; wherever possible, notification occurred in advance of the disclosure.

4.2 Privacy Breaches

Privacy rights are a matter of increasing public concern. Personal information under the control of National Defence is subject to the Privacy Act, which governs the safeguarding, collection, retention, use and disclosure of personal information. The ATIP Directorate, Defence Privacy Management & Compliance (DPMC), Privacy Incident Management Team received 262 complaints regarding a contravention of one or more provisions of the Act. The ATIP Directorate's DPMC, Privacy Incident Management Team reviewed and resolved 191 complaints alleging a breach of privacy, of which 135 complaints were deemed to be well-founded.

Material Privacy Breaches

The Treasury Board Secretariat Policy on Privacy Protection defines a privacy breach as the improper or unauthorized access to, creation, collection, use, disclosure, retention, or disposal of personal information. A material breach is defined as a privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. One material privacy breach was reported by National Defence to the Office of the Privacy Commissioner (OPC) and the Treasury Board of Canada Secretariat (TBS), as described below.

On September 29, 2023, the Government of Canada became aware of an incident affecting Brookfield Global Relocation Services (BGRS)/Sirva Canada. BGRS/Sirva Canada provides relocation services to members of the Canadian Armed Forces (CAF) and civilian employees of Department of National Defence (DND). Upon confirming the incident resulted in unauthorized access to personal information, notification of the incident was issued to Defence Team members. Individuals who had a relocation file with BGRS/Sirva Canada were advised to take precautionary measures, including enabling multi-factor authentication on accounts used for online transactions, and monitoring their financial and personal online accounts for unusual activity.

DND/CAF personnel were provided regular updates as the investigation into the incident proceeded. Individuals who may have been impacted were offered credit monitoring, dark web monitoring, and identity theft protection insurance. Given the number of Defence Team members who have relocated, access to these services was rolled out in waves; the final wave commenced in January 2024.

The examination into the full extent of the data breach remains ongoing.

4.3 Privacy Impact Assessments

National Defence collects, uses and discloses personal information in the delivery of mandated programs and services. In accordance with TB policy, the DND and the CAF undertake privacy impact assessments (PIA) to evaluate impacts to personal information in the administration of these activities. A PIA provides a framework to identify the extent to which proposals comply with the Privacy Act and applicable privacy policies, assist program officials in avoiding or mitigating privacy risks, and promote informed program and system design choices.

National Defence completed^{Footnote 3} eight PIAs during FY 2023-24. The descriptions of PIAs are found below.

Biometric Collection within the Defence Intelligence Enterprise (DIE) Program
The Defence Intelligence Program provides responsive, reliable and fully integrated intelligence capabilities, services and products to support and inform decisions and actions relating to potential and authorized military operations and activities assigned to National Defence, as well as any intelligence activities carried out by the Department in support of the Government of Canada's broader responsibilities with respect to national defence, national security or global affairs. This PIA has been developed to assess the biometric capability of the Defence Intelligence Enterprise (DIE) Program of the DND/CAF.

CAF Anthropometric Program for Soldier System Acquisition
DND/CAF began a process to review its efforts at improving the design, fit, and performance of military clothing and equipment. Central to this process was the need to establish requirements and definitions for the development of an enterprise-wide anthropometric program. Anthropometric data can be used to inform decisions regarding the design, fit, sustainment, development, and procurement of new soldier systems, and to improve the operation and effectiveness of existing systems.

Declaration of Victims Rights (DVR) Complaint Review Mechanism
In May 2018, the Government of Canada introduced Bill C-77, which amended the Code of Service Discipline, enhancing victims' rights in the military justice system and enshrining a 'Declaration of Victims Rights' into Part III, Division 1.1 of the National Defence Act. The new Declaration of Victims Rights (DVR) largely mirrors the Canadian Victims Bill of Rights and the civilian criminal justice system, strengthening rights for victims of service offences. In addition to providing fundamental rights to the victims of service offences, the DVR affords victims with the right to file a complaint. In any case where a victim of a service offence is of the opinion that their rights under the DVR have been infringed or denied, the victim has a right to file a complaint in accordance with the Code of Conduct's supporting regulations. Where a victim's concerns cannot be resolved through the chain of command, the victim may file a formal complaint with DND's Director External Review (DER) for review.

Federal Health Claims Processing Service (FHCPS)
DND/CAF provides a wide range of health benefits and services to its members. This includes coverage of medical, dental and other treatments provided by health professionals. It also includes preventive health care and supplies, prescribed drugs, health-related travel and rehabilitation related expenses, and long-term care. While health care services are provided to serving members primarily through CAF clinics, health care is sometimes provided through provincial health care systems, institutions, and private practitioners. PIA was to ensure that privacy risks specific to CAF clients are identified early in the new FHCPS Solution's design, and to reflect on privacy risks associated with the current FHCPS Contract and Service.

