Annual Report on the administration of the Privacy Act
On this page
- Executive summary
- 1. Introduction
- 2. Organizational structure
- 3. The Privacy Management framework and Privacy Governance in ESDC
- 4. Delegations
- 5. Privacy activities and initiatives
- 6. Performance reporting
- Requests and consultations: total volume
- Total requests received and completed
- Requests by calendar days taken to complete
- Timeframes
- Timeframe monitoring
- Pages processed and disclosed
- Exemptions and exclusions
- Consultations received from other Government of Canada Institutions and other organizations
- Requests for the correction of personal information under the Privacy Act
- 7. Complaints, Investigations and Court Actions
- 8. Internal Privacy-related audits
- 9. Public Interest Disclosures
- 10. Material privacy breaches
- 11. Training and awareness activities
- Annex A: Delegation orders
- Annex B: Summaries of completed Privacy Impact Assessments
- Annex C: Statistical reports
Alternate formats
Annual Report on the administration of the Privacy Act [PDF - 2.53 MB]
Large print, braille, MP3 (audio), e-text and DAISY formats are available on demand by ordering online or calling 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105.
List of figures
- Figure 1: Privacy Act Requests – Total volume received
- Figure 2: Privacy Act consultation requests – Total volume received
- Figure 3: Requests received and completed, Privacy Act
- Figure 4: Privacy Act Access requests by calendar days taken to complete
- Figure 5: Number of requests processed within and beyond legislated timeframes, Privacy Act
- Figure 6: Number of pages processed and disclosed, Privacy Act
List of tables
- Table 1: Summary of requests under the Privacy Act
- Table 2: Number of requests and percentage of total exemptions
- Table 3: Consultation requests received from other Government of Canada Institutions and other organizations – Privacy Act
- Table 4: Complaints, Investigations and Court Actions, 2020 to 2021
- Table 5: Number of Disclosures by reason
- Table 6: Material breaches
- Table 7: Privacy Act – Delegated authorities
- Table 8: Privacy Regulations – Delegated authorities
- Table 9: Number of requests under the Privacy Act
- Table 10: Disposition and completion time
- Table 11: Exemptions
- Table 12: Exclusions
- Table 13: Relevant pages processed and disclosed
- Table 14: Relevant pages processed and disclosed by size of requests
- Table 15: Other complexities
- Table 16: Number of requests closed within legislated timelines
- Table 17: Reasons for not meeting legislated timelines
- Table 18: Requests closed beyond legislated timelines (including any extension taken)
- Table 19: Requests for translation
- Table 20: Disclosures under Subsections 8(2) and 8(5)
- Table 21: Requests for correction of personal information and notations
- Table 22: Reasons for extensions and disposition of requests
- Table 23: Length of extensions
- Table 24: Consultations received from other Government of Canada institutions and other organizations
- Table 25: Recommendations and completion time for consultations received from other Government of Canada institutions
- Table 26: Recommendations and completion time for consultations received from other organizations
- Table 27: Requests with Legal Services
- Table 28: Requests with Privy Council Office
- Table 29: Complaints and investigations notices received
- Table 30: Personal information banks
- Table 31: Material privacy breaches
- Table 32: Costs
- Table 33: Human resources
Executive summary
Employment and Social Development Canada (ESDC), including the Labour Program and Service Canada, strives to build a stronger and more inclusive Canada, to help Canadians live productive and rewarding lives, and to improve quality of life for all Canadians. Many of the federal government’s largest and most well-known programs and services are provided by the Department in fulfillment of this broad mandate.
ESDC is a major user of personal information and other data to deliver these key programs and services to Canadians in support of its own mandate, as well as on behalf of other federal institutions. As a result, it operates within one of the most complex privacy regimes in government in carrying out collection, use, retention and disclosure activities that are vast in scale and scope. The Department takes this responsibility seriously, and the protection of the privacy rights of Canadians, as well as the safeguarding of their personal information, remains an ongoing priority.
As a federal institution, ESDC is subject to the Access to Information Act and the Privacy Act. Both acts require the Department to submit annual reports to Parliament on their administration at the conclusion of every fiscal year. These reports describe ESDC’s major strategic and operational highlights for both access to information and privacy during the reporting period.
The 2020 to 2021 reporting period was dominated by the COVID-19 pandemic, during which ESDC was tasked with delivering major initiatives under the COVID-19 Economic Response Plan. The Department played an important role in ensuring that Canadians received the emergency supports they needed during this unprecedented time, through initiatives like the Canada Emergency Response Benefit (CERB), the Employment Insurance Emergency Response Benefit (EI ERB), and the one-time payment to persons with disabilities. The successful implementation of these key initiatives required a comprehensive departmental effort, including the temporary reassignment of some access to information and privacy (ATIP) resources.
The Department took a balanced approach in this endeavour, allowing for ongoing ATIP operations. While the pandemic had consequences for ESDC’s compliance with the Access to Information Act and the Privacy Act, by the end of this reporting period, the Department had returned to regular ATIP operations. In this sense, measures taken were temporary and are not expected to have long-term impacts on the Department’s compliance with the acts.
Modernization and transformation continued to be important themes in 2020 to 2021. The pandemic spurred the implementation of digital solutions to the way programs and services are delivered in order to meet the current and evolving needs of Canadians. This was especially relevant with respect to the processes used in addressing access to information and privacy requests received from Canadians. The Department went from a predominantly paper-based regime to an almost exclusively digital response format.
ESDC continued to experience some of the largest volumes of access to information and privacy requests among federal institutions. In the Treasury Board Secretariat’s 2019 to 2020 ranking of Government of Canada institutions, the Department ranked second for the number of privacy requests received and pages processed. During 2020 to 2021, the total number of requests under both acts decreased from the previous fiscal year as a result of the pandemic. However, the number of requests received remained high.
Once the effects of the pandemic wane, ESDC anticipates that the trend of large and increasing volumes of requests will re-emerge. Ensuring that ESDC’s access to information and privacy request processes are efficient and effective will be important for the Department to continue to respond to requests in a timely manner.
These achievements, and the detailed results described in this report, are a snapshot of the degree of responsibility, stewardship, and effort that ESDC’s employees demonstrate every day to fulfill the Department’s legal requirements for the management of personal information, as well as to protect the privacy rights of Canadians.
1. Introduction
Presentation of the report
Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of each Act following the end of every fiscal year. ESDC is pleased to present to Parliament its annual report on the administration of the Privacy Act for the 2020 to 2021 fiscal year.
About Employment and Social Development Canada
ESDC, which includes the Labour Program and Service Canada, delivers many federal programs and services. Given the broad scope of its mandate, it is among the largest and most decentralized federal institutions. Each day, ESDC interacts with thousands of Canadians by delivering services and programs that play important roles in their lives. Canadians expect high-quality, easy-to-access, and secure services that are responsive to their needs, whether they are interacting online, through call centres, or in person.
ESDC’s programs and services affect Canadians throughout the course of their lives. For example, the Department assists parents who are raising young children, helps students finance their post-secondary education, and provides income support to unemployed and pension income to seniors. ESDC delivers many of the Government of Canada’s flagship programs, such as the Canada Student Financial Assistance Program, EI, Old Age Security (OAS), and the Canada Pension Plan (CPP). Overall, the Department is responsible for delivering over $132.5 billion in benefits directly to individuals and organizations, which represent 6.15% of Canada’s Gross Domestic Product.
In addition, during this reporting period, ESDC stood at the forefront of Canada’s efforts to mitigate the social and economic impacts of the COVID-19 pandemic. This included work to deliver CERB and targeted support for students and seniors among others.
