2019-2020 Annual Report on the Administration of the Privacy Act

In June 2019, Bill C-58, An Act to Amend the Access to Information Act and Privacy Act and to make consequential amendments to other Acts, received Royal Assent.  The Bill brought forth the most significant advances to the Access to Information Act as well as minor amendments to the Privacy Act since they came into force in 1983. 

This report is prepared and tabled in Parliament in accordance with section 72 of the Privacy Act.  It covers the way in which the Canadian Security Intelligence Service (CSIS) administered the Act from April 1, 2019 to March 31, 2020.

2. CSIS Mandate

CSIS has, for the past 35 years, continued to demonstrate its value to Canadians by providing the Government of Canada with crucial information and advice linked to threats to the security of Canada and of Canadian interests.  The CSIS Act gives CSIS the mandate to investigate activities suspected of constituting threats to the security of Canada including terrorism and violent extremism, espionage and sabotage, foreign influenced activities, and subversion of government.  CSIS also advises the Government on these threats and takes lawful measures to reduce them.  In addition, the Service provides security assessments on individuals who require access to classified information or sensitive files within the Government of Canada as well as security advice relevant to the exercise of the Citizenship Act or the Immigration and Refugee Protection Act.  Foreign intelligence collection within Canada is also conducted by CSIS at the request of the Minister of Foreign Affairs or the Minister of National Defence. 

In June 2019, the National Security Act, 2017 received Royal Assent.  This legislation modernized the original CSIS Act by addressing outdated legal authorities, introducing new safeguards and accountability measures as well as clarifying CSIS’ responsibilities.  The legislation addressed specific challenges and provided new modern authorities needed to keep pace with continuous changes in the threat, technological and legal landscape. 

3.  Organizational Structure

During the 2019-2020 fiscal year, the Access to Information and Privacy (ATIP) Section was transferred from the Assistant Director, Intelligence Directorate to the Assistant Director,  Policy and Strategic Partnerships Directorate.  Within the Directorate, the ATIP Section is part to the Litigation and Disclosure Branch headed by the Director General.  The employees of the ATIP Section are fully dedicated to the administration of the Privacy Act and the Access to Information Act programs within CSIS, providing high-quality and timely responses to internal and external clients including other government departments as well as providing advice to CSIS employees as they fulfill their obligations under both Acts.

CSIS Legal Services Branch, which is staffed by Department of Justice (DoJ) lawyers, provides legal advice as required.
This past year, 5 new analyst positions, as well as a casual part time analyst position, were staffed.   These positions were created to address the surge of requests from individuals seeking their personal information, the status of their citizenship and immigration files as well as the Service’s backlog of access to information requests received from Library and Archives Canada (LAC). As a result, the ATIP section has an establishment of 22 employees to fulfill CSIS’ obligations under the Privacy Act and the Access to Information Act.   During this reporting period, the ATIP Section was fully staffed and consisted of a Chief (Coordinator), a Deputy Chief, three unit Heads, 13 full-time Analysts, 1 part-time Analyst, a Privacy Advisor, an Administrative Officer and a Researcher.   

The ATIP Section’s responsibilities vis-à-vis the Act can be divided in 2 categories:

Operations

• receiving and processing all requests in accordance with the Act;
• assisting requesters in formulating their requests when required;
• gathering all pertinent records and ensuring that the search for information is rigorous and complete;
• conducting the initial review of the records and providing recommendations to the program areas;
• applying all discretionary and mandatory exemptions under the Act;
• conducting and responding to all internal and external consultations;
• consolidating the recommendations;
• assisting the Office of the Privacy Commissioner (OPC) in all privacy related matters including complaints against CSIS; and
• representing CSIS in privacy litigation cases.

Policies and Procedures

• coordinating the annual Info Source update and submission to TBS;
• preparing the annual report on the administration of the Act;
• providing ongoing advice and guidance to senior management and departmental staff on all matters related to the privacy;
• promoting privacy awareness and training sessions and ensuring all employees are aware of the obligations imposed by the legislation;
• monitoring departmental compliance with the Act, regulations and relevant procedures and policies;
• maintaining the CSIS public reading room;
• developing and maintaining privacy policies and guidelines, when required; and
• participating in ATIP community activities, such as the annual Canadian Access and Privacy Association (CAPA) conference, TBS ATIP community meetings and various working groups.

As defined in section 73.1 of the Privacy Act, CSIS did not provide nor receive services related to any power, duty or function to or from another government institution, during this reporting period.

