Annual Report to Parliament on the Administration of the Privacy Act 2016–2017

Introduction

Privacy Act

The l40Privacy Act came into effect on July 1, 1983. The sdsPrivacy Act protects the privacy of individuals with respect to their personal information held by government institutions. It establishes the rules for the collection, use, disclosure, retention and disposal of such information. It also provides individuals with a right to be given access to, and to request a correction of, their personal information.

Section 72 of the l41Privacy Act requires that the head of every government institution submit an annual report to Parliament on the administration of the Act within the institution for the past fiscal year. It is under this provision that the present annual report is tabled in Parliament.

The present annual report describes how Shared Services Canada (SSC) administered the l42Privacy Act for the period from April 1, 2016, to March 31, 2017.

Institutional Mandate and Organization

Mandate

SSC was created on August 4, 2011 to transform how the Government of Canada manages its information technology (IT) infrastructure. SSC delivers email, data centre, network and workplace technology device services to departments and agencies in a consolidated and standardized manner to support the delivery of Government of Canada programs and services. With a whole of government approach to IT infrastructure services, SSC is generating economies of scale to deliver more efficient, reliable and secure IT infrastructure services. SSC also provides certain optional technology services to other organizations on a cost-recovery basis.

The Shared Services Canada Act recognizes that the Government of Canada wishes to standardize and streamline, within a single shared services entity, certain administrative services that support government institutions. Through orders-in-council (OIC), the Department received specific responsibilities in the area of IT infrastructure services.

SSC’s focus is to maintain and improve IT service delivery across the Government of Canada, enhance security, and implement government-wide solutions to transform IT infrastructure to improve value for money and services to Canadians.

SSC is working with the information and communications technology sector to deliver an enterprise-wide email system, consolidate and modernize government data centres, and transform telecommunications services. Budget 2013 further expanded SSC’s mandate, adding the consolidation of government-wide procurement of software and hardware for workplace technology devices (e.g., printers, and desktop and laptop computers).

SSC contributes to the achievement of other critically important Government of Canada initiatives, including border security, benefit payments and weather forecasting, as well as the vision of the future Public Service as articulated in Blueprint 2020. In addition, SSC works collaboratively with Government of Canada cyber security agencies to improve cyber and IT security.

As of September 1, 2015, OIC 2015 1071 provides SSC the authority to offer any or all of its services to any federal government entity on a voluntary basis, as well as to another Canadian jurisdiction or a foreign government, as long as there are no additional costs incurred or additional resources allocated by SSC. The OIC also expands the mandatory nature of a sub-set of SSC services related to email, data centres and networks to a range of new clients. Most small departments and agencies previously not served, or served only on an optional basis, are set out as mandatory clients for this sub-set of services.

Delegated Authority

In August 2015, pursuant to section 73 of the Privacy Act, the President authorized the delegation instrument by reconfirming full powers, duties and functions under the Act to levels down to and including the Director of the Access to Information and Privacy (ATIP) Protection Division, hereafter referred to as the ATIP Division (see Annex B).

ATIP Division Structure

During the reporting period, the ATIP Division structure remained the same as reported in previous reports, with a director and two deputy directors, each overseeing teams of analysts for the Operations side as well the Policy and Governance side. While an average of 20 person years were dedicated to the ATIP program, just over five person years were dedicated to the administration of the Privacy Act. These person years include full-time equivalents, casual employees, and students.

Words of Recognition

The SSC ATIP Division was founded on experience and guided by service excellence. The ATIP Division’s success since its creation in April 2012 is a direct result of the level of experience and calibre of the two deputy directors who were recruited five years ago. Specifically, the Deputy Director for ATIP Operations (Johanne Daigle) as well as the Deputy Director for ATIP Policy and Governance (Lorraine Richer) were instrumental in building the SSC ATIP Division by ensuring that the right people, tools, policies and procedures were in place to meet all ATIP legislative and policy obligations.

