Annual Report on the Privacy Act—2017–18
Annual Report on the Privacy Act—2017–18
Introduction
The Privacy Act gives individuals the right to access information about themselves that is held by the Office of the Auditor General of Canada (OAG), subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.
Section 72 of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament.
This annual report on the administration of the Privacy Act at the OAG describes how we administered our responsibilities under the Act during the 2017–18 fiscal year.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Coordinator
Office of the Auditor General of Canada
240 Sparks Street
Ottawa, Ontario K1A 0G6
Tel.: 613-952-0213 (ext. 6455)
Fax: 613-954-0441
Email: privacy@oag-bvg.gc.ca
Who we are
The Office of the Auditor General of Canada (OAG) audits federal government operations and provides Parliament with independent information, advice, and assurance regarding the federal government’s stewardship of public funds. While the OAG may comment on policy implementation in an audit, it does not comment on policy itself.
We are in the business of legislative auditing. We conduct
- performance audits of federal departments and agencies;
- annual financial audits of the government’s financial statements;
- special examinations and annual financial audits of Crown corporations; and
- audits of the governments of Nunavut, Yukon, and the Northwest Territories.
Since 1995, the OAG has also had a specific environmental and sustainable development mandate, which was established through amendments to the Auditor General Act.
The Auditor General of Canada is the designated head of the institution for the Access to Information Act as well as the Privacy Act. Pursuant to section 73 of both acts, the Auditor General has delegated full authority to the Access to Information and Privacy Coordinator.
Access to Information and Privacy Office
The Access to Information and Privacy (ATIP) Coordinator is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Office of the Auditor General of Canada (OAG) meets its responsibilities under the Access to Information Act and the Privacy Act.
The ATIP Office at the OAG consists of
- one full-time ATIP Coordinator;
- two full-time employees from the Legal Services group, who help the ATIP Office on a part-time, ad hoc basis; and
- one full-time legal counsel, who helps the ATIP Office on a part-time, ad hoc basis.
The main activities of the ATIP Coordinator include
- monitoring compliance with the acts, regulations, and relevant procedures and policies;
- processing requests under both acts;
- developing and maintaining policies, procedures, and guidelines to ensure that the OAG respects the acts;
- promoting awareness of the acts within the OAG to ensure that employees are aware of their responsibilities;
- preparing annual reports to Parliament and other statutory reports, as well as other material that may be required by central agencies;
- representing the OAG in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies to determine how the acts apply to the OAG; and
- helping the OAG meet its commitments to ensure openness and transparency, through proactive and informal disclosure of information.
DELEGATION ORDER
ACCESS TO INFORMATION ACT AND PRIVACY ACT
I, Michael Ferguson, Auditor General of Canada, pursuant to section 73 of the Access to Information Act and section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions as the head of Office of the Auditor General of Canada, under the provisions of the Act and related regulations set out in the schedule opposite each position. This designation replaces all previous delegation orders.
| Position | Access to Information Act and Regulations | Privacy Act and Regulations |
|---|---|---|
| Senior General Counsel | Full authority | Full authority |
| Access to Information and Privacy Coordinator | Full authority | Full authority |
Dated at the City of Ottawa this 10 day of July 2015
Michael Ferguson, Chartered Professional AccountantCPA, Chartered AccountantCA
Fellow Chartered AccountantFCA (New Brunswick)
Auditor General of Canada
Highlights and accomplishments for the 2017–18 fiscal year
One hundred percent compliance
No formal Privacy Act requests passed their legislative deadlines during the 2017–18 fiscal year. The Office of the Auditor General of Canada (OAG) is proud to have maintained 100 percent compliance with legislated deadlines.
Privacy notice and statement
During the 2017–18 fiscal year, the OAG published an updated privacy notice on its website that clarifies how the OAG processes user data collected from website visitors.
The OAG also published an updated privacy statement to clarify how the OAG processes personal information collected or obtained during mandated activities, such as financial audits, performance audits, and special examinations.