4. Delegation Order

In accordance with section 73(1) of the Act, a delegation order signed by the Minister of Public Safety and Emergency Preparedness designates the persons holding the positions of Director of CSIS, Assistant Director of the Policy and Strategic Partnerships Directorate, Director General of the Litigation and Disclosure Branch, as well as the Chief, Deputy Chief and the Unit Heads of the Access to Information and Privacy Section to exercise and perform the duties of the Minister as Head of the institution.

The current delegation order was issued on March 10th 2020, by the Honourable Bill Blair, P.C., M.P.

5. Interpretation of the 2019-2020 statistical report for requests under the Privacy Act

Every year, TBS requires institutions to submit a statistical report on their administration of the Privacy Act which contains cumulative data on the application of the legislation during the fiscal year.  The CSIS Statistical Report and Supplemental Report for 2019-2020 are included in this report.

* The on-time compliance rate for 2019-2020 was impacted by the COVID-19 pandemic and will be discussed further in the report.

As indicated in table 1, the Service received 844 requests under the Act between April 1st, 2019 and March 31st, 2020.  This represents a 19.5 per cent decrease from the requests received during the previous reporting period.  However, during this reporting period, the ATIP Section reviewed 1,863 pages more that it did during the 2018-2019 fiscal year. 

5.1 - Sources of requests

The 844 requests received during this reporting period came from various sources.    72.6 per cent of requests came from members of the public who, largely, were seeking the status of their citizenship and immigration file or seeking to know whether the Service had information on them.   8.1 per cent of requests came from businesses; the most common being law offices seeking the personal information on behalf of their clients who are seeking their immigration and citizenship status.  

5.2 - Disposition of completed requests

The ATIP Section successfully closed 854 requests during the 2019-2020 reporting period.  44.9 per cent of requests were closed within 1 to 15 days, 42.9 per cent were closed within 16 to 30 days and 4.3 per cent took over 60 days to close.  Of the records relevant to these requests, 23.6 per cent were disclosed in part, 20.8 per cent did not exist, and 28.6 per cent for which the existence could neither be confirmed nor denied.   

5.3 - Deemed refusals

Out of the 854 requests closed during this reporting period, the ATIP Section successfully closed 817 requests (95.7 per cent) within the legislated timelines; however, the remaining 37 requests (4.3 per cent) were closed past the legislated timelines.   It is important to note that out of the 37 requests, extensions were taken on 33 requests.  This past year, the main reason for files being closed after the legislated timelines was an interference with operations and/or substantial workloads.  The COVID-19 pandemic measures taken by the Service, as well as those taken by the Government of Canada had an impact on files being closed after the legislated timelines.

5.4 - Extensions

The legislation allows for extensions when the response requires internal or external consultations, additional review time due to large amount of records, or when the review could interfere with Service operations.  Throughout the reporting period, a total of 87 extensions were taken.  58.6 per cent of the 87 extensions taken were due to the need to consult various internal branches and/or other government departments and 41.4 per cent were due to an interference with operations.    100 per cent of the extensions taken were between 16 to 30 days.

5.5 – Exemptions and exclusions invoked

The Privacy Act allows institutions to exempt information from being released for a variety of reasons.  The ATIP Section invoked a total of 1,534 exemptions under the Act during the reporting period. 

The Act does not apply to information already publically available and excludes from disclosure material such as Cabinet Confidences.  The ATIP Section invoked exclusions under the Act, 1 time.

5.6 - Consultations received from other Government of Canada institutions

During the 2019-2020 fiscal year, the Service received, from other government institutions, 23 consultation requests under the Privacy Act involving Service records or matters.  There were no requests outstanding from the 2018-2019 fiscal year. 

During the 2019-2020 reporting period, the ATIP Section closed 21 privacy consultation requests totaling 636 pages reviewed.  57 per cent of consultation requests were processed in less than 15 days and 43 per cent were closed between 16 and 120 days. There were 2 privacy consultation requests carried over to the next fiscal year. 

5.7 – Other requests:

The ATIP Section also acted as a resource for CSIS executives by offering advice and guidance on provisions of the legislation.  The ATIP Section provided assistance, over 180 times, on a variety of matters including, but not limited to, releases of information made by CSIS outside the parameters of the Act.  

Throughout 2019-2020, the ATIP Section continued to receive telephone calls and emails from employees of the Service as well as from the public seeking direction on how to obtain information and/or how to submit a request under the Privacy Act.  The ATIP Section administration team provided guidance in a professional manner and often directed these individuals to the ATIP Online Request Service website for additional information. 