The Labour Program contributes to social and economic well-being by fostering safe, healthy, fair and inclusive work environments, and cooperative workplace relations in workplaces falling under federal jurisdiction. The Labour Program also supplies labour relations mediation services, enforces minimum working conditions, promotes decent work and fosters respect for international labour standards. As with other parts of the Department, the Labour Program responded with agility and flexibility to the pandemic.
The Department’s service delivery arm, Service Canada, provides Canadians with a single point of access to ESDC programs and benefits, as well as to other Government of Canada programs and services. Although the COVID-19 pandemic had a direct impact on Service Canada’s ability to provide in-person services, the needs of Canadians continued to be served online at Canada.ca, through the My Service Canada Account (MSCA), and by telephone through “1 800 O-Canada” and its network of call centres.
About the Access to Information Act and the Privacy Act
The Access to Information Act provides Canadian citizens, permanent residents, and any individual or corporation present in Canada a right to access records of government institutions that are subject to the ActFootnote 1. This right is subject to limited and specific exemptions and exclusions, and in accordance with the principle that government information should be available to the public. The Government of Canada brought forth new legislative requirements under the Act in 2019 mandating departments to, among other things, proactively publish frequently requested information in an effort to further increase transparency and openness.
The Privacy Act protects the privacy of Canadian citizens, permanent residents and individuals present in Canada with respect to their personal information held by a federal government institution that is subject to the Act and provides them with a right of access to that informationFootnote 2. The Privacy Act sets out provisions for the collection, use, retention and disclosure of personal information by government institutions.
Personal information provisions in the Department of Employment and Social Development Act
In addition to the Privacy Act, the management of personal information by ESDC is governed by statutory obligations set out in the Department’s enabling act. The Department of Employment and Social Development Act (DESDA) sets out the rules that apply to personal information controlled by ESDC. These provisions set out the conditions for:
- disclosing personal information, including public interest disclosures
- making available information contained in the Social Insurance Register
- using personal information for internal policy analysis, research and evaluation purposes; and
- disclosing personal information for research or statistical analysis
Where the Department delivers services to the public on behalf of other federal institutions and jurisdictions or when delivering select services for the Government of Canada, the partner’s privacy regime (normally the Privacy Act for federal partners) would apply instead.
2. Organizational structure
Corporate Secretary and Chief Privacy Officer
ESDC’s Corporate Secretariat Branch is responsible for issuing and managing privacy management policy within the Department, the provision of privacy advice and guidance, and the processing of privacy requests in the National Capital Region. These functions are carried out by ESDC’s ATIP Operations and the Privacy Management Division (PMD).
The Branch is led by the Corporate Secretary who is ESDC’s designated Chief Privacy Officer, the Department’s functional authority on all privacy matters and for the implementation of the privacy management framework. The Chief Privacy Officer’s responsibilities include providing strategic privacy advice and recommendations, maintaining ESDC’s privacy management program, including conducting privacy risk assessments, and monitoring compliance with privacy legislation, policies and standards.
Access to Information and Privacy Operations Division
The ATIP Operations is the departmental focal point for the management and processing of ESDC access to information and privacy requests. It leads and advises on the processing of all ESDC requests under the Access to Information Act, performs “line-by-line” reviews of records requested under the Access to Information Act, and delivers training and awareness sessions to departmental employees on the administration of the Act.
Privacy Management Division
PMD is the Department’s centre for privacy expertise. PMD leads the horizontal implementation of departmental privacy policies and initiatives, conducts risk analyses, including privacy impact assessments, and delivers privacy compliance support for ESDC’s programs and services. The Division also administers legal requests for documents, administers public interest disclosures, plays a key role in the management and prevention of privacy breaches, with departmental partners, and supports privacy training and awareness activities. During the 2020 to 2021 fiscal year, PMD had, on average, a complement of 37 full-time employees.
Service Agreement with the Canadian Accessibility Standards Development Organization
During the reporting period, ESDC entered into a memorandum of understanding (MoU) for the provision of access to information and privacy services with the Canadian Accessibility Standards Development Organization (CASDO), an independent departmental corporation within the Employment and Social Development portfolio. CASDO was established under the Accessible Canada Act and is mandated to contribute to the realization of a Canada without barriers, on or before January 1, 2040.
Under the MoU, ESDC provides Access to Information Act and Privacy Act request processing services, annual reporting advice and statistics, liaison and training. ESDC also furnishes analysis and advice on privacy matters including privacy impact assessments, information-sharing arrangements, disclosures, contracting, legislative and policy compliance and the management of security incidents.
COVID-19 operational impact
Due to the nature of the COVID-19 global pandemic, the department transitioned all available resources to deliver critical services and departmental employees were called upon to provide essential support to Canadians. ATIP personnel were part of those deployed to assist and steps were taken to inform requestors of possible delays in processing, including by email and through the ESDC website. To facilitate the transition, ESDC temporarily suspended the internal assignment of ATIP requests from March 16 to April 27, 2020. This measure was taken to not divert resources from essential and critical services. During this period, the department continued to process pre-existing ATIP requests. ESDC resumed processing new requests on Monday, April 27, 2020, including logging and tracking new requests, tasking program areas for retrieval of responsive records, conducting follow-ups and providing response packages.
In addition, in an effort to stop the spread of COVID-19, all ATIP officials across the department began to work remotely in March 2020. Transitioning to all new electronic processes posed several challenges for ATIP Operations, which was further compounded by the need to catch up on a backlog of approximately 80 requests that had been placed in abeyance while the remote processes were established. Following the successful resumption of ATIP request processing, the department resumed with Proactive Publication requirements.
Although this emergency response posed some operation challenges and impacted the department’s ability to process ATIP requests within the timelines mandated by the Access to Information Act, a range of critical benefits and services were made available to Canadians in a very short period and at a time they needed help the most. In addition, the vast majority of Canadians received the information they requested, although delayed. Recent monthly compliance rates show a return to pre pandemic levels of performance.
3. The Privacy Management framework and Privacy Governance in ESDC
Departmental Policy on Privacy Management
The Departmental Policy on Privacy Management sustains a robust privacy regime for the protection and judicious use of personal information by ESDC. The policy outlines the requirements and standards for the management and protection of personal information and articulates clear and universal privacy principles. The policy sets out the Department’s Privacy Management Framework, outlined below, designates the Chief Privacy Officer function, defines roles and responsibilities for the management of personal information, and establishes the Department’s privacy governance mechanisms.
Privacy Management framework
ESDC’s privacy management framework promotes a proactive approach for the management of privacy by fostering the integration of privacy practices into program, system, and business process design. The framework consists of 5 elements:
- Governance and Accountability: Roles and responsibilities for privacy are clearly defined
- Stewardship of Personal Information: Appropriate privacy protections are implemented to properly manage personal information throughout its life cycle
- Assurance of Compliance: Formal processes and practices are in place to ensure adherence to privacy specifications, policies, standards and laws
- Effective Risk Management: Structured and coordinated risk identification and assessments that are conducted to limit the probability and impact of negative events; and
- Culture, Training and Awareness: Privacy training and awareness activities that sustain a privacy-aware organization that values the protection and stewardship of personal information
Privacy Governance in ESDC
The Data and Privacy Committee (DPC) is the primary governance body with respect to privacy matters. Co-chaired by the Chief Privacy Officer and the Chief Data Officer, the DPC oversees the stewardship and management of data and the protection of personal information across the Department. The Committee supports the integration of data management, privacy, and security, as well as oversees ESDC’s personal information risk management process. The DPC reports to the Corporate Management Committee, chaired by ESDC’s Associate Deputy Minister.