Training
The OAG requires that all employees attend mandatory Access to Information and Privacy (ATIP) training, separate from other information sessions or other forms of training. This ATIP-specific training focuses on employee requirements when the OAG receives a request, as well as a significant training component related to personal information handling and the legislation, policies, directives, and best practices related to privacy in the Canadian public sector.
During the reporting period, two training sessions were given, with a total attendance of 198.
Administration of the Privacy Act
Requests under the Privacy Act
| Received during the reporting period: | 7 |
| Outstanding from the previous period: | 1 |
| Total: | 8 |
Disposition of completed requests
The Office of the Auditor General of Canada (OAG) completed 6 requests in the 2017–18 fiscal year. Of these requests, 4 were disclosed in part, 1 was abandoned by the requester, and 1 resulted in no retrievable records.
Exemptions invoked
Of the 4 requests in which exemptions were invoked,
- section 22(3) was invoked in 2 requests, and
- section 26 was invoked in 4 requests.
Exclusions cited
The OAG did not invoke any exclusions for the 2017–18 fiscal year.
Completion time
Of the 6 requests that were completed during the reporting period, 2 were completed within 30 days, and 4 were completed within 30 to 60 days.
Extension of time limits
The OAG invoked extensions of between 1 and 30 days for 2 requests pursuant to section 15(a)(i).
Method of access
All 4 of the requests that were disclosed in part were disclosed in an electronic format.
Costs
The costs directly associated with administration of the Privacy Act for the reporting period are estimated to be $32,883 for salaries. No costs were incurred for goods and services, contracts, or other expenses.
Complaints and investigations
The OAG did not receive any complaints pursuant to the Privacy Act during this reporting period, and no investigations regarding the OAG were carried out.
Disclosure of personal information under section 8(2)
The OAG did not disclose any personal information pursuant to section 8(2) during the reporting period.
Institution-specific policies, guidelines, and procedures
The OAG did not revise policies, guidelines, or procedures—or implement new ones—during the 2017–18 fiscal year. However, an employee privacy statement was drafted and was expected to be implemented during the 2018–19 fiscal year.
Monitoring
The OAG uses time-code (product-code) management software, essentially a digital “timesheet,” to track all audit and audit-service activities, including
- management of the Access to Information and Privacy (ATIP) Office,
- management of access to information cases (treatment of formal Access to Information Act requests and consultations),
- management of privacy cases (treatment of formal and informal Privacy Act requests), and
- privacy impact assessments.
Whenever employees or contractors of the OAG participate in any ATIP-related activity, they must track the time they spend on the activity by entering the number of hours or partial hours into the product-code management software. These records are monitored on a regular basis for human resource and financial purposes. Any employee with access to the OAG network can use the OAG’s INTRAnet (internal Internet) to view this data.
As reflected in part 10.2 of the Appendix, the OAG dedicated 1.75 person-years to ATIP-related activities.
Breaches
No breaches of privacy occurred as a result of any OAG activity during the 2017–18 fiscal year.
Privacy impact assessments
One privacy impact assessment was completed during the reporting period. The subject of the assessment was the telemetry function of Microsoft’s Windows 10 operating system. This function allows Windows 10 to collect user data and send it back to Microsoft.
Privacy impact assessments are not required by the Treasury Board’s Directive on Privacy Impact Assessments. However, the OAG determined that a thorough assessment should be conducted because all employees using Windows 10 would be subject to the operating system’s collection of their personal information. Although the OAG network would be the source of the transmission of this information, the OAG would not collect, use, or otherwise process any of the information for its own purposes.
The assessment concluded that the OAG took all available measures to limit the collection of OAG user data, even though Microsoft did not allow the complete interruption of the telemetry function.
Appendix—Statistical Report on the Privacy Act
Name of institution: Office of the Auditor General of Canada
Reporting period: 2017-04-01 to 2018-03-31
Part 1: Requests Under the Privacy Act
| Number of Requests | |
|---|---|
| Received during reporting period | 7 |
| Outstanding from previous reporting period | 1 |
| Total | 8 |
| Closed during reporting period | 6 |
| Carried over to next reporting period | 2 |
Part 2: Requests Closed During the Reporting Period
2.1 Disposition and completion time
| Disposition of Requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 4 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Request abandoned | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 2 | 4 | 0 | 0 | 0 | 0 | 6 |
2.2 Exemptions
| Section | Number of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 0 |
| 22(1)(a)(i) | 0 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 0 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 2 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 0 |
| 26 | 4 |
| 27 | 0 |
| 28 | 0 |
2.3 Exclusions
| Section | Number of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
2.4 Format of information released
| Disposition | Paper | Electronic | Other Formats |
|---|---|---|---|
| All disclosed | 0 | 0 | 0 |
| Disclosed in part | 0 | 4 | 0 |
| Total | 0 | 4 | 0 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
| Disposition of Requests | Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|---|
| All disclosed | 0 | 0 | 0 |
| Disclosed in part | 1,762 | 191 | 4 |
| All exempted | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 |
| Total | 1,762 | 191 | 5 |
2.5.2 Relevant pages processed and disclosed by size of requests
| Disposition | Less Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 2 | 2 | 63 | 0 | 0 | 1 | 126 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 2 | 2 | 2 | 63 | 0 | 0 | 1 | 126 | 0 | 0 |
2.5.3 Other complexities
| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 1 | 1 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 1 | 1 |
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
| Number of Requests Closed Past the Statutory Deadline |
Principal Reason | |||
|---|---|---|---|---|
| Workload | External Consultation | Internal Consultation | Other | |
| 0 | 0 | 0 | 0 | 0 |
2.6.2 Number of days past deadline
| Number of Days Past Deadline | Number of Requests Past Deadline Where No Extension Was Taken | Number of Requests Past Deadline Where An Extension Was Taken | Total |
|---|---|---|---|
| 1 to 15 days | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 |
| 31 to 60 days | 0 | 0 | 0 |
| 61 to 120 days | 0 | 0 | 0 |
| 121 to 180 days | 0 | 0 | 0 |
| 181 to 365 days | 0 | 0 | 0 |
| More than 365 days | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
2.7 Requests for translation
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Part 3: Disclosures Under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Part 4: Requests for Correction of Personal Information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 2 |
| Requests for correction accepted | 0 |
| Total | 2 |
Part 5: Extensions
5.1 Reasons for extensions and disposition of requests
| Disposition of Requests Where an Extension Was Taken | 15(a)(i) Interference With Operations |
15(a)(ii) Consultation |
15(b) Translation or Conversion |
|
|---|---|---|---|---|
| Section 70 | Other | |||
| All disclosed | 0 | 0 | 0 | 0 |
| Disclosed in part | 2 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 |
5.2 Length of extensions
| Length of Extensions | 15(a)(i) Interference with operations |
15(a)(ii) Consultation |
15(b) Translation purposes |
|
|---|---|---|---|---|
| Section 70 | Other | |||
| 1 to 15 days | 2 | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 |
Part 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during the reporting period | 0 | 0 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Closed during the reporting period | 0 | 0 | 0 | 0 |
| Pending at the end of the reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8: Complaints and Investigations Notices Received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 |
Part 9: Privacy Impact Assessments (PIAs)
| Number of PIA(s) completed | 1 |
|---|
Part 10: Resources related to the Privacy Act
10.1 Costs
| Expenditures | Amount |
|---|---|
| Salaries | $32,883 |
| Overtime | $0 |
| Goods and Services | $0 |
| Professional services contracts | $0 |
| Other | $0 |
| Total | $32,883 |
10.2 Human Resources
| Resources | Person Years Dedicated to Privacy Activities |
|---|---|
| Full-time employees | 1.25 |
| Part-time and casual employees | 0.25 |
| Regional staff | 0.00 |
| Consultants and agency personnel | 0.00 |
| Students | 0.25 |
| Total | 1.75 |