This reporting period involved a very successful succession plan exercise in preparation of the retirement of these two key members of the SSC ATIP Management team. Both Johanne and Lorraine were actively involved in the staffing processes to recruit their replacements, and once the two new deputy directors were in place, they ensured the necessary transfer of knowledge with their mentoring and coaching. Their engagement in the process resulted in a very smooth transition for the ATIP Division, its staff and SSC as a whole. The succession plan exercise also permitted both retirees to work closely with the Corporate Secretary to advance various SSC internal services projects.

Shared Services Canada and the federal ATIP community have been most fortunate to have had such dedicated and competent people. Kudos to them for their relentless commitment to all aspects associated with the principles of fair information handling practices, the concept of openness, transparency and accountability in a democratic society, the human right to privacy, as well as the public’s right to have access to government records with limited exceptions. They will be missed and the SSC ATIP Division wishes them the very best in this next stage of their lives.

Dedicated to ATIP Excellence

The ATIP Division is responsible for developing, coordinating, implementing and monitoring compliance with effective ATIP-related policies, guidelines, systems and procedures across SSC. This enables SSC to meet the requirements and to fulfill its obligations under the Privacy Act and its accompanying piece of legislation, the Access to Information Act.

The main activities of the ATIP Division are as follows:

• Receiving, coordinating and processing requests under the Privacy Act and the Access to Information Act;
• Responding to consultations from other government institutions regarding SSC information under consideration for release;
• Developing and maintaining SSC-specific policy instruments in support of access and privacy legislation;
• Developing and delivering ATIP awareness and training across SSC so that employees and management understand their roles and responsibilities;
• Supporting a network of ATIP liaison officers across SSC who assist with requests by coordinating the retrieval of records and recommendations from within their branch or region;
• Monitoring institutional compliance with both Acts and their regulations, as well as relevant procedures and policies;
• Preparing annual reports to Parliament on the administration of the Acts, as well as other material that may be required by central agencies;
• Representing SSC in dealings with the Treasury Board of Canada Secretariat (TBS), and the Offices of the Privacy and Information Commissioners of Canada regarding the application of both Acts as they relate to SSC;
• Supporting SSC in meeting its commitments to openness and transparency through the proactive disclosure of information and the release of information via informal avenues, such as the Open Government portal;
• Supporting the Corporate Secretariat’s Business Process Transformation by simplifying the access to information request process to ensure timeliness and quality review of the information;
• Monitoring ATIP tasking performance and reporting to senior management on a monthly basis; and
• Participating in whole-of-government initiatives for the federal ATIP community.

The administration of the Acts by the ATIP Division is facilitated at the branch and directorate level of SSC. Each organizational branch and directorate has an ATIP Liaison Officer who coordinates the collection of requested information and provides guidance to branch and directorate managers on the application of the Acts.

Interpretation of the Statistical Report – Requests for Personal Information and Consultations

The Statistical Report (Annex C) on the administration of the Privacy Act provides a summary of the personal information requests and consultations processed during the 2016–2017 reporting period.

Overview of Workload (Annex C, Parts 1 and 2, Table 2.5.1, Table 2.6.2)

During the reporting period, the ATIP Division received 111 requests under the lpo978Privacy Act and carried forward three requests from the previous reporting period. There were no consultations under the ol7trPrivacy Act received from other government institutions. The ATIP Division processed all 114 requests and, as such, no gffytPrivacy Act requests were carried over to the next reporting year.

The number of requests received under the ldfttPrivacy Act during this reporting period decreased slightly compared to the previous reporting period (in which 123 requests had been received). Out of 6,428 pages processed by the ATIP Division, 3,009 were deemed relevant to the Privacy Act requests and were either disclosed in whole or in part.

The ATIP Division ensures that it monitors on a weekly basis its turnaround times in processing requests and tracks the timeliness of their completion. In this reporting period, all ldf4rtPrivacy Act requests processed were completed within legislated timelines.

Requests Received (Annex C, Part 1)

During the reporting period, 111 requests were received under the l34rtPrivacy Act. Three requests from the previous reporting period were carried forward, for a total of 114 requests requiring action for this reporting period.