Independent Legal Assistance Program
The Sexual Misconduct Support and Resource Centre's (SMSRC's) deployment of the Independent Legal Assistance Program (ILAP) has provided free legal assistance to victims of military sexual misconduct. The ILAP is planned to be deployed across three phases and, once fully deployed, will provide eligible individuals with the following:

1. Legal information: legal information about the military justice system and criminal justice system, including reporting, investigations, administrative and judicial proceedings, victims' rights, criminal trial processes, etc.
2. Legal advice: up to four hours of confidential legal advice from a lawyer pertaining to issues of military sexual misconduct in the context of the military justice system or criminal justice system.
3. Legal representation: legal representation from a lawyer for criminal court proceedings pertaining to the disclosure of a victim's/survivor's private records and the admissibility of evidence concerning prior sexual activity and/or records of the victim/survivor – criminal code sections 276 and 278.92.

Litigation Claims Processing Program
The Department of National Defence and Canadian Armed Forces (DND/CAF) are governed by the National Defence Act. The Act establishes DND's mandate and authorities and stipulates that the Minister of National Defence has the management and direction of the CAF. DND is responsible for supporting the CAF in the defence of Canadian interests at home and abroad. Over the past several years, DND/CAF has been involved in multiple class action lawsuits filed by current and former members. Most of those claims center on workplace issues and alleged failures to properly address workplace misconduct, harassment, and discrimination. Others pertain to the administration of pensions and benefits or infrastructure issues (e.g., contaminated sites). Some lawsuits remain in a state of proposal or classification, while others have resulted in court decisions, judgements, or Final Settlement Agreements (FSAs), which provide compensation and other remedial measures for claimants.

Restorative Engagement Program
The Restorative Engagement Program (REP) was developed in accordance with the Final Settlement Agreement of the Department of National Defence-Canadian Armed Forces Sexual Misconduct class action lawsuit; commonly called the Heyder-Beattie FSA. The Heyder-Beattie FSA required DND/CAF to establish a REP to allow Class Members of the FSA to communicate their experience of sexual misconduct to senior representatives of DND and CAF. Restorative engagement provides opportunities to talk about the causes and impacts of sexual misconduct and to help change the culture that enables it.

Summary Investigations/Board of Inquiries
The Canadian Armed Forces (CAF) conducts Summary Investigations (SIs) and Boards of Inquiries (BOIs), which are administrative investigations into various matters that occur within the CAF. As administrative investigations, SIs and BOIs explore issues related to the command, control and administration of the CAF. These are a detailed search or inquiry to determine the facts, make findings, and develop recommendations to prevent the recurrence of an unfavourable occurrence, such as a serious injury, non-combat death (including suicide and attempted suicide), lost classified material, and others.

In addition, the ATIP Directorate continues to provide ongoing privacy advisory services to National Defence organizations assessing risks to personal information used in the administration of Defence programs.

4.4 Departmental personal information

Complex & Sensitive Personal Information

To ensure the appropriate protection of sensitive personal information within the Department, the ATIP Directorate provides review and redaction services to support a number of departmental administrative processes including Boards of Inquiry, Summary Investigations, Reports involving allegations of Workplace Violence, Harassment and Grievances. Although these are not formal requests made under the Privacy Act, the information is being released by the Department and privacy protection is a priority. The ATIP Directorate reviewed 76 files containing complex and sensitive personal information in FY 2023-24. This represents a total of 1,220 pages reviewed to ensure personal information is protected and not inappropriately disclosed.

5. Complaints, Audits and Reviews

5.1 Complaints from the Office of the Privacy Commissioner

In FY 2023-24, National Defence received a total of 82 formal complaints from the Office of the Privacy Commissioner (OPC); this represents less than two percent of all requests processed during the reporting period.

Statistical reporting requirements for complaints and investigations with the OPC are noted below:

• Section 31: When the OPC gives formal notice of their intention to investigate a complaint regarding the processing of a request under the Act.
  • Defence received 82 such notices during FY 2023-24, compared to 65 such notices during FY 2022-23.
• Section 33: When the OPC requests further representations from institutions pursuant to an ongoing complaint investigation.
  • Defence received 83 such notices during FY 2023-24 in comparison to 31 such notices in the previous reporting period.
• Section 35: When the OPC issues a findings report for a well-founded complaint upon conclusion of an investigation.
  • During the reporting period, 28 complaints were found to have merit. Note that these complaints are not necessarily from the 82 complaints received during the reporting period.