4. Delegations
Section 73 of the Privacy Act empowers the head of an institution to delegate any of the powers, duties or functions assigned to them by these acts to employees of that institution.
The Minister of Employment, Workforce Development and Disability Inclusion is responsible for the purposes of the Privacy Act and the Department’s enabling legislation, the DESDA.
The departmental Privacy Act delegation order and delegated authorities are reproduced in Annex A.
5. Privacy activities and initiatives
The wide scope and breadth of ESDC mandate comes with responsibility for managing one of the largest personal information holdings in the Government of Canada. The management and delivery of programs and services by the Department usually involves the collection, use, and disclosure of personal information. In many instances, detailed and often sensitive personal information is required either by ESDC or other government organizations to determine program eligibility or to provide benefits and services. Layered on top is a complex privacy legal regime within which ESDC operates that includes the Privacy Act and the DESDA, as well as the federal and provincial legislation of its Government of Canada and provincial government partners, respectively.
The sweeping technological changes of the digital age have created new expectations and challenges for ESDC on the use, management and protection of personal information. There are opportunities to use and exchange data in new, innovative ways for public benefit. The increasing volumes of electronic data and the employment of advanced methodologies, such as artificial intelligence, provide government with the opportunity to improve the quality and manner that information is used for decision-making, policy development, and service delivery. Canadians seek to interact with government and access services by using a number of client-service options, including online, that are commensurate with their experiences with private-sector services. At the same time, the large quantities of digital information along with the velocity of its collection, use and disclosure have heightened the challenges for its safeguarding and the protection of the privacy of individuals.
During the 2020 to 2021 fiscal year, ESDC continued to advance a proactive, risk-based approach to privacy management and sought to adapt its activities and processes to the needs of the changing privacy environment. It applied its privacy lens to the large number of departmental initiatives—some of which involved the large-scale collection, use and disclosure of personal information.
ESDC’s contribution to the whole-of-government response to the COVID-19 pandemic was the overriding focus for PMD and ATIP Operations Division. PMD provided rapid privacy analysis and on-demand support for the implementation of emergency programs that were designed and launched on an urgent basis and immediately accessed by millions of Canadians. The Canada Emergency Response Benefit, the Employment Insurance Emergency Response Benefit, the Quarantine call centre, and Fish Harvester Benefit and Grant Program, are among the programs and services that PMD supported. The Division adapted its existing analytical approaches and suite of tools to provide privacy analyses and risk assessments to meet very tight deadlines. Simultaneously, PMD and ATIP Operations rapidly transformed to digitally connected teams that could work remotely effectively and efficiently. Within the first weeks of the pandemic, their privacy teams were fully functional and continued to provide services to the Department and the public.
The pandemic served to accelerate the digitization of government services, including, notably, the use and exchanges of data for program delivery, policy analysis and research with other federal institutions, as well as between ESDC and the provinces and territories. PMD worked with program and data leads to protect the privacy of individuals, to safeguard information, and to mitigate any identified risks.
The COVID-19 crisis demonstrated the importance of modern technology and the flexibility it offers, as well as highlighting the need for ESDC’s continued transformation and investments in service infrastructure.
Overall, ESDC completed 18 privacy assessments, copies of which were provided to the Treasury Board Secretariat and the Office of the Privacy Commissioner. Information on these assessments can be found in Annex B of this report and on ESDC’s privacy impact assessments website. PMD also supported the completion of over 60 information-sharing agreements and actioned over 350 requests for privacy compliance advice. In addition, the Division provided timely strategic policy advice and analysis to ESDC’s senior leadership on a range of internal and interdepartmental privacy strategic issues and questions.
With respect to its privacy program, ESDC implemented an updated Delegation Order for the DESDA, which applies to the entire Department except for the Labour Program. The revised Order streamlines ESDC’s risk-based approval processes for information-sharing agreements that set out the conditions for the use and disclosure of personal information and for making available personal information for policy analysis, research and evaluation activities. At the same time, the Order strengthens the control of personal information for these purposes by requiring the mandatory approval of a senior departmental privacy official.
ESDC continued to participate actively in Justice Canada’s work on Privacy Act modernization by contributing advice and insight associated with its programs, service delivery and digital transformation efforts.
6. Performance reporting
The following section provides key statistics and analysis on ESDC accomplishments in the previous 4 fiscal years and how the Department contributed to the Government’s agenda in terms of privacy. Figures 3 through 5 display a four-year comparison to highlight the Privacy Act performance trends. Detailed statistical reports for the Act are found in Annex C. It is important to note the effects of the COVID-19 pandemic during the current reporting period. There were decreases in the number of requests received, as well as delays in meeting legislated response times. Privacy Operations had returned to full capacity by the end of the reporting period and the impact of the pandemic on performance is expected to have been a temporary outcome of an emergent situation.
Requests and consultations: Total volume
During the 2020 to 2021 fiscal year, ESDC experienced a decrease of 9% in privacy requests, from 15,405 in the 2019 to 2020 fiscal year to 13,998 in 2020 to 2021. Consultation requests related to the Privacy Act also decreased.
Text description for Figure 1
Year | Number of requests |
---|---|
2017 to 2018 | 8852 |
2018 to 2019 | 12678 |
2019 to 2020 | 15405 |
2020 to 2021 | 13998 |
Text description for Figure 2
Year | Number of requests |
---|---|
2017 to 2018 | 35 |
2018 to 2019 | 38 |
2019 to 2020 | 23 |
2020 to 2021 | 11 |
Activity | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 |
---|---|---|---|---|
Formal requests received under the Privacy Act | 8,852 | 12,678 | 15,405 | 13,998 |
Requests completed during the reporting period | 8,817 | 12,260 | 15,004 | 12,883 |
Number of requests completed within legislated timeframes (including extensions) | 8,728 | 12,137 | 14,949 | 5,906 |
Number of requests completed beyond legislated timeframes | 89 | 123 | 55 | 6,977 |
Proportion of requests that were responded to within legislated timeframes | 99% | 99% | 99% | 46% |
Public interest disclosures | 329 | 261 | 419 | 373 |
Material privacy breachesFootnote 3 | 128 | 74 | 210 | 161 |
Complaints to the Privacy Commissioner | 29 | 9 | 16 | 12 |
The Privacy Commissioner reports on findings with respect to any complaints received and may make recommendations. As demonstrated in Figure 3, 12 complaints were made to the Privacy Commissioner during the reporting period, a decrease from the previous year. The number of material privacy breaches decreased from 210 in 2019 to 2020 to 161 in 2020 to 2021.
Total requests received and completed
Privacy Act
The number of requests closed during the reporting period went from 15,004 in 2019 to 2020 to 12,883 in 2020 to 2021. The effects of the pandemic caused a great number of responses to be late. While this decrease in responding within the legislated timeframe is of some concern, it is directly attributed to the challenges faced due to the COVID-19 pandemic.
Text description for Figure 3
Year | Received | Completed |
---|---|---|
2017 to 2018 | 8,852 | 8,817 |
2018 to 2019 | 12,678 | 12,260 |
2019 to 2020 | 15,405 | 15,004 |
2020 to 2021 | 13,998 | 12,883 |
Requests by calendar days taken to complete
Privacy Act
The compliance rate for Privacy Act requests being closed within the legislated 30 days, or within 60 days after an extension was granted, decreased from 99%in 2019 to 2020 to just 46% (5,906) in 2020–2021. This represents an enormous increase of late files compared to the 2019 to 2020 fiscal year, but is directly attributed to the challenges faced as a result of the COVID-19 pandemic. It is to be noted that 92% of requests (12,883) were responded to during the fiscal year.