Disposition of Requests Completed (Annex C, Part 2, Table 2.1)

By the end of the reporting period, all 114 requests were completed. Of these, 12 requests were disclosed in part and three were released in their entirety. It should be noted as well that 18 requests were abandoned and 81 requests yielded no responsive records as they were for the most part misdirected.

Completion Time (Annex C, Part 2, Table 2.1)

The vvbPrivacy Act sets the timelines for responding to privacy requests. It also allows for extensions in cases where responding to the request requires the review of a large volume of information or extensive consultations with other government institutions or other third parties. Of the 114 completed requests, 98 percent were completed by the 30 day deadline. The remaining 2 percent of the requests received were completed within the lawful time extension of 30 additional days.

Exemptions Invoked (Annex C, Part 2, Table 2.2)

The v78vbPrivacy Act allows, and in some instances requires, that some personal information be exempted and not released. For example, personal information may be exempted when it relates to law enforcement investigations, another individual besides the requester, or when it is subject to solicitor-client privilege.

During the reporting period, 11 requests required that information be withheld because it related to another individual, and was therefore exempted under section 26 of the 980cbPrivacy Act. Only one request required an exemption to be applied to information subject to solicitor client privilege under section 27 of the Act.

Exclusions Cited (Annex C, Part 2, Table 2.3)

The 99gftPrivacy Act does not apply to information that is already publicly available, such as government publications and material in libraries and museums. It also excludes material such as Cabinet confidences. There were no exclusions cited in the requests completed during the reporting period.

Disclosure of Personal Information Pursuant to Paragraphs 8(2)(e) and (m) (Annex C, Part 3)

Paragraph 8(2)(e) of the oiu897Privacy Act allows the head of the institution to disclose personal information without the consent of the affected individual where such information is requested in writing by a designated investigative body for law enforcement purposes. During the reporting period, SSC made no disclosures of personal information under this provision.

Paragraph 8(2)(m) of the no9987Privacy Act allows the head of the institution to disclose personal information without the consent of the affected individual in cases where, in the opinion of the head, the public interest outweighs any invasion of privacy that could result from the disclosure or when it is clearly in the best interest of the individual to disclose. During the reporting period, SSC made no disclosures of personal information under this provision. Subsection 8(5) of the jhu72Privacy Act obliges the head of the institution to notify the Office of the Privacy Commissioner of Canada prior to, or if not practical, forthwith on, any disclosure under paragraph 8(2)(m). Since SSC made no disclosures of personal information under that provision, no notifications to the Office of the Privacy Commissioner of Canada were required under subsection 8(5) of the Act.

Extensions (Annex C, Part 5, Table 5.1)

Extensions permissible under section 15 of the u95alPrivacy Act were invoked for two requests. Extensions were required for 30 additional days to reduce the risk of interference with daily operations due to a large volume of records.

Consultations (Annex C, Part 6)

During the reporting period, SSC received no consultations under the jh84qPrivacy Act from other government institutions.

Costs (Annex C, Part 10)

According to the information provided by SSC’s Finance Division in April 2017, during the reporting period, the ATIP Division spent a total of $461,340 for the administration of the r54mPrivacy Act, of which $410,277 was spent on salaries and $51,063 was spent on goods and services.

Comparative Review

The ATIP Division has generally seen an upward trend in requests received since SSC’s creation. It should be noted, however, that the number of pages processed has fluctuated.

Institutional ATIP Training and Awareness Activities

The ATIP Division continued its efforts toward embedding a culture of ATIP excellence across SSC with a focus on delivering training and awareness activities. In order to assess and continually improve the effectiveness of its training activities, the ATIP Division uses a comprehensive evaluation form for participants to provide feedback regarding their training experience. The feedback received is always assessed and, as much as possible, incorporated into the material developed for training purposes.

In order to ensure that SSC employees, regardless of their position or level, are made aware of their responsibilities related to ATIP, and that they gain an in-depth understanding of the related practices and principles SSC launched in collaboration with the Canada School of Public Service (CSPS), the Access to Information and Privacy Fundamentals course on July 14, 2016. While this course is optional for all federal Public Service employees through the CSPS website, its completion has been made mandatory for all SSC employees. As such, bi-annual reminders are issued to employees to complete this mandatory course.

