2015-2016 Annual Report on the Administration of the Privacy Act

Posted on : Monday 12 September 2016

The Privacy Act

The Privacy Act (hereafter the “Act”) came into force on July 1, 1983. Under subsection 12(1) of the Act, Canadian citizens, permanent residents and individuals present in Canada have the right to access personal information that is under the control of the Government of Canada. This right of access is balanced against the legitimate need to protect sensitive information and to permit effective functioning of government, while promoting transparency and accountability in government institutions.

In addition, the Act protects an individual’s privacy by preventing others from accessing his or her personal information, and manages the collection, retention, use and disclosure of personal information.

Section 72 of the Act requires the head of every government institution to submit an annual report to Parliament on the administration of the Act during the fiscal year. This report describes how the Canadian Security Intelligence Service (CSIS) administered the Act throughout fiscal year 2014-2015.

Overview of the Canadian Security Intelligence Service

In 1984, the Government of Canada passed an Act of Parliament for the creation of a civilian security intelligence service. This legislation not only gave birth to CSIS, it also clarified the differences between security intelligence activities and law-enforcement work, bringing to an end the 120-year interlocking of Canada's security intelligence service with the federal police force. CSIS came into existence on July 16, 1984.

CSIS is at the forefront of Canada's national security establishment and as such, its programs are proactive and pre-emptive. Its role is to investigate threats, analyze information and produce intelligence. CSIS reports to, and advises, the Government of Canada so as to protect the country and its citizens. Key threats include terrorism, espionage, foreign interference, the proliferation of weapons of mass destruction and cyber-threats against critical information systems and infrastructure.

Through its Security Screening Program, CSIS provides advice that prevents non-Canadians who pose security concerns from entering Canada or receiving permanent resident status or citizenship. CSIS also helps prevent individuals of security concern from gaining access to Canadian information, assets, sites or events.

The Access to Information and Privacy Section

The Access to Information and Privacy (ATIP) Section reports to the Assistant Director Intelligence via the Director General Litigation and Disclosure Branch. The ATIP Section has an establishment of 15 employees to fulfill CSIS’ obligations under the Access to Information Act and the Privacy Act. The CSIS Legal Services Branch provides legal advice as required. When fully staffed, the ATIP Section is comprised of a Chief, a Deputy Chief, three unit Heads, eight Analysts and two Officers. During the reporting period, 14 positions were filled and the Deputy Chief position was vacant. All staff in the ATIP Section is fully dedicated to the administration of the ATIP program within CSIS, providing high-quality and timely responses to our clients.

Listed below are the ATIP Section’s responsibilities vis-à-vis the Privacy Act:

receive and process all requests in accordance with the Act;
assist requesters in formulating their requests when required;
gather all pertinent records, ensuring that the search for information is rigorous and complete;
conduct the initial record review and provide recommendations to the program areas;
conduct all internal and external consultations;
consolidate the recommendations;
apply all discretionary and mandatory exemptions under the Act;
assist the Office of the Privacy Commissioner (OPC) in all privacy-related matters, including complaints against CSIS;
represent the Service in privacy-related litigation cases;
coordinate the annual update of Info Source and submission to Treasury Board Secretariat (TBS);
prepare the annual report on the administration of the Act;
provide ongoing advice and guidance to senior management and departmental staff on all matters related to privacy;
promote privacy awareness and training sessions within the department to ensure all staff are aware of the obligations imposed by the legislation;
monitor departmental compliance with the Act, regulations and relevant procedures and policies;
respond to consultations received from external organizations on CSIS records being considered for release;
develop and maintain privacy policies and guidelines, as required; and
participate in ATIP community activities, such as the annual Canadian Access and Privacy Association (CAPA) conference, TBS ATIP community meetings and various working groups.

Monitoring the progress of requests

There is a robust case monitoring system in place using reports produced by the ATIP Case Management software. The status of requests is monitored by the Chief ATIP and the unit heads on an ongoing basis.

Performance

A total of 1212 requests were received in the 2015-2016 fiscal year. This represents an increase of 149% from the previous year. Although faced with a significant increase in volume, the Service closed 1287 requests and maintained a high on-time compliance rate of 99%.

