Annual Report to Parliament on the Administration of the Privacy Act 2022-2023

Table of Contents

• Introduction
  • Purpose of the Privacy Act
  • Mandate of the Institution
• Organizational Structure
• Delegation Order
• Performance 2022-2023
  • Number of Requests
  • Active Requests Outstanding from Previous Reporting Periods
  • Extensions
  • Compliance Rate
  • Completion Time
  • Disposition of Completed Requests
  • Consultations from Other Institutions
  • Staffing
  • COVID-19 Impacts to Privacy Operations
• Training and Awareness
• Policies, Guidelines, and Procedures
  • ATIP ADM Tasking
  • ATIP at the Executive Committee Meeting
  • HR Strategies
  • Privacy Tools and Initiatives
• Initiatives and Projects to Improve Privacy
  • New ATIP Software
• Summary of Key Issues and Actions Taken on Complaints
  • Requests for Personal Information
  • Management of Personal Information
  • Active Complaints Outstanding from Previous Reporting Periods
• Material Privacy Breaches
• Privacy Impact Assessments
• Public Interest Disclosures
• Monitoring Compliance
  • Ongoing Reporting
  • Limiting Inter-institutional Consultations
  • Frequently Requested Types of Information
  • Privacy Protection in Contracting
• Annex A: Designation Order
• Annex B: Global Affairs Canada 2022-2023 Statistical Report
• Annex C: Global Affairs Canada 2022-2023 Supplemental Statistical Report

Introduction

We are pleased to table the Annual Report to Parliament on the administration of the Privacy Act for fiscal year 2022-2023, as required under section 72 of the Act. Global Affairs Canada is not reporting on behalf of wholly owned subsidiaries or non-operational institutions.

NOTE: The Department is referred to in this report as Global Affairs Canada (GAC). Its legal name, however, remains the Department of Foreign Affairs, Trade and Development, as set out in the Department of Foreign Affairs, Trade and Development Act.

Purpose of the Privacy Act

The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

Mandate of the Institution

Global Affairs Canada, under the leadership of the Minister of Foreign Affairs; the Minister of Export Promotion, International Trade and Economic Development; and the Minister of International Development, is responsible for advancing Canada’s international relations, including:

• Developing and implementing foreign policy;
• Fostering the development of international law, international trade and commerce;
• Providing international assistance (encompassing humanitarian, development, and peace and security);
• Providing consular services for Canadians; and
• Overseeing the Government of Canada’s global network of missions abroad.

Global Affairs Canada manages Canada’s diplomatic and consular relations with foreign governments and international organizations, engaging and influencing international players to advance Canada’s political, legal and economic interests, including poverty reduction, the empowerment of women and girls, the promotion of a rules-based international order, international peace and security, human rights, inclusive and accountable governance, peaceful pluralism, inclusion and respect for diversity, and environmental sustainability.

In support of efforts to eradicate global poverty and contribute to a more peaceful, prosperous, and inclusive world, the department manages the majority of Canada’s international assistance. The department also leads coordinated Canadian responses to crises and natural disasters abroad, including the provision of needs-based humanitarian assistance.

Global Affairs Canada also manages Canada’s international platform—a global network of missions in approximately 110 countries that supports the international work of the department and partner departments, agencies, and co-locators.

To improve and maintain market access for Canadian businesses, Global Affairs Canada leads the negotiation of bilateral, plurilateral and multilateral trade agreements, the administration of export and import controls, as well as the management of international trade disputes. The Department also provides advice and services to help Canadian businesses succeed abroad and attract foreign direct investment to Canada, and supports international innovation, science, and technology.

The Department delivers consular services and provides travel information to Canadians.

It also supports global peace and stability and addresses international security threats such as terrorism, transnational organized crime and the proliferation of weapons, and materials of mass destruction.

Global Affairs Canada develops and implements policy and programming based on analysis of available evidence, including through consultation and engagement with Canadians and international stakeholders. The department is responsible for fostering the development of international law and its applications in Canada’s foreign relations.

The department’s legal responsibilities are detailed in the 2013 Department of Foreign Affairs, Trade and Development Act.

For more information on the ministers’ mandated commitments, see the ministers’ mandate letters.