During the current reporting period, 26 ATIP training and awareness sessions were delivered to approximately 450 participants, which included SSC executives, managers and employees at various levels. Based on the feedback received, these sessions have all been very well received and participants have indicated high satisfaction with the sessions.

It should be noted that while much training has been delivered internally to liaison officers and subject matter experts, analysts working in the ATIP Division have continually strived to gain new knowledge and remain informed in relation to both legislation and emerging trends. All ATIP Operations employees, for instance, have completed the ATIP training for specialists offered the through the CSPS (Access to Information in the Government of Canada [I701] and Privacy in the Government of Canada [I702] courses). Furthermore, employees have attended ATIP community meetings, conferences, and ATIP related training sessions offered through various means.

It should also be noted that SSC’s Architecture Centre of Excellence hosted a session on Privacy by Design presented by Dr. Ann Cavoukian, who served an unprecedented three terms as Information and Privacy Commissioner of Ontario. The session’s purpose was to outline the Privacy by Design framework, which is key to maintaining privacy in an ever-changing technological information environment.

Training for the ATIP Liaison Officer Network

As the primary point of contact for a branch or directorate, an ATIP Liaison Officer must have an in-depth understanding of the ATIP process and a heightened understanding of the legislation. During the reporting period, the ATIP office delivered 5 training sessions to ATIP Liaison Officers and their delegates, for a total of 42 participants. There were fewer participants in these sessions than in the previous reporting period largely due to the more extensive Liaison Officer training sessions delivered in the previous reporting year (263 participants over 4 sessions). It should be noted that during the current reporting period, many liaison officers and their delegates also participated in sessions targeting offices of primary interest and their subject matter experts.

During the next reporting period, the ATIP office plans to schedule a series of meetings with the liaison officers, their delegates, and offices of primary interest subject matter experts to discuss specific issues in processing requests received. It is anticipated that these meetings will enable the ATIP office to refine its processes in order to deliver the best service possible to its internal and external clients.

ATIP Training for Subject Matter Experts in Offices of Primary Interest

During the reporting period, the ATIP office delivered seven office of primary interest training sessions targeting all of the branches within SSC: Service Delivery Management, Data Centre Services, Networks and End User Branch, Cyber and IT Security, Strategy, Corporate Services and Project Management and Delivery. Furthermore, several offices within SSC also requested they be provided with training and awareness sessions, for a total of 10 sessions totaling approximately 194 employees. The ATIP Division also delivered such sessions in collaboration with the learning and development efforts of other groups within SSC.

In an effort to assist SSC’s offices of primary interest, the ATIP Division has developed a new processing guide that will be launched during the next reporting period. The purpose of the guide is to provide employees with basic, yet complete instructions to follow in order to meet their obligations when processing requests received by SSC.

ATIP Awareness for SSC Executives

During the reporting period, two awareness sessions were delivered for executives by the Director of the ATIP Division, for a total of 80 participants. These sessions were focused on general ATIP awareness and the communication of SSC ATIP policy instruments.

ATIP in the Government of Canada

The Director of SSC’s ATIP Division also continues to deliver, for the CSPS, the courses entitled, Access to Information in the Government of Canada (I701) and Privacy in the Government of Canada (I702), which are intended for federal public servants.

The Director also delivered an information session to a TBS-led Chief Information Officer Council (CIOC) meeting related to SSC’s Standard on Facilitating Access to Data Under the Control of Partner Organizations, that is, a standard related to partners’ access to their own data held in the SSC IT infrastructure. This policy instrument and SSC’s Standard on Managing Privacy Breaches were also presented during a Government of Canada Security Council meeting, as well as during an Assistant Deputy Minister Security Committee meeting.

Collaboration with the ATIP Community

During the reporting period, the Director of SSC’s ATIP Division presented SSC’s ATIP policy instruments to participants at the Access to Information and Privacy Practitioners’ Meeting. Such meetings bring together ATIP analysts from across the federal ATIP community, and serve as an opportunity for the community members to exchange ideas on issues related to the field and to be updated on developing trends. SSC’s ATIP policy instruments were made available to the ATIP community for other departments to leverage for their own purposes.