Deemed Refusals

Fourteen requests were closed past the statutory deadline for the following reasons:

13 because of workload;
0 because of external consultations;
0 because of internal consultations; and
1 because of other reasons.

Other Requests

The ATIP Section also acted as a resource for CSIS officials, and offered advice and guidance on the provisions of the legislation. The ATIP Section was consulted on issues relating to a range of matters, such as information management issues, security of information, draft policies and memoranda of understanding and releases of information made by CSIS outside the parameters of the Act.

Education and Training

During the 2015-2016 reporting period, no training was done; but, the ATIP Section continued to conduct awareness sessions through an ATIP e-learning narrated slides. The narrated slides are a requirement for all new employees and act as a reference for all others. The narrated slides provide participants with an overview of the Access to Information Act and the Privacy Act, to promote a better understanding of their responsibilities and obligations under the Acts and awareness of the ATIP process within CSIS. They were viewed by 155 employees.

Delegation of Authority

In accordance with section 73 of the Privacy Act, a delegation of authority, signed by the Minister of Public Safety Canada, designates the persons holding the positions of Director of CSIS, the Assistant Director Intelligence, the Director General Litigation and Disclosure Branch, the Chief ATIP, the Deputy Chief and the Unit Heads to exercise and perform some of the powers, duties and functions of the Minister as head of the institution. The order was issued on March 8, 2016, by the Minister of Public Safety Canada, the Honourable Ralph Goodale.

Requests under the Privacy Act

The CSIS privacy client group consists for the most part of individuals who were subject to the security clearance process as well as members of the public interested in knowing whether CSIS had any information concerning them.

During this reporting period:

1212 requests were received;
1258 requests were closed;
75 requests were outstanding from the previous reporting period; and
29 requests were carried over to next reporting period.

The following table maps out the trend for the previous three years.
Request Status	Fiscal Year
Request Status	2012-2013	2013-2014	2014-2015
Requests Received	350	486	1212
Requests processed	322	451	1258
Requests carried over	12	40	75
Requests carried forward	40	75	29

Disposition of Completed Requests

The disposition of the 1258 requests completed in 2015-2016 was as follows:

1 was all disclosed;
113 were disclosed in part;
10 were exempted in their entirety;
0 were excluded in their entirety;
445 were no records;
45 were abandoned; and
644 were neither confirmed nor denied.

The following table maps out the trend for the previous three years.
Request Disposition	Fiscal Year
Request Disposition	2013-2014	2014-2015	2015-2016
All disclosed	3	9	1
Disclosed in part	57	80	113
All exempted	63	12	10
Exclusions	0	0	0
No records	91	227	445
Abandoned	108	15	45
Neither confirmed nor denied		108	644

Completion Rate

During the 2015-2016 fiscal year, the CSIS ATIP Section completed the Privacy Act requests within the following time frames:

468 within 1 to 15 days;
714 within 16 to 30 days;
63 within 31 to 60 days;
13 within 61 to 120 days;
0 within 121 to 180 days;
0 within181 to 365 days; and
0 in more than 365 days.

Exemptions Invoked

The ATIP Section invoked exemptions under the Act a total of 989 times, as follows:

590 times under paragraph 18(2) (disclosure may be refused);
9 times under paragraph 19(1)(a) (information obtained in confidence);
3 times under paragraph 19(1)(c) (information obtained in confidence);
3 times under paragraph 19(1)(d) (information obtained in confidence);
151 times under section 21 (subversive or hostile activities);
2 times under subparagraph 22(1)(a)(ii) (law enforcement and investigation);
1 time under subparagraph 22(1)(a)(iii) (law enforcement and investigation);
140 times under paragraph 22(1)(b) (law enforcement and investigation);
89 times under section 26 (information about another individual); and
1 time under section 28 (medical record).

Exclusions Cited

Two exclusions were invoked.

Number of Days Past Deadline

During the fiscal year, 14 requests went over the deadline:

7 within 1 to 15 days;
0 within 16 to 30 days;
7 within 31 to 60 days;
0 within 61 to 120 days;
0 within 121 to 180 days;
0 within181 to 365 days; and
0 in more than 365 days.

