Annual Report on the administration of the Access to Information Act and the Privacy Act for the 2018 to 2019

On this page

• Executive summary
• 1. Introduction
• 2. Organizational structure
• 3. The Privacy Management Framework and privacy governance in ESDC
• 4. Delegations
• 5. Initiatives and procedures
• 6. Performance reporting
• 7. Complaints, investigations and court actions
• 8. Internal audits
• 9. Public interest disclosures
• 10. Material privacy breaches
• 11. Training and awareness activities
• 12. Moving forward
• Annex A: Delegation orders
• Annex B: Summaries of completed Privacy Impact Assessments
• Annex C: Statistical reports

Executive summary

The mission of Employment and Social Development Canada (ESDC) including the Labour Program and Service Canada, is to build a stronger and more inclusive Canada to support Canadians to live productive and rewarding lives and to improve Canadians’ quality of life. Many of the federal government’s largest and most well known programs and services are provided by the Department in fulfillment of its broad mandate.

As a result, ESDC is a major user of personal information and other data in order to deliver key programs and services to Canadians as well as to deliver programs and services on behalf of other federal institutions. Moreover, ESDC operates within one of the most complex privacy regimes in government, within which it carries out the vast scale and scope of the Department’s collection, use, retention and disclosure activities. The protection of Canadians’ privacy rights and the safeguarding of personal information is a key priority for the Department.

As a federal institution, ESDC is subject to the Access to Information Act and the Privacy Act. Both Acts require the Department to submit an annual report to Parliament on their administration at the conclusion of every fiscal year. This consolidated report describes ESDC’s major strategic and operational highlights for both access to information and privacy during the reporting period.

Modernization and transformation were dominant themes again during the 2018 to 2019 fiscal year. The fiscal year was characterized by legislative and policy reform processes for both access to information and privacy. Change is underway in ESDC as well — the Department launched its Service Transformation Plan with the goal of leaping forward in the way programs and services are delivered in order to meet the needs of Canadians.

To complement this work, the Department moved to strengthen the management of privacy in ESDC by:

• supporting Privacy Act reform activities and undertaking extensive consultations within the Department to identify opportunities to improve programs and services for Canadians; and
• completed a review of ESDC’s privacy governance architecture to ensure that the Department is ready to respond proactively to advances in technology, the use of data, and the evolving nature of the risks to personal information.

The Department of Employment and Social Development Act was amended to broaden the Department’s mandate to include service delivery to the public with a view to improving services to Canadians. These changes provide ESDC with the authority to deliver services to the public for partners, including other federal institutions and jurisdictions, which also incorporated additional rules on the management of personal information.

With respect to access to information, activities focussed on departmental readiness to implement new proactive disclosure provisions stemming from Bill C-58 – An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts – and the evolving complexity of day-to-day access to information requests and processing functions. Initiatives to advance access to information included:

• engaging the Department to raise awareness about Bill C-58 to ensure that ESDC is prepared to comply;
• creating an adaptable organizational structure that can adjust to future administrative, operational and legislative needs; and
• modernizing and standardizing access to information procedures across the Department towards improving analysis, reporting and proactive practices for searches and processing.

ESDC continues to experience some of the largest volumes of access to information and privacy requests among federal institutions.

The Department’s initiatives to modernize and strengthen its business processes resulted in an 87% compliance rate for Access to Information Act requests, representing an improvement of 4 percentage points (83%) from the 2017 to 2018 fiscal year.

In the Treasury Board Secretariat’s 2017 to 2018 ranking of Government of Canada institutions, the Department ranked 7th with respect to the number of access to information requests received. During this fiscal year, ESDC received 1,409 requests under the Access to Information Act, a 27% decrease from the previous fiscal year when the Department received 1,942 requests. This decrease can be explained in part by new business processes, which convert, with the consent of the client, erroneously submitted Access to Information Act requests into more accurate Privacy Act access requests.

As for the Privacy Act, access requests, the Department ranked 3^rd in the Treasury Board Secretariat’s 2017 to 2018 ranking of Government of Canada institutions. During the 2018 to 2019 fiscal year, ESDC received 12,678 requests under the Privacy Act, a 43% increase from the previous fiscal year, when the Department received 8,852 requests. As previously noted, this increase is largely attributable to the Department’s efforts to convert Access to Information Act requests into more accurate Privacy Act access requests in addition to its efforts of changing informal requests into formal requests. This year again, the Department achieved a 99% compliance rate.

ESDC anticipates that targeted Privacy Act and Access to Information Act requests will increase in future years, in part due to proactive disclosure requirements for access to information of Bill C-58, as proactively publishing material facilitates public engagement and participation, which in turn could lead to more requests.

As in previous years, ensuring that ESDC’s access to information and privacy request processes are efficient and effective will be important in order to continue to respond to requests in a timely manner.

As this report demonstrates, ESDC is fully committed to making government more transparent and open by seeking an enhanced understanding of ESDC’s Access to Information and Privacy operations of Canadians.

1. Introduction

Presentation of the Report

Section 72 in both the Access to Information Act and the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of each Act following the end of every fiscal year. Employment and Social Development Canada (ESDC) is pleased to present its consolidated annual report on the administration of the Access to Information Act and the Privacy Act for the 2018 to 2019 fiscal year to Parliament.

For the second year, the Department has developed a single report for its Access to Information Act and Privacy Act activities, which would otherwise be reflected in separate submissions. The consolidated format of this report provides a more comprehensive representation of the activities and accomplishments of ESDC.

About Employment and Social Development Canada

ESDC, which includes the Labour Program, and Service Canada, provides many federal programs and services. Because of the broad scope of its mandate, it is amongst the largest and most decentralized federal institutions, with 25,245 employees across the country. Each day, ESDC interacts with thousands of Canadians by delivering services and programs that play important roles in their lives. Canadians expect high-quality, easy-to-access, and secure services that are responsive to their needs, whether they are interacting online, through call centres, or in person.

ESDC’s programs and services affect Canadians throughout the course of their lives. For example, the Department assists parents who are raising young children, helps students finance their post-secondary education, and provides income support to unemployed and pension income to seniors. ESDC delivers many of the Government of Canada’s flagship programs, such as the Canada Student Loans Program, Employment Insurance, Old Age Security, and the Canada Pension Plan. Overall, the Department is responsible for delivering over $120 billion in benefits directly to individuals and organizations, which represent almost 5.5% of Canada’s Gross Domestic Product.

The Labour Program contributes to social and economic well-being by fostering safe, healthy, fair and inclusive work environments, and cooperative workplace relations in workplaces falling under federal jurisdiction. The Labour Program also supplies labour relations mediation services, enforces minimum working conditions, promotes decent work and fosters respect for international labour standards.

The Department’s service delivery arm, Service Canada, provides Canadians with a single point of access to ESDC programs and benefits, as well as to other Government of Canada programs and services. It operates a network of 590 in-person points of service across the country comprising of 318 Service Canada Centres, 247 scheduled outreach sites and 31 stand-alone Passport offices. In addition to in-person services, Service Canada also serves the needs of Canadians online at Canada.ca, through the My Service Canada Account, and by telephone through “1-800 O-Canada” and its network of call centres.

About the Access to Information Act and the Privacy Act

The Access to Information Act provides Canadian citizens, permanent residents, and any individual or corporation present in Canada a right to access records of government institutions that are subject to the Act^{Footnote 1}. This right is subject to limited and specific exemptions and exclusions, and in accordance with the principle that government information should be available to the public.