Info Source at SSC

Info Source is a publication that lists and describes the information holdings of all federal departments and is a reference tool that assists individuals in submitting requests.

During the reporting period, four training sessions were given to employees responsible for updating the information holdings for their respective branches or directorates. A total of 23 participants were present at these sessions.

ATIP Training for GCDOCS Coaches

GCDOCS is the secure information repository used by SSC (up to Protected B). It enables employees to create, save and share documents digitally within SSC.

Two training sessions were held in collaboration with Information Management and Corporate Security, aimed at established GCDOCS coaches in SSC. The training served as a reminder of best practices related to information management and security when handling personal information. GCDOCS coaches were reminded of privacy and security considerations related to access permissions, and considerations to be shared within their own work groups.

While training on best practices related to the use of GCDOCS and access privileges has taken place, as a means to bring further awareness to the users, a banner was created and put in use in GCDOCS in order to remind employees to question themselves as to whether they should be seeing the information they have accessed (the “need to know” principle). This banner serves as a tool to heighten awareness to the security of information and to further prevent potential privacy breaches.

Right to Know Week

In 2016, Right to Know (RTK) Week took place from September 26 to October 2 in Canada. Initiated in Bulgaria on September 28, 2002, International Right to Know Day is intended to raise awareness of an individual’s right to access government information while promoting freedom of information as an essential feature of both democracy and good governance. SSC advanced awareness of RTK Week by highlighting it in its weekly bulletin to employees.

Data Privacy Day

On January 28, 2017, Canada, along with many other countries, celebrated Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.

During the reporting period, SSC promoted this day by issuing a communiqué to employees from the Chief Privacy Officer, which highlighted that public servants are required to act with integrity and in a manner that will bear the closest public scrutiny. The Chief Privacy Officer also encouraged all SSC employees to consult the Values and Ethics Code for the Public Sector and SSC’s Standard on the Code of Privacy Principles while reminding employees of their obligation to complete the Access to Information and Privacy Fundamentals online course, launched by SSC in collaboration with the CSPS.

Remaining Informed

The Policy and Governance team of the ATIP Division conducts a media scan, on a daily basis, for any articles that may be relevant to the field of ATIP and to SSC. These scans, which are shared with the Corporate Secretariat and colleagues within Security, help employees remain aware of ongoing issues in the field and emerging trends.

ATIP Policy Instruments, Procedures and Initiatives

ATIP Management Framework

While SSC continues to revise its ATIP policy instruments as needed, during the reporting period, it also published the following five policy instruments, which were approved by the Corporate Management Board in March 2016:

• Directive on Managing Personal Information Required for Administrative Purposes and Lawful Investigations — This directive supports SSC’s commitment in establishing and adhering to best practices for collecting, retaining, using, disclosing and disposing of personal information in strict compliance with the qqwqPrivacy Act.
  • Standard on Facilitating Access to Data Under the Control of Partner Organizations — This standard supports timely and effective service to SSC’s partners whose data resides on SSC’s IT infrastructure. This standard provides comprehensive governance and accountability in facilitating partner access to their data.
  • Standard on the Use and Disclosure of Personal Information Under the Control of SSC — This standard supports effective privacy management at SSC by providing comprehensive governance and accountability in SSC’s use and disclosure of personal information under its control.
  • Standard on eDiscovery Multi-Mailbox Searches for Access to Information and Privacy Purposes — This standard supports access to information and privacy management at SSC by providing comprehensive governance and accountability involving the use of MMS/eDiscovery activities warranted by an ATIP request.
  • Standard on Managing Personal Information in Emergencies — This standard serves to ensure effective privacy management at SSC by providing comprehensive direction in activities involving the handling of personal information under SSC’s control in the event of an emergency.