Text description for Figure 4
Year | 30 calendar days | 31-60 calendar days | 61 or more calendar days |
---|---|---|---|
2017 to 2018 | 8,595 (97%) | 179 (2%) | 43 (1%) |
2018 to 2019 | 11,832 (97%) | 370 (2%) | 58 (1%) |
2019 to 2020 | 14,613 (97%) | 358 (2%) | 68 (1%) |
2020 to 2021 | 5,029 (39%) | 2,459 (19%) | 5,395 (42%) |
Timeframes
Privacy Act
During the reporting period, ESDC met legislated timelines for 5906 requests, which represents a 46% compliance rate. This is a decrease from previous years where ESDC regularly achieved a compliance rate of 99%. The effects of the COVID-19 pandemic were directly responsible for the decrease. As activities returned to normal, the number of requests being closed within legislated timelines returned to pre-pandemic compliance rates.
Institutions may apply for an extension beyond the original 30-day statutory timeframe in cases where meeting the statutory date is not feasible due to: the volume of pages to be processed; where consultation is required that could not reasonably be conducted within the initial 30 days; or, for translation purposes or to convert a record to another format. During the reporting period, ESDC requested 990 extensions. This represents an increase from the previous reporting period, when ESDC requested 260 extensions.
Text description for Figure 5
Year | Within | Beyond |
---|---|---|
2017 to 2018 | 99% | 1% |
2018 to 2019 | 99% | 1% |
2019 to 2020 | 99% | 1% |
2020 to 2021 | 46% | 54% |
Timeframe monitoring
Privacy Act
ESDC’s regional offices manage the majority of the privacy request workload and prepare weekly reports concerning new requests, workload and status for the tracking of on-time performance for privacy requests. Regional offices also produce performance reports on a monthly, quarterly and yearly basis.
Pages processed and disclosed
Privacy Act
The total number of pages processed and disclosed for privacy requests decreased during the 2020 to 2021 fiscal year. During this reporting period, 1,164,618 pages were processed for exemptions and exclusions, which represents a decrease of 8% from the previous fiscal year when 1,259,755 pages were processed. A total of 1,084,070 pages were disclosed, which is a decrease from the previous year when 1,208,351 pages were disclosed. However, the number of pages processed and disclosed during the reporting period remained higher than earlier reporting periods.
Text description for Figure 6
Year | Received | Completed |
---|---|---|
2017 to 2018 | 798,436 | 771,256 |
2018 to 2019 | 979,247 | 934,672 |
2019 to 2020 | 1,259,755 | 1,208,351 |
2020 to 2021 | 1,164,618 | 1,084,070 |
Exemptions and exclusions
ESDC is one of the largest holders of personal information in the Government of Canada, which affects the frequency in which exemptions and exclusions are applied under the Privacy Act.
Privacy Act
Exemptions
The Privacy Act recognizes that individuals value their privacy and the protection of their personal information and that this protection is an essential element in maintaining public trust in government. Although the Privacy Act provides individuals with an enforceable right of access to their personal information, there are instances where certain limited and specific exemptions can be applied.
Due to the nature of ESDC’s mandate and its personal information holdings, the exemption under the Privacy Act that was applied most frequently is Section 26, which protects personal information about another individual as defined by Section 3 of the Privacy Act. This exemption occurred in 8,628 instances of completed requests during the 2020 to 2021 fiscal year. This represents a decrease of 1,184 instances when compared to the previous fiscal year.
Section | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 |
---|---|---|---|---|
s. 22 – Law enforcement and investigation | 101 (1.7%) |
61 (0.7%) |
56 (0.6%) |
63 (0.7%) |
s. 26 – Information about another individual | 5,898 (96.7%) |
8,082 (98.1%) |
9,812 (98.7%) |
8,628 (98.8%) |
s. 27 – Solicitor-client privilege | 81 (1.3%) |
72 (0.9%) |
63 (0.6%) |
42 (0.5%) |
Exclusions
The Privacy Act allows for the exclusion of certain types of information, such as records that are already available to the public (Section 69) and confidences of the Queen’s Privy Council for Canada (Section 70). During the 2020 to 2021 fiscal year, ESDC did not exclude any records for requests under the Privacy Act.
Consultations received from other Government of Canada Institutions and other organizations
Privacy Act
ESDC received 11 external consultation requests during the 2020 to 2021 fiscal year, which originated from Government of Canada institutions and other organizations, requiring a review of 72 additional pages. This represents a significant decrease from the previous fiscal year when ESDC reviewed 3,137 pages.
The Department closed 9 requests for consultations of which 3 were completed within 30 days. Of the total number of requests for consultation, 5 resulted in a recommendation to disclose the records entirely and one recommended the consulting institution or organization disclose the information in part.
Type of consultation | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 |
---|---|---|---|---|
Consultations requests received under the Privacy Act | 35 | 38 | 20 | 11 |
Additional pages reviewed under the Privacy Act | 5,355 | 1,578 | 3,137 | 388 |
Privacy Act requests for consultations closed | 34 | 36 | 21 | 9 |
Privacy Act requests for consultations closed within 30 days | 29 | 36 | 18 | 3 |
Requests for the correction of Personal Information under the Privacy Act
Under the Privacy Act, individuals have a right to request the correction of erroneous personal information pertaining to them that is retained by a government institution, provided that the individual can adequately substantiate the request. ESDC accepted 4 requests for correction of personal information during the 2020 to 2021 fiscal year.
7. Complaints, Investigations and Court Actions
Under the Privacy Act, individuals may lodge a complaint to the Office of the Privacy Commissioner (OPC) on the processing of their access requests if they were refused access or if they feel there was an undue delay in processing. Individuals can also lodge complaints on the personal information handling practices of federal institutions subject to the Act, on matters such as the collection, use or disclosure of personal information.
During the 2020 to 2021 reporting period, ESDC was notified by the OPC of 30 privacy complaints and carried over one complaint from the previous fiscal year. The OPC closed 19 complaints of which 7 were determined to be well founded.
There were 3 privacy complaints in the courts during the reporting period. Please refer to the following table for more details about the complaints.
Complaints | Number |
---|---|
Complaints Total complaints received
|
30 2 0 10 1 1 |
Investigations Total findings received
|
21 7 9 4 1 |
Court actions Number of court actions |
3 |
Note: The total number of notifications of complaints received and the total number of investigations with findings received will not necessarily be the same in a given fiscal year. Investigations could relate to complaints that were received by the OPC in a fiscal year prior the 2020 to 2021 reporting period.
8. Internal Privacy-related audits
ESDC’s Internal Audit and Enterprise Risk Management Branch initiated an advisory assessment on the implementation of the adjustments made in recent years to the Department’s privacy impact assessment (PIA) and approval process. The assessment will include a review of PIA risk ratings, internal PIA process documentation, and Data and Privacy Committee meeting minutes. The findings and recommendations from this advisory assessment are expected during 2021 to 2022.
9. Public Interest Disclosures
Disclosures in the public interest are made by ESDC under Section 37(1) of the DESDA instead of under Section 8(2)(m) of the Privacy Act. Disclosures made under this provision are reported to the OPC.
During the 2020 to 2021 fiscal year, the Department disclosed personal information in the public interest in 373 instances. ESDC processed 334 public interest disclosures in the regions, the preponderance of which consisted of incidents involving individuals who threatened to harm themselves or others. In instances where there is an imminent threat to the safety and security of individuals, employees have the delegated authority to make the disclosure. Given the urgency of these situations, the OPC is informed after the disclosure is made. PMD approved the disclosure of personal information in an additional 39 cases (“NHQ disclosures”).