The Privacy Act protects the privacy of Canadian citizens, permanent residents and individuals present in Canada with respect to personal information about themselves held by a government institution that is subject to the Act, and provides them with a right of access to that information^{Footnote 2}. The Privacy Act sets out provisions for the collection, use, retention and disclosure of personal information by government institutions.

Personal information provisions in the Department of Employment and Social Development Act

In addition to the Privacy Act, the management of personal information by ESDC is governed by further statutory obligations set out in the Department’s enabling Act. The Department of Employment and Social Development Act sets out the rules that apply to personal information that is controlled by ESDC through its programs. These provisions set out the conditions for:

• disclosing personal information;
• making available information contained in the Social Insurance Register;
• using personal information for internal policy analysis, research and evaluation purposes; and
• disclosing personal information for research or statistical analysis.

The Department of Employment and Social Development Act also provides an offence provision for the inappropriate use and disclosure of personal information under the control of ESDC.

When the Department delivers services to the public on behalf of other federal institutions and jurisdictions, or when delivering select services for the Government of Canada, the partner’s privacy regime (normally the Privacy Act for federal partners) applies and not the personal information provisions contained in the Department of Employment and Social Development Act.

2. Organizational structure

Corporate Secretary and Chief Privacy Officer

The Corporate Secretariat is the Employment and Social Development Canada (ESDC) branch responsible for the management of access to information and privacy operations, the development of privacy policy, and the provision of privacy advice and guidance in ESDC. The Corporate Secretariat’s Access to Information and Privacy functions are organized into 2 divisions: the Access to Information and Privacy Operations Division and the Privacy Management Division.

The Branch is headed by the Corporate Secretary, who reports to the Associate Deputy Minister, and is also the Department’s Chief Privacy Officer. The Chief Privacy Officer is the Department’s functional authority on all privacy matters, which includes the provision of authoritative advice and functional direction to all ESDC branches and regions. The establishment of comprehensive privacy management policies, frameworks, programs, privacy review processes, and risk-assessment approaches concerning the management of personal information is also the responsibility of the Chief Privacy Officer. The Directors of the Privacy Management Division and the Access to Information and Privacy Operations Division report to the Corporate Secretary and provide support in the administration of the Privacy Act and the Access to Information Act within ESDC.

Text description of Figure 1

This organizational chart displays a hierarchy beginning with the Corporate Secretary and Chief Privacy Officer of ESDC at the top. Directly below the Corporate Secretary and Chief Privacy Officer are two levels: The Privacy Management Division and the Access to Information and Privacy Operations Division.

Directly below the Privacy Management Division are two units: The Policy and Risk Management and the Privacy Compliance and Advisory Services. Below these are two different units.

Directly below the Access to Information and Privacy Operations Division are also three units: the Operations Unit, the Incident Management and Legislative Disclosures Unit and the Strategic Issues Management Team. From this level, a dotted line leads to the bottom to the Regional Access to Information and Privacy Managers.

Access to Information and Privacy Operations Division

The Access to Information and Privacy Operations Division (ATIP Ops) carries out the Department’s legislated requirements under the Access to Information Act and the Privacy Act. It leads and advises on the processing of all ESDC requests under the Access to Information Act, performs line-by-line reviews of records requested under the Access to Information Act and the Privacy Act, and delivers training and awareness sessions to departmental employees on the administration of the Acts. The Director of ATIP Ops is ESDC’s designated ATIP Coordinator. Approximately 19 ATIP Ops employees were dedicated to processing access to information requests during the 2018 to 2019 fiscal year.

The day-to-day administration of the Access to Information Act is a collaborative endeavor between ATIP Ops and the Department’s network of Branches and regional Liaison Officers who support this work by undertaking searches, collecting records and making recommendations. The Liaison Officers play an intermediary role between ATIP analysts and subject matter experts located across ESDC. The regions also play an important role by processing the majority of privacy requests received at ESDC. Finally, the Division also provides departmental leadership on implementation of C-58 – An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts, which received Royal Assent on June 21, 2019.

In addition to processing requests under the Access to Information Act, ATIP Ops also contributed to other departmental-wide activities for which ATIP Ops advice and expertise was sought. For instance, ATIP Ops staff frequently reviews departmental material for proactive disclosure (for example, contracts, position reclassification, travel and hospitality expenses), informal requests (for example, audits and administrative investigations) and Open Government publications (for example, datasets) to identify sensitivities such as personal information and cabinet confidences. While these activities are not accounted for within this report’s statistical information, such activities are an important and growing part of strengthening transparency and accountability.

Privacy Management Division

The Privacy Management Division (PMD) is the departmental focal point for the management of ESDC’s privacy program. PMD supports the horizontal coordination and implementation of departmental privacy policies and initiatives. It also manages the Department’s privacy risk management functions; including, the privacy impact assessment process, provides guidance for the development of information sharing agreements involving personal information and delivers privacy compliance advice for the administration of ESDC’s programs and services. PMD is responsible for responding to legal instruments, public interest disclosures and privacy complaints not related to the processing of Privacy Act access requests, as well as overseeing the departmental response for security incidents involving personal information. In addition, PMD provides strategic and analytical privacy advice to ESDC’s senior leaders. The Department’s privacy awareness campaigns and personal information management training is also led by the Division. As of March 31, 2019, PMD had a complement of 28 full-time employees.

3. The Privacy Management Framework and privacy governance in ESDC

Privacy Management Framework

Given the importance of safeguarding personal information, the Department implements a risk-based and proactive approach to privacy management that promotes the integration of privacy into program design and project planning. This approach emphasizes the importance of building privacy directly into the architecture of programs, systems, technologies and business processes. Employment and Social Development Canada’s (ESDC) Privacy Management Framework consists of five key elements, as described in Figure 2.

Figure 2: Element definitions of ESDC’s Privacy Management framework

Governance and accountability: Roles and responsibilities for privacy management are clearly defined to meet legal requirements, regulations, policies, standards and public expectations.

Stewardship of personal information: Appropriate privacy protections are implemented to manage personal information through its life cycle.

Assurance of compliance: Formal processes and practices are established to ensure adherence to privacy specifications, policies, standards and laws.

Effective risk management: Structured and coordinated risk assessments are conducted to limit the probability and impact of negative events and maximize opportunities through risk identification, assessment and prioritization.

Culture, training and awareness: The protection of personal information is a core organizational value and is fundamental to maintaining the public’s trust. Formal privacy training and awareness activities promote a privacy-aware organization that values the protection and stewardship of personal information.

Departmental policy on privacy management

The Departmental Policy on Privacy Management sustains a robust privacy regime for the protection and judicious use of personal information within ESDC. The policy defines the roles and responsibilities for privacy, further stating that all employees are responsible for safeguarding and protecting personal information under their custody and control. The Departmental Policy on Privacy Management also specifies functional privacy or personal information management responsibilities and accountabilities for senior management, including the Chief Privacy Officer, the Departmental Security Officer, and the Departmental IT Security Coordinator.

The expected results from the application of the Departmental Policy on Privacy Management include the sound management and safeguarding of personal information within the Department, robust practices for the identification, assessment and management of risks to personal information, and the establishment of clear accountabilities, governance structures and mechanisms to protect and manage personal information in ESDC.