Format of Information Released

104 disclosures were made in hard copy.
10 disclosures were made electronically.

Requests for Translation

No requests for translation were received.

Disclosures under Subsection 8(2) of the Act

During this fiscal year:

No disclosures were made pursuant to paragraph 8(2)(e); and
No disclosures were made pursuant to paragraph 8(2)(m).

Requests for Correction of Personal Information and Notations

No request for correction was accepted.
The ATIP section made one notation.

Extensions

During this fiscal year, 45 extensions were taken for the following reasons:

26 were taken pursuant to subparagraph 15(1)(a)(i); and
19 were taken pursuant to subparagraph 15(1)(a)(ii) (other consultation).

Consultations Received from Other Government of Canada Institutions

During this reporting period:

84 consultation requests were received;
4 consultation requests were outstanding from the previous reporting period, for a total of 88 consultations;
86 consultation requests were closed; and
2 consultation requests were carried over to next reporting period.

Completion Time for Consultations Received from Other Government of Canada Institutions

During this reporting period:

69 were completed within 1 to 15 days;
11 were completed within 16 to 30 days;
4 were completed within 31 to 60 days;
2 were completed within 61 to 120 days;
None were completed within 121 to 180 days;
None were completed within 181 to 365 days; and
None were completed in more than 365 days.

Consultations Received from Other Organizations

During this reporting period, no consultations were received from other organizations.

Completion Time of Consultations on Cabinet Confidences

During this reporting period, no consultations were sent to the Privy Council Office.

Complaints and Investigations with the Office of the Privacy Commissioner during 2015-2016

50 complaints were filed;
29 were closed; and
21 were still active.

Privacy Impact Assessments

The TBS Privacy Impact Assessment (PIA) Directive took effect on April 1, 2010. The PIA provides a framework to ensure that privacy is considered throughout the design or re-design of a program or service. The assessments will identify the extent to which proposals comply with all appropriate statutes. Assessments assist managers and decision-makers to avoid or mitigate privacy risks and promote fully informed policy, program and system design choices.

During this review period:

No preliminary PIAs were initiated;
No preliminary PIAs were completed;
No PIA was initiated;
No PIA was completed; and
No PIA was forwarded to the OPC.

One PIA was initiated in the 2013-2014 fiscal year, and remains ongoing.

Privacy Breaches

During the reporting period, one privacy breach was brought to the attention of the Privacy Commissioner of Canada. The breach involved a limited number of disclosures of information obtained by a CSIS regional office from the Canada Revenue Agency (CRA) without warrant. The breach was first discovered in January 2014, during a Federal Court warrant application process. The improperly collected information was deleted from CSIS operational holdings in 2014, and none of the information received from CRA was shared beyond CSIS with the exception of the aforementioned Federal Court Application.

CSIS has taken steps to prevent recurrence of this type of incident, including implementing the recommendations made by the Security Intelligence Review Committee (SIRC). CSIS maintains robust policies and procedures defining our roles and responsibilities. The Service continues to actively educate and train its staff on the latest updates of relevant policies.

Resources Related to the Administration of the Privacy Act

During the 2015-2016, the ATIP Section incurred an estimated $585,491 in salaries, $99 in overtime and $1,358 in costs relating to goods and services for a total of $586,948.

Data-matching and Data-sharing Activities

CSIS is not in a position to publicly discuss data-matching or data-sharing activities for reasons of national security.

New Privacy-related Policies or Procedures Implemented

None were implemented.

Significant Changes to the Organization, Programs, Operations or Policy

On August 1, 2015, the Security of Canada Information Sharing Act (SCISA) entered into force providing an explicit authority for Government of Canada departments and agencies to share information with designated recipients in accordance with the relevant provision of the Act. CSIS is a designated recipient under this legislation.

To give effect to this legislation, CSIS is engaging with partners bilaterally, on a prioritized basis, to renew information sharing relationships. This incremental approach has been adopted as a practical matter to ensure that relevant legal, policy and privacy considerations are fully considered.