Organizational Structure

The Access to Information and Privacy Protection (ATIP) Division is responsible for the administration of the Access to Information Act and the Privacy Act, including the processing of requests and consultations. The Director of the ATIP Division reports to the Corporate Secretary who, in turn, reports to the Deputy Minister of Foreign Affairs.

In 2022-2023, the ATIP Division had 70 Full-Time Equivalent (FTE) positions to fulfill the Department’s obligations under both the Access to Information Act and the Privacy Act. During the fiscal year, the ATIP Division was able to fill, on average, 48 of those 70 positions and relied on the services of up to 10 ATIP consultants.

The Access to Information and Privacy Division is led by a Director, who manages the teams that administer the Access to Information and Privacy Acts:

• The Operational Unit is managed by 4 Deputy Directors who head 1-2 processing teams. There are 7 Team Leaders who supervise processing teams. 1 Senior Advisor, 17 Analysts, and 7 consultants distributed throughout these teams. The Operational Unit is responsible for the processing and review of access, privacy, and consultation It also includes a team with dedicated resources to work on complaints, which processes legacy complaints and works closely to resolve them with the Office of the Information Commissioner and the Office of the Privacy Commissioner.

• The Privacy Policy Team is managed by 1 Deputy Director and includes 1 Team Leader, 5 Analysts, and 2 consultants who deal directly with privacy breaches, departmental complaints, privacy impact assessments (PIAs), and requests for privacy advice.

• The Policy and Governance Team is managed by 1 Deputy Director and includes 1 Senior ATIP Policy and Governance Advisor who coordinates process modernization, procedural updates, and departmental training.

• The Business Practices and Systems Unit is managed by 1 Deputy Director and includes 1 ATIP Systems Analyst, 3 Business Analysts and 4 Clerks who process incoming and outgoing ATIP correspondence, imaging services, technical support, and other administrative tasks.

• The Corporate Affairs Unit is managed by 1 Deputy Director and includes 1 Administrative Assistant and 1 consultant. This group is responsible for the oversight of the division’s human resources, budget management, and general administration.

All employees are working within a hybrid model, with telework from home and in-office presence at headquarters (125 Sussex Drive). Global Affairs Canada did not have any regional ATIP staff.

During the fiscal year 2022-2023, Global Affairs Canada did not have any service agreements pursuant to section 73.1 of the Privacy Act.

Delegation Order

Consistent with Section 73 of the Privacy Act, the Minister’s authority is delegated to the Deputy Ministers, to the Corporate Secretary, to the Director of the ATIP Division, and to the Deputy Directors of the ATIP Division. It is also delegated to Heads of Mission for the purpose of public interest disclosures under section 8(2)(m) of the Act.

A copy of Global Affairs Canada’s signed Delegation Order is provided in Annex A.

Performance 2022-2023

Number of Requests

In 2022-2023, the Department received 118 new requests under the Privacy Act, an increase of 8% compared to the 2021-2022 fiscal year. A total of 72 requests were carried over into this reporting period; 49 requests were outstanding from the previous reporting period and 23 outstanding from more than one reporting period, for a total of 190 active requests.

During the same reporting period, 124 requests were completed; an increase of almost 13% compared to the 2021-2022 fiscal year. The rise in the number of completed requests, compared to 2021-2022, reflects a gradual normalization of access to the workplace that followed the first year of the pandemic, during which time access to the office was severely constrained.

The carry-over of active files at the end of fiscal year 2022-2023 was 66.

Active Requests Outstanding from Previous Reporting Periods

At the end of reporting period, approximately 21% of Global Affairs Canada’s outstanding requests from previous reporting period were still on time.

Extensions

During the reporting period, the Department took extensions on 22 out of the 124 requests it closed. The reasons for extension include 21 extensions taken under section 15(a)(i) for interference with operations, and 1 extension under section 15 (a)(ii) for consultation requirement.

Compliance Rate

The compliance rate is defined as the percentage of Access to Information requests that the Department responded to within the deadline required under the Act. In 2022-2023, the departmental compliance rate for Global Affairs Canada was 52%. This means that 48% of Privacy requests received a response beyond the deadline. The compliance rate for the reporting period increased by 7 percentage points compared to the previous reporting period.

Completion Time

During the reporting period, the Department was able to close a total of 33 requests in 15 days or less (27%), 19 requests within 16-30 days (15%), 25 requests within 31-60 days (20%), 8 requests within 61-120 days (6.5%), 8 requests within 121-180 days (6.5%), 15 requests within 181-365 days (12%), and 16 requests took over 365 days to complete (13%).