Privacy governance at ESDC

ESDC uses a committee structure to support privacy governance, risk oversight, and decision-making. The Department’s primary governance committee for privacy and the safeguarding of personal information is the director general-level Data and Privacy Committee. Co-chaired by the Chief Privacy Officer and the Chief Data Officer, the Data and Privacy Committee has the mandate to oversee the stewardship and management of data and the protection of personal information across the Department. The Committee supports the integration of data management, privacy and IT security; provides oversight of ESDC’s risk management processes with respect to personal information; and promotes a culture that recognizes that the protection of privacy is a core organizational value and is fundamental to maintaining the public’s trust.

The Data and Privacy Committee reports to the Assistant Deputy Minister-level Corporate Management Committee, which is responsible for overseeing the Department’s management agenda, including the operationalization of the ESDC’s security measures. Chaired by the Associate Deputy Minister, the Corporate Management Committee is composed of Branch and Regional heads as well as the Department’s senior leaders of key functional activities.

4. Delegations

Section 73 of both the Access to Information Act and the Privacy Act empower the head of an institution to delegate any of the powers, duties or functions assigned to him or her by these Acts to employees of that institution. Delegation Orders set out the powers, duties and functions for the administration for each Act that has been delegated by the head of the institution and to whom that delegation has been assigned.

The Minister of Employment and Social Development is the Minister responsible for the purposes of the Access to Information Act, the Privacy Act, and the Department’s enabling legislation — the Department of Employment and Social Development Act. The approved Delegation Orders are reproduced in Annex A.

5. Initiatives and procedures

Access to Information activities and initiatives

During the 2018 to 2019 fiscal year, the Access to Information and Privacy Operations (ATIP Ops) underwent a review of its operations to determine whether there were performance gaps and opportunities for improvement. As a result of the review, a reorganization to meet both evolving internal and external changes was implemented.

As part of the reorganization, a new intake unit to act as Employment and Social Development Canada’s (ESDC) main entry point for all access to information and privacy requests was created. This new team oversees all incoming requests before they are assigned to an analyst. Additionally, the division invested in its training strategy and developmental process to facilitate recruitment and retention of its employees.

The reorganization consolidated and integrated many of the current aspects of review, collaboration, training and quality assurance into a new, team-based approach. These improvements have permitted ATIP Ops to considerably reduce its backlog, address complaints and improve responsiveness.

ESDC also advanced and collaborated on a number of initiatives over the reporting period. Two of these initiatives are described below.

Bill C-58 – An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts: Implementation readiness

Bill C-58 amendments proposed several changes to the daily administration of the Act (Part I), as well as additional legal obligations for the proactive publication of information or materials (Part II) related to the Senate, the House of Commons, parliamentary entities, ministers’ offices, government institutions and institutions that support superior courts. These changes were designed to facilitate public engagement and participation, which, in turn, will promote greater transparency and government accountability.

ATIP Ops created an intradepartmental working group in fall 2017 to ensure ESDC’s readiness to comply with the legislative amendments. During the 2018 to 2019 fiscal year, the working group continued to revisit and adjust departmental business processes; identified volumetrics and peak publishing periods; and shared best practices for compliance with these new requirements. The working group also developed an internal communications plan, re-designed templates, and launched a single-window resource portal that provides ESDC employees with information and tools to support the Department’s proactive publication activities. ATIP Ops continued to engage ESDC Branches and regions to raise awareness, and collaborated with government of Canada partners and provide strategic support to the Treasury Board Secretariat by sharing issues and best practices.

Feasibility study on the ATIP community development project

During the 2018 to 2019 fiscal year, ESDC collaborated with the Canada Revenue Agency, Immigration, Refugees and Citizenship Canada, Transport Canada and Treasury Board of Canada Secretariat, to develop a feasibility study related to the creation of a dedicated team to support ATIP groups across government, and the advancement of the discipline. The result of the Feasibility Study was presented to the Assistant Deputy Ministers’ Access to Information and Privacy Committee in fall 2018. As this work advances, ESDC will seek to support this important initiative, given the benefits of having a dedicated team to facilitate greater support for horizontal collaboration, recruitment and community building.

Privacy activities and initiatives

During the 2018 to 2019 fiscal year, ESDC continued to advance a proactive, risk-based approach to privacy management and to support the development of a culture of stewardship within the Department for the personal information under its control. ESDC undertook several strategic activities designed to support the Department’s service delivery transformation and innovation activities as well as to meet the challenges of the evolving privacy environment that is being driven by rapid technological change.

Privacy Act Modernization

ESDC has been working closely with officials from the Department of Justice on its Privacy Act modernization initiative. This law reform process presents a unique opportunity for ESDC to share issues and exchange ideas on potential solutions. As part of these activities during the 2018 to 2019 fiscal year, ESDC completed an internal consultation that specifically focused on the Act’s influence on the design and delivery of its programs and services. The findings and recommendations were subsequently shared with the Department of Justice. Of note, the exercise indicated that privacy awareness has grown within the Department in recent years and that a strong privacy ethos — of the need to meet the obligations to respect privacy and safeguarding personal information — is a core value for ESDC’s employees.

Department of Employment and Social Development Act amendments

On June 21, 2018, the Department of Employment and Social Development Act was amended to broaden the Department’s mandate to include service delivery to the public with a view to improving services to Canadians. These changes provide the Department with the authorities to support the Government in improving the way services are available and accessed by Canadians and include, among other provisions, the legislative authority to deliver services to the public for partners including other federal institutions and jurisdictions on a cost-recovery basis and deliver select services for the Government of Canada. The amendments provide that, in these service delivery relationships, the personal information provisions set out in Part 4 of the Department of Employment and Social Development Act do not apply to partners when the information is shared with them. The partner’s privacy regime (normally the Privacy Act for federal partners) will govern their use of the information. As a service delivery partner, ESDC is restricted in using personal information for administering the partner’s program, for research and statistical purposes and for disclosure in the public interest. As such, the information cannot be used or disclosed for administering ESDC’s own programs.

Privacy governance review

A privacy governance review was completed during the 2018 to 2019 fiscal year. ESDC launched the examination of its privacy governance architecture and mechanisms to ensure that the Department would be able to respond to the evolving nature of, and risks to, the use of personal information resulting from the advances in technology and the increased use of data. The Department also wanted to ensure that its privacy governance mechanisms were positioned to support its transformation and innovation initiatives.

The review confirmed a shift in focus from only a privacy and security perspective to one that would complement the management of personal information with the implementation of ESDC’s Data Strategy. It also resulted in the establishment of the Data and Privacy Committee to oversee the stewardship and management of data and the protection of personal information across the Department. In addition to changes to the committee structure, the review recommended the creation of a new framework for ESDC’s privacy approval processes and strengthened risk assessments and oversight.

With these changes, the Department intends to realize the goal of managing data to maximize its value to Canadians while ensuring that their personal information is protected. It is supporting an organizational culture where privacy rights are proactively respected when data is leveraged for service delivery, analysis and decision-making. This means:

• promoting and sustaining an integrated approach to privacy, IT security and data management;
• overseeing the development and implementation of risk control frameworks for the management of personal information that are modernized and coordinated; and
• providing strategic advice that includes the early identification and analysis of privacy trends and emerging risks.