In fall 2015, CSIS presented its overall approach to the implementation of SCISA to officials of the Office of the Privacy Commissioner and engagement is ongoing.

Changes As a Result of Issues Raised by the Office of the Privacy Commissioner (OPC)

No changes to report.

Federal Court Cases

There are no pending cases against CSIS.

2015-2016 Statistical Report on the Privacy Act

Name of institution: Canadian Security Intelligence Service

Reporting Period: 01 April 2015 to 31 March 2016

Part 1 – Requests under the Privacy Act

**1. Number of requests**
	Number of requests
Received during the report period	1212
Outstanding for the previous reporting period	75
Total	1287
Closed during the reporting period	1258
Carried over to the next reporting period	29

Part 2 – Requests closed during the reporting period

**2.1 Disposition and closing time**
Disposition of requests	Completion time
Disposition of requests	1 to15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
All disclosed	0	0	1	0	0	0	0	1
Disclosed in part	13	61	27	12	0	0	0	113
All exempted	4	5	0	1	0	0	0	10
All excluded	0	0	0	0	0	0	0	0
No records exist	179	246	20	0	0	0	0	445
Request abandoned	45	0	0	0	0	0	0	45
Neither confirmed nor denied	227	402	15	0	0	0	0	644
Total	468	714	63	13	0	0	0	1258

**2.2 Exemptions**
Section	Number of requests
18(2)	590
19(1)(a)	9
19(1)(b)	0
19(1)(c)	3
19(1)(d)	3
19(1)(e)	0
19(1)(f)	0
20	0
21	151
22(1)(a)(i)	0
22(1)(a)(ii)	2
22(1)(a)(iii)	1
22(1)(b)	140
22(1)(c)	0
22(2)	0
22.1	0
22.2	0
22.3	0
23(a)	0
23(b)	0
24(a)	0
24(b)	0
25	0
26	89
27	0
28	1

**2.3 Exclusions**
Section	Number of requests
69(1)(a)	0
69(1)(b)	0
69.1	0
70(1)	0
70(1)(a)	2
70(1)(b)	0
70(1)(c)	0
70(1)(d)	0
70(1)(e)	0
70(1)(f)	0
70.1	0

**2.4 Format of information released**
Disposition	Paper	Electronic
All disclosed	1	0
Disclosed in part	103	10
Total	104	10

2.5 Complexity

**2.5.1 Relevant pages processed and disclosed**
Disposition of requests	Number of pages processed	Number of pages disclosed	Number of requests
All disclosed	98	77	1
Disclosed in part	9088	6036	113
All exempted	1145	0	10
All excluded	0	0	0
Requests abandoned	23	0	45
Neither confirmed nor denied	0	0	644
Total	10354	6113	813

**2.5.2 Relevant pages processed and disclosed by size of requests**
Disposition	Less than100 pages processed		101 to 500 Pages processed		501 to 1000 Pages processed		1001 to 5000 Pages processed		More than 5001 Pages processed
Disposition	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
All disclosed	1	77	0	0	0	0	0	0	0	0
Disclosed in part	87	1678	24	2679	1	596	1	1083	0	0
All exempted	7	0	2	0	1	0	0	0	0	0
All excluded	0	0	0	0	0	0	0	0	0	0
Request abandoned	45	0	0	0	0	0	0	0	0	0
Neither confirmed nor denied	644	0	0	0	0	0	0	0	0	0
Total	784	1755	26	2679	2	596	1	1083	0	0

**2.5.3 Other complexities**
Disposition	Consultation required	Total
All disclosed	0	0
Disclosed in part	92	92
All exempted	1	1
All excluded	0	0
Request abandoned	1	1
Neither confirmed nor denied	5	5
Total	99	99

2.6 Deemed refusals

**2.6.1 Reasons for not meeting statutory deadline**
Number of requests past deadline	Principal Reason
Number of requests past deadline	Workload	External consultation	Internal consultation	Other
14	13	0	0	1