Reason for disclosure | Number of disclosures |
---|---|
Regional disclosures (Imminent threats) | 334 |
NHQ disclosures
|
39 9 3 11 12 4 |
Total | 373 |
10. Material privacy breaches
A privacy breach is defined by the Treasury Board Secretariat-issued policy as the “improper unauthorized collection, use, disclosure, retention or disposal of personal information.” A material privacy breach is defined as one “that involves sensitive personal information and could reasonably be expected to cause injury or harm to the individual and/or to a significant number of individuals.”
During the 2020 to 2021 fiscal year, the Department reported 161 material breaches to the OPC and to the Treasury Board Secretariat, a 23% decline from the previous year. Most of these breaches were the result of operational errors resulting in personal information lost in transit in the postal system or sent to the wrong person.
The majority of these incidents (108 of 161 cases) involved lost or misdirected passports of which the Canada Post Corporation took responsibility for 76 breaches (please refer to the table below). The unauthorized access by ESDC employees of personal information stored in departmental systems accounted for 16 incidents. These cases were identified as a result of the Department’s Audit Log Monitoring initiative to detect the unauthorized accesses of personal information in ESDC’s electronic data holdings by ESDC employees. It is expected that additional incidents of this type will continue to be detected during the 2021 to 2022 fiscal year as this project expands in scope. During August 2020, credential-stuffing attacks were made against the GC Key service. ESDC, which uses GC Key for its online services, took immediate action to contain the breach and implemented additional technical security measures. ESDC clients that were affected or potentially affected by the incident were contacted and offered free credit monitoring.
The Department continually seeks to implement measures to reduce privacy breaches through administrative, technical, and physical means. Importantly, through ESDC’s privacy training and awareness activities, employees are informed and trained in the handling of personal information, including appropriate use and safeguarding protocols.
Number of material breaches | Nature of information breached | Communication and notification | Actions undertaken in response |
---|---|---|---|
37 | Personal information incorrectly shared with third party individuals, via telephone, email, or mail and/or Documents containing personal information of clients were lost or stolen. |
When possible, personal letters were sent to affected individuals informing them of the breach. |
|
16 | Employees who made unauthorized accesses in departmental systems to client information (mostly discovered as part of internal audits conducted on the Departmental systems). | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
76 | Passports lost, stolen, or misdirected, where Canada Post Corporation was responsible for the breach. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
32 | Passports lost, stolen or misdirected as a result of an internal error. | When possible, personal letters were sent to affected individuals informing them of the breach. |
|
Total number of material breaches: 161 |
11. Training and awareness activities
Privacy training
ESDC has a comprehensive and mandatory training program to increase knowledge and awareness of the stewardship of information. All employees are required to maintain valid certification in Stewardship of Information and Workplace Behaviours (SIWB), which addresses privacy, the handling of personal information, access to information, information management, security, and values and ethics. Delivered online, SIWB certification is valid for 2 years.
ESDC has been updating the content of the SIWB certification course; as such, the course was temporarily removed from the Department’s Essential Training Curriculum. SIWB was made available to learners on May 2020 as a stand-alone course for all ESDC employees. A total of 7,821 employees completed SIWB during 2020 to 2021. ESDC will reintegrate the course into the Essential Training Curriculum early in the new fiscal year.
New employees are obligated to complete online privacy-related training when joining the Department. The “Doing Things Right and Doing the Right Thing: Putting the Department Code of Conduct into Action” course was completed by 10,118 new employees. “Access to Information and Privacy (ATIP): It’s Everybody’s Business” was completed by 10,024 employees.
In addition to online training and certification, ESDC undertook a number of “in-person” privacy training sessions and activities online. Many of the activities and events that ESDC typically holds during a fiscal year were cancelled as the Department focussed on delivering urgent COVID-19 measures and transforming into an online workforce. ESDC resumed “in-person” training during the second half of 2020 to 2021 with 5 “in-person” sessions that were held virtually and were attended by 162 employees.
Privacy awareness
Throughout the reporting period, the Department continued to provide practical, easy-to-understand, and readily available privacy information and guidance to employees to reinforce the application of appropriate personal information handling and safeguarding practices. Normally, these activities include organizing various privacy-themed information events for Privacy Awareness Week. However, due to the pandemic and the heavy workload resulting from it, Privacy Awareness Week was cancelled for 2020 to 2021. ESDC organized a “Data Privacy Day” in February 2021, with corporate messages and virtual “in-person” activities, which had 146 participants.
Annex A: Delegation orders
Privacy Act and Regulations: Delegation of Authority, Department of Employment and Social Development
The Minister of Employment and Social Development, pursuant to section 11 of the Department of Employment and Social Development Act, hereby designates the persons, officers or employees holding the positions with Employment and Social Development set out in the schedules attached hereto, or the persons, officers or employees occupying on an acting basis those positions, to exercise the powers or perform the duties or functions of the Minister or to exercise or perform the powers, duties or function of the head of the institution, as specified in the attached schedules.
Original signed March 12, 2020 by the Honourable Carla Qualtrough, Minister of Employment and Social Development
Privacy Act, Department of Employment and Social Development
Description | Section | Delegated authority |
---|---|---|
Retention of a record of requests and disclosed records to investigative bodies under Section 8(2)(e) of the Privacy Act | 8(4) |
|
Retention of records of uses of personal information | 9(1) |
|
Notification of the Privacy Commissioner of any new consistent uses of personal information and ensure use is included in next statement of consistent uses set forth in the Index | 9(4) |
|
Include personal information in personal information banks | 10 |
|
Respond to request for access within 30 days and give written notice and, if access to be given, give access | 14 |
|
Extension of the 30-day time limit to respond to a privacy request | 15 |
|
Decision on whether to translate a response to a privacy request in one of the 2 official languages | 17(2)(b) |
|
Decision on whether to convert personal information to an alternate format | 17(3)(b) |
|
Decision to refuse to disclose personal information contained in an exempt bank | 18(2) |
|
Decision to refuse access to personal information that was obtained in confidence from the government of a foreign state or institution, an international organization of states or an institution thereof, the government of a province or institution thereof, a municipal or regional government established by or pursuant to an act of the legislature of a province or an institution of such a government, or the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act or the council of a participating in First Nation as defined in the First Nations Jurisdiction over Education in British Columbia Act | 19(1) |
|
Authority to disclose personal information referred to in 19(1) if the government, organization or institution described in 19(1) consents to the disclosure or makes the information public | 19(2) |
|
Refuse to disclose personal information that may be injurious to the conduct of federal-provincial affairs | 20 |
|
Refuse to disclose personal information that may be injurious to international affairs or the defence of Canada or one of its allies | 21 |
|
Refuse to disclose personal information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions | 22 |
|
Refuse to disclose personal information created for the Public Servants Disclosure Protection Act | 22.3 |
|
Refuse to disclose personal information prepared by an investigative body for security clearance | 23 |
|
Refuse to disclose personal information that was collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence if the conditions in the Section are met | 24 |
|
Refuse to disclose personal information which could threaten the safety of individuals | 25 |
|
Refuse to disclose personal information about another individual and shall refuse to disclose such information where disclosure is prohibited under Section 8 | 26 |
|
Refuse to disclose personal information that is subject to solicitor-client privilege | 27 |
|
Refuse to disclose personal information relating to the individual’s physical or mental health where the disclosure is contrary to the best interests of the individual | 28 |
|
Receive notice of investigation by the Privacy Commissioner | 31 |
|
Right to make representations to the Privacy Commissioner during an investigation | 33(2) |
|
Receive Privacy Commissioner’s report of findings of an investigation and give notice of action taken | 35(1) |
|
Provision of addition personal information to a complainant after receiving a 35(1)(b) notice. | 35(4) |
|
Receive Privacy Commissioner’s report of findings of investigation of exempt bank | 36(3) |
|
Receive report of Privacy Commissioner’s findings after compliance investigation | 37(3) |
|
Request that a court hearing, undertaken with respect to certain sections of the Act be held in the National Capital Region | 51(2)(b) |
|
Request and be given right to make representations in Section 51 hearings | 51(3) |
|
Prepare annual report to Parliament |
|
Description | Section | Delegated authority |
---|---|---|
Allow examination of the documents (Reading room) | 9 |
|
Notification of correction | 11(2) |
|
Correction refused, notation placed on file | 11(4) |
|
Disclosure to a medical practitioner or psychologist | 13(1) |
|
Disclosure in the presence of a medical practitioner or psychologist | 14 |
|
Annex B: Summaries of completed Privacy Impact Assessments
ESDC completed 18 PIAs of different types over the course of the past fiscal year. Of this total, 3 were prepared in an adapted Privacy Compliance Evaluation (PCE) format that was specified in the Interim Directive on Privacy Impact Assessment. Additional information can be found on ESDC’s privacy impact assessments website.