Privacy management service vision and roadmap

During the 2018 to 2019 fiscal year, ESDC introduced a new service vision for its privacy management function along with a multi-year roadmap for its implementation. Developed in response to the rapidly changing privacy environment and in support of the Department’s transformation and innovation initiatives, the vision articulates the creation of a privacy management regime that safeguards personal information and sustains robust privacy risk management processes while helping the Department achieve its mandate and objectives. Privacy management controls and risk management process will become more rigorous. At the same time, privacy analysis and advice will become more pragmatic and nuanced by taking into account the nature and scale of potential risks and threat and the level of organizational risk tolerance.

As part of the implementation of the Roadmap, the Privacy Management Division (PMD) has introduced a new suite of diagnostic and analytical tools to prepare privacy assessments that are tailored to the project or activity that is being supported. Additional initiatives are focused on supporting the Data Strategy such as developing privacy requirements for data matching, automated processes and artificial intelligence activities.

Organizational changes took place during the 2018 to 2019 fiscal year to create a single privacy policy centre within the Department, resulting in the integration of privacy analysis across functions. The Incident Management and Legislative Disclosures team, once part of ATIP Operations Division, is now operating within PMD. The privacy review of policy analysis, research and evaluation projects involving personal information, previously conducted by ESDC’s Evaluation Directorate, is also now being led by PMD. ESDC anticipates that these adjustments will result in better privacy advice and service to internal clients as well as strengthened privacy risk identification, assessment and monitoring through the consolidation of these functions within PMD.

Privacy Impact Assessments

In accordance with the Treasury Board’s Directive on Privacy Impact Assessments, ESDC is required to conduct a privacy impact assessment before establishing any new or substantially modified program or activity involving the administrative use of personal information. Among a privacy impact assessment’s purposes, the identification and assessment of risks to privacy and the articulation of a risk mitigation plan are the most important.

During the 2018 to 2019 fiscal year, ESDC completed five privacy impact assessments. Copies of these approved privacy impact assessment reports were provided to the Treasury Board Secretariat, and to the Office of the Privacy Commissioner. Summaries of these assessments can be found in Annex B. This information has been posted on the Privacy impact assessments. In addition, summaries of completed privacy impact assessments from the previous 2 fiscal years were posted on the ESDC website in winter 2018.

Provision of privacy advice and guidance

In addition to privacy impact assessments, the Privacy Management Division (PMD) provided privacy advice and undertook privacy compliance reviews for departmental programs and initiatives. The Division responded to 365 requests for privacy policy advice and compliance reviews on various products and material such as consent forms, privacy notice statements, contracts, statements of work, forms, and surveys and questionnaires. The Division also provided privacy policy advice for several Treasury Board submissions and Memoranda to Cabinet.

Information Sharing Agreements involving personal information

An information sharing agreement (ISA) is a written arrangement between parties that outlines the terms and conditions under which personal information is shared between them. Part 4 of the Department of Employment and Social Development Act sets out the provisions for the sharing of personal information under limited and specific circumstances. During the 2017 to 2018 fiscal year, the Privacy Management Division (PMD) provided advice and guidance to program areas on 66 ISAs.

Privacy breaches

During the 2018 to 2019 fiscal year, the Privacy Management Division (PMD) developed a Privacy Breach rating tool to enhance the consistency around the rating of material privacy breaches. This tool aligns with the Treasury Board definitions of breach and material breach and provides analysts with a more objective score with which to rate the impact of privacy breaches.

6. Performance reporting

The following section provides key statistics and information on Employment and Social Development Canada‘s (ESDC) accomplishments in the previous 3 fiscal years and how the Department contributed to the Government’s agenda in terms of Access to Information and Privacy. Figures 3 through 5 display a 4-year comparison to highlight performance trends as well as Access to Information Act and the Privacy Act integration. Detailed Statistical Reports for both Acts are found in Annex C.

Requests and consultations: Total volume

During the 2018 to 2019 fiscal year, ESDC experienced a sizeable increase (29.8%) in combined access to information, privacy and consultation requests, going from 11,049 requests in the 2017 to 2018 fiscal year to 14,347 in the 2018 to 2019 reporting period.

Text description for Figure 3

Year	Received
2015-2016	10,113
2016-2017	10,814
2017-2018	11,049
2018-2019	14,347

During the 2018 to 2019 fiscal year, although access to information requests decreased slightly, Privacy Act access requests increased and have done so since the 2015 to 2016 reporting period.

* Table note: Includes exceptionally large requests containing a very high number of fully released pages

The Privacy Commissioner is an Officer of Parliament who receives and independently investigates complaints from requesters who believe that government institutions have not respected their rights under the Act. The Commissioner reports findings and may make recommendations. As demonstrated in Figure 5, 9 complaints were made to the Privacy Commissioner during the 2018 to 2019 fiscal year, a decrease from last year when 29 complaints were made.

Total requests received and completed

To efficiently reduce backlog, ATIP Operations (ATIP Ops) designed a strategy that included the redistribution of dedicated resources to manage older voluminous files and complaints. This backlog strategy has allowed the Department to complete 100 files over the volume received during the 2018 to 2019 fiscal year (1,409 requests received and – please refer to figure 6).

Access to Information Act

During the 2018 to 2019 fiscal year, ESDC received 1,409 requests under the Access to Information Act, a 27% decrease from the previous fiscal year when the Department received 1,942 requests. This is the second time in recent years that ESDC has observed a decrease in the number of requests received. This decrease can be explained, in part, by new business processes, which convert, with the consent of the client, erroneously submitted Access to Information Act requests into more accurate Privacy Act access requests.

Text description for Figure 6

Year	Received	Completed
2015-2016	1,572	1,439
2016-2017	2,268	2,276
2017-2018	1,942	1,899
2018-2019	1,409	1,509

Privacy Act

Historically, ESDC would informally process various “simple” privacy requests in instances when requesters did not specify the Privacy Act as part of their requests. This practice was intended to reduce the administrative burden for both ESDC and the requestor. While the approach was effective, it unintentionally limited the requestor’s rights to complain to the Office of the Privacy Commissioner. To address this issue, ESDC initiated a new approach where informal requests are increasingly being treated as formal. Largely due to this new approach, ESDC received during the 2018 to 2019 fiscal year, 12,678 requests under the Privacy Act, a 43% increase from the previous fiscal year, when the Department received 8,852 requests.

Text description for Figure 7

Year	Received	Completed
2015-2016	8,353	8,240
2016-2017	8,353	8,510
2017-2018	8,852	8,817
2018-2019	12,678	12,260

Requests by calendar days taken to complete

Access to Information Act

During the 2018 to 2019 fiscal year, ESDC processed 57.4% (866) of all requests (1,509) completed under the Access to Information Act within the first 30 days of receipt, similar to last year when ESDC processed 56.9% (1,081) of all requests (1,899) under the Act within 30 days.

Text description of Figure 8

Year	30 Calendar Days	31-60 Calendar Days	61 or more Calendar  Days
2015 to 2016	787 (55%)	352 (24%)	300 (21%)
2016 to 2017	1,200 (53%)	516 (23%)	560 (24%)
2017 to 2018	1,081 (57%)	371 (19%)	447 (24%)
2018 to 2019	866 (57%)	232 (16%)	411 (27%)

Privacy Act

During the 2018 to 2019 fiscal year, ESDC processed 96% (11,832) of all requests (12,260) completed under the Privacy Act within the first 30 days of receipt, similar to last year when ESDC processed 97% (8,595) of all requests (8,817) under the Act within the first 30 days of receipt. It should be noted that the Department received 3,443 more requests than last fiscal year.