**2.6.2 Number of days past deadline**
Number of days past deadline	Number of requests past deadline where no extension was taken	Number of requests past deadline where and extension was taken	Total
1 to 15 days	2	5	7
16 to 30 days	0	0	0
31 to 60 days	0	7	7
61 to 120 days	0	0	0
121 to 180 days	0	0	0
181 to 365 days	0	0	0
More than 365 days	0	0	0
Total	2	12	14

**2.7 Requests for translation**
Translation requests	Accepted	Refused	Total
English to French	0	0	0
French to English	0	0	0
Total	0	0	0

**Part 3 - Disclosures under subsection 8(2)**
Paragraph 8(2)(e)	Paragraph 8(2)(m)	Paragraph 8(2)(m)	Total
0	0	0	0

**Part 4 - Requests for correction of personal information and notations**
Disposition for Correction Requests Received	Number
Notations attached	1
Requests for correction accepted	0
Total	1

Part 5 - Extensions

**5.1 Reasons for extensions and dispositions of requests**
Disposition of requests where an extension was taken	15(1(a)(i) Interference with operations	15(1)(a)(ii) Consultation		15(b) Translation or conversion
Disposition of requests where an extension was taken	15(1(a)(i) Interference with operations	Section 70	Other	15(b) Translation or conversion
All disclosed	1	0	0	0
Disclosed in part	23	0	11	0
All exempted	1	0	0	0
All excluded	0	0	0	0
No records exist	1	0	8	0
Requests abandoned	0	0	0	0
Total	26	0	19	0

**5.2 Length of extensions**
Length of extensions	15(a)(i) Interference with operations	15(a)(ii) Consultation		15(b) Translation or conversion
Length of extensions	15(a)(i) Interference with operations	Section 70	Other	15(b) Translation or conversion
1 to 15 days	0	0	0	0
16 to 30 days	26	0	19	0
Total	26	0	19	0

Part 6 - Consultations received from other institutions and organizations

**6.1 Consultations received from other institutions and organizations**
Consultations	Other Government of Canada Institutions	Number of pages to review
Received during the reporting period	84	1240
Outstanding from the previous reporting period	4	66
Total	88	1306
Closed during the reporting period	86	1298
Pending at the end of the reporting period	2	8

**6.2 Recommendations and completion time for consultations received from other government institutions.**
Recommendation	Number of days required to complete consultation requests
Recommendation	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
All disclosed	6	1	0	0	0	0	0	7
Disclose in part	63	10	4	2	0	0	0	79
All exempted	0	0	0	0	0	0	0	0
All excluded	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	69	11	4	2	0	0	0	86

**6.3 Recommendations and completion time for consultations received from other government institutions.**
Recommandation	Number of days required to complete consultation requests
Recommandation	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
All disclosed	0	0	0	0	0	0	0	0
Disclose in part	0	0	0	0	0	0	0	0
All exempted	0	0	0	0	0	0	0	0
All exempted	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0

Part 7: Completion Time of Consultations on Cabinet Confidences

**7.1 Requests with Legal Services**
Number of Days	Fewer Than 100 Pages Processed		101-500 Pages Processed		501-1000 Pages Processed		1001-5000 Pages Processed		More Than 5000 Pages Processed
Number of Days	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

**7.2 Requests with Privy Council Office**
Number of Days	Fewer Than 100 Pages Processed		101‒500 Pages Processed		501-1000 Pages Processed		1001-5000 Pages Processed		More Than 5000 Pages Processed
Number of Days	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed	Number of Requests	Pages Disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

Part 8: Complaints and Investigations Notices Received
Section 31	Section 33	Section 35	Court action	Total
50	21	29	0	100

Part 9: Privacy Impact Assessments (PIAs)
Number of PIA(s) completed	0

Part 10: Resources Related to the Privacy Act

10.1 Costs
Expenditures		Amount
Salaries		585,491$
Overtime		$99
Goods and Services		1,358$
Professional services contracts	0$
Other	1,358$
Total		$586,948

10.2 Human Resourcess
Resources	Person Years Dedicated to Privacy Activities
Full-time employees	7.00
Part-time and casual employees	0.00
Regional staff	0.00
Consultants and agency personnel	0.00
Students	0.00
Total	7.00

Page details

Date modified:: 2018-05-03