SSC Enterprise Services—Functional Direction 6.0

SSC updated its Functional Direction during the reporting period. It provides guidance and principles to follow for aligning existing services during the transition to enterprise services. Through an associated communiqué, the Senior Assistant Deputy Minister of Strategy at SSC emphasized that it was essential that the Functional Direction be applied consistently by all operational teams for sourcing and deploying SSC services.

Privacy-by-design is a concept that was included in the updated version of the Functional Direction. The sixth governing principle states that during the project initiation phase, necessary security and privacy controls for all projects must be incorporated and remain in place throughout the life cycle of the project, that is, from initiation to implementation.

Chief Information Officer Council Community Award

The SSC ATIP Division’s ATIP Management Framework, including its 14 ATIP policy instruments as well as an initiative related to Open Government, were recognized by the CIOC and received the CIOC Community Award in Excellence in the ATIP category.

Tremendous work was completed during the reporting period by the ATIP Policy and Governance team as well as the ATIP Operations team in terms of the development of policy instruments and the proactive monthly posting of briefing note lists. This work helped pave the way for a greater level of transparency and accountability at SSC.

Intradepartmental Collaboration

In 2016–2017, tiger teams were created within SSC for the purpose of promoting discussion and developing strategies to address issues covering various work related themes, such as work processes, learning and development and customer service. Many members of the ATIP Division participated and along with their team members, received awards of excellence in collaboration in recognition of their efforts.

“Duty to Assist” Principle

The ATIP Division’s process under the dt6qwqPrivacy Act is based on the “duty to assist” principle, which is defined in the Directive on Privacy Requests and Correction of Personal Information as follows:

1. Process requests without regard for the identity of the applicant;
2. Offer reasonable assistance throughout the request process;
3. Provide information on the 000998Privacy Act, including information on the processing of requests and the right to complain to the Information Commissioner of Canada;
4. Inform the applicant as appropriate and without undue delay when the request needs to be clarified;
5. Make every reasonable effort to locate and retrieve the requested records under the control of the institution;
6. Apply limited and specific exemptions to the requested records;
7. Provide accurate and complete responses;
8. Provide timely access to the requested information;
9. Provide records in the format and official language requested, as appropriate; and
10. Provide an appropriate location within the institution to examine the requested information.

SSC’s ATIP process is further supported by best practices within the federal ATIP community, which enable SSC to meet the challenges of responding in a timely manner to 88yyfdPrivacy Act requests for access and consultations.

ATIP Process Manual

During the reporting period, the ATIP Division continued to update its procedural manual to guide ATIP staff in processing requests received under the hutrePrivacy Act and its accompanying piece of legislation, the hj7w3Access to Information Act. The manual provides information about the types of documents processed and how they should be handled pursuant to the Acts. The manual serves as a reference tool for ATIP staff and is designed to ensure consistent application of the Acts and related policy instruments. Further, the manual supports SSC’s “duty to assist” all applicants, so that all reasonable effort is made to help applicants receive complete, accurate and timely responses in accordance with the legislation.

SSC has developed internal procedures and guidelines to ensure appropriate monitoring of and reporting on ATIP requests, as well as compliance with TBS policies and guidelines. They provide important checks and balances required to maintain full compliance.

Control of Records and Partner Organizations

Given SSC’s mandate, there are challenges surrounding the roles and responsibilities under the ggffddsPrivacy Act. Section 16 of the Shared Services Canada Act states that:

“…for the purposes of the bvgtrfPrivacy Act, personal information that is collected by other government institutions […] that is, on behalf of those institutions or organizations, contained in or carried on Shared Services Canada’s information technology systems is not under the control of Shared Services Canada.”

Given the unique relationship between SSC and its partner organizations, from time to time the partner organizations may require SSC’s assistance to access their data residing on the SSC IT infrastructure. When all efforts by partners to retrieve records internally have been unsuccessful, the primary contact within SSC to facilitate partner access to their data is SSC’s Security Operations Centre. The Security Operations Centre’s assistance may be requested in the following cases, if attempts by partner organizations have been unsuccessful:

1. When partners receive ATIP requests for their records (records under their control residing on the SSC IT infrastructure);
2. When partners are subject to court orders, subpoenas, warrants or any other binding order made by a person or body with jurisdiction to compel the production of records; and
3. When a lawful investigation (administrative or criminal) requires the retrieval of records residing on the SSC IT infrastructure.