Government of Canada Telephone General Enquiries Services Program – 1–800 O Canada Business Model Review and Procurement Project
The Government of Canada Telephone General Enquiries Services Program consists of 3 components:
- the 1 800 O-Canada primary toll-free service for general information on Government of Canada programs, services and initiatives, and a critical public communication service in the Federal Emergency Response Plan
- customized Information Services, which deliver a variety of communications services for Government of Canada clients relating to specific programs, services, initiatives, campaigns and crisis situations; and
- integrated Content Management, which provides content management services for the 2 initiatives described above and for Service Canada centres
The Program will include fully outsourced and managed call centres by a contractor within contractor-provided facilities and contractor-provided workstations, telephones, and printers. ESDC retains full control of content management tools, the call centre platform, and the workforce management tool to which the contractor will connect using Shared Services Canada virtual desktop infrastructure.
The main objective of the Privacy Analysis was to identify privacy risks and impacts of the Government of Canada Telephone General Enquiries Services Program on the access, use, and handling of personal information. The assessment identified 2 medium-level risks. The Program will be implementing appropriate mitigations.
British Columbia Trusted Digital Identity Project with the Department of Employment and Social Development Canada
The British Columbia Trusted Digital Identity Project will provide residents in the province with the opportunity to streamline access to their MSCA by using their provincial government-approved identity-bound credential as a Trusted Digital Identity (BC TDI).
This PIA was conducted because the project requires a substantial modification to MSCA processes, introduces new technology, and involves a new collaboration with the Government of British Columbia. The PIA focussed on the identification of the privacy risks related to the handling of personal information during the collection and use of BC TDI for MSCA client registration, return use or substitution from existing credential login solutions. The PIA identified 2 medium-level risks and one compliance issue. Mitigation strategies to address these risks were scheduled for completion by the 2021 to 2022 fiscal year.
Canada Emergency Response Benefit
The CERB was created in March 2020 to provide financial support to workers whose income was affected by the COVID-19 pandemic. The program, while authorized under ESDC, is administered by the Canada Revenue Agency.
A multi-institutional PIA was developed in collaboration with the Canada Revenue Agency to identify privacy risks associated with the collection and use of personal information with a focus on safeguards. The assessment identified 3 medium-level risks and provided a mitigation plan to address them.
Canada Pension Plan Service Improvement Strategy, Enhanced Death Notification – Proof of Concept
The Canada Pension Plan Service Improvement Strategy, Enhanced Death Notification – Proof of Concept (CPP SIS EDN POC) will enable funeral services providers to submit domestic death notifications through a secure online electronic portal that eliminates the need to fax the information to Service Canada. Funeral services providers will collect personal information from the deceased’s family or estate in order to complete an online version of the death notification form.
A Privacy Analysis for IT Solutions (PAITS) was completed to identify and assess privacy risks associated with the design, procurement or acquisition phases for the CPP SIS EDN POC initiative. The proposed process to collect data elements electronically by the funeral services providers was assessed to ensure that the initiative adheres to legislative and departmental privacy requirements upon implementation. Privacy risks were also identified and assessed.
The PAITS identified one low-level risk. A mitigation plan is under development.
Electronic Social Insurance Number Application
The Electronic Social Insurance Number Application (eSIN Application) was implemented during the COVID-19 pandemic in order to provide Canadians with a self service electronic Social Insurance Number application form. This service replaces in person processes and may become permanent.
A PAITS was completed to identify privacy risks associated with the collection of personal information from clients who submit the required information to the eSIN Application platform in order to process their requests. The PAITS focussed on the electronic application process and the technical environment of the third-party solution used to collect and process personal information. It did not examine processes already established for the processing of applications once information is received by ESDC through the platform. The analysis identified 3 medium-level and 2 low-level risks. In addition, there were 3 privacy compliance issues. Mitigations are being implemented.
Employment Insurance Emergency Response Benefit
The EI ERB program is the portion of the CERB that was administered by ESDC to support workers during the COVID-19 pandemic. In the context of urgent delivery of income support at the outset of the pandemic, a PCE was completed. The PCE examined the administration and delivery of EI ERB and identified 2 medium-level risks, the mitigations for which are being implemented. A follow-up analysis will examine compliance and enforcement processes.
Enterprise Document Upload Solution
The Enterprise Wide Document Upload Service (Enterprise DUS) will enhance the client interactions with ESDC by providing the means to submit information electronically to the Department through the individual’s MSCA as an alternative to mailing documents or submitting them in person. ESDC’s programs and services will be able to use the Enterprise DUS to collect information that offers a consistent, standardized and scalable method.
A PAITS was completed to identify privacy risks associated with implementation of Enterprise DUS. The analysis identified one medium-level risk. A mitigation plan to address this risk is being implemented.
Service Delivery Arrangement for the Grant Program to Support Self-Employed Fish Harvesters in Canada Affected by COVID-19
On May 14, 2020, the Prime Minister announced new measures to support Canada’s fish harvesters who are economically impacted by the pandemic but cannot access existing federal measures. The Department of Fisheries and Oceans sought ESDC’s service delivery assistance to implement the Grant Program to Support Self employed Fish Harvesters in Canada Affected by COVID-19. There are 2 distinct but complementary streams to the Program: the Fish Harvester Benefit and the Fish Harvester Grant. The Program’s benefit calculations will be based on the applicant’s fishing income from the 2018 or 2019 tax years.
A PIA was completed to identify the privacy risks associated with the Program with a focus on its delivery. The assessment identified eleven risks of which 5 were low-level and 6 were medium-level. A mitigation plan was developed and put into effect.
Mental Health Peer Support Program
The Peer Support Program is an ESDC initiative that provides mental health-related social support by employee volunteers who share their own mental health challenges to support their colleagues who are experiencing their own health issues or challenges.
A PIA examined the privacy related to the management of personal information collected by the Peer Support Program. The PIA identified one medium-level risk and 3 low-level risks. Mitigations are being implemented.
Old Age Security and Canada Pension Plan Personal Information Exchange between the Service Canada International Operations and International Social Security Agreement Foreign Partners using Canada Post’s epost Connect
Service Canada regularly exchanges information with foreign entities for the administration of OAS and the CPP for individuals who have lived or worked in another country, as well as enables clients to obtain a foreign pension from a country in which they have lived or worked. As the situation with the COVID-19 pandemic evolved, the precautionary measures implemented by international postal operators necessitated Service Canada to change from paper-based instruments to using Canada Post’s epost Connect.