Disposition of Completed Requests

Of the 124 Privacy requests closed in the 2022-2023 fiscal year, 17 were all disclosed (14%), 53 were disclosed in part (43%), 1 was all exempted (1%), 14 had no records in existence (11%), and 39 were abandoned (31%).

Consultations from Other Institutions

Given its mandate and various responsibilities at the international level, the Department plays a key role under the Act on behalf of other institutions of the Government of Canada. Specifically, the Department consulted foreign governments and organizations on behalf of other federal government institutions when the latter needed to determine whether they could release records that originated abroad.

During the reporting period, the Department received two new consultations from other government institutions and had carried over 1 consultation from the previous reporting period. Of these 3 active requests, the Department closed 2 consultation requests having reviewed 41 pages.

Of the 2 consultation requests closed this fiscal year, 1 request was closed in 15 days or less (50%), and 1 request within 121-180 days.

Staffing

In 2022-2023, the ATIP Division had approximately 12 Full-Time Equivalent (FTE) positions working on Privacy Protection requests and Privacy Policy. This is consistent with the staffing level of the previous reporting period.

COVID-19 Impacts to Privacy Operations

In 2022-2023, Global Affairs Canada adopted the hybrid model and departmental officials were able to provide responsive records to requests made under the Privacy Act, regardless of security classification. The ATIP office remained fully operational during the fiscal year 2022-2023 reporting period, as there were no significant impacts on ATIP performance attributable to COVID-19.

Training and Awareness

The ATIP Division continues to develop tools, guidance and training to ATIP Analysts, ATIP Liaison Officers and subject matter experts across Global Affairs Canada.

Again this fiscal year, the ATIP Division benefited from its Professional Development Program (PDP), which allows the Department to train and promote its ATIP Analysts from junior (PM-01) to senior (PM-05) levels. This long-standing program continues to be very successful in addressing recruitment, retention, and succession planning issues. The majority of the employees working in the division are already part of the PDP and are eligible for promotion to the next level once they meet the required objectives. The PDP aims to build a more robust ATIP capacity within Global Affairs Canada by “growing its own”, thereby addressing the shortage of Analysts and Team Leaders across the federal ATIP community.

A small team within the division provided ATIP training to 5 Junior ATIP Analysts. The training was composed of 3 sessions that lasted up to 2 hours each session and was divided as the following:

1. The A-to-Z process of ATIA and PA requests
2. Extension and Consultations under the ATIA and PA
3. Exemptions and Exclusions under the ATIA and PA

Training was given in small sessions (1-2 employees per session), providing participants with the opportunity to speak freely and ask any questions as they arose.

Along with internal coaching, the division also participated in training for other divisions within the Department. For example, the Blended Learning Program for Administrative/Executive Assistance at Headquarters educated 37 participants on privacy awareness and gave an overview of their obligations vis-à-vis the Access to Information Act. Furthermore, ATIP training was provided to 13 participants during the Foreign Service Executive Administrative Assistants (FSEAA) onboarding program.

Additionally, the ATIP Division provided the following training modules to GAC employees:

1. ATIP for Liaison Officers
2. ATIP for Reviewing Officers

Due to GAC’s rotational employee structure, ATIP training sessions were made available upon request and attendance varied between 1 to 42 employees. During the fiscal year, a total of 67 training sessions were delivered to approximately 700 Global Affairs Canada employees. Of these presentations, 65 were delivered virtually via the use of MS Teams and 2 training sessions were delivered in person.

In addition, 171 employees successfully completed an online interactive ATIP awareness tutorial during the reporting period, which was developed in collaboration with the Canadian Foreign Service Institute (CFSI).

The Policy and Governance Team continues to offer training to all employees of Global Affairs Canada to address the specific business and operational needs of the individual groups within the department.

The Privacy Policy Team maintains an updated spreadsheet, documenting all privacy training sessions conducted within the organization throughout the fiscal year, ensuring an accurate reflection of specific topics discussed and keeping track of employees’ increasing privacy awareness. The team is also developing new privacy awareness modules which will mirror new language to be included in the modernized Privacy Act, as well as targeted training sessions in-line with GAC’s new Privacy Management Framework.