As previously indicated, the related policy has been shared on several occasions with SSC’s partner organizations through various forums where SSC’s Director of ATIP has given presentations on the matter. It is also available to partner organizations on SSC’s Serving Government website.

Info Source Update

Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions subject to the ffut3Access to Information Act and the buynowPrivacy Act. It provides individuals as well as current and former employees of the government with relevant information to assist them in accessing personal information about them held by government institutions subject to the selloffPrivacy Act and exercising their rights under the grabfPrivacy Act.

TBS requires that government institutions publish their own Info Source chapter on their Internet site. During the reporting period, SSC completed its review of its Info Source chapter and met all legislative and TBS mandatory requirements. In fact, SSC received notification from TBS that the 2015–2016 update was deemed excellent.

Complaints and Audits

Complaints

SSC was subject to one complaint under the f667bfPrivacy Act. In April 2016, an individual alleged that SSC contravened the uy712Privacy Act with respect to the protection of documents stored in GCDOCS, SSC’s electronic information management system. The individual lodged a complaint with the Office of the Privacy Commissioner of Canada concerning improper use and disclosure of personal information. Upon being made aware of the complaint, SSC’s ATIP Division immediately assessed and contained the incident. The Office of the Privacy Commissioner of Canada deemed the complaint resolved via early resolution.

Audits

During the reporting period, no audits involving SSC were completed by the Office of the Privacy Commissioner of Canada pursuant to section 37 of the hjuuuyPrivacy Act.

Parliamentary Affairs

During the period under review, eight order paper questions were placed by members of Parliament with respect to the following: budget allocated to the ATIP Division, statistical data of ATIP requests received, and data pertaining to privacy breaches. SSC provided its written responses. Upon request, these responses are available to the public via the Library of Parliament.

Breaches

During the reporting period there was one material breach that was reported to the Office of the Privacy Commissioner of Canada. The breach involved the theft of four laptops from SSC premises. While local law enforcement conducted an investigation of the incident, SSC launched an internal investigation of the circumstances surrounding the theft. SSC’s investigation concluded that it was unlikely that any personal information on or available from the laptops could be compromised due to the security safeguards in place. The matter is now considered closed.

Privacy Impact Assessments

Summaries of completed PIAs are posted on SSC’s Internet site: Publications—Access to Information and Privacy.

In keeping with the guidance from the Office of the Privacy Commissioner of Canada and the Treasury Board Directive on Privacy Impact Assessment, privacy risks identified in PIAs are aligned with the 10 universal privacy principles found in the Canadian Standards Association’s Model Code for the Protection of Personal Information. In addition, privacy and security controls are required to be in place during the life cycle of projects at SSC, as recommended through SSC’s Functional Direction 6.0.

During the reporting period, SSC completed the PIA for the Electronic Procurement and Payment system (also known as “P2P”). 

Ongoing PIA Files

SSC continues to work on initiated PIAs and privacy risk checklists for projects such as the following:

1. Videoconferencing Enterprise Service
2. Workplace Communication Service Internet Protocol Telephony (including Voice over Internet Protocol)
3. Hosted Contact Centre Service
4. Government of Canada Internal Centralized Authentication Service  
5. Government of Canada Managed Security Services
6. Port Management
7. Conflict of Interest System and E-Forms
8. Emergency Attendance Report System
9. Workplace Technology Devices—Printing Products Procurement Project
10. Data Centre Consolidation

SSC continues to monitor the mitigation strategies identified in all PIA actions plans.

Next Steps for the Year Ahead

SSC’s ATIP Division will continue to be innovative in its administration of the Privacy Act and take part in SSC internal services transformation initiatives as well as federal ATIP community initiatives. The ATIP Division is committed to further supporting SSC as it instils a culture of service excellence and moves toward an efficient and modern paperless environment.