A PIA was completed that focussed on the use of epost Connect. Three medium-level risks were identified. A mitigation plan has been developed and is being implemented.
The Disclosure of Canada Pension Plan and Old Age Security Personal Information with the Office of the Chief Actuary and Canada Revenue Agency for Statutory Valuations and to Prepare Actuarial Reports
ESDC discloses personal information on CPP and OAS recipients to the Office of the Chief Actuary, which forms part of the Office of the Superintendent of Financial Institutions (OSFI). OFSI uses the personal information to fulfill its legislative requirement to conduct statutory valuations and prepare actuarial reports.
A Privacy Analysis was completed to identify and assess the privacy risks associated with the disclosure of personal information to OSFI. Two medium-level and one low-level risks were identified. Three compliance issues were also raised.
Passport Program Modernization Initiative
The undertaking of the Passport Program Modernization Initiative entails making changes to the functions carried out by ESDC in its service delivery role. The Department is phasing out an outdated system used in the delivery of the passport program and is piloting the Global Case Management System, which has enhanced business intelligence capabilities.
A privacy analysis was conducted that resulted in the identification and assessment of one medium-level risk, one low-level risk, and 3 compliance issues. A mitigation plan has been developed to address the risks and compliance issues.
Pension Process Automation
ESDC’s Benefits Delivery Services program is seeking to use robotic process automation (RPA) to automatically complete processes in a number of different applications in the same manner a human would, with human assistance for exception management. The CPP and OAS will be automatically processed using RPA software to replace manual processing by an agent.
A significant number of files will be processed through this RPA solution, all of which are administrative decisions taken that will affect individuals directly. Sensitive personal information will be housed in a server and the robot will have access to personal information from the applications.
A PAITS analyzed different aspects of the Pension Process Automation project. All issues and risks that were identified were mitigated during the assessment. There are no outstanding risks or issues for the program.
Quarantine Call Centre
As part of the Government of Canada’s measures to respond to COVID-19, the Public Health Agency of Canada (PHAC) contacted symptomatic travellers entering Canada to ensure they were in compliance with the Mandatory Isolation Order. PHAC Designated Screening Officers call travellers and ask a series of questions to determine whether they were following the guidelines for self-isolation. ESDC is supporting PHAC with compliance verification.
This PCE was completed to identify and assess privacy risks. Six medium-level risks, 3 low-level risks and 3 compliance issues were identified. A mitigation strategy was developed and implemented.
Receipt of Entry-Exit Data from the Canada Border Services Agency by the Old Age Security Program
In order to investigate potential fraud and abuse of the OAS program, ESDC will receive Entry-Exit traveller information from the Canada Border Services Agency. This information will be matched with OAS client data to identify non-portable beneficiaries who should have self-reported their absence from Canada.
A PIA was completed to identify the privacy risks associated with the collection and use of Entry-Exit data from Canada Border Services Agency. Four medium-level risks and one low-level risk were identified. Mitigations are expected to be fully implemented by the end of the 2022 to 2023 fiscal year.
Service Canada Compliance Verification Service for the Public Health Agency of Canada during COVID-19 Pandemic
The Service Canada Compliance Verification Service for PHAC during COVID-19 pandemic was expanded for the implementation of the PHAC COVID-19 Inbound Dial Campaign for Quarantine Confirmation and Symptom Reporting with the objective of supporting the enforcement of the Quarantine Act. PHAC sought to encourage travellers to verify their identity and proactively provide their quarantine confirmation. It also shifted to using the statistical sampling of travellers for outbound agent dialling. In addition, PHAC asked travellers to report on their symptoms daily by using their channel of choice.
A Privacy Compliance Checklist identified 2 medium-level risks, 5 low-level risks and 4 compliance issues. A mitigation plan is being implemented to address the risks and compliance issues.
Unauthorized Access Program
ESDC implemented an Unauthorized Access Program to monitor systems logs to determine whether employees accessed files containing personal information without authorization. Log monitoring will help the Department identify incidents of internal “snooping,” fraud, and misuse of personal information entrusted to ESDC.
A PIA analyzed the detection, identification, analysis, categorization of the severity of wrongdoing, the referral of cases for administrative actions, and reporting. The PIA did not review established processes, actions, and measures related to administrative investigations, disciplinary processes and measures, or criminal investigations. Two risks were identified: one low-level risk and one medium-level risk. Mitigations are being implemented.
VidCruiter Hiring Platform
ESDC will pilot pre-recorded, asynchronous video and audio interview technology using cloud-based technology for staffing purposes. In addition to the anticipated accrual of efficiencies, COVID-19 had made the acquisition of a video interview platform necessary. The use of video and audio recordings as part of the staffing interview process involves a new collection of sensitive personal information by a contracted and hosted third-party solution.
The PIA focussed on the collection and use of personal information obtained from video and VidCruiter, the third-party provider. The PIA reviewed ESDC’s changes to its staffing processes specific to the use of the solution as an alternative to in-person interviewing. The PIA identified 3 medium-level and 2 high-level risks and outlined a mitigation plan to address them.
Annex C: Statistical reports
Statistical report on the Privacy Act
Name of institution: Employment and Social Development Canada
Reporting period: 2020-04-01 to 2021-03-31
Section 1: Requests under the Privacy Act
1.1 Number of requests
Detail | Number of requests |
---|---|
Received during reporting period | 13998 |
Outstanding from previous reporting period | 1129 |
Total | 15127 |
Closed during reporting period | 12883 |
Carried over to next reporting period | 2244 |
Section 2: Requests closed during the Reporting period
2.1 Disposition and completion time
Disposition of requests | Completion time: 1 to 15 days | Completion time: 16 to 30 days | Completion time: 31 to 60 days | Completion time: 61 to 120 days | Completion time: 121 to 180 days | Completion time: 181 to 365 days | Completion time: more than 365 days | Completion time: Total |
---|---|---|---|---|---|---|---|---|
85 | 319 | 239 | 703 | 7 | 1 | 1 | 1355 | |
Disclosed in part | 818 | 2358 | 1868 | 4068 | 109 | 21 | 14 | 9256 |
All exempted | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
No records exist | 762 | 465 | 295 | 435 | 1 | 2 | 0 | 1960 |
Request abandoned | 162 | 59 | 57 | 30 | 2 | 0 | 1 | 311 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 1827 | 3202 | 2459 | 5236 | 119 | 24 | 16 | 12883 |
2.2 Exemptions
Section | Number of requests |
---|---|
18(2) | 0 |
19(1)(a) | 0 |
19(1)(b) | 0 |
19(1)(c) | 0 |
19(1)(d) | 0 |
19(1)(e) | 0 |
19(1)(f) | 0 |
20 | 0 |
21 | 0 |
22(1)(a)(i) | 0 |
22(1)(a)(ii) | 0 |
22(1)(a)(iii) | 0 |
22(1)(b) | 63 |
22(1)(c) | 0 |
22(2) | 0 |
22.1 | 0 |
22.2 | 0 |
22.3 | 0 |
22.4 | 0 |
23(a) | 0 |
23(b) | 0 |
24(a) | 0 |
24(b) | 0 |
25 | 0 |
26 | 8628 |
27 | 39 |
27.1 | 3 |
28 | 0 |
2.3 Exclusions
Section | Number of requests |
---|---|
69(1)(a) | 1 |