Text description of Figure 9

Year	30 Calendar Days	31-60 Calendar Days	61 or more Calendar  Days
2015 to 2016	7,169 (87%)	999 (12%)	72 (1%)
2016 to 2017	8,234 (97%)	252 (3%)	24 (0%)
2017 to 2018	8,595 (97%)	179 (2%)	43 (1%)
2018 to 2019	11,832 (96%)	370 (3%)	58 (1%)

Timeframes

Access to Information Act

During the 2018 to 2019 fiscal year, the Department met legislated timelines for 1,305 requests under the Access to Information Act, the majority of which were completed within legislated timeframes with a compliance rate of 87%. This represents an increase of 4 percentage points compared to the Department’s 2017 to 2018 compliance rate (83%).

Institutions may apply for an extension beyond the original 30-day statutory timeframe in cases where meeting the statutory date is not feasible due to the volume of pages to be processed; where consultation is required that could not reasonably be conducted within the initial 30 days or; where notice is given to a third party. During the 2018 to 2019 fiscal year, ESDC requested 508 extensions.

ESDC was unable to meet legislated timelines for 204 requests during the fiscal year, an improvement from the previous year where 332 requests did not meet the legislative timelines.

Text description of Figure 10

Year	Within	Beyond
2015 to 2016	82%	18%
2016 to 2017	77%	23%
2017 to 2018	83%	17%
2018 to 2019	87%	13%

Privacy Act

During the 2018 to 2019 fiscal year, ESDC met legislated timelines for 12,137 requests, which represents a 99% compliance rate, which was similar to the previous fiscal year. ESDC was unable to meet legislated timelines for 123 requests during the fiscal year, which represents a non-compliance rate of 1%.

Institutions may apply for an extension beyond the original 30-day statutory timeframe in cases where meeting the statutory date is not feasible due to the volume of pages to be processed; where consultation is required that could not reasonably be conducted within the initial 30 days or; for translation purposes or to convert a record to another format. During the 2018 to 2019 fiscal year, ESDC requested 128 extensions. This represents an increase from last fiscal year, when ESDC requested 76 extensions.

Text description of Figure 11

Year	Within	Beyond
2015 to 2016	98%	2%
2016 to 2017	99%	1%
2017 to 2018	99%	1%
2018 to 2019	99%	1%

Timeframe Monitoring

Access to Information Act

Except in certain circumstances, which allow for extensions, the Access to Information Act contains a statutory timeline of 30 calendar days (about 20 working days) to provide responses to requests. Given the legislated timeframes and ESDC’s commitment to respecting both the letter and spirit of the Access to Information Act, the Department established a process and defined responsibilities as outlined in figure 12.

ESDC’s Timeframe Monitoring – Goal-based Strategies to respect ESDC’s Process and commitments

Figure 12: Roles and Responsibilities and description

• Retrieval of Relevant Records and Formulation of Recommendations: Once a request is received, it is tasked to the relevant Branches and/or regions, the Offices of Primary Interest (OPI). The OPIs have 8 working days to retrieve all responsive records and present them, along with any recommendations, to ATIP Ops.
• Line-by-line Review of the Responsive Records: ATIP Ops has 8 working days to complete a thorough line-by-line review of the records and to invoke any applicable exemptions and/or exclusions.
• Advance Release Notice: Key stakeholders receive a notification that the release package has been posted electronically on a secure internal web site at least 4 working days prior to the scheduled release date. This mechanism allows all implicated parties to provide final comments prior to release.

In support of timeframe monitoring, ATIP Operations provides a weekly report to senior management and ministerial level. Additionally, a quarterly report capturing key ATIP processing performance indicators is also shared with senior management; including, all Deputy Ministers, and the Assistant Deputy Ministers. These improvements position Branches and regions to be more proactive in the monitoring of tasked access to information requests.

Privacy Act

ESDC’s regional offices manage the majority of the privacy request workload and prepare weekly reports concerning new requests, workload and status for the tracking of on-time performance for privacy requests. Regional offices also produce performance reports on a monthly, quarterly and yearly basis.

Pages Processed and Disclosed

Access to Information Act

During the 2018 to 2019 fiscal year, the Department experienced an 87.8% year-over-year decrease^{Footnote 6} in terms of total number of pages of documents processed and disclosed for requests under the Access to Information Act (please refer to Figure 13). This decrease can be explained, in part, by ESDC receiving during the 2017 to 2018 reporting period a single dataset request containing 774,731 pages.

Text description of Figure 13

Year	Processed	Disclosed
2015 to 2016	257,249	216,929
2016 to 2017	438,368	410,089
2017 to 2018	970,992	943,669
2018 to 2019	118,818	94,115

Privacy Act

The total number of pages processed and disclosed for privacy requests increased during the 2018 to 2019 fiscal year. During this reporting period, 979,247 pages were processed for exemptions and exclusions, which represents an increase of 23% from the previous fiscal year when 796,436 pages were processed. A total of 934,672 pages were disclosed, which is an increase from the previous year when 771,256 pages were disclosed.

Text description of Figure 14

Year	Processed	Disclosed
2015 to 2016	789,762	740,582
2016 to 2017	818,954	769,173
2017 to 2018	798,436	771,256
2018 to 2019	979,247	934,672

Sources of requests under the Access to Information Act

During the 2018 to 2019 fiscal year, the most common source of requests under the Access to Information Act was from media (429), followed by the general public (350) and business/private sector (332). This trend continued from the previous fiscal year where media was the main source of requesters. Lists of briefing notes and briefing note documentation have been the most common type of departmental material requested.

Exemptions and Exclusions

ESDC is one of the largest holders of personal information in the Government of Canada, which affects the frequency in which exemptions and exclusions are applied under the Access to Information and Privacy Acts.

Access to Information Act

Exemptions

The Access to Information Act allows, and in some instances requires, that information relating to the internal decision-making processes of government, national security, law enforcement or trade secrets be exempted and not released.

The following table (Figure 16) outlines the most frequently invoked exemptions during the past 4 fiscal years. Due to the nature of ESDC’s mandate, most of the information under the Department’s control contains personal information about individuals and must be withheld under the mandatory exemptions set out in section 19 (Personal information) unless certain conditions are met. Although section 21 (Advice) was not the most frequently applied exemption for the 2018 to 2019 fiscal year, it continued to represent an important percentage of the total and was applied in 304 instances.

*Figures are rounded for readability purposes

Exclusions

The Access to Information Act does not apply to information that is already publicly available, such as government publications (section 68), and confidences of the Queen’s Privy Council for Canada (section 69), which require consultation with the Department of Justice. During the 2018 to 2019 fiscal year, ESDC excluded records based on section 69 for 108 requests.

Privacy Act

Exemptions

The Privacy Act recognizes that individuals value their privacy and the protection of their personal information, and that this protection is an essential element in maintaining public trust in government. Although the Privacy Act provides individuals with an enforceable right of access to their personal information, there are instances, where certain limited and specific exemptions can be applied.

Due to the nature of ESDC’s mandate and its personal information holdings, the exemption under the Privacy Act that was applied most frequently is section 26, which protects personal information about another individual as defined by section 3 of the Privacy Act. This exemption occurred in 8,082 instances of completed requests during the 2018 to 2019 fiscal year. This represents an increase of 2,184 instances when compared to last fiscal year.