At the end of the reporting period, the ATIP Division was mapping its information holdings against SSC’s 2017–2018 Program Alignment Architecture. This initiative will assist in further defining SSC’s information holdings for the purpose of enhancing the clarity of its Info Source chapter.

The ATIP Division will continue to foster the development of knowledge tools for the ATIP Liaison Network as well as to provide ATIP training and awareness opportunities for executives, managers and employees across the Department. Meetings will be scheduled with liaison officers, their delegates and office of primary interest subject matter experts for the purpose of discussing issues related to the processing of requests, to further awareness and refine processes. The liaison officers play a crucial role in ensuring the Department fulfills its legislative requirement and, this being the case, their involvement, expertise, and collaboration are invaluable.

Finally, it should also be noted that the ATIP Division is developing a logic model and performance measurement indicators in relation to its ATIP Management Framework and its 14 policy instruments, which consists of desired outcomes, performance indicators and targets. This exercise will enable the ATIP Division to gauge the efficacy of its policy instruments.

Annex A – Partner Organizations

1. Agriculture and Agri-Food Canada
2. Atlantic Canada Opportunities Agency
3. Canada Border Services Agency
4. Canada Economic Development for Quebec Regions
5. Canada Revenue Agency
6. Canada School of Public Service
7. Canadian Food Inspection Agency
8. Canadian Heritage
9. Canadian Northern Economic Development Agency
10. Canadian Nuclear Safety Commission
11. Canadian Space Agency
12. Correctional Service Canada
13. Department of Finance Canada
14. Department of Justice Canada
15. Employment and Social Development Canada
16. Environment and Climate Change Canada
17. Federal Economic Development Agency for Southern Ontario
18. Financial Transactions and Reports Analysis Centre of Canada
19. Fisheries and Oceans Canada
20. Global Affairs Canada
21. Health Canada
22. Immigration and Refugee Board of Canada
23. Immigration, Refugees and Citizenship Canada
24. Indigenous and Northern Affairs Canada
25. Infrastructure Canada
26. Innovation, Science and Economic Development Canada
27. Library and Archives Canada
28. National Defence
29. National Research Council Canada
30. Natural Resources Canada
31. Parks Canada
32. Privy Council Office
33. Public Health Agency of Canada
34. Public Safety Canada
35. Public Service Commission of Canada
36. Public Services and Procurement Canada
37. Royal Canadian Mounted Police
38. Statistics Canada
39. Transport Canada
40. Treasury Board of Canada Secretariat
41. Veterans Affairs Canada
42. Western Economic Diversification Canada

Annex B – Delegated Authority

Privacy Act Designation Order

The President of Shared Services Canada, pursuant to section 73 of the Access to Information Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons acting in those positions, to exercise the powers and perform the duties and functions of the President of Shared Services Canada as the head of a government institution under all sections of the Access to Information Act. This designation is effective immediately upon being signed.

SCHEDULE

1. Chief Operating Officer
   
2. Senior Assistant Deputy Minister and Chief Financial Officer
   Corporate Services
   
3. Cooperative Secretary and
   Chief privacy Offices
   
4. Director,
   Access to Information and Privacy Protection Division

Ron Parker

Ottawa

Annex C – Statistical Report

Name of institution: Shared Services Canada
Reporting period: 2016–04–01 to 2017–03–31

Part 1 – Requests Under the Privacy Act

Part 2 - Requests Closed During the Reporting Period

2.5 Complexity

2.6 Deemed refusals

Part 3 – Disclosures Under Subsections 8(2) and 8(5)

Part 4 – Requests for Correction of Personal Information and Notations

Part 5 – Extensions

Part 6 – Consultations Received From Other Institutions and Organizations

Part 7 – Completion Time of Consultations on Cabinet Confidences

Part 8 – Complaints and Investigations Notices Received

Part 9: Privacy Impact Assessments (PIAs)

Part 10: Resources Related to the Privacy Act

Note: Enter values to two decimal places.

Free PDF download

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet:

• Adobe Reader
• Foxit Reader
• Xpdf
• eXPert PDF Reader