Policies, Guidelines, and Procedures

ATIP ADM Tasking

Over the fiscal year, the ATIP Division at Global Affairs Canada gradually implemented the ATIP Assistant Deputy Minister (ADM) tasking model. The division used to rely on ATIP Liaison Officers working in the Director General office (DGO) to coordinate the retrieval of relevant records in response to requests made under the Access to Information Act and Privacy Act. Before implementing the initiatives, the ATIP Division had approximately 100 ATIP Liaison Officers across Global Affairs Canada. In an attempt to better identify subject matter experts within the department, the ADM tasking model encompasses a coordination role held by an Assistant Deputy Minister office (ADMO) Liaison Officer (LO). ADMO LOs coordinate a branch-wide ATIP response to the ATIP Division and are able to monitor compliance and backlog progress directly with their responsible DGOs.

GAC is composed of 16 branches (that are ADM-led) and 13 special bureaus (that are led by a Director General and/or report directly to a Deputy Minister). In September 2022, the ATIP Division piloted 5 branches and 5 special bureaus in its ADM tasking model. Following a successful pilot phase, the division onboarded an additional 5 branches and 8 special bureaus in December 2022. In January 2023, another 3 branches joined the new model. The final implementation phase is scheduled for the 2023-2024 fiscal year, where the remaining 4 branches will join the new structure.

Since its implementation, the Department has seen an increase in on-time tasking responses of 25% and tasking backlog by about 50%, reducing overall outstanding taskings from 811 to 410 by fiscal year end.

ATIP at the Executive Committee Meeting

During the fiscal year of 2022-2023, the Corporate Secretary of Global Affairs Canada overseeing the administration of the Access to Information Act made 3 appearances at GAC’s Executive Committee (EXCO) – June 14, 2022, September 15, 2022, and March 23, 2023. During appearances at EXCO the Corporate Secretary emphasized both the requirement to respond to ATIP requests in a timely fashion and the importance of reducing the backlog of ATIP taskings. In order to meet these goals, best practices were discussed, and achievable reduction targets were imposed on GAC’s ADMOs and special bureaus.

HR Strategies

The implementation of the hybrid work model proved beneficial for the retention of staff in the ATIP Division. However, recruitment of skilled analysts, at GAC as in other government institutions, remains a challenge, especially at the Senior Analyst level. Despite the challenges, there have been recent successes having onboarded 23 new employees in the 2022-2023 fiscal year. Staffing strategies included hiring a new Deputy Director within the division to manage a range of recruitment activities, including staffing processes, multi-level advertised processes, and participation in the recruitment efforts led by ATIP Community Development Office at TBS. The division also actively utilizes its Professional Development Program resulting in the promotions of 1 Senior Analyst and 2 Privacy Analysts, as well as 7 Team Leaders and Senior Advisors at the PM-05 level through its expanded program.

These initiatives have aided in the ATIP Division’s successes in the 2022-2023 fiscal year.

Privacy Tools and Initiatives

The official launch of a privacy management framework in November 2022 marks an important milestone for GAC. This framework provides the Department with guidelines to implement effective privacy policies and procedures that comply with the latest legislative regulations. It emphasizes the need for transparency, accountability, and security in data processing, storage, and sharing. The launch of this framework is a step forward towards ensuring individuals' rights to privacy and strengthening trust between GAC and Canadian citizens.

Further to the launch, the Privacy Policy Team continues to develop various tools for advancing privacy awareness and ensuring proper privacy safeguards are in place:

• A Privacy Impact Assessment (PIA) policy was completed in March 2023 and will launch September 2024.

• A privacy handbook for employees was launched in November 2022, with the goal to provide comprehensive guidelines on privacy and data protection. The handbook covers various topics such as the collection, use, and storage of personal data, workplace monitoring, and cybersecurity measures. It also highlights the importance of complying with relevant laws and regulations and emphasizes the employee's responsibility to safeguard sensitive information. The handbook is an essential tool in raising awareness and promoting good privacy practices among employees, ensuring the protection of both personal and corporate data.

• The Department will be conducting a survey on privacy awareness and personal information handling practices for senior management (Fall 2024).

• A Data and Privacy Breach Protocol (Fall 2024).

• A Protocol for the Handling of Personal Information for Non-Administrative Purposes (Fall 2024).