Exclusions

The Privacy Act allows for the exclusion of certain types of information such as records that are already available to the public (section 69) and confidences of the Queen’s Privy Council for Canada (section 70). During the 2018 to 2019 fiscal year, ESDC did not exclude any records for requests under the Privacy Act.

Consultations received from other government of Canada institutions and other organizations

Access to Information Act

During the 2018 to 2019 fiscal year, ESDC received 222 external consultation requests, which originated from other Government of Canada institutions and other organizations, that required a review of an additional 15,299 pages. This represents a slight increase from the previous 2 fiscal years when ESDC received 220 requests for external consultations and reviewed an additional 11,567 pages.

The Department closed 223 requests^{Footnote 7} for consultations of which 141 (63%) were completed within 30 days. Nearly 3 quarters of those completed (163) resulted in a recommendation to disclose the records in their entirety and 44 (20%) recommended to disclose in part.

Privacy Act

ESDC received 38 external consultation requests during the 2018 to 2019 fiscal year, which originated from Government of Canada institutions and other organizations, requiring an additional review of 1,549 pages. This represents a decrease from the previous fiscal year when ESDC reviewed 5,355 pages.

The Department closed 36 requests for consultations, all of which were completed within 30 days. Of the 36 requests for consultation, 5 (14%) resulted in a recommendation to disclose the records entirely and 31 (86%) recommended that the consulting institution or organization disclose the information in part.

Requests for the correction of personal information under the Privacy Act

Under the Privacy Act, individuals have a right to request the correction of erroneous personal information pertaining to them that is retained by a government institution, provided that the individual can adequately substantiate the request. ESDC accepted one request for correction of personal information during the 2018 to 2019 fiscal year.

Reporting on Access to Information fees for the purposes of the Service Fees Act

In 2017, the Government of Canada introduced the Service Fees Act, which replaced the User Fees Act. All government Departments and Agencies that charge fees for services are subject to this legislation, including ESDC.

The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution. Consistent with Treasury Board policy, fees charged pursuant to the Access to Information Act are to be reported in the Access to Information Annual Report. Consequently, ESDC is reporting these fees in this consolidated report.

With respect to fees collected under the Access to Information Act, the information is reported in accordance with the requirements of section 20 of the Service Fees Act.

General fees information

Figure 19 provides information on fees for processing requests filed under the Access to Information Act, including:

• Fee-setting authority
  • Access to Information Act
• Fee Amount
  • $5
• Service standard
  • Response provided within 30 days following receipt of request; the response time may be extended pursuant to section 9 of the Access to Information Act. Notice of extension is to be sent within 30 days after receipt of the request.
• Performance results
  • Total requests received: 1,409
  • Total requests completed: 1,509^{Footnote 8}
  • Requests responded to within 30 days: 1,305
  • Requests completed within prescribed time limits of extensions: 508
  • Requests responded to after deadline: 204
  • Statutory deadline met 87% of the time
• Other information
  • In accordance with the Interim Directive on the Administration of the Access to Information Act, issued on May 5, 2016, ESDC waives all fees prescribed by the Act and Regulations, other than the $5 application fee set out in paragraph 7(1)(a) of the Regulations.

Figure 20: Financial information (dollars)

• 2017 to 2018 Revenue:
  • $ 7,180.00
• 2018 to 2019 Revenue:
  • $ 5,360.00*
• 2018 to 2019 Total cost of operating the program^{Footnote 9}:
  • $1,521,865.00
• 2018 to 2019 Remissions^{Footnote 10}:
  • $ 1,455.00

*Based on total requests received during the 2018 to 2019 fiscal year minus remissions

7. Complaints, investigations and court actions

Access to Information Act

During the 2018 to 2019 reporting period, the Department was notified by the Office of the Information Commissioner (OIC) of 35 access complaints, which represents 2.5% of all Access to Information requests received (1,409). The Department received findings on 25 complaints. There were no court actions during the reporting period. Please refer to Figure 21 for more information.

Employment and Social Development Canada (ESDC) received 2 complaints pursuant to subsection 35(2) of the Access to Information Act (ATIA). These complaints related to the Department’s use of subsection 10(2) of the ATIA, which allows an institution to neither, confirm nor deny the existence of a record in response to an access request. As of March 31, 2019, a decision from the Office of the Information Commissioner was still pending; the findings of these investigations will therefore be reported during the 2019 to 2020 fiscal year.

Privacy Act

During the 2018 to 2019 reporting period, the Department was formally notified by the Office of the Privacy Commissioner of 9 privacy complaints. Compared to the hundreds of millions of transactions conducted by ESDC over the span of a year, the number of complaints is statistically small. Of the investigation results received during the 2018 to 2019 fiscal year, 8 were determined to be well-founded; however, the Office of the Privacy Commissioner did not make any recommendations. There were no court actions during the reporting period.

Note: The total number of notifications of complaints received and the total number of investigations with findings received will not necessarily be the same in a given fiscal year. Investigations could relate to complaints that were received by the Office of the Privacy Commissioner in a fiscal year prior to the 2018 to 2019 reporting period.

8. Internal audits

Access to Information-related audits

Audit of the Access to Information process

In 2016, Employment and Social Development Canada (ESDC) undertook an internal audit on the administration of access to information. While the audit concluded ESDC’s access to information function complies with the Access to Information Act (ATIA), opportunities were identified to (i) improve oversight, (ii) address timeliness of responses and skills shortages, (iii) enhance data integrity, and (iv) address training gaps and modernization efforts as a means to increase compliance and respond to access to information requests in a more efficient manner.

Over the past 2 and a half years, ATIP Operations (ATIP Ops) has actively followed up on the first 3 audit recommendations, actively engaging ESDC senior management, increasing ATIP capacity, and taking steps to ensure complete and accurate performance reporting. During fiscal year 2018 to 2019, the focus was on pursuing training gaps and modernization efforts to further increase compliance and efficient ATI request processing.

ATIA training was provided to 27 departmental Liaison Officers (LOs) and a number of observers. ATIP junior analysts also received training as part of a professional development program. During the 2018 to 2019 fiscal year, several ATIA awareness-training sessions were also given to ESDC staff (Refer to Chapter 11). The sessions were also leveraged to inform participants of Bill C-58 – An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts’ proactive disclosure requirements.

Throughout the fiscal year, ATIP Ops worked closely with the College@ESDC to explore options for providing widely available training and learning material that supports ESDC employees in applying the ATIA (for example, recognizing cabinet confidences), supporting the new proactive disclosure requirements with an emphasis on protecting and safeguarding the release of sensitive information.

Going forward, ATIP Ops will work with its departmental partners, to finalize a learning proposal and will pursue short, medium and long-term (for example, e-learning) solutions in support of access to information and proactive publication activities. As a strategy, ATIP Ops will seek opportunities to leverage existing departmental initiatives and training to increase employee awareness of ATIP.

As a result of these undertakings, all internal audit recommendations have been addressed and are now considered complete.

Privacy-related Audits

Through its audit plan, ESDC continued to address the management of risks to privacy and the safeguarding of personal information with targeted examinations. During the 2018 to 2019 fiscal year, the Privacy Management Division (PMD) was involved in the following audit:

Audit of the Management and Implementation of Select Privacy Impact Assessments

This audit identified the requirement to improve privacy impact assessment controls to achieve the thorough identification and consistent assessment of risks to personal information via the assessment process. It also noted that the Department needed to follow-up on the mitigation activities established in the individual assessments. The audit provided 3 recommendations:

• the Department should assign to the Chief Privacy Officer the responsibility and accountability to complete sound privacy analyses, thorough identification and consistent assessment of privacy risks found in the Department’s privacy impact assessments;
• the Chief Privacy Officer should include privacy risks identified in IT security assessments in privacy impact assessments and monitor that they are mitigated with activities commensurate with the risk identified; and
• the Chief Privacy Officer should be responsible for following-up on mitigation activities to verify if they are implemented as documented in the privacy impact assessments.

The Chief Privacy Officer accepted the recommendations and developed a management action plan. The Privacy Management Division (PMD) is working with the Internal Audit Services Branch to implement the audit recommendations. It is anticipated that full implementation will be achieved during the 2019 to 2020 fiscal year.

9. Public interest disclosures

In accordance with section 8(2) of the Privacy Act, Part 4 of the Department of Employment and Social Development Act takes precedence over the Privacy Act concerning the use and disclosure of personal information. Employment and Social Development Canada’s (ESDC) disclosures in the public interest are not made under section 8(2)(m) of the Privacy Act, but under section 37(1) of the Department of Employment and Social Development Act. This section states that personal information may be disclosed “…if the Minister is of the opinion that the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or that disclosure would clearly benefit the individual to whom the information relates.” As with public interest disclosures under the Privacy Act, public interest disclosures made under the Department of Employment and Social Development Act are also reported to the Office of the Privacy Commissioner (OPC).

During the 2018 to 2019 fiscal year, the Department approved the disclosure of personal information in the public interest in 261 instances. The Department processed 228 public interest disclosures in the regions, which involved individuals who were threatening to harm themselves or others. In instances where there is an imminent threat to the safety and security of individuals, regional employees have the delegated authority to make the disclosures. Given the urgency of these situations, the OPC is informed after the disclosure is made.

Privacy Management Division (PMD) approved the disclosure of personal information in an additional 33 cases. Of the 33 cases, the OPC was informed prior to the disclosure in 24 instances (verbally with a follow up letter, or by letter only), and by letter after the disclosure in 9 occasions.

10. Material privacy breaches

A privacy breach refers to the improper or unauthorized collection, use, disclosure, retention or disposal of personal information. According to the Treasury Board Secretariat, “a material privacy breach has the highest risk impact and is defined as involving sensitive personal information; and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals”.

Because of the scope and breadth of Employment and Social Development Canada’s (ESDC) mandate, the Department has one of the largest personal information holdings in the Government of Canada. For some ESDC programs, detailed and often sensitive personal information is needed to determine program eligibility or to receive benefits and services. Personal information is handled by a large number of employees to deliver services across the country by using ESDC’s numerous IT systems and databases. Moreover, the personal information held by the Department is sought by, and disclosed to, a large number of partners and stakeholders for many purposes, including the delivery of their programs, the determination of the eligibility for federal and provincial programs and benefits, the authentication of individuals, identity management, research and statistics, integrity operations, performance management, and legal proceedings. In short, the magnitude and complexity of ESDC’s personal information management responsibilities are considerable, and are characterized by millions of transactions that involve personal information every year.

During the 2018 to 2019 fiscal year, there were 74 material breaches representing a 42% decrease compared to 128 breaches in the 2017 to 2018 fiscal year (please refer to Figure 23). These breaches were the result of operational processes such as information lost in transit in the postal system. Compared to the hundreds of millions of transactions conducted by ESDC over the span of a year, the incident rate is, statistically, very small.

Over the last 3 years, additional time and resources have been invested to foster a privacy-aware organization through formal privacy training and awareness activities. The Department continues to explore ways to reduce the number of breaches. For example, during the 2018 to 2019 fiscal year, the Canada Student Loans Program implemented an “e-delivery” model for its Master Student Financial Assistance Agreement that resulted in enhanced self-service capabilities for full-time students. In the first phase of enhancements, identity verification, as well as document signing and submission became possible to perform online. This eliminated the need to send paper documentation by mail, thereby, significantly reducing the risk of misdirected and lost documents and was consequently the largest influence on the reduction of material privacy breaches during the 2018 to 2019 fiscal year.

11. Training and awareness activities

Privacy and Access to Information training

Employment and Social Development Canada (ESDC) has a comprehensive and mandatory online training strategy to increase knowledge of, and raise awareness about the stewardship of information, which includes the management and safeguarding of personal information. As part of the Department’s commitment to maintain the security of its systems and to protect the personal information of its clients and colleagues, all ESDC employees are required to maintain valid certification in Stewardship of Information and Workplace Behaviours (SIWB). Launched in 2014, and updated in 2016, SIWB addresses access to information, information management, security, and values and ethics in addition to the management of personal information.

SIWB certification is valid for 2 years and must be maintained by all departmental employees. In total, 2,391 employees (which include students, casuals, terms and indeterminate staff) successfully completed the course by the end of the 2018 to 2019 fiscal year. Of the 21,568 employees registered in ESDC’s online training system, 19,084 or 88.5%, retained a valid certification at the end of the fiscal year and represents a 4% increase over the 2017 to 2018 reporting period. ESDC will follow-up with the remaining employees on acquiring their certification.

In addition, the online training module, Privacy and Access to Information – It’s Everybody’s Business, has trained 12,265 employees since the 2014 to 2015 fiscal year, including 3,152 employees during the reporting period.

In addition to online training and certification, ESDC undertook a number of in-person and WebEx training sessions and activities. Since the 2014 to 2015 fiscal year, the Department delivered 214 in-person sessions to 6,148 employees. During the 2018 to 2019 fiscal year, ESDC delivered 29 in-person sessions to 817 employees.

Text description of Figure 24

Year	Stewardship of Information and Effective Workplace Behaviours	Privacy and Access to Information – It’s Everybody’s Business
2015 to 2016	1,678	1,742
2016 to 2017	2,251	2,364
2017 to 2018	20,613	3,651
2018 to 2019	2,391	3,152

Text description of Figure 25

Year	Training Sessions	Employees Trained
2015 to 2016	48	1,131
2016 to 2017	59	963
2017 to 2018	35	1,467
2018 to 2019	29	817

Access to Information awareness

As previously noted, training was a priority focus for ATIP Operations (ATIP Ops) during the 2018 to 2019 fiscal year. In terms of training to non-ATIP officials, 15 training sessions were held in the National Capital Region, consisting of 199 participants, while another 3 sessions were held in the regions with 45 participants. ATIP Ops is working to improve its capacity to offer training sessions with the intention of increasing the number of sessions held during the 2019 to 2020 fiscal year. ATIP Ops also engaged with individual Branches and regions within ESDC (for example, providing presentations to senior executives) to raise awareness on the requirements of Bill C-58 – An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts and its implications for the Department’s proactive disclosure and Access to Information activities.

Privacy awareness

Throughout the 2018 to 2019 reporting period, the Department continued to promote practical, easy to understand, and readily available privacy-related information and guidance to employees to reinforce the application of appropriate privacy and personal information safeguarding practices. This included organizing various privacy-themed information events such as Privacy Awareness Week during May 2018, a Data Privacy Day in January 2019, and a series of specialized knowledge talks. During Privacy Awareness Week, information kiosks were set up and staffed, and hundreds of information pamphlets and brochures, which were developed by the Department, and by the Office of the Privacy Commissioner, were distributed to ESDC staff.