69(1)(b) | 0 |
69.1 | 1 |
70(1) | 0 |
70(1)(a) | 0 |
70(1)(b) | 0 |
70(1)(c) | 0 |
70(1)(d) | 0 |
70(1)(e) | 0 |
70(1)(f) | 0 |
70.1 | 0 |
2.4 Format of information released
- Paper = 8414
- Electronic = 2193
- Other = 4
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
Number of pages processed | Number of pages disclosed | Number of requests |
---|---|---|
1164618 | 1084070 | 10923 |
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition | Less than 100 pages processed |
101–500 pages processed |
501-1000 pages processed |
1001–5000 pages processed |
More than 5000 pages processed |
|||||
---|---|---|---|---|---|---|---|---|---|---|
Number of requests | Page disclosed | Number of requests | Page disclosed | Number of requests | Page disclosed | Number of requests | Page disclosed | Number of requests | Page disclosed | |
All disclosed | 1073 | 30181 | 273 | 49701 | 7 | 4511 | 1 | 1198 | 1 | 1970 |
Disclosed in part | 6038 | 235241 | 3001 | 561552 | 163 | 99347 | 50 | 75393 | 4 | 24398 |
All exempted | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 308 | 360 | 3 | 218 | 0 | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 7420 | 265782 | 3277 | 611471 | 170 | 103858 | 51 | 76591 | 5 | 26368 |
2.5.3 Other complexities
Disposition | Consultation required | Legal Advice sought | Interwoven information | Other | Total |
---|---|---|---|---|---|
All disclosed | 1 | 0 | 0 | 0 | 1 |
Disclosed in part | 3 | 0 | 155 | 0 | 158 |
All exempted | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
Total | 4 | 0 | 155 | 0 | 159 |
2.6 Closed requests
2.6.1 Number of requests closed within legislated timelines
Detail | Requests closed within legislated timelines |
---|---|
Number of requests closed within legislated timelines | 5906 |
Percentage of requests closed within legislated timelines (%) | 45.8 |
2.7 Deemed refusals
2.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines | Principal reason: Interference with Operations / Workload | Principal reason: External consultation | Principal reason: Internal consultation | Principal reason: Other |
---|---|---|---|---|
6977 | 53 | 0 | 0 | 6924 |
2.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of days past legislated timelines | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timelines where an extension was taken | Total |
---|---|---|---|
1 to 15 days | 589 | 141 | 730 |
16 to 30 days | 1100 | 155 | 1255 |
31 to 60 days | 3196 | 87 | 3283 |
61 to 120 days | 1613 | 29 | 1642 |
121 to 180 days | 31 | 6 | 37 |
181 to 365 days | 8 | 9 | 17 |
More than 365 days | 5 | 8 | 13 |
Total | 6542 | 435 | 6977 |
2.8 Requests for translation
Translation requests | Accepted | Refused | Total |
---|---|---|---|
English to French | 0 | 0 | 0 |
French to English | 3 | 1 | 4 |
Total | 3 | 1 | 4 |
Section 3: Disclosures under Subsections 8(2) and 8(5)
3.1 Disclosures under Subsections 8(2) and 8(5)
Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
---|---|---|---|
0 | 0 | 0 | 0 |
NB: The Department of Employment and Social Development Act takes precedence over Privacy Act s.8(2)
Section 4: Requests for correction of Personal information and notations
4.1 Requests for correction of Personal information and notations
Disposition for correction requests received | Number |
---|---|
Notations attached | 0 |
Requests for correction accepted | 4 |
Total | 4 |
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken | 15(a)(i) Interference with operations: Further review required to determine exemptions | 15(a)(i) Interference with operations: Large volume of pages | 15(a)(i) Interference with operations: Large volume of requests | 15(a)(i) Interference with operations: Documents are difficult to obtain | 15 (a)(ii) Consultation: Cabinet Confidence Section (Section 70) | 15 (a)(ii) Consultation: External | 15 (a)(ii) Consultation: Internal | 15(b) Translation purposes or conversion |
---|---|---|---|---|---|---|---|---|
990 | 57 | 33 | 881 | 9 | 0 | 2 | 5 | 3 |
5.2 Length of extensions
Length of extensions | 15(a)(i) Interference with operations: Further review required to determine exemptions | 15(a)(i) Interference with operations: Large volume of pages | 15(a)(i) Interference with operations: Large volume of requests | 15(a)(i) Interference with operations: Documents are difficult to obtain | 15 (a)(ii) Consultation: Cabinet Confidence Section (Section 70) | 15 (a)(ii) Consultation: External | 15 (a)(ii) Consultation: Internal | 15(b) Translation purposes or conversion |
---|---|---|---|---|---|---|---|---|
1 to 15 days | 0 | 9 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 days | 57 | 24 | 881 | 9 | 0 | 2 | 5 | 3 |
31 days or greater | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 57 | 33 | 881 | 9 | 0 | 2 | 5 | 3 |
Section 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
---|---|---|---|---|
Received during the reporting period | 10 | 383 | 1 | 5 |
Outstanding from the previous reporting period | 2 | 3 | 0 | 0 |
Total | 12 | 386 | 1 | 5 |
Closed during the reporting period | 8 | 67 | 1 | 5 |
Carried over to the next reporting period | 4 | 319 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation | Number of days required to complete consultation requests | |||||||
---|---|---|---|---|---|---|---|---|
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
All disclosed | 0 | 0 | 0 | 3 | 1 | 0 | 0 | 4 |
Disclosed in part | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 2 |
Other | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
Total | 2 | 1 | 0 | 4 | 1 | 0 | 0 | 8 |
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation | Number of days required to complete consultation requests | |||||||
---|---|---|---|---|---|---|---|---|
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total | |
All disclosed | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
Section 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
Number of days | Fewer than 100 pages processed | 101 to 500 pages processed | 501 to 1000 pages processed | 1001 to 5000 pages processed | More than 5000 pages processed | |||||
---|---|---|---|---|---|---|---|---|---|---|
Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 165 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
Number of days | Fewer than 100 pages processed | 101 to 500 pages processed | 501 to 1000 pages processed | 1001 to 5000 pages processed | More than 5000 pages processed | |||||
---|---|---|---|---|---|---|---|---|---|---|
Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 165 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8: Complaints and Investigations notices received
8.1 Complaints and Investigations notices received
Section | Section 31 | Section 33 | Section 35 | Court action | Total |
---|---|---|---|---|---|
Number of complaints and investigations notices received | 12 | 22 | 10 | 1 | 45 |
Section 9: Privacy Impact Assessments (PIA) and Personal Information Banks (PIB)
9.1 Privacy Impact Assessments
- Number of PIA(s) completed = 18
9.2 Personal Information Banks
Personal Information Banks | Active | Created | Terminated | Modified |
---|---|---|---|---|
Number of Personal Information Banks | 64 | 6 | 0 | 38 |
Section 10: Material Privacy breaches
10.1 Material Privacy breaches
Number of material privacy breaches reported to TBS | 161 |
Number of material privacy breaches reported to OPC | 161 |
Section 11: Resources related to the Privacy Act
11.1 Costs
Expenditures | Amount |
---|---|
Salaries | $5,788,710 |
Overtime | $181,815 |
Goods and services subtotal | $321,070 |
Goods and services: Professional services contracts | $302,906 |
Goods and Services: Other | $18,164 |
Total | $6,291,595 |
11.2 Human Resources
Resources | Person years dedicated to privacy activities |
---|---|
Full-time employees | 36.06 |
Part-time and casual employees | 0.00 |
Regional staff | 41.95 |
Consultants and agency personnel | 5.58 |
Students | 0.00 |
Total | 83.59 |
11.3 New reporting requirement - Privacy Act
Section | Number of requests |
---|---|
22.4 National Security and Intelligence Committee | 0 |
27.1 Patent or Trademark privilege | 0 |
Page details
- Date modified: