Annual Report on the administration of the Privacy Act

Employment and Social Development Canada’s privacy year in review, 2022 to 2023

Employment and Social Development Canada (ESDC) maintains some of the largest volumes of personal information in the Government of Canada, and protecting it is a top priority. The Department delivers many of the federal government’s most critical social programs and services including Employment Insurance (EI), the Social Insurance Number (SIN), the Social Insurance Register, Old Age Security (OAS), the Guaranteed Income Supplement (GIS), Canada Pension Plan (CPP), Canada Student Loans Program, and skills and employment training. These programs require the collection, use and disclosure of large volumes of detailed and often sensitive personal information.

To fulfil its mandate, ESDC regularly makes personal information available to many partners and stakeholders, including other federal departments as well as provincial, territorial, and international governments. There are many reasons for these disclosures: program delivery, eligibility for federal and provincial programs and benefits, authentication of individuals, identity management, research and statistics, integrity operations, and legal proceedings. These relationships are managed through hundreds of personal information sharing agreements.

ESDC is dedicated to making sure that personal information is protected as part of its commitment to Canadians.

Privacy and ESDC’s operating context

There were 3 primary influences on ESDC’s privacy management during the reporting period:

  • digital transformation is changing how personal information is being used and managed, including within the federal government. Individuals increasingly expect to interact with federal institutions digitally as a matter of convenience. As a result, ESDC continued with its efforts to meet the expectations of Canadians and to modernize its service offerings and delivery approaches. The expanded use of digital program and data management, and electronic identification and authentication, improves services and their convenience for Canadians. The careful management of personal information under ESDC’s control requires diligent stewardship and robust vigilance, which includes countering cybersecurity threats and risks
  • in late 2022, the Department began implementing the Treasury Board common hybrid work model, with employees working from a combination of on-site and remote locations. The transition was seamless without any interruption of privacy services, given the investments in electronic infrastructure and the development of new processes
  • ESDC continued to use a decentralized business model to process privacy requests. The Department’s footprint spans across the country with Service Canada operating close to 600 in-person points of service besides national and regional call centres and web-based digital service options available online through Canada.ca. Consequently, the Department’s 4 regions play a key role in helping ESDC meet its Privacy Act request processing obligations

Privacy by design at ESDC

ESDC manages one of the most robust privacy regimes in the federal system through the privacy code that is enshrined in the Department’s enabling legislation and departmental policies that complement the President of the Treasury Board’s requirements and Office of the Privacy Commissioner’s (OPC) expectations. A key element is ESDC’s “privacy by design” approach that integrates privacy considerations into all project management activities and new funding proposals.

ESDC’s privacy assessment process begins with an early check, at the initial stage of a project, to establish the type of privacy review that is required. The Department has a tailored suite of assessment tools to ensure that the right level of attention is committed to each initiative, taking into account the initiative’s complexity and the sensitivity of the personal information involved. Active and regular communications with the Treasury Board Secretariat (TBS), and with the OPC, ensure that these oversight bodies are well informed on ESDC’s privacy risks and how they are mitigated at an early stage.

ESDC also actively tracks and reports privacy breach incidents to the OPC and TBS. Breach incidents as a percentage of overall transactions remain low considering the high volume of daily transactions that use personal information. Importantly, the links between privacy and cybersecurity are being closely monitored to prepare the Department for current and future threats in this area.

Privacy request processing

The 2022 to 2023 reporting period saw an 18% increase in the number of Privacy Act requests submitted to ESDC, with almost 21,000 received and more than 1.8 million pages processed. Progress was made to improve time limit compliance rates towards pre-pandemic levels, from 58% in 2021 to 2022 to 71% in this reporting period. ESDC has taken action to continue improving performance in this area.

Highlights and results for 2022 to 2023

  • A record volume of pages (1,837,744) was processed for exemptions and exclusions this past fiscal year, an increase of 19.6% over the previous fiscal year. A total of 1,738,097 pages were disclosed, an increase of 25.6% from the previous year.
  • ESDC received 20,964 Privacy Act requests, up from the previous year’s total of 17,665. A record number of requests were completed, from 17,577 in 2021 to 2022, to 21,321 during 2022 to 2023.
  • ESDC completed or substantially revised 22 privacy impact assessments (PIA), which represented approximately one fifth of the number of PIAs completed by all federal institutions last year.
  • To protect personal information when it is shared with other federal institutions or other jurisdictions, 76 information sharing agreements were prepared with privacy protection provisions specific to the Department’s obligations.
  • The number of initial program, project, and software privacy reviews conducted by ESDC increased by 11.5% in 2022 to 2023, totalling 222 compared with 199 completed in 2021 to 2022.
  • Privacy reviews were also completed for the Department’s policy analysis, research and evaluation activities involving personal information. This past fiscal year, 26 such reviews were completed compared with 23 during 2021 to 2022.

These performance highlights are just a snapshot of how ESDC proactively supports the judicious use and protection of personal information in one of the most challenging privacy environments in government. The facts, figures and information in this report demonstrate the responsibility, diligence, and effort that ESDC’s employees apply daily to maintain the trust of Canadians as responsible stewards of their data.

1. Introduction

Presentation of this report

Section 72 of the Privacy Act requires the head of a federal institution to submit an annual report to Parliament on the administration of the Act following the end of every fiscal year. This is ESDC’s annual report to Parliament on the administration of the Privacy Act for the 2022 to 2023 fiscal year.

There are no ESDC wholly owned subsidiaries or non-operational institutions on which to report.

About ESDC

ESDC is the Government of Canada department responsible for developing, managing, and delivering social programs and services. Its mission is to build a stronger and more inclusive Canada, support Canadians in helping them have productive and rewarding lives and improve their quality of life. ESDC includes 2 major entities: the Labour Program and Service Canada.

The Department is responsible for many programs and services that affect Canadians throughout their lives. It provides seniors with basic income security, supports unemployed workers, helps students finance their post-secondary education and aids parents in raising young children. The Labour Program contributes to social and economic well-being by fostering safe, healthy, fair, and inclusive work environments and cooperative workplace relations under federal jurisdiction. Service Canada engages with millions of Canadians each year to provide a range of government services and information online, by phone, and in person.

ESDC is responsible for the design and delivery of many of the most well-known Government of Canada programs and services, such as:

  • OAS
  • CPP
  • EI
  • Canada Student Grants and Loans and Canada Apprentice Loans program
  • Canada Education Savings Program
  • Wage Earner Protection Program
  • Passport Services

For the 2022 to 2023 fiscal year, ESDC’s planned expenditures on programs and services totalled $89.2 billion. Of that amount, $87.6 billion was allocated to benefit Canadians directly through statutory payment, grant and contribution programs.

2. Organizational context

ESDC’s Corporate Secretary and Chief Privacy Officer

ESDC’s Corporate Secretariat Branch is responsible for issuing and overseeing the implementation of the Department’s privacy management policy, providing privacy advice and guidance and, in the National Capital Region, for processing privacy requests. These activities are carried out by the Branch’s Access to Information and Privacy (ATIP) Operations Division, with functional support from ESDC’s 4 regional branches, and the Privacy Management Division (PMD).

The Corporate Secretary heads the Branch and is ESDC’s designated Chief Privacy Officer (CPO). The CPO is the Department’s functional authority on all privacy matters and leads the management of privacy in the Department. The CPO’s responsibilities consist of providing strategic privacy policy advice and maintaining ESDC’s privacy management program that includes assessing privacy risks, monitoring compliance with privacy legislation, issuing policies and standards, and providing privacy training, all of which are crucial in implementing a privacy by design approach.

Access to Information and Privacy Operations Division

The ATIP Operations Division administers the Access to Information Act and the privacy request components of the Privacy Act for ESDC. It leads and advises on the processing of all ESDC requests under the Access to Information Act, performs line-by-line reviews of records requested under the Acts, and delivers training and awareness sessions to departmental employees on their administration. The Director of ATIP Operations is ESDC’s designated ATIP Coordinator.

The responsibility for processing Privacy Act requests in ESDC is shared between the ATIP Operations Division and the Department’s 4 regional branches: Atlantic, Ontario, Quebec, and Western and Territories. ATIP Operations Division is responsible for coordinating ATIP activities in ESDC’s branches and regions, which include:

  • responding to Access to Information Act requests
  • responding to specific Privacy Act requests
  • providing functional guidance to the regions about the operational and reporting components of the privacy function
  • delivering general and tailored training sessions to employees on the administration of both acts

The Division also reviews Open Government publications for compliance with the Privacy Act.

The ATIP Operations Division is composed of an intake unit, several ATIP processing teams, and a small proactive disclosure operations and policy unit. In 2022 to 2023, there were approximately 39 employees in the Division. Despite sustained resource challenges, the team achieved an improved rate of compliance while processing a record level of requests.

Regional privacy operations

The regional branches play a key role in fulfilling the Department’s Privacy Act responsibilities. During the 2022 to 2023 fiscal year, there were approximately 61 employees in the regions who processed ATIP files. A network of liaison officers and managers within each region supports the processing of privacy requests and provides expert advice and guidance directly to program areas, working under the guidance of ATIP Operations Division.

Privacy Management Division

PMD is ESDC’s centre for privacy policy expertise and is the Department’s focal point for privacy advice. PMD leads the horizontal implementation of departmental privacy policies and initiatives, conducts risk analyses, including PIAs, and gives privacy compliance guidance. In doing so, the Division incorporates a privacy by design approach that integrates privacy considerations in the early stages of new programs, projects, and initiatives. It also supports the preparation of information-sharing agreements and contracts. The Division responds to court and law enforcement requests for documents, administers public interest disclosures, plays a key role in the management and prevention of privacy breaches, and supports privacy training and awareness activities. Also, PMD provides strategic privacy policy and analytical advice to the CPO and ESDC’s senior leaders.

The Division is organized into 4 functional groups consisting of a privacy policy and risk management unit, a privacy compliance and advisory services unit, an incident management and legislative disclosures unit, and a small strategic advisory and planning team. At the end of the 2022 to 2023 fiscal year, PMD had 39 employees. Consultants totalling 1.1 full-time equivalents were engaged during the reporting period.

Service Agreement with the Canadian Accessibility Standards Development Organization

ESDC has a memorandum of understanding to provide ATIP services for the Canadian Accessibility Standards Development Organization, an independent departmental corporation in the Department’s portfolio. This organization, established under the Accessible Canada Act, is mandated to contribute to the realization of a Canada without barriers on or before January 1, 2040.

Services include processing services, annual reporting advice and statistics, liaison functions, and training. ESDC also furnishes, when required, analysis and advice for PIAs, information-sharing arrangements, disclosures, contracting, legislative and policy compliance, and the management of security incidents.

3. Employment and Social Development Canada’s privacy regime

Legal framework for privacy

ESDC operates within one of the most complex privacy regimes in the Government. Its legal obligations are set out in the Privacy Act and in the personal information protection provisions found in the Department of Employment and Social Development Act (DESDA). Moreover, given the many collaborative efforts in which ESDC is involved to deliver national programs and services, legal interoperability with Government of Canada organizations, the provinces and territories, and municipal governments is always an important requirement.

The Privacy Act is the federal legislation that protects the personal information of Canadians, permanent residents, and individuals present in Canada that is in the control of federal public-sector institutions. Extending from the Charter of Rights and Freedoms, the Act is a key foundation piece for preserving the privacy interests of individuals in Canada. It sets the rules for the Government’s management of personal information by providing a framework on how federal institutions can collect, use, retain, and disclose personal information.

The collection and use of personal information by federal institutions are based on lawful authority or legal authorization. Federal institutions can only collect or use personal information with a sufficiently direct connection to legally authorized programs and activities.

Personal information under the control of a government institution cannot be disclosed without the consent of the individual, except in specific circumstances. These include uses that are consistent with the purpose of the original collection, when authorized by federal legislation, to comply with legal instruments, such as subpoenas and court orders, in circumstances where there is a clear benefit to the individual, and where there is a public interest that outweighs the invasion of privacy. Importantly, the Act gives individuals the right to request access to their own personal information held by a federal institution and the right to request a correction to their information when it is inaccurate.

The Privacy Act also establishes the OPC, an independent agent of Parliament that oversees the Act’s implementation. The Privacy Commissioner has powers to receive and investigate complaints, including in cases where an individual’s request for access to their personal information has been refused by a government institution.

The administration of the Act by federal institutions, including ESDC, is supplemented by policies and directives. These are issued by the President of the Treasury Board or an authorized delegate.

In addition to the Privacy Act, the management of personal information by ESDC is undertaken in accordance with the statutory obligations in the Department’s enabling legislation. DESDA describes the rules for personal information controlled by ESDC and is applied in tandem with the Privacy Act. DESDA sets out the requirements for:

  • making personal information available to other federal institutions, provincial and territorial authorities or international partners for administrative and integrity purposes
  • making personal information available in the public interest and for law enforcement
  • making available the information contained in the Social Insurance Register
  • using personal information for internal policy analysis, research, and evaluation purposes
  • making personal information available for research or statistical analysis

Where the Department delivers services to the public on behalf of other federal institutions and jurisdictions, or when delivering select services for the Government of Canada, the partner’s privacy regime, normally the Privacy Act, will apply instead of DESDA.

Privacy Act Delegation Order

Section 73 of the Privacy Act empowers the head of an institution to delegate any of the powers, duties or functions assigned to that person by the Act to employees of that institution, typically through a delegation order. This instrument sets out the powers, duties, and functions for the administration of the Act that have been delegated by the head of the institution and to whom that delegation has been assigned.

The approved Privacy Act Delegation Order that was in effect on March 31, 2023, is reproduced in Annex A. A new delegation order incorporating organizational changes in ESDC is anticipated during the 2023 to 2024 fiscal year.

Departmental Policy on Privacy Management

The Departmental Policy on Privacy Management supports a robust privacy by design regime for the protection and judicious use of personal information by ESDC. Supplementing TBS policies, directives and standards, this departmental policy codifies the requirements for the management and protection of personal information, articulates clear and universal privacy policy principles, and specifies roles and responsibilities for the management of personal information including discrete functional responsibilities and accountabilities. The policy also sets out ESDC’s Privacy Management Framework, outlined below, designates the CPO, and establishes the Department’s privacy governance mechanisms.

The expected results from the application of the Departmental Policy on Privacy Management include the sound management and safeguarding of personal information by the Department; the implementation of robust practices for the identification, assessment, and management of risks to personal information; and the establishment of clear accountabilities with effective governance structures and mechanisms to protect and manage personal information under ESDC’s stewardship.

Privacy Management Framework

ESDC’s Privacy Management Framework reflects privacy by design principles by promoting a proactive approach for the management of personal information by fostering the integration of privacy practices into the program, system, and business process design. The Framework consists of 5 elements:

  • Governance and accountability: Roles and responsibilities for privacy are clearly defined
  • Stewardship of personal information: Appropriate privacy protections are implemented to properly manage personal information throughout its life cycle
  • Assurance of compliance: Formal processes and practices are in place to ensure adherence to privacy specifications, policies, standards and laws
  • Effective risk management: Structured and coordinated risk identification and assessments are conducted to limit the probability and impact of negative events
  • Culture, training, and awareness: Privacy training and awareness activities that sustain a privacy-aware organization that values the protection and stewardship of personal information

The Framework is a clear and succinct foundational element for establishing and operating a comprehensive privacy program in the Department.

Privacy governance at ESDC

ESDC uses a committee structure to support privacy governance, risk oversight, and decision making. For this reporting period, the Department’s primary governance body for privacy and the safeguarding of personal information was the Data and Privacy Committee (DPC) that is co‑chaired by the CPO and the Chief Data Officer. The DPC is mandated to provide oversight on the management of personal information entrusted to the Department and the management of enterprise data resources. The DPC supports the implementation and maintenance of ESDC’s data strategy and privacy management programs, provides oversight on risk management processes for the management of data and personal information, and promotes a departmental culture that recognizes that data is a business asset that should be maximized while respecting the privacy rights of Canadians.

The DPC reports to the Assistant Deputy Minister-level Enterprise Management Committee. The Committee serves as the Department’s horizontal oversight and decision-making body for the implementation of enterprise strategies, plans, policies, and guidelines related to the management of risk, data, information, technology, and security, and corporate finances and resources.

4. Policies, procedures, and initiatives

The breadth and scale of ESDC’s activities mean that the Department is responsible for managing one of the largest personal information holdings in the Government of Canada. The delivery of programs and services by ESDC frequently involves the collection, use, and disclosure of personal information. Often, detailed and sensitive personal information is required to determine program eligibility or to provide benefits and services. Along with its broad mandate and the responsibility to manage immense volumes of personal information, ESDC must operate within a complex privacy legal regime that includes the Privacy Act and DESDA, as well as the specific statutory requirements for the Department’s federal and provincial government partners.

ESDC regularly engages with Indigenous stakeholders on the processing of privacy requests with the aim of advancing reconciliation and facilitating access to culturally appropriate personal information services for Indigenous requesters.

Throughout 2022 to 2023, ESDC continued to advance a proactive, risk-based approach to privacy management and sought to adapt its activities and processes to the needs of the changing privacy environment. It applied its privacy lens to the large number of departmental initiatives, some of which involved the large-scale collection, use and disclosure of personal information.

Privacy assessments and compliance reviews

In accordance with the Treasury Board’s Directive on PIAs, ESDC must conduct a PIA before establishing any new or substantially modified program or activity involving the administrative use of personal information. PIAs are used to identify and assess privacy risks, as well as to develop plans to reduce or eliminate those risks. Among federal institutions, ESDC is an innovator in the methods used to conduct privacy assessments. For example, PMD draws from a suite of approaches that it developed, including full PIAs, Privacy Analyses (a streamlined PIA process for lower-risk activities), Privacy Analyses for Information Technology Solutions (PAITS), and Privacy Protocols, to tailor the assessment that is most appropriate for an ESDC project or initiative. These instruments have enabled ESDC to continue to be a leading department for the completion of PIAs over the past several years.

In 2022 to 2023, ESDC produced 15 PIAs and prepared significant updates to 7 others as part of its privacy by design approach. Copies of the PIA reports and updates were provided to TBS and the OPC. Information on these assessments is provided in Annex B of this report and on ESDC’s PIA website.

Privacy reviews for the Department’s policy analysis, research and evaluation activities were also completed. This past fiscal year, 26 such reviews were completed for these initiatives involving non-administrative uses of personal information compared to 23 during 2021 to 2022.

DESDA and its related regulations set out strict parameters for making available personal information that is under the control of the Department. ESDC’s privacy policy requires that all arrangements for making personal information available to other federal institutions, other jurisdictions, and service delivery providers are verified by PMD. The Division also makes sure that these instruments have the necessary terms and conditions for the use, disclosure, protection, and disposal of personal information made available by ESDC. The implementation of information-sharing agreements requires the endorsement of the appropriate privacy authority designated in the DESDA Delegation Order, normally the CPO or the Executive Director of the PMD. All procurement documents are similarly required by policy to be checked by PMD to ensure compliance with statutory and privacy policy requirements. This past fiscal year, 76 information-sharing agreements and 74 procurement instruments were reviewed in detail.

The internal departmental demand for privacy services remains high. For example, initial reviews for programs, projects and software applications are a relatively new function for PMD, which has experienced rapid growth in the volume of service requests over the past 3 fiscal years. The Division completed 222 such reviews in 2022 to 2023, an increase of 10% from the previous year. The number of general privacy inquiries and requests for service from internal clients maintained their record levels, totalling 221 during the reporting period. In addition, PMD prepared 80 privacy notices and consent forms.

ATIP modernization

ESDC continued to make progress in modernizing its practices through a comprehensive initiative to standardize processes and identify efficiencies in the processing of requests. It is a renewal exercise that is expected to enhance operational effectiveness once completed. This work continues to be given a high priority with a view to leveraging technological change and the benefits of an increasingly digital environment.

Benefits Delivery Modernization

ESDC’s privacy management team worked closely on the Department’s service transformation projects, including the Benefits Delivery Modernization (BDM) Programme, where a multi-pronged strategy is being applied. The BDM Programme delivers improved client experience for several of Canada’s largest benefits programs through a modern technology platform, streamlined processing, new digital services, and enhanced service management capabilities.

ESDC is applying core principles of its Privacy Management Framework, namely effective risk management and stewardship of personal information, by using its privacy by design approach and by assigning dedicated privacy resources to the Programme. Privacy advice is being integrated into the BDM Programme design while detailed privacy analyses and risk assessments are conducted for individual project components. During the past fiscal year, PMD completed compliance reviews for several BDM items, including privacy protocols and procurement documents. Privacy assessments were also underway for several major Programme components.

Breach management protocols

With the introduction of updated breach management requirements by TBS, ESDC launched a review of its own breach directive and processes to ensure that they were aligned. Work is underway in collaboration with Corporate Security, Cybersecurity, and IT Security to revise the ESDC directive, modify processes, and amend roles and responsibilities. The Department is expecting to finalize these elements during the fourth quarter of 2023 to 2024.

Strategic risks

ESDC maintains a privacy strategic risk profile to identify and focus attention on the most prominent threats to the management and safeguarding of personal information under the Department’s control. There is a continuous effort to implement practices that allow for the effective safeguarding of personal information as an integrated part of program administration and departmental operations. Risk management includes monitoring a rapidly changing context and threats, including cyber security, information management, contracts, and information-sharing agreements, assessment, and mitigation.

Privacy Management Road Map

In 2018, ESDC introduced a multi-year strategic plan, a privacy management road map, in response to the rapidly changing privacy environment and in support of the Department’s modernization and innovation initiatives. The implementation of the road map resulted in strengthened risk management practices, revised privacy governance mechanisms, optimized approval processes, and buttressed incident management activities and legal instrument disclosure processes.

Based on the success of the first 3-year privacy management road map, a new privacy road map was developed for the next 3 years. This updated plan identifies actions to further strengthen privacy management processes, enhance collaboration with PMD’s information management and security partners, support ESDC’s strategic priorities, and modernize the Department’s privacy practices as it seeks technological and methodological innovation in the use of personal information.

New SIN authority — One-time Guaranteed Income Supplement payment for older seniors

In accordance with the Directive on Social Insurance Number, the Minister of Seniors was granted an authority for a new consistent use of the SIN that was collected for the purposes of administering a one-time grant for GIS recipients of pandemic benefits. This activity occurred in April 2022. SINs that were collected under the authority of the Income Tax Act by the Canada Revenue Agency, and by ESDC for the administration of EI and OAS, were used to determine program eligibility.

5. Performance overview

This section provides key statistics and analysis on ESDC’s accomplishments in the 2022 to 2023 fiscal year and demonstrates how the Department contributed to the Government’s administration of the Privacy Act. Most of the charts and tables below provide a 4-year comparison highlighting ESDC’s Privacy Act administration performance trends. The Department’s detailed statistical report on its administration of the Privacy Act is found in Annex C.

During the 2022 to 2023 reporting period, there was a significant increase in privacy access requests with 20,964 received during the fiscal year, a new record for ESDC. As with the previous year, further progress was made to improve compliance rates, although they remained below levels that the Department typically achieved in pre-pandemic years.

Requests and consultations: total volume

ESDC experienced an 18% increase in privacy requests, from 17,695 in 2021 to 2022 to 20,964 in fiscal year 2022 to 2023. Consultation requests received related to the Privacy Act totalled 11 during the reporting period.

Figure 1: Privacy Act requests – total volume received
Year | Number of requests
2019 to 2020 | 15,405
2020 to 2021 | 13,998
2021 to 2022 | 17,695
2022 to 2023 | 20,694

Figure 2: Privacy Act consultation requests – total volume received
Year | Number of requests
2019 to 2020 | 23
2020 to 2021 | 11
2021 to 2022 | 3
2022 to 2023 | 11

The following table (Table 1) provides a summary of ESDC’s Privacy Act access request metrics comparing them across the last 4 fiscal years.

Table 1: Summary of requests under the Privacy Act
Activity | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 | 2022 to 2023
Formal requests received under the Privacy Act | 15,405 | 13,998 | 17,695 | 20,964
Requests completed during the reporting period | 15,004 | 12,883 | 17,577 | 21,321
Number of requests completed within legislated timeframes (including extensions) | 14,949 | 5,906 | 10,190 | 15,098
Number of requests completed beyond legislated timeframes | 55 | 6,977 | 7,387 | 6,223
Proportion of requests that were responded to within legislated timeframes | 99% | 46% | 58% | 71%

Total requests received and completed

The number of requests closed during the reporting period grew from 17,577 in 2021 to 2022 to 21,321 in 2022 to 2023. Recovery from the effects of the pandemic, which had caused a great number of responses to be late in the previous 2 years, continued in the current reporting period. As a result, the Department completed a record number of requests during the year, 21% more than the previous record in 2021 to 2022.

Figure 3: Requests received and completed
Year | Total requests received | Total requests completed
2019 to 2020 | 15,405 | 15,004
2020 to 2021 | 13,998 | 12,883
2021 to 2022 | 17,695 | 17,577
2022 to 2023 | 20,964 | 21,321

Requests by calendar days taken to complete

As with the last fiscal year, ESDC processed more privacy requests than it received during this reporting period. The compliance rate for closing requests within 30 days (or 60 days after an extension) continued to rebound from the impact of the pandemic, increasing from 58% in 2021 to 2022 to 71% in 2022 to 2023. This increase was achieved despite a corresponding rise in Privacy Act requests by 18% and significant efforts made to reduce residual processing backlogs acquired during the pandemic. As of April 1, 2023, there were 1,631 active requests carried over to the next reporting period, of which 94% were on track to be processed within the legislated deadlines.

Figure 4: Privacy Act access requests by calendar days taken to complete
Year | 30 Calendar Days | 31 to 60 Calendar Days | 61 or more Calendar Days
2019 to 2020 | 14,613 (97%) | 358 (2%) | 33 (1%)
2020 to 2021 | 5,029 (39%) | 2,459 (19%) | 5,395 (42%)
2021 to 2022 | 8,130 (46%) | 5,009 (29%) | 4,438 (25%)
2022 to 2023 | 12,257 (58%) | 5,694 (27%) | 3,370 (15%)

Figure 5: Number of Privacy Act requests processed within and beyond legislated timeframes
Year | Within | Beyond
2019 to 2020 | 14,949 (99%) | 55
2020 to 2021 | 5,906 (46%) | 6,977
2021 to 2022 | 10,190 (58%) | 7,387
2022 to 2023 | 15,098 (71%) | 6,223

Reasons for extensions

Institutions may apply for an extension beyond the original 30-day statutory timeframe in cases where meeting the statutory date is not feasible. In 2022 to 2023, there were 1,285 large volume requests, 3 requests requiring either translation or converting a record to another format, and 16 internal consultations, which were required to be performed and could not reasonably be conducted within the initial 30 days. These requests resulted in ESDC seeking 1,304 extensions. This total represented a 22% increase from 2021 to 2022 when ESDC requested 1,069 extensions.

Table 2: Number of Privacy Act requests where an extension was taken
Privacy Act Section | Reason for extension | Number of requests for extension
15(a)(i) Interference with operations | Further review required to determine exemptions | 0
15(a)(i) Interference with operations | Large volume of pages | 0
15(a)(i) Interference with operations | Large volume of requests | 1,285
15(a)(i) Interference with operations | Documents are too difficult to obtain | 0
15(a)(ii) Consultation | Cabinet Confidence (Section 70) | 0
15(a)(ii) Consultation | External | 0
15(a)(ii) Consultation | Internal | 16
15(b) Translation purposes or conversion | Translation or conversion | 3
TOTAL | | 1,304

Timeframe monitoring

Given the Department’s decentralized approach to processing privacy requests, there is currently no centrally directed specific monitoring vis-à-vis the time taken to process personal information requests, limits to inter-institutional consultations or reviews of frequently requested types of information. ESDC’s regional offices manage most of the privacy requests (personal information requests and requests for the correction of personal information) for the Department and prepare periodic reports concerning new requests, workload, and status updates regarding on-time performance for privacy requests. Performance reports are generated by the regional offices on a monthly, quarterly, and yearly basis.

As the Department continues to modernize the privacy request function, standardization and compliance monitoring will be a major focus so that Canadians receive dependable, responsive service to every request.

Number of active requests that are outstanding from previous fiscal years

Occasionally, the processing time for some Privacy Act requests is longer than the legislated timeline.

Table 3: Number of active requests outstanding from previous reporting periods
Fiscal year during which the open request was received | Open requests that are within legislated timelines as of March 31, 2023 | Open requests that are beyond legislated timelines as of March 31, 2023 | Total
2022 to 2023 | 1,523 | 79 | 1,602
2021 to 2022 | 2 | 16 | 18
2020 to 2021 | 0 | 8 | 8
2019 to 2020 | 0 | 2 | 2
2018 to 2019 | 0 | 0 | 0
2017 to 2018 | 0 | 1 | 1
2016 to 2017 | 0 | 0 | 0
2015 to 2016 or earlier | 0 | 0 | 0
Totals | 1,525 | 106 | 1,631

Pages processed and disclosed

During this reporting period, 1,837,744 pages were processed for exemptions and exclusions, representing an increase of 24% from the previous fiscal year when 1,477,202 pages were processed. A total of 1,738,097 pages were disclosed, which is also an increase from the previous year when 1,384,322 pages were disclosed. The numbers of pages processed and pages disclosed during the reporting period were both significantly higher than in any previous reporting period.

Figure 6: Number of pages processed and disclosed, Privacy Act
Year | Pages Processed | Pages Disclosed
2019 to 2020 | 1,259,755 | 1,208,351
2020 to 2021 | 1,164,618 | 1,084,070
2021 to 2022 | 1,477,202 | 1,384,322
2022 to 2023 | 1,837,774 | 1,738,097

Exemptions and exclusions

As ESDC is one of the largest holders of personal information in the Government of Canada, the application of exemptions and exclusions under the Privacy Act typically occurs more frequently than at most other federal institutions. During 2022 to 2023, the total number of requests that were completely disclosed was 2,969 (17%). The number of files that were disclosed in part was 13,633 (77%). There were 2 requests which were all exempted and 1,178 abandoned requests.

Exemptions

While the Privacy Act provides individuals with an enforceable right of access to their personal information, there are instances where certain limited and specific exemptions can be applied. The Privacy Act exemption that was applied most frequently was section 26, which protects personal information of another individual as defined by section 3 of the Act. This exemption occurred in 13,486 instances of completed requests during the 2022 to 2023 fiscal year. This represents an increase of 1,500 when compared to the previous fiscal year.

Table 4: Number of Requests and Percentage of Total Exemptions
Privacy Act Section | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 | 2022 to 2023
s. 22 – Law enforcement and investigation | 56 (0.6%) | 63 (0.7%) | 13 (0.1%) | 65 (0.5%)
s. 26 – Information about another individual | 9,812 (98.7%) | 8,628 (98.8%) | 11,986 (99.3%) | 13,486 (98.9%)
s. 27 – Solicitor-client privilege | 63 (0.6%) | 42 (0.5%) | 48 (0.4%) | 73 (0.5%)
s. 28 – Medical record | 0 | 0 | 0 | 2 (0.01%)

Exclusions

The Privacy Act allows for the exclusion of certain types of information, such as records that are already available to the public (section 69) and confidences of the King’s Privy Council for Canada (section 70). During the 2022 to 2023 fiscal year, there were zero exclusions.

Consultations received from other Government of Canada institutions and other organizations

ESDC received 11 external consultation requests during the 2022 to 2023 fiscal year, requiring a review of 120 additional pages. These requests originated from Government of Canada institutions and other organizations.

The Department closed 12 requests for consultations, 8 of which were completed within 30 days. Of the total number of requests for consultation, 6 resulted in a recommendation to the consulting institution or organization to disclose the records entirely.

Table 5: Consultation requests received from other Government of Canada institutions and other organizations
Types of consultation | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 | 2022 to 2023
Consultation requests received under the Privacy Act | 20 | 11 | 3 | 11
Additional pages reviewed under the Privacy Act | 3,137 | 388 | 127 | 215
Privacy Act requests for consultations closed | 21 | 9 | 5 | 12
Privacy Act requests for consultations closed within 30 days | 18 | 3 | 1 | 8

Requests for the correction of personal information under the Privacy Act

Under the Privacy Act, individuals have a right to request the correction of erroneous personal information pertaining to them that is retained by a government institution, provided that the individual can adequately substantiate the request. ESDC accepted 1 request for correction and attached 4 notes to files during the 2022 to 2023 fiscal year.

COVID-19 operational impact

The challenges of transitioning to remote working at the outset of the COVID-19 pandemic resulted in a lower ATIP compliance rate and the creation of a backlog of ATIP requests during the 2020 to 2021 fiscal year. By assigning additional resources and using new electronic processes, the Department reduced the backlog during 2022 to 2023 and significantly improved its compliance rate.

6. Complaints, investigations, and court actions

Under the Privacy Act, individuals may lodge complaints to the OPC on the processing of their access requests if they were refused access or if they feel there was an undue delay. They can also lodge complaints on personal information handling practices, such as the collection, use or disclosure of their personal information.

During the 2022 to 2023 fiscal year, the OPC notified ESDC of 33 privacy complaints. At the end of the reporting period, ESDC had 25 open complaints: 14 originated before 2022 to 2023; 9 were from 2021 to 2022; 2 from 2020 to 2021; 2 from 2016 to 2017; and 1 from 2013 to 2014 or earlier.

The early resolution process resolved or dismissed 18 complaints during 2022 to 2023. Five complaints were in the early resolution process at the end of the reporting period. OPC investigations determined that 6 complaints were well founded and 1 was not well founded. Two investigations were discontinued. There were 8 open investigations at the end of the fiscal year.

Four of the well-founded complaints involved instances where ESDC did not satisfy the legislated time limits for responding to Privacy Act requests. In these cases, the Department was unable to provide the requested information before the required due date. As a result, departmental guidance and procedures to search for and deliver relevant records were modified. Of the 2 other well-founded complaints, 1 involved an access matter that was the result of isolated issues with records retention. The issues have been addressed by making the appropriate adjustments to ESDC’s processes and procedures. The remaining well-founded complaint involved the disclosure of personal information by ESDC to another federal institution that was not compliant with applicable privacy legislation. In accordance with the OPC’s recommendations, awareness of privacy roles and responsibilities was reinforced by the Department. In all 6 cases, the OPC determined that the complaints were resolved or conditionally resolved.

There were no privacy complaints deliberated in the courts during the reporting period.

The following table provides additional information about the complaints and their status or outcomes.

Table 6: Complaints, investigations, and court actions, 2022 to 2023
Complaints received | Total
Access | 4
Time limits | 11
Extension Notice | 1
Use and disclosure | 14
Multiple types | 3
Total number of complaints received | 33
Early resolution process |
Early resolution - resolved | 18
Early resolution - dismissed | 1
Early resolution - process underway | 5
Investigations | Total
Well founded | 6
Not well founded | 1
Open | 8
Discontinued | 2
Total number of findings received | 6
Court actions | Total
Number of court actions | 0
  • Note: The total number of notifications of complaints received and the total number of cases that were in the early resolution and investigation processes will not necessarily be the same in a given fiscal year. Early resolutions and investigations often relate to complaints that were received by the OPC in a fiscal year before the 2022 to 2023 reporting period.

7. Public interest disclosures

Disclosures in the public interest are made by ESDC under subsection 37(1) of DESDA instead of under paragraph 8(2)(m) of the Privacy Act. All such disclosures are reported to the OPC.

During the 2022 to 2023 fiscal year, the Department made 509 public interest disclosures. ESDC processed 458 of these disclosures in its regional branches, most of which resulted from incidents involving individuals who threatened to harm themselves or others. In situations where there is an immediate threat to the safety and security of individuals, employees have the delegated authority to make the disclosure. Given the urgency of these events, the OPC was notified after the disclosure was made.

PMD approved the disclosure of personal information in an additional 51 cases (“National Headquarters disclosures”). In most of these instances, personal information was made available to locate an individual, such as a missing person, or for a police investigation.

The reasons for these disclosures and the totals for each are described in the following table.

Table 7: Number of disclosures by reason
Reason for disclosures | Number of disclosures
Regional disclosures (Imminent threats) | 458
National Headquarters disclosures |
Locate an individual (next of kin, estate related, locate an heir, missing person) | 28
Police investigation/Wanted individual | 19
Benefits eligibility | 4
TOTAL | 509

8. Material privacy breaches

A privacy breach is defined by TBS-issued policy as “the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information.” A privacy breach is “material” when it “could reasonably be expected to create a real risk of significant harm to an individual.”

During the 2022 to 2023 fiscal year, the Department reported 193 material breaches to the OPC and to TBS, a 45% decrease from the number of incidents in the previous fiscal year (346). The majority of these breaches were caused by operational errors resulting in personal information becoming lost in transit in the postal system or sent to the wrong person. Most of these incidents (136 cases) involved lost, misdirected, or stolen passports and passport application documents. The Canada Post Corporation took responsibility for 91 of these incidents (please refer to the table below). ESDC was responsible for the other 45 incidents.

The decline in the number of material breaches in 2022 to 2023 from the previous fiscal year is attributed, in part, to the application of the new TBS definition for “material breach.” As well, ESDC, in coordination with its federal partners for the provision of passports, deemed the return of misdirected passport and passport application documents as non-material breaches where they were identified as material breaches in previous years. It was determined that misdirected passports and supporting documents that were promptly returned were unlikely to have been used maliciously and were, therefore, considered a low risk to have caused significant harm or injury.

The unauthorized access of personal information stored in ESDC’s systems accounted for 42 material breaches. These cases were identified through the Department’s expanded Audit Log Monitoring activity that tracks the access of personal information by employees in ESDC’s electronic data holdings.

The Department continuously applies administrative, technical, and physical measures to reduce privacy breaches. Importantly, through ESDC’s privacy training and awareness activities, employees are informed and trained in the handling of personal information, including appropriate use and safeguarding protocols.

Table 8 provides a breakdown of the material breaches by cause and a brief description of follow-up measures.

Table 8: Description of material breaches and action plans

Number of material breaches: 15
Nature of information breached: Personal information incorrectly shared with third-party individuals via telephone, email, or mail and/or documents containing personal information of clients were lost or stolen.
Communication and notification: When possible, personal letters were sent to affected individuals informing them of the breach.
Actions undertaken in response:
  • Provided training to employees on proper procedures and best practices for handling personal information, specifically focused on:
    • mailing procedures
    • indexing procedures
    • authentication process when on a call with a client
  • Reminded employees of the importance and sensitivity of dealing with personal information.
  • Reminded employees of the security requirements when sending or carrying personal information.
  • Modified procedures as needed.
  • Offered credit monitoring to certain affected individuals who were deemed to be at a higher risk of fraud.

Number of material breaches: 42
Nature of information breached: Employees who made unauthorized accesses into departmental systems of client information (mostly discovered as part of internal audits conducted on the departmental systems).
Communication and notification: When possible, personal letters were sent to affected individuals informing them of the breach.
Actions undertaken in response:
  • Revoked reliability status in some cases, which resulted in the dismissal of the employee as maintaining reliability status is a condition of employment.
  • Reminded employees they should not access information they are not authorized to access.
  • Reminded employees to review the ESDC Code of Conduct.
  • Instructed some employees to retake training courses.

Number of material breaches: 91
Nature of information breached: Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected, where Canada Post Corporation was responsible for the breach.
Communication and notification: When possible, personal letters were sent to affected individuals informing them of the breach.
Actions undertaken in response:
  • Asked individuals to resubmit their applications and reimbursed the cost of new documents, pictures, and postage in some cases.
  • In accordance with standard procedures, passports were cancelled, and new passports were issued at no charge.
  • Searches were conducted by Canada Post Corporation to locate the documents.

Number of material breaches: 45
Nature of information breached: Passports, passport applications, and documents included with passport applications, lost, stolen, or misdirected because of an internal ESDC error.
Communication and notification: When possible, personal letters were sent to affected individuals informing them of the breach.
Actions undertaken in response:
  • Asked individuals to resubmit their applications and reimbursed the cost of new documents, pictures, and postage in some cases.
  • Cancelled passports and issued new passports at no charge in accordance with standard procedures.
  • Took internal corrective measures, including reminding employees of the importance of protecting personal information and the procedures for mailing.
  • Conducted thorough searches of the office and mailroom to locate the documents.

Total Number of Material Breaches: 193

9. Training and awareness activities

Online privacy training

ESDC has a comprehensive training program to increase the knowledge and awareness of appropriate personal information management practices. All employees must maintain a valid 2-year certification in Stewardship of Information and Workplace Behaviours (SIWB), which addresses privacy, the handling of personal information, security, access to information, information management, and values and ethics. It is a component of the Department’s Essential Training Curriculum and is delivered online. By the end of the reporting period, 9,503 employees had achieved SIWB certification over the fiscal year. There were 33,453 employees certified in 2021 to 2022.

To complement SIWB certification, ESDC has additional privacy-relevant online courses in its training catalogue. The “Access to Information and Privacy (ATIP): It’s Everybody’s Business” course gives employees the knowledge required to protect, use, and disclose personal information daily and teaches them to prevent breaches by seeking guidance or by using good judgment in a timely manner. Last fiscal year, 8,829 employees completed it.

New employees take the “Doing Things Right and Doing the Right Thing: Putting the Departmental Code of Conduct into Action” course, which has a significant privacy component. The course helps participants understand the application of ethical behaviour in the workplace and how to use that knowledge to guide them in their day-to-day work and decision-making, including their interactions with clients and colleagues. The course was taken by 7,137 employees during the 2022 to 2023 fiscal year.

In-person and virtual training and awareness

Throughout the reporting period, the Department continued to deliver practical, easy-to-understand, and readily available privacy information and guidance to employees to reinforce the application of appropriate personal information handling and safeguarding practices, as well as to provide general knowledge on the philosophical and legislative underpinnings of privacy. The highlights of these activities were privacy-themed information events and a series of specialized knowledge talks delivered during Privacy Awareness Week in January 2023.

Overall, 1,757 ESDC employees attended, either in-person or by video, 24 privacy training and awareness sessions offered during 2022 to 2023. This was a 56% increase from the previous fiscal year (1,127 people in 2021 to 2022).

Annex A: Privacy Act Delegation Order

Privacy Act and Regulations: Delegation of Authority, Department of Employment and Social Development

The Minister of Employment and Social Development, pursuant to section 73 of the Privacy Act (the Act), hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties or functions of the Minister as the head of a government institution, under the provisions of the Act and the Privacy Regulations (the Regulations) set out in the schedule opposite each position.

Original signed March 12, 2020, by the Minister of Employment and Social Development

Privacy Act – Delegated authorities
Description Section Delegated Authority
Retention of a record of requests and disclosed records to investigative bodies under Section 8(2)(e) of the Privacy Act 8(4)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Manager, ATIP Incident Management & Legislative Disclosures, ATIP Operations, NHQ
Retention of records of uses of personal information 9(1)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, Privacy Management
Notification of the Privacy Commissioner of any new consistent uses of personal information and ensure use is included in next statement of consistent uses set forth in the Index 9(4)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, Privacy Management, NHQ
Include personal information in personal information banks 10
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, Privacy Management, NHQ
Respond to request for access within 30 days and give written notice and, if access to be given, give access 14
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Extension of the 30-day time limit to respond to a privacy request 15
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Decision on whether to translate a response to a privacy request in one of the 2 official languages 17(2)(b)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Decision on whether to convert personal information to an alternate format 17(3)(b)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Decision to refuse to disclose personal information contained in an exempt bank 18(2)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
Decision to refuse access to personal information that was obtained in confidence from the government of a foreign state or institution, an international organization of states or an institution thereof, the government of a province or institution thereof, a municipal or regional government established by or pursuant to an act of the legislature of a province or an institution of such a government, or the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act or the council of a participating First Nation as defined in the First Nations Jurisdiction over Education in British Columbia Act 19(1)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Authority to disclose personal information referred to in 19(1) if the government, organization or institution described in 19(1) consents to the disclosure or makes the information public 19(2)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Refuse to disclose personal information that may be injurious to the conduct of federal-provincial affairs 20
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
Refuse to disclose personal information that may be injurious to international affairs or the defence of Canada or one of its allies 21
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister and Chief Operating Officer for Service Canada
  • Associate Deputy Minister
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
Refuse to disclose personal information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions 22
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Refuse to disclose personal information created for the Public Servants Disclosure Protection Act 22.3
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
Refuse to disclose personal information prepared by an investigative body for security clearance 23
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Refuse to disclose personal information that was collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence if the conditions in the Section are met 24
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Refuse to disclose personal information which could threaten the safety of individuals 25
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
Refuse to disclose personal information about another individual and shall refuse to disclose such information where disclosure is prohibited under Section 8 26
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Refuse to disclose personal information that is subject to solicitor-client privilege. 27
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Refuse to disclose personal information relating to the individual’s physical or mental health where the disclosure is contrary to the best interests of the individual 28
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Receive notice of investigation by the Privacy Commissioner 31
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
Right to make representations to the Privacy Commissioner during an investigation 33(2)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Director, Privacy Management, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Receive Privacy Commissioner’s report of findings of an investigation and give notice of action taken 35(1)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Provision of additional personal information to a complainant after receiving a 35(1)(b) notice 35(4)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisors
  • ATIP Officers (Regional ATIP)
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Receive Privacy Commissioner’s report of findings of investigation of exempt bank 36(3)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Director, Privacy Management, NHQ
Receive report of Privacy Commissioner’s findings after compliance investigation 37(3)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Director, Privacy Management, NHQ
Request that a court hearing, undertaken with respect to certain sections of the Act be held in the National Capital Region. 51(2)(b)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
Request and be given right to make representations in Section 51 hearings 51(3)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
Prepare annual report to Parliament 72(1)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Director, Privacy Management
Privacy Regulations – Delegated authorities
Description Section Delegated Authority
Allow examination of the documents (Reading Room) 9
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisor
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Notification of Correction 11(2)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisor
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Correction refused, notation placed on file 11(4)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisor
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Disclosure to a medical practitioner or psychologist 13(1)
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisor
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)
Disclosure in the presence of a medical practitioner or psychologist 14
  • Deputy Minister, ESDC
  • Deputy Minister, Labour
  • Senior Associate Deputy Minister of ESDC and Chief Operating Officer for Service Canada
  • Associate Deputy Minister, ESDC
  • Corporate Secretary and Chief Privacy Officer
  • Director, ATIP Operations, NHQ
  • Manager, ATIP Processing, ATIP Operations, NHQ
  • Team Leaders, NHQ
  • Service Manager (Regional ATIP)
  • Team Leaders (Regional ATIP)
  • Regional ATIP Advisor
  • Business Expertise Regional Consultant (QC ATIP)
  • Senior Consultant (QC ATIP)
  • Senior Business Expertise Consultant (QC ATIP)

Annex B: Summaries of completed privacy impact assessments

ESDC completed 15 PIAs over the course of the 2022 to 2023 fiscal year, as well as 7 updates for previously completed assessments. Six of the updates were detailed follow-up Privacy Compliance Evaluations that were prepared under the Interim Directive on Privacy Impact Assessment during the first years of the COVID-19 pandemic. Information on ESDC’s PIAs is found on the Department’s PIA website.

Hosted social media account management service – Hootsuite

As the Principal Publisher, the Citizen Service Branch is responsible for managing key digital services, including support of GC official social media accounts. In 2016, the Citizen Service Branch conducted a PIA on Hootsuite Enterprise as part of a large implementation of the Hootsuite Enterprise solution to federal organizations. Since 2016, there have been several changes in the administrative process of account management that are addressed in this PIA. The changes, however, do not involve a collection of personal information. Therefore, this PIA only serves as an update to the original PIA.

An update to the original PIA was completed to consider if there were any privacy risks associated with the creation and account management activities of the Principal Publisher and to determine the privacy-related impacts of implementing new modules. The PIA did not identify any privacy risks or compliance issues.

Implementation of the Federal COVID-19 Vaccination Policy Attestation Validation Requirement

During the COVID-19 pandemic, public sector employees reported their vaccination status attestations in the Government of Canada Vaccination Attestation System. ESDC developed and conducted an audit that was applied to all executive employees and a random selection of non-executive employees for the purpose of verifying attestations provided to the Government of Canada Vaccination Attestation System.

A PIA was completed to identify privacy risks associated with the collection and use of personal information for the purpose of verifying that the information provided to the Government of Canada Vaccination Attestation System was accurate and true. This PIA focused on the development of the random selection process, the tools used in verifying information, and data matching activities to ensure that individual privacy rights were protected. The PIA did not identify any privacy risks or compliance issues.

Information Sharing on the SIN-Social Insurance Register

The Canadian Employment Insurance Commission (CEIC) maintains a Social Insurance Register containing the SINs and any other information that it determines necessary to accurately identify individuals. In June 2014, the Minister of Employment and Social Development announced a specific commitment to improve information sharing with the Canada Border Services Agency to enhance the administration and enforcement of Canada’s immigration programs.

A PIA was completed to assess the privacy risks and compliance issues related to the disclosure of personal information between CEIC and Canada Border Services Agency. The PIA identified 1 medium risk and some low-level risks. In addition, there was 1 compliance issue.

One-time Grant for Guaranteed Income Supplement Recipients Who Received Pandemic Benefits in 2020

The GIS benefit is available to low-income OAS pensioners who experienced a loss or reduction to their GIS benefit due to receiving pandemic benefits in July 2021.

A PIA was completed to identify the privacy risks related to the collection, use, disclosure, and handling of personal information for clients receiving this payment. The PIA identified some medium-level risks, no low-level risks, and 0 issues of non-compliance.

Canada Pension Plan Disability Work Activity/Substantial Gainful Occupation

ESDC implemented a revised Canada Pension Plan Disability (CPPD) benefit policy to assess work activity and substantial gainful occupation as part of a multi-year renewal. The intent of the CPPD Work Activity/Substantial Gainful Occupation data collection phase is to collect information on recipients who report volunteer and/or education activities of 15 hours or more per week continuously for 4 months or more.

A Privacy Analysis was completed to identify privacy risks or compliance issues associated with handling personal information as the new CPPD policy will revise procedures on how personal information is being handled that directly affects that individual. This analysis identified 1 low risk and 1 medium risk. Also, there were 2 associated compliance issues. The corrective measures to address these issues are documented within the PIA.

Data Migration and Retention for the Public Health Agency of Canada COVID-19 Quarantine Compliance Campaign

ESDC assisted the Public Health Agency of Canada (PHAC) with the implementation of a call centre to monitor and ensure compliance with the Quarantine Compliance Campaign during the pandemic. To do so, ESDC leveraged an existing contract with a third-party organization to provide call centre services. The Order expired on September 30, 2022, which means all data collected by the third-party call centre organization needs to be migrated to and retained by ESDC.

A Privacy Analysis was completed to identify the privacy risks related to the migration and retention of personal information. The Privacy Analysis identified 1 low-level risk and no compliance issues.

Canada Student Financial Assistance Program Buy-Back of Student Loans from Financial Institutions

The Canadian Student Financial Assistance (CSFA) Program is in the process of buying back eligible student loans from financial institutions. As a result, personal information on borrowers will be transferred to CSFA’s third-party service provider, the National Student Loans Service Centre.

A Privacy Analysis was completed to identify privacy risks associated with the transfer of personal information for the purpose of purchasing remaining and outstanding loans from financial institutions to ESDC. The PIA identified 1 medium risk and 1 compliance issue. The strategies to address these risks and issues are scheduled for completion by August 2024.

Benefits Knowledge Hub

The Benefits Knowledge Hub data warehouse is a merged set of data from multiple sources. It supports the requirement that the Department can find, use, and understand data to answer key questions, and make evidence-based decisions. The Benefits Knowledge Hub generates reports and analytics on the outcomes of programs and services, including rapidly established benefits.

A PAITS was created to examine any privacy risks and associated mitigations related to the management and protection of personal information as it flows in, out and through the Hub. Multiple medium-level risks and 2 insignificant risks were identified. The mitigation strategies to address these risks were scheduled for completion by the end of the 2023 to 2024 fiscal year.

Canada Pension Plan-Disability Medical Expertise Division File Tracking Solution

When a CPPD application has been denied at the initial level and at the reconsideration level by Service Canada, the applicant can appeal with the Social Security Tribunal. A new case management solution will be used for applicants to provide additional information to appeal these files.

A PAITS was completed to identify the privacy risks related to the handling of personal information for case management purposes. The PAITS identified no risks or issues to be mitigated in the future. It is recommended that the program consult the PMD to assess any new components or improvements for the file management solution in the future.

EI Part II Application Programming Interface Project

The Application Programming Interface Project under Part II of the Employment Insurance Act will transfer existing EI information from the Employment Insurance Benefits Information System to provinces and territories (PTs) by using server-to-server connections. The EI Application Programming Interface will automate the secure data exchange with PTs starting with British Columbia and Ontario. Other PTs will be included over 5 releases.

A PAITS was completed to identify the privacy risks related to the EI Application Programming Interface solution, which is limited to the automation of the data exchanged with the PTs. The PAITS identified 2 low‑level risks.

Addendum to the PAITS on the Electronic Social Insurance Number Application push notification

In response to the COVID-19 pandemic, the SIN program under ESDC’s Integrity Services Branch implemented a self-service electronic form to replace in-person services. This addendum to the Electronic Social Insurance Number (eSIN) Application PAITS addresses the additional optional collection and use of applicant emails for the inclusion of the email push notification process.

The addendum to the original PIA was completed to identify privacy risks associated with the collection of personal information from clients who submit various required documentation to the eSIN Application platform. The privacy analysis identified no new or additional risks associated with the new collection of email addresses or activities around push notifications.

Integrated Quality Platform

The Integrated Quality Platform is a combination of 3 different quality assurance programs at ESDC. The Payment Accuracy Review program, the Processing Excellence Accuracy and Quality Program, and the Medical Adjudication Quality Assurance Individual Quality Feedback program were integrated into one system to improve quality and timeliness of services to clients through improved payment and processing accuracy.

A PAITS was completed to identify the privacy risks associated with Integrated Quality Platform due to the handling of sensitive personal information for the purposes of quality assurance. The PAITS identified 1 medium risk and 1 compliance issue.

Integrity Investigations Document Upload System

The Integrity Investigations Document Upload System is a system developed by ESDC in response to the closure and restrictions of Service Canada Centres due to COVID-19. With this system, clients have access to a public portal over the Web and can securely upload documents.

A PAITS was completed to identify privacy risks associated with the new method of collecting personal information through the Integrity Investigations Document Upload System. The Privacy Analysis identified some medium-level risks and 1 low risk.

Privacy Analysis for IT Solutions on the Passport Application Status Checker

Service Canada, in collaboration with Immigration, Refugees and Citizenship Canada, launched the Passport Application Status Checker. This project is part of the Passport Program, and it enables passport applicants to request their application file number and/or check their passport application status online.

ESDC Privacy Management Division and Immigration, Refugees and Citizenship Canada Privacy helped complete this PAITS to identify the privacy risks associated with the Passport Application Status Checker. The PAITS identified some low-level risks and 1 medium risk. In addition, there were 2 compliance issues.

Addendum to Privacy Analysis for IT Solutions on Pensions Process Automation Use of Automation Anywhere, Robotic Processing Automation for the Pensions Process Automation

A new automation solution is being implemented for the Pensions Process Automation project, Automation Anywhere, a cloud-based commercial-off-the-shelf product. Personal Information is received from clients for CPP and OAS-related applications. The information that is received will be automatically processed using robotic processing automation software to replace manual processing by an agent.

An addendum to the original PAITS was completed because a significant number of files will be processed through this robotic processing automation solution, which will involve administrative decisions that affect individuals directly. The analysis has no outstanding risks or issues to mitigate.

Rogers Virtual Contact Centre

Service Canada (part of ESDC) implemented call/screen recordings to the Rogers Virtual Contact Centre system for the Canada Student Financial Assistance Program and the Canada Education Savings Program contact centres. This solution offers capabilities such as call routing, interactive voice response, call handling, workforce management, quality management and reporting.

A PAITS was completed to identify the privacy risks relating to the implementation of call/screen recording features in the Rogers Virtual Contact Centre for training and quality assurance purposes. Some medium risks and 1 compliance issue were identified. The mitigation strategies to address them are currently being implemented.

Updates to the Privacy Compliance Evaluation on Service Canada Compliance Verification Service for the Public Health Agency of Canada during COVID-19 (PHAC 4.0)

During the COVID-19 pandemic, the Service Canada Compliance Verification Service for PHAC was modified to help the Agency contact more travellers. ESDC and Service Canada continue to provide service for PHAC’s COVID‑19 Quarantine Compliance Campaign with changes to its services in determining whether travellers are following travel guidelines. A Privacy Compliance Evaluation (PCE) was completed to identify and assess any privacy risks associated with the collection and handling of travellers’ personal information.

An update to the original PCE was completed to address gaps identified by TBS in November 2021, which includes modifications to the Personal Information Bank. No new privacy risks or issues of non-compliance were identified.

Updates to the Privacy Compliance Evaluation on the Employment Insurance Emergency Response Benefit – Phase 1 – Administration of EI Emergency Response Benefit

As a result of the Government of Canada’s COVID-19 Emergency Response Act, measures were designed to provide immediate income support to Canadians and to help protect the economy from the impacts of the COVID-19 pandemic. ESDC is responsible for managing and processing payments for the EI Emergency Response Benefit (EI ERB) Program.

An update to the original PCE was completed to identify the privacy risks and issues of non‑compliance associated with the administration of the EI ERB. No new privacy risks or compliance issues were discovered.

Updates to the Privacy Compliance Evaluation for the exchange of personal information on offenders between Employment and Social Development Canada/Canada Employment Insurance Commission and Correctional Service Canada for the administration of the Employment Insurance Emergency Response Benefit

In response to the Canada Emergency Response Benefit Act, applicants applied for income support under the EI ERB administered by ESDC or under the Canada Emergency Response Benefit administered under the Canada Revenue Agency. As some incarcerated individuals were eligible for the benefit while others were not, a one-way data transfer from Correctional Service Canada to ESDC/CEIC was deemed necessary to determine whether an individual is eligible or not. An information-sharing agreement between the departments was established in January 2021.

As a result, the original PCE was updated to identify any new privacy risks or compliance issues related to the exchange of personal information shared between ESDC and CEIC and Correctional Service Canada. The analysis found no further privacy risks or compliance issues to add to the original Privacy Compliance Evaluation.

Updates to the Privacy Compliance Evaluation on the Quarantine Call Centre

In support of Health Canada’s PHAC, Designated Screening Officers call and collect information from travellers returning to Canada by phone to ensure compliance with new measures announced by the Government of Canada.

An update to the original PCE was completed to address gaps identified by TBS in November 2021. The analysis found no new privacy risks or issues of non-compliance associated with the collection, use, or disclosure of clients’ personal information.

Updates to the Privacy Compliance Evaluation on Service Canada Compliance Verification Service for the Public Health Agency of Canada during COVID-19 (PHAC 2.0 and 3.0)

In July 2020, PHAC 2.0 and 3.0 were launched, with Service Canada employing a contractor to provide call centre services including inbound Interactive Voice Response, robot promo dials, and live agent outbound calls. Service Canada agents no longer make outbound calls. Service Canada is now the contracting authority and performs vendor management services.

An update to the original PCE addresses gaps identified by TBS in November 2021. After addressing said gaps, no additional privacy risks or issues of non-compliance were found.

Updates to the Privacy Compliance Evaluation for the Simplified Digital Identity Validation

The Simplified Digital Identity Validation solution will deliver real-time multi-factor authentication that improves ESDC’s Enterprise Cyber Authentication Service. The Simplified Digital Identity Validation will be another solution for users who have forgotten the answers to their security questions and have locked themselves out of their account.

An update to the PCE was completed to address the gaps in the original PCE identified by TBS. This PCE Update identified no additional privacy risks or compliance issues.

Annex C: ESDC Statistical Report on the Privacy Act, 2022 to 2023

ESDC Statistical Report on the Privacy Act, 2022 to 2023

Name of institution: Employment and Social Development Canada

Reporting period: 2022-04-01 to 2023-03-31

Section 1 Requests under the Privacy Act

1.1 Number of requests received
Detail Number of requests
Received during reporting period 20,964
Outstanding from previous reporting period 1,988
  • Outstanding from previous reporting periods: 1,974
  • Outstanding from more than one reporting period: 14
Total 22,952
Closed during reporting period 21,321
Carried over to next reporting period 1,631
  • Carried over within legislated timeline: 1,525
  • Carried over beyond legislated timeline: 106
1.2 Channels of requests
Source Number of requests
Online 7,371
Email 2,570
Mail 5,415
In person 16
Phone 16
Fax 5,576
Total 20,964

Section 2 Informal Requests

2.1 Number of informal requests
Detail Number of requests
Received during reporting period 6,729
Outstanding from previous reporting period 1,493
  • Outstanding from previous reporting periods: 0
  • Outstanding from more than one reporting period: 1,493
Total 8,222
Closed during reporting period 6,425
Carried over to next reporting period 1,797
2.2 Channels of informal requests
Source Number of requests
Online 898
Email 193
Mail 3,902
In person 3
Phone 21
Fax 1,712
Total 6,729
2.3 Completion time of informal requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
1,941 1,368 189 690 1,033 1,191 13 6,425
2.4 Pages released informally
|  | Number of Requests | Pages Released |
| --- | --- | --- |
| Less Than 100 Pages Released | 4,731 | 96,702 |
| 100-500 Pages Released | 1,514 | 307,694 |
| 501-1,000 Pages Released | 110 | 75,485 |
| 1,001-5,000 Pages Released | 70 | 124,628 |
| More Than 5,000 Pages Released | 0 | 0 |

Section 3 Requests closed during the Reporting period

3.1 Disposition and completion time
| Disposition of requests | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 537 | 1,476 | 604 | 345 | 6 | 0 | 1 | 2,969 |
| Disclosed in part | 1,859 | 4,447 | 4,460 | 2,830 | 21 | 13 | 3 | 13,633 |
| All exempted | 0 | 2 | 0 | 0 | 0 | 13 | 0 | 2 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 1,389 | 1,481 | 542 | 122 | 4 | 1 | 0 | 3,539 |
| Request abandoned | 737 | 329 | 88 | 18 | 4 | 2 | 0 | 1,178 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 4,522 | 7,735 | 5,694 | 3,315 | 35 | 16 | 4 | 21,321 |
3.2 Exemptions
Section Number of requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 1
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 64
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 9
26 13,486
27 73
27.1 0
28 2
3.3 Exclusions
Section Number of requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
3.4 Format of information released
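| Paper | Electronic: E-record | Electronic: Data set | Electronic: Video | Electronic: Audio | Other |
| --- | --- | --- | --- | --- | --- |
| 8,900 | 7,768 | 0 | 0 | 5 | 0 |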

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of pages processed Number of pages disclosed Number of requests
1,837,744 1,738,097 17,782
3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests
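| Disposition | Less than 100 pages processed: Number of requests | Less than 100 pages processed: Pages processed | 101 to 500 pages processed: Number of requests | 101 to 500 pages processed: Pages processed | 501 to 1,000 pages processed: Number of requests | 501 to 1,000 pages processed: Pages processed | 1,001 to 5,000 pages processed: Number of requests | 1,001 to 5,000 pages processed: Pages processed | More than 5,000 pages processed: Number of requests | More than 5,000 pages processed: Pages processed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 2,863 | 29,168 | 102 | 17,655 | 2 | 1,136 | 2 | 3,741 | 0 | 0 |
| Disclosed in part | 8,518 | 339,574 | 4,669 | 924,870 | 297 | 202,414 | 141 | 251,070 | 8 | 63,442 |
| All exempted | 0 | 0 | 0 | 0 | 2 | 1,163 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1,166 | 1,123 | 12 | 2,388 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 12,547 | 369,865 | 4,783 | 944,913 | 301 | 204,713 | 143 | 254,811 | 8 | 63,442 |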
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed Number of minutes disclosed Number of requests
265 0 5
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
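| Disposition | Less than 60 minutes processed: Number of requests | Less than 60 minutes processed: Minutes processed | 60 to 120 minutes processed: Number of requests | 60 to 120 minutes processed: Minutes processed | More than 120 minutes processed: Number of requests | More than 120 minutes processed: Minutes processed |
| --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 1 | 74 | 0 | 0 | 0 | 0 |
| Disclosed in part | 4 | 191 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 5 | 265 | 0 | 0 | 0 | 0 |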
3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed Number of minutes disclosed Number of requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
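| Disposition | Less than 60 minutes processed: Number of requests | Less than 60 minutes processed: Minutes processed | 60 to 120 minutes processed: Number of requests | 60 to 120 minutes processed: Minutes processed | More than 120 minutes processed: Number of requests | More than 120 minutes processed: Minutes processed |
| --- | --- | --- | --- | --- | --- | --- |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 |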
3.5.7 Other complexities
Disposition Consultation required Legal Advice sought Interwoven information Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines
Detail Requests closed within legislated timelines
Number of requests closed within legislated timelines 15,098
Percentage of requests closed within legislated timelines (%) 70.8

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines
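| Number of requests closed past the legislated timelines | Principal Reason: Interference with Operations / Workload | Principal Reason: External consultation | Principal Reason: Internal consultation | Principal Reason: Other |
| --- | --- | --- | --- | --- |
| 6,223 | 6,205 | 1 | 1 | 16 |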
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
| Number of days past legislated timelines | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timelines where an extension was taken | Total |
| --- | --- | --- | --- |
| 1 to 15 days | 1,937 | 44 | 1,981 |
| 16 to 30 days | 1,219 | 9 | 1,228 |
| 31 to 60 days | 2,846 | 3 | 2,849 |
| 61 to 120 days | 131 | 4 | 135 |
| 121 to 180 days | 14 | 1 | 15 |
| 181 to 365 days | 7 | 4 | 11 |
| More than 365 days | 4 | 0 | 4 |
| Total | 6,158 | 65 | 6,223 |
3.8 Requests for translation
Translation requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4 Disclosures under subsections 8(2) and 8(5)

| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
| --- | --- | --- | --- |
| 0 | 0 | 0 | 0 |

Section 5 Requests for correction of Personal information and Notations

| Disposition for correction requests received | Number |
| --- | --- |
| Notations attached | 4 |
| Requests for correction accepted | 1 |
| Total | 5 |

Section 6 Extensions

6.1 Reasons for extensions
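| Number of requests where an extension was taken | 15(a)(i) Interference with operations: Further review required to determine exemptions | 15(a)(i) Interference with operations: Large volume of pages | 15(a)(i) Interference with operations: Large volume of requests | 15(a)(i) Interference with operations: Documents are difficult to obtain | 15(a)(ii) Consultation: Cabinet Confidence Section (Section 70) | 15(a)(ii) Consultation: External | 15(a)(ii) Consultation: Internal | 15(b) Translation purposes or conversion |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1,304 | 0 | 0 | 1,285 | 0 | 0 | 0 | 16 | 3 |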
6.2 Length of extensions
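| Length of extensions | 15(a)(i) Interference with operations: Further review required to determine exemptions | 15(a)(i) Interference with operations: Large volume of pages | 15(a)(i) Interference with operations: Large volume of requests | 15(a)(i) Interference with operations: Documents are difficult to obtain | 15(a)(ii) Consultation: Cabinet Confidence Section (Section 70) | 15(a)(ii) Consultation: External | 15(a)(ii) Consultation: Internal | 15(b) Translation purposes or conversion |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 to 15 days | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |
| 16 to 30 days | 0 | 0 | 1,285 | 0 | 1 | 0 | 16 | 3 |
| 31 days or greater |  |  |  |  |  |  |  |  |
| Total | 0 | 0 | 1,285 | 0 | 1 | 0 | 19 | 1 |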

Section 7 Consultations Received from Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada institutions Number of pages to review Other organizations Number of pages to review
Received during the reporting period 11 120 0 0
Outstanding from the previous reporting period 1 95 0 0
Total 12 215 0 0
Closed during the reporting period 12 215 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Disclose entirely | 3 | 1 | 2 | 0 | 0 | 0 | 0 | 6 |
| Disclose in part | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 2 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 4 |
| Total | 5 | 3 | 4 | 0 | 0 | 0 | 0 | 12 |
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
| Recommendation | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Section 8 Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
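| Number of days | Fewer than 100 pages processed: Number of requests | Fewer than 100 pages processed: Pages disclosed | 100 to 500 pages processed: Number of requests | 100 to 500 pages processed: Pages disclosed | 501 to 1,000 pages processed: Number of requests | 501 to 1,000 pages processed: Pages disclosed | 1,001 to 5,000 pages processed: Number of requests | 1,001 to 5,000 pages processed: Pages disclosed | More than 5,000 pages processed: Number of requests | More than 5,000 pages processed: Pages disclosed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |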
8.2 Requests with Privy Council Office
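| Number of days | Fewer than 100 pages processed: Number of requests | Fewer than 100 pages processed: Pages disclosed | 100 to 500 pages processed: Number of requests | 100 to 500 pages processed: Pages disclosed | 501 to 1,000 pages processed: Number of requests | 501 to 1,000 pages processed: Pages disclosed | 1,001 to 5,000 pages processed: Number of requests | 1,001 to 5,000 pages processed: Pages disclosed | More than 5,000 pages processed: Number of requests | More than 5,000 pages processed: Pages disclosed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |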

Section 9 Complaints and Investigations notices received

Section 31 Section 33 Section 35 Court action Total
27 21 26 0 74

Section 10 Privacy Impact Assessments and Personal Information Banks

10.1 Privacy Impact Assessments (PIA)
Number of PIAs completed 19
Number of PIAs modified 3
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 65 0 0 5
Central 0 0 0 0
Total 65 0 0 5

Section 11 Privacy Breaches

11.1 Material Privacy breaches
Number of material privacy breaches reported to TBS 193
Number of material privacy breaches reported to OPC 193
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches 1,140

Section 12 Resources related to the Privacy Act

12.1 Allocated Costs
| Expenditures | Amount |
| --- | --- |
| Salaries | $7,296,084 |
| Overtime | $272,979 |
| Goods and services | $304,570 |
| - Goods and services: Professional services contracts | ($286,383) |
| - Goods and Services: Other | ($18,187) |
| Total | $7,878,533 |
12.2 Human Resources
Resources Person years dedicated to privacy activities
Full-time employees 34.246
Part-time and casual employees 0.000
Regional staff 61.210
Consultants and agency personnel 1.100
Students 1.972
Total 98.493

Supplemental statistical report on the Access to Information Act and the Privacy Act

Name of institution: Employment and Social Development Canada

Reporting period: 2022-04-01 to 2023-03-31

Section 1 Capacity to receive requests under the Access to Information Act and the Privacy Act
Request Number of Weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52

Section 2 Capacity to process records under the Access to Information Act and the Privacy Act

2.1 Number of weeks your institution was able to process paper records in different classification levels
Type of record No Capacity Partial Capacity Full Capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
Type of record No Capacity Partial Capacity Full Capacity Total
Unclassified Electronic Records 0 0 52 52
Protected B Electronic Records 0 0 52 52
Secret and Top Secret Electronic Records 0 0 52 52

Section 3 Open Requests and Complaints Under the Access to Information Act

3.1 Number of open requests that are outstanding from previous reporting periods
| Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2023 | Open Requests that are Beyond Legislated Timelines as of March 31, 2023 | Total |
| --- | --- | --- | --- |
| Received in 2022 to 2023 | 189 | 115 | 304 |
| Received in 2021 to 2022 | 7 | 70 | 77 |
| Received in 2020 to 2021 | 4 | 55 | 59 |
| Received in 2019 to 2020 | 5 | 33 | 38 |
| Received in 2018 to 2019 | 0 | 8 | 8 |
| Received in 2017 to 2018 | 0 | 4 | 4 |
| Received in 2016 to 2017 | 0 | 1 | 1 |
| Received in 2015 to 2016 | 0 | 0 | 0 |
| Received in 2014 to 2015 | 0 | 0 | 0 |
| Received in 2013 to 2014 or earlier | 0 | 0 | 0 |
| Total | 205 | 286 | 491 |
3.2 Number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints Were Received by Institution Number of Open Complaints
Received in 2022 to 2023 0
Received in 2021 to 2022 10
Received in 2020 to 2021 0
Received in 2019 to 2020 0
Received in 2018 to 2019 0
Received in 2017 to 2018 0
Received in 2016 to 2017 0
Received in 2015 to 2016 0
Received in 2014 to 2015 0
Received in 2013 to 2014 or earlier 0
Total 10

Section 4 Open Requests and Complaints Under the Privacy Act

4.1 Number of open requests that are outstanding from previous reporting periods under the Privacy Act
| Fiscal Year Open Requests Were Received | Open Requests that are Within Legislated Timelines as of March 31, 2023 | Open Requests that are Beyond Legislated Timelines as of March 31, 2023 | Total |
| --- | --- | --- | --- |
| Received in 2022 to 2023 | 1,523 | 79 | 1,602 |
| Received in 2021 to 2022 | 2 | 16 | 18 |
| Received in 2020 to 2021 | 0 | 8 | 8 |
| Received in 2019 to 2020 | 0 | 2 | 2 |
| Received in 2018 to 2019 | 0 | 0 | 0 |
| Received in 2017 to 2018 | 0 | 1 | 1 |
| Received in 2016 to 2017 | 0 | 0 | 0 |
| Received in 2015 to 2016 | 0 | 0 | 0 |
| Received in 2014 to 2015 | 0 | 0 | 0 |
| Received in 2013 to 2014 or earlier | 0 | 0 | 0 |
| Total | 1,525 | 106 | 1,631 |
4.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints Were Received by Institution Number of Open Complaints
Received in 2022 to 2023 11
Received in 2021 to 2022 9
Received in 2020 to 2021 2
Received in 2019 to 2020 0
Received in 2018 to 2019 0
Received in 2017 to 2018 0
Received in 2016 to 2017 2
Received in 2015 to 2016 0
Received in 2014 to 2015 0
Received in 2013 to 2014 or earlier 1
Total 25

Section 5: Social Insurance Number

Did your institution receive authority for a new collection or new consistent use of the SIN in 2022 to 2023? Yes

Section 6: Universal Access under the Privacy Act

How many requests were received from confirmed foreign nationals outside of Canada in 2022 to 2023? 0