12. Moving forward

With respect to the management of the access to information function, Employment and Social Development Canada (ESDC) recognizes the value of its previous year investments; in particular, those made in the area of capacity building, including: recruitment and skills development. During the 2019 to 2020 fiscal year, the Department will continue to pursue training strategies to increase knowledge of Access to Information Act requirements across the Department as well as pursue opportunities to leverage technology, systems and tools to continue improving access to information processing timelines. The Access to Information and Privacy Operations Division (ATIP Ops) will also continue to work with ESDC Branches and regions to raise awareness and ensure compliance with the requirements of Bill C-58 – An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts.

In terms of personal information management priorities, during the 2019 to 2020 fiscal year, ESDC will continue to support current privacy legislative and policy reform activities, implement changes resulting from the Department’s privacy governance review, work towards realizing the Privacy Management Service Vision and actively support service transformation activities.

Annex A: Delegation orders

Access to Information Act and regulations: Delegation of Authority Department of Employment and Social Development

The Minister of Employment and Social Development, pursuant to section 11 of the Department of Employment and Social Development Act, hereby designates the persons, officers or employees holding the positions with Employment and Social Development set out in the schedules attached hereto, or the persons, officers or employees occupying on an acting basis those positions, to exercise the powers or perform the duties or functions of the Minister or to exercise or perform the powers, duties or function of the head of the institution, as specified in the attached schedules.

• Access to Information Act
• Privacy Act

Original signed June 22, 2017 by the Honourable Jean-Yves Duclos, Minister of Employment and Social Development

Privacy Act and regulations: Delegation of Authority, Department of Employment and Social Development

The Minister of Employment and Social Development, pursuant to section 11 of the Department of Employment and Social Development Act, hereby designates the persons, officers or employees holding the positions with Employment and Social Development set out in the schedules attached hereto, or the persons, officers or employees occupying on an acting basis those positions, to exercise the powers or perform the duties or functions of the Minister or to exercise or perform the powers, duties or function of the head of the institution, as specified in the attached schedules.

• Access to Information Act
• Privacy Act

Original signed June 22, 2017 by the Honourable Jean-Yves Duclos, Minister of Employment and Social Development

Annex B: Summaries of Completed Privacy Impact Assessments

ESDC completed 5 Privacy Impact Assessments (PIAs) over the course of this past fiscal year, the summaries of which are found in the subsequent paragraphs. This information has also been posted on the Department’s web site at the following address: https://www.canada.ca/en/employment-social-development/corporate/transparency/access-information/reports/pia.html.

Service Canada’s Role in Temporary Foreign Worker Program (TFWP) and International Mobility Program (IMP) Investigations

The Temporary Foreign Worker Program assists employers in filling their acute labour shortages on a temporary and limited basis when qualified Canadians and permanent residents are not available. ESDC, Immigration Refugees and Citizenship Canada (IRCC), and the Canada Border Services Agency, jointly manage the TFWP. The Program aims to improve the Government of Canada's capacity to conduct integrity investigations to detect misuse and reduce the potential of abuse of foreign workers. This PIA was completed to address the transition to a new IT system, which represented a substantial modification to program operations and changed the way personal information was processed. The PIA focused on the required amendments to the current information sharing agreement between ESDC and IRCC, and the changes to the interface of the new case management system.

Education Savings Referral Service

The Government of Canada encourages Canadians to use Registered Education Savings Plan (RESP) to save for a child’s post-secondary education. The Education Savings Referral Service (ESRS) will enable Ontario’s parents of newborn children to provide consent to be contacted by an RESP promoter to learn about, and perhaps start, the process to open an RESP and request the education saving incentives. This PIA was completed since the Referral Service represents a new collection, use and disclosure of personal information. The ESRS is intended to ease access to the savings incentives. This PIA focused on the exchange of personal information with the province of Ontario and on the collection, use, and disclosure of personal information.

Death Abroad Data Exchange Initiative

The Death Abroad Data Exchange (DADE) initiative facilitates ESDC’s timely suspension and termination of the Canada Pension Plan and Old Age Security benefit payments to beneficiaries who lived outside of Canada upon their death. This initiative, in conjunction with the Netherlands, addresses the issue of overpayments, which can be difficult to recover from the deceased beneficiaries’ estate or appointed representative. This PIA was completed to identify the privacy risks, as personal information will be used for an administrative purpose. This PIA focused on the legal authorities to conduct the information sharing agreement (ISA) between the Department and The Netherlands, the method of exchange of personal information, data matches and the date flow and processes associated with the implementation of the DADE initiative. The assessment is intended to be used as a basis for future ISAs concluded with different partners under the DADE initiative and will be amended or updated as new ISAs are negotiated.

The Exchange of Information between ESDC and British Columbia’s Ministry of Social Development and Poverty Reduction

The Exchange of Information between ESDC and British Columbia’s Ministry of Social Development and Poverty Reduction allows the exchange of personal information between British Columbia and ESDC that will result in improving the administration of the provincial Social Assistance and Supplement Programs such as the Income and Disability Assistance Programs and the Bus Pass Program. This PIA was completed as personal information from ESDC will be used by British Columbia as part of the decision-making process that will directly affect individuals. This PIA focused on the exchange of Canada Pension Plan (CPP)/Old Age Security (OAS) information to determine eligibility and entitlement to the British Columbia provincial programs. The PIA also examined the information technology systems required for the data match and the information exchange process.

Information Sharing Agreement between ESDC and Department of Justice

The information sharing agreement between ESDC and the Department of Justice allows the latter to receive specific personal information from 2 additional ESDC databases. The personal information is shared to assist in locating certain persons who are in default of family support orders or who are in violation of custody or access rights. This PIA was completed for this information exchange given that it represents a substantial modification to an existing activity where personal information is used or intended to be used for an administrative purpose. This PIA focused on the privacy risks associated with the sharing of information on matches to certain databases with the Department of Justice for the purposes of administering The Family Orders and Agreements Enforcement Assistance Act.

Annex C: Statistical reports

Statistical report on the Access to Information Act

Name of institution: Employment and Social Development Canada

Reporting period: 2018-04-01 to 2019-03-31

Part 1: Requests under the Access to Information Act

Part 2: Requests closed during the reporting period

2.5 Complexity

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline

• Number of requests closed past the statutory deadline = 204
• Principal reason
  • Workload = 91
  • External consultation = 38
  • Internal consultation = 4
  • Other = 71

Part 3: Extensions

Part 4: Fees

Part 5: Consultations received from other institutions and organizations

Part 6: Completion time of consultations on cabinet confidences

Part 7: Complaints and investigations notices received

• Section 32 = 35
• Section 35 = 59
• Section 37 = 25
• Total = 119

Part 8: Court action

• Section 41 = 0
• Section 42 = 0
• Section 44 = 0
• Total = 0

Part 9: Resources related to the Access to Information Act

New reporting requirement

Statistical Report on the Privacy Act

Name of institution: Employment and Social Development Canada

Reporting period: 2018-04-01 to 2019-03-31

Part 1: Requests under the Privacy Act

Part 2: Requests closed during the reporting period