5.8 – Impact of Covid-19 measures:

As indicated in table 1, the on-time compliance rate for this reporting period was slightly impacted by the Government of Canada’s measures to stop the spread of the Covid-19 virus.  The Service dropped its on-time compliance rate by 1 per cent in the last two weeks of the 2019-2020 fiscal year.   Prior to March 14th, 2020, the ATIP Section’s on-time compliance rate for requests made under the Privacy Act was 96.7 per cent with a 3.3 per cent deemed refusal rate.

On March 14th, 2020, the Service’s Business Continuity Plan was activated.  As part of the plan, the ATIP Section was deemed non-essential.  As a result, privacy requests received between March 14th, 2020 and March 31st, 2020 were neither registered nor processed.  The ATIP Section was not able to work remotely due to the handling of classified materials/records and due to technical limitations.  While there was no movement on requests during that time, the Chief and the Deputy Chief remained available to provide advice on matters related to the Privacy Act.

Of the 63 requests carried over to 2020-2021, 45 remained outstanding from 2019-2020 and 18 were new requests received after March 14th, 2020.   The real impact of the measures taken to combat the virus will be presented in the 2020-2021 Annual Report on the Administration of the Privacy Act.

6. Training and Awareness

During the 2019-2020 reporting period, ATIP prepared and offered 3 presentations further to the Royal Assent of Bill C-58 (An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts) to the Executive, employees of the Policy and Strategic Partnerships Directorate as well as the management team of the Deputy Director Administration and Chief Financial Officer. The ATIP section also provided a presentation to another government of Canada institution on the way it processes complaints.  The presentation was well-received and was deemed helpful.  Additionally, the ATIP Section conducted awareness sessions through ATIP e-learning narrated slides. The narrated slides form part of the new employee orientation program which is required for all new employees.  All other Service employees have the ability to reference the narrative slides at any given time through the e-learning application. The narrated slides provides participants with an overview of the Act and the Access to Information Act, promotes a better comprehension of individual responsibilities and obligations relating to the Acts and offers an greater understanding of the internal ATIP process.  During the 2019-2020 fiscal year, 266 Service employees viewed the ATIP online module. 

7. Policies, Guidelines, Procedures and Initiatives

There were no policies, guidelines or procedures implemented during this reporting period as a result of new TBS policies and directives or issues raised by the Office of the Privacy Commissioner (OPC) further to the Privacy Act.
However, it was decided that the Privacy Advisor position, which had been a part of the ATIP Section since July 2018, would be transferred to the Service’s Compliance Unit during the 2020-2021 reporting period.  The Privacy Advisor’s responsibilities include ensuring compliance with the TBS policies on Privacy Impact Assessments (PIA) and privacy breaches as well as privacy practices.  The Privacy Advisor will nevertheless be required to consult the ATIP Section further to s.10 and s.71(6) of the Privacy Act.

8.  Issues and Actions Taken on Complaints or Audits

Section 29 (1) of the Act provides requesters with the right to file a complaint with the Office of the Privacy Commissioner (OPC) should they be displeased with the response to their access to information request.  Reasons for complaints include the refusal of an institution to disclose personal information, personal information used and disclosed for other purposes, delays in receiving a response, etc.  64 complaints were registered with the OPC during the 2019-2020 fiscal year.   This represents 7.5 per cent of the total number of Privacy Act requests received throughout the fiscal year.   

OPC investigators closed and issued their findings on 64 complaints.   They determined that 57 (89 per cent) were not well-founded, 3 were well-founded but resolved immediately and 2 were resolved at the early resolution stage. 

CSIS continues to work closely with the OPC in order to resolve complaints in an efficient and timely manner.  The Service reviews the outcome of all investigations by the OPC and where appropriate, integrates lessons learned into corporate processes. 

There were 2 Court actions filed against CSIS regarding the Act.  The Court actions remain ongoing.

9.  Monitoring Compliance

The unit heads are responsible for monitoring compliance and reporting issues to the chief ATIP.  The monitoring is continuously conducted via reports produced by the ATIP Case Management Software.  The ATIP Coordinator conveys compliance issues to the DG, Litigation and Disclosure Branch.