• Plans are underway for the 2023-2024 review of privacy breach incidents related to passport and travel document applications received from a client at a GAC mission abroad.

The Privacy Policy Team continues to actively participate in the Department of Justice led modernization of the Privacy Act and awaits the next meetings on its development so that Global Affairs Canada’s views can be reflected within.

Initiatives and Projects to Improve Privacy

New ATIP Software

The current case management software used to process requests is becoming obsolete and will no longer be supported by the vendor in the coming years. GAC is using this opportunity to replace the legacy software and leverage new technology such as artificial intelligence to increase efficiencies in their service delivery and to better handle the large volume of ATIP requests. Deployment of the new solution is anticipated for fiscal year 2025-2026.

During the reporting period, we have started the ATIP Online Request Service to communicate responsive records through the online portal, which enables us to provide faster responses to requesters while ensuring transmittal is done in a safe and secure manner.

Summary of Key Issues and Actions Taken on Complaints

Requests for Personal Information

During fiscal year 2022-2023, 20 complaints were made to the Office of the Privacy Commissioner of Canada regarding Privacy requests to the Department. The reasons for the complaints are as follows:

Over the course of the reporting period, 9 complaints against the Department were closed. The findings on closed complaints were as follows:

All closed complaints regarding access to personal information were resolved by responding or providing additional personal information to the requesters. The ATIP Division relied on continuous and consistent follow-ups on outstanding taskings, ensuring escalation procedures are conducted in order to respond to requesters fully and close complaints.

The ATIP Division continues to operate a team dedicated to managing complaints from the Office of the Privacy Commissioner (OPC). This team serves as the primary point of contact between Global Affairs Canada and the OPC, working closely and collaboratively to strengthen relationships and improve Global Affairs Canada’s ATIP program performance.

Management of Personal Information

The Privacy Policy Team received 3 new complaints during the reporting period relating to the management of personal information. Specifically, they can be summarized as:

1. A mission’s unauthorized disclosure of personal information regarding the mandatory COVID-19 vaccination for federal employees,
2. An inadvertent disclosure where personal information of an employee was shared with the wrong recipient, and
3. An individual’s personal health information improperly disclosed to a foreign government by an employee of Global Affairs Canada.

The team closed one complaint relating to the management of personal information during the reporting period: Item 1 was closed March 10, 2023. In this instance the Office of the Privacy Commissioner sought representations from the Department, further to any steps taken since the incident to ensure the security of staff information. The Department informed the OPC that the division is not storing personal medical records of staff, including any that may have been vaccinated. The COVID vaccination was an exclusive task managed by Human Resources and that the personal health information requested had to be provided to the local government to obtain the COVID certificate required for travel. This was known to all participants. The Department also informed the OPC that the personal health information was stored on a protected drive that could only be accessed by Human Resources, while the mission had to process the information and obtain a COVID Vaccination Certificate from the local government’s Health authority. The information was subsequently removed from the mission’s drive following receipt of the complaint. Additionally, the mission has put a policy in place in the event where the office is required to collect personal information from staff, that staff will be aware of the purpose of collection and be requested to consider consenting to its collection and use.

Active Complaints Outstanding from Previous Reporting Periods

Material Privacy Breaches

During fiscal year 2022-2023, six material privacy breaches were reported to the Department. At the end of the fiscal year, six material privacy breach notifications were reported to the Treasury Board Secretariat and the Office of the Privacy Commissioner.

Material Breaches Reported to OPC and TBS 2022-2023

Privacy Impact Assessments

During the fiscal year, Global Affairs Canada finalized three Privacy Impact Assessments.

1. Canadian National Contact Point (NCP) for Responsible Business Conduct

The purpose of this Privacy Impact Assessment (PIA) is to identify and analyze the potential privacy risks associated with the collection, use, disclosure, and retention of personal information (PI) by the NCP Secretariat in relation to the changes it is making to its procedures. The NCP operates as a unit within GAC, which is named in the Schedule to the Privacy Act and is subject to the privacy policies and directives of the Treasury Board Secretariat (TBS). This PIA is the assessment of the privacy impacts associated with the NCP to fulfill the requirements of the TBS Directive on Privacy Impact Assessment, the TBS Directive on Privacy Practices and to reflect the Privacy Commissioner of Canada instrument – Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada. This PIA will assess the NCP’s complaint/Request for Review (RfR) process from the point of collection of PI through to the destruction of that PI.