The 28 well-founded determinations represent 45.2% of all findings issued by the OPC to National Defence in Fiscal Year 2023-24. Of the well-founded determinations, 25 were administrative in nature (relating to delays and time extensions), one related to right of access and two related to an unauthorized disclosure. Figure 10.

Efforts continued to be placed on resolving outstanding complaints with the OPC received in previous reporting periods. The ATIP Directorate collaborated with the OPC to manage complaints effectively and consistently strives to maintain transparent communications to foster a positive working relationship with the OPC.

5.2 Court Decisions

In FY 2023-24, two court proceedings were actioned in respect of requests processed by National Defence.

5.3 Key Actions Taken on Complaints

National Defence took actions during the reporting period to address the issues raised by the Office of the Privacy Commissioner and the Standing Committee on National Defence.

A multi-disciplinary working group consisting of representatives from the ATIP Directorate, the Directorate of Enterprise Architecture, and Review Services evaluated the ATIP process to identify areas for improvement. Subsequently an agile project management approach was implemented to develop initiatives aimed at improving the ATIP process across National Defence.

National Defence is committed to addressing process challenges through this ongoing effort and will be monitoring the implementation and effectiveness of the initiatives undertaken.

6. Policies and Procedures

During the reporting period, National Defence implemented the following new or revised policies, guidelines, and procedures related to privacy:

6.1 Social Insurance Numbers

The Department of National Defence did not receive authority for new collection(s) or new consistent use(s) of Social Insurance Numbers during this reporting period.

The Defence Privacy Management and Compliance Section (DPMC) finalized and implemented internal procedures on the management of privacy breaches including a tool to guide employees across the department on steps to take to contain and report privacy breaches within the department or when involving external parties.

7. Training and Awareness

7.1 ATIP training program

Departmental ATIP training continued to be provided on a virtual platform. Directorate training staff delivered the following training sessions to Defence employees and CAF members with specific emphasis on those staff with ATIP responsibilities:

• Access to Information and Privacy Fundamentals (COR502 – Offered online by the Canada School of the Public Service, this course is a prerequisite for all departmental ATIP training);
• Introductory DND/CAF ATIP courses [ATIP at DND (formally ATIP 101 - General ATIP), or Privacy Fundamentals];
• Orientation session for new employees of the ATIP directorate;
• Advanced DND/CAF ATIP courses (ATIP 201 - Advanced ATIP or organization-specific content); and,
• ATIP awareness and engagement activities with the various branches and divisions.

7.2 Training and awareness activities

A total of 44 training sessions were delivered to approximately 1,077 individuals. This training was provided to Defence employees and CAF members on the administration of both the Access to Information Act and Privacy Act, as well as on appropriate management of personal information under the control of the institution. These virtual training sessions included ATIP 101, ATIP 201, and Privacy Protection and targeted training sessions for specific Defence organizations. Most training sessions were delivered by ATIP Directorate staff through video teleconference technologies. Mid-year a new online self-guided program (ATIP at DND) was launched to replace ATIP 101. This new program was instrumental to a 44% increase in participants over last year. Moreover, an additional 3,377 individuals from DND/CAF completed the CSPS ATIP fundamentals in the reporting period as it was a prerequisite for any DND specific ATIP training.

Privacy Impact Assessment (PIA) information sessions were provided to support program managers developing or modifying programs or activities that involve the collection, use, disclosure, retention, or disposal or personal information. The information sessions are being standardized and formalized to increase overall understanding of the PIA process, its benefits, as well as the legal and policy obligations under the Privacy Act. The sessions will enhance privacy knowledge and skills of employees and managers while fostering a culture of privacy within the department.

Canadian Forces Health Services training

The Canadian Forces Health Services (CFHS) operates a privacy office that is responsible for providing advice and support to the CFHS Group on policies and activities that involve personal health information. In accordance with their mandate, the CHFS privacy office maintains training modules to educate staff on the principles of "Privacy, Confidentiality and Security" to support appropriate use of the Canadian Forces Health Information System.

During this reporting period, 2,600 Canadian Forces Health Services staff attended training or completed mandatory modules offered specifically to the CFHS organization.

8. Initiatives and Projects

During the reporting year, the Defence Privacy Management and Compliance Section (DPMC) continued efforts to strengthen the Defence Privacy Management Program. Initiatives include:

A department wide Privacy Risk Assessment Benchmark Questionnaire was conducted to assess the sensitivity and complexity of programs involving personal information. The results of the questionnaire will help identify the strengths and gaps in privacy management and inform the development of targeted initiatives to enhance privacy protection and compliance. Furthermore, the results will be used to develop the DND/CAF Privacy Plans & Priorities to inform a risk-based approach to support Defence initiatives where personal information is involves.

With increasing complexity and volume of privacy breaches being reported, DPMC also piloted a project to minimize the administration for low-level privacy breaches. A process using a digital report of findings was tested; it resulted in increased ease and efficiency of case file administration for analysts and reduced the time required to describe, record, document and render a finding for low sensitivity, low risk privacy breaches. Efforts to streamline privacy breach management activities with DPMC and with the program areas will continue in the next reporting period.

Furthermore, enhancements were made to the case file management software to increase work efficiency and are expected to support increased tracking and reporting of privacy breaches across the department.

9. Monitoring Compliance

To provide effective oversight and reporting of ATIP performance within National Defence, the ATIP Directorate produces a monthly dashboard that measures the timeliness of OPI record retrieval, overall ATIP compliance, and critical indicators such as privacy breach complaints. Using Microsoft Power BI to publish the ATIP dashboard has enhanced its usability and visibility to senior leadership on key metrics and ATIP performance. The monthly dashboard serves to track ATIP performance across the Department and identify organizations who may require assistance or training, and to identify areas for process improvements.

Additionally, the ATIP Directorate responds to on-demand requests for statistics and performance reports to support program-specific requirements and departmental ATIP obligations.

Currently, the time to process requests for correction of personal information is not formally monitored as this number is regularly very low. In FY 2023-24, the ATIP Directorate did not receive any requests for correction.

Annex A: Deligation Order

Department of National Defence and the Canadian Armed Forces

Delegation of Authority Access to Information Act and Privacy Act

I, Minister of National Defence, pursuant to section 95 of the Access to Information Act and section 73 of the Privacy Act, hereby delegate the persons holding the positions set out in the Delegation of Authority Schedules attached hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and function of the Minister as head of National Defence, under the provisions of the Acts and related regulations set out in the schedule opposite each position.

This delegation supersedes all previous delegation orders.

Original signed by

The Honourable William Sterling Blair, P.C., C.O.M., M.P.
Minister of National Defence
Date: 2024-02-23

Delegation of Authority Schedule - Access to Information Act

Delegation of the powers, duties and functions of the Minister of National Defence as the head of the institution for the Department of National Defence and the Canadian Armed Forces under the Access to Information Act, R.S.C. 1985, c. A-1 (prior to and following June 21, 2019) and regulations.

To note: the Department of National Defence and the Canadian Armed Forces includes a number of organizations with varying degrees of independent authority. The powers, duties and functions in the present order shall not apply to the activities of the following organizations:

• The Military Police Complaints Commission;
• The National Defence and Canadian Forces Ombudsman;
• The Military Grievances External Review Committee;
• The Canadian Forces Morale and Welfare Services;
• The Director of Defence Counsel Services; and,
• Any other organization of the Department of National Defence and the Canadian Armed Forces to whom the Minister of National Defence may delegate such powers.

Delegation of Authority Schedule - Privacy Act

Delegation of the powers, duties and function of the Minister of National Defence as the head of the institution for the Department of National Defence and the Canadian Armed Forces under the Privacy Act, R.S.C. 1985, c. P-21 and regulation.

To note: the Department of National Defence and the Canadian Armed Forces includes a number of organizations with varying degrees of independent authority. The powers, duties and functions in the present order shall not apply to the activities of the following organizations:

• The Military Police Complaints Commission;
• The National Defence and Canadian Forces Ombudsman;
• The Military Grievances External Review Committee;
• The Canadian Forces Morale and Welfare Services;
• The Director of Defence Counsel Services; and,
• Any other organization of the Department of National Defence and the Canadian Armed Forces to whom the Minister of National Defence may delegate such powers.

Annex B: Statistical Report on the Privacy Act for 2023-2024

Statistical Report on the Privacy Act

Name of institution: Department of National Defence

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Requests Under the Privacy Act

Section 2: Informal requests

Section 3: Requests Closed During the Reporting Period

3.5 Complexity

3.6 Closed requests

3.7 Deemed refusals

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for Correction of Personal Information and Notations

Section 6: Extensions

Section 7: Consultations Received From Other Institutions and Organizations

Section 8: Completion Time of Consultations on Cabinet Confidences

Section 9: Complaints and Investigations Notices Received

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

Section 11: Privacy Breaches

Section 12: Resources Related to the Privacy Act

Annex C: Supplemental Statistical Report on the Access to Information Act and Privacy Act for 2023-2024

Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Name of institution: Department of National Defence

Reporting period: 2023-04-01 to 2024-03-31

Section 1: Open Requests and Complaints Under the Access to Information Act

Section 2: Open Requests and Complaints Under the Privacy Act

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2023-24? - No

Section 4: Universal Access under the Privacy Act

How many requests were received from foreign nationals outside of Canada in 2023-24? - 7