10. Material Breaches

There was one material privacy breach reported to the OPC and to the Treasury Board Secretariat of Canada’s, Information and Privacy Policy Division  during the last week of the 2018-2019 reporting period which is why it was not included in the 2019-2020 statistical report.  However, since the OPC received the Material Breach Subject Report on April 11th, 2019, it is included as part of this report.  The breach was due to a technical glitch involving the administration of an employee questionnaire.  The breach impacted 53 employees of the Service.   The OPC assessed the particulars of the breach, the nature and sensitivity of the information at issue, the number of individuals directly affected by it and the consequences of the breach.  The OPC also carefully considered the measures taken by the Service to contain the breach as well as efforts made to prevent the recurrence of a similar breach.  Being satisfied with how the Service handled the breach, the OPC closed the matter on July 22nd, 2019. The Service takes the privacy of its employees as well as Canadians seriously and continues to take appropriate measures and put in place proper safeguards to prevent future breaches.

11.  Privacy Impact Assessments (PIA)

The TBS Privacy Impact Assessment (PIA) Directive took effect on April 1st, 2010. The PIA is a process that helps determine whether an initiative involving the use and collection of personal information raises privacy risks. It measures, describes and quantifies the risks, and proposes solutions to eliminate or mitigate them to an acceptable level prior to the implementation of new or substantially modified programs or activities.

Since the ATIP section was selected as the CSIS Policy Center for the PIA development and approval process, a Privacy Advisor position was created.  This position was staffed in June 2018.  In consultation with subject matter experts within the Service, the Privacy Advisor has the responsibility to assess whether modified or new programs /activities have an impact on privacy and warrant the preparation of a PIA based on the TBS Directive on PIAs.   When a PIA is required, the Privacy Advisor will  initiate the process, determine the appropriate format for the PIA, coordinate the completion of the PIA, seek proper approvals, submit the PIA to the President of TBS and to the OPC and respond to the OPC’s observations and/or recommendations .  As mentioned above, the Privacy Advisor position will be transferred to another section during the 2020-2021 fiscal year.

During this reporting period:

• 21 consultations with CSIS subject matter experts took place to determine whether a PIA was required for new or modified programs/initiatives/activities;
• No PIAs were approved and sent to the OPC;
• 1 PIA was pending approval at the end of the reporting period;
• 2 PIAs were in process;
• 2 responses to the OPC’s recommendations were delivered; and   
• 2 PIA summaries were published to the CSIS website:  https://www.canada.ca/en/security-intelligence-service/corporate/transparency/access-to-information-and-privacy/privacy-impact-assessment.html

For national security reasons, the Service only publishes the summaries of unclassified PIAs.   

12.  Public Interest Disclosures

No disclosures were made under paragraph 8(2)(m) of the Privacy Act during the reporting period.

13.  Other

Throughout the 2019-2020 fiscal year, the ATIP Section incurred $881,540 in salary costs and $1,845 in other costs associated with the administration of the Privacy Act.

2019-2020 Statistical Report on the Privacy Act

Name of institution: Canadian Security Intelligence Service

Reporting Period: 01 April 2019 to 31 March 2020

Section 1 – Requests Under the Privacy Act

1.1 Number of Requests

Section 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

2.2 Exemptions

2.3 Exclusions

2 .4 Format of information released

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

2.5.2 Relevant pages processed and disclosed by size of requests

2.5.3 Other complexities

2.6 Closed requests

2.6.1 Number of requests closed within legislated timelines

2.7 Deemed refusals

2.7.1 Reasons for not meeting statutory deadline

2.7.2 Requests closed beyond legislated timelines (including any extension taken)

2.8 Requests for translation

Section 3: Disclosures Under Subsections 8(2) and 8(5)

Section 4: Requests for Correction of Personal Information and Notations

Section 5: Extensions

5.1  Reasons for extensions and disposition of requests

5.2 Length of extensions

Section 6: Consultations received from other institutions and organizations

6.1 Consultations received from other government institutions and organizations

6.2  Recommendations and completion time for consultations received from other Government of Canada institutions

6.3 Recommendations and completion time for consultations received from other organizations

Section 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

7.2 Requests with Privy Council Office

Section 8: Complaints and Investigations Notices Received

Section 9: Privacy Impact Assessments (PIA) and Personal Information Banks

9.1 Privacy Impact Assessments

9.2 Personal Information Banks

Section 10: Material Privacy Breaches

Section 11: Resources Related to the Privacy Act

11.1 Costs

11.2 Human Resources

2019-2020 Supplemental Statistical Report – Requests affected by COVID-19 measures

Table 1 - The following table reports the total number of formal requests received during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 2 - The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 3 - The following table reports the total number of requests carried over during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.