The Order in Council authorizing the creation of Canada’s NCP was issued in 2000. Since that time the NCP has made substantial changes to its operations, and their alignment with the Privacy Act has been deemed a priority. The changes include adopting a de-identification model, revising its Procedures Guide, and creating an intake form and a case tracker.

In this PIA, the NCP is:

• Reviewing associated policies, framework and guidelines;
• Identifying privacy protection gaps, risks and potential mitigation strategies;
• Identifying privacy impacts resulting from the current operational environment and procedural changes; and
• Recommending mitigation strategies to eliminate, limit or reduce levels of risk.

2. Mission Emergency Plan Generator (MEPGEN)

The Mission Emergency Plan (MEP) provides Mission personnel with information and guidance on relevant emergency management policy and procedures. MEP is used for contingency planning for emergency preparedness and response to events, up to and including evacuation of staff and mission closures or relocations. The MEP incorporates planning and emergency response policies and best practices that have been used by Global Affairs Canada and its missions in responding to emergency events. The plan also incorporates mission-specific information that will assist in creating local response strategies for dealing with emergencies. In general, information is not repeated from one component of the plan to another. The MEP is supported by stand-alone contingency plans, protocols, or standard operating procedures (SOPs).

The MEP is prepared under the authority of the Head of Mission (HOM). The HOM is responsible for the entire life cycle of Mission emergency management activities. Emergency Management (EM) is the process of conducting activities, including risk management measures, that will help prepare for, prevent, mitigate, respond to, or recover from all types of emergencies. Global Affairs Canada emergency management capabilities are central to a coordinated whole of government approach to international emergency events.

The Department of Foreign Affairs, Trade and Development Act sets out the mandate to coordinate the direction given by the Government of Canada to the heads of Canada’s diplomatic and consular missions. These directions include but are not limited to mission emergency preparedness, from planning, training, emergency exercises, to MEP evaluation and improvements.

Global Affairs Canada uses and discloses personal information collected to construct MEPs for each mission as and when required. Mission Emergency Plans are stored in MEPGEN, a secure encrypted web-based system that draws key information from departmental databases to facilitate emergency planning at missions. Global Affairs is modernizing the existing legacy system for better efficiency, mission accessibility and interoperability with other GC modernized systems.

The scope of this Privacy Impact Assessment (PIA) is to review and assess the privacy protection practices and identify potential risks to the personal information collected, used, managed, disclosed, and retained by GAC while operating the Mission Emergency Plan Generator (MEPGEN) system.

The Privacy Impact Assessment is an independent process that assesses privacy protection measures, identifying potential gaps and risks to the institution. In order to protect the institution as well as the privacy rights of individuals, it offers mitigation strategies to remedy the risks found. There are limited inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the MEPGEN.

The Supreme Court of Canada has characterized the Privacy Act as "quasi-constitutional" because of the role privacy plays in the preservation of a free and democratic society. With the enactment of the Federal Accountability Act, the scope of the Privacy Act was broadened, and it now includes well over 200 government institutions. The Policy on Privacy Protection facilitates statutory and regulatory compliance, as well as enhancing effective application of the Privacy Act and its Regulations by government institutions.

There is administrative legislation such as the Federal Accountability Act, the Financial Administration Act, Access to Information Act and the Privacy Act, all designed to ensure transparency and accountability. A host of Treasury Board policies and directives related to privacy and data protection facilitates statutory and regulatory compliance with the Privacy Act as well as ensuring consistency in practices and procedures in administering the Act and Regulations across of all of government.

Throughout this assessment mitigation strategies have been offered to reduce the level of risk presented by the operational environment, however, these strategies do not eliminate the risks entirely. This assessment has resulted in the identification of a series of risks and includes detailed mitigation strategies associated with each risk. For a comprehensive list of all risks and mitigation strategies please review Section II (page 23) – Risk Area Identification and Categorization as well as Section VI (page 57) – Summary of Analysis and Recommendations of this document.

The following is a brief and limited summary of recommendations associated with key risks found through this assessment. These recommendations are part of an integrated privacy risk management approach designed to reduce the level of risk found within the operational environment.

Recommendation 1: It is recommended that GAC develop a clear policy on MEPGEN to highlight potential privacy and safeguarding practices.

Recommendation 2: It is recommended that GAC formalize retention and disposition procedures related to MEPGEN reports on all platforms. Development of MEPGEN related policy prescribing retention and disposition guidelines and expected practices is required.

3. PIA Case, Contact and Emergency Management (CCEM)

This Privacy Impact Assessment (PIA) builds on the original 2019 Case, Contact and Emergency Management (CCEM) PIA. The 2019 PIA assessed the planning and development process, and this PIA will assess the implementation and operations of the CCEM system. The 2019 PIA offers a more comprehensive coverage of select topics such as Online Appointment Booking Solution (OABS) and use of commercial cloud services, which are not updated in this PIA.

The scope of this Privacy Impact Assessment is to review and assess the privacy protection practices and identify potential risks to the personal information collected, used, managed, disclosed and retained by GAC while operating the Case, Contact and Emergency Management system (CCEM), Registration of Canadians Abroad system (ROCA) as well as the Online Appointment Booking Solution (ORV).

The Privacy Impact Assessment is an independent process that assesses privacy protection measures, identifying potential gaps and risks to the institution. In order to protect the institution as well as the privacy rights of individuals, it offers mitigation strategies to remedy the risks found. There are inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the CCEM.

The Privacy Impact Assessment is an independent process that assesses privacy protection measures, identifying potential gaps and risks to the institution. In order to protect the institution, as well as the privacy rights of individuals, it also offers mitigation strategies to remedy the risks found.

Some of the key recommendations are:

Recommendation 1: It is recommended that GAC provide privacy protection training and awareness to CCEM users on a regular basis. Also, it is important that the privacy section of the Consular Manual provide context and guidance on managing CCEM protected information on the system as well as management of the reports and data extracted from the system.

Recommendation 2: GAC has determined to proceed with the CCEM deployment process even though the system will operate with some flaws until such time they are resolved. It is recommended that the Department judiciously risk manage potential areas of vulnerability and continue with user acceptance and verification testing.

Recommendation 3: This assessment was performed during COVID restrictions, with GAC resources, especially those at missions, strained in helping Canadians with their needs. While GAC may find global deployment and training challenging in present conditions, it is recommended that the Department implement continuous user training and awareness plans. It is further recommended that the Department assess CCEM’s data quality management requirements and develop appropriate methodologies, procedures and technical solutions to assist with ongoing quality control data-assessment, reporting and data accuracy and completeness.

Recommendation 4: In order to safeguard personal information collected, retained and used, it is recommended that GAC reduce and limit the use of offline temporary templates to collect case and contact information and to be inputted by other staff into CCEM. It is recommended that the Department ensure robust training, support, and awareness opportunities for all potential and designated users of CCEM in order to avoid the use of temporary templates where possible.

The Privacy Policy Team is liaising with the web publishing team within the department to publish the PIAs summaries.

Public Interest Disclosures

Subsection 8(2) of the Privacy Act provides that “personal information under the control of a government institution may be disclosed” without consent under certain specific circumstances.

During fiscal year 2022-2023, the Department made a total of 103 disclosures pursuant to subsection 8(2)(m) of the Privacy Act. In 20 cases, the Department determined that the public interest in disclosing personal information clearly outweighed any invasion of privacy that could result. All other disclosures were determined to clearly benefit the individual to whom the information related.

Disclosures pursuant to subparagraph 8(2)(m)(i):

• 20 disclosures were made in the interest of public safety.

Disclosures pursuant to subparagraph 8(2)(m)(ii):

• 10 disclosures were made to notify the relevant authorities of an individual’s detainment and arrest abroad.
• 6 disclosures were made to a family member on compassionate grounds.
• 1 disclosure was made to a family member as subject was missing abroad.
• 3 disclosures were made in the interest of fairness related to legal matters.
• 16 disclosures were related to advising local authorities, or agencies regarding child welfare cases.
• 3 disclosures were made to the local authorities to conduct a wellness check, and
• 44 disclosures were made to either the family, friend, doctor, or legal counsel of an individual requiring medical assistance.

In all instances notification to the Privacy Commissioner occurred after disclosure.

Monitoring Compliance

Ongoing Reporting

The ATIP Division prepares and distributes a weekly statistics report to management that tracks the number of requests that were received and closed, as well as any emerging trends and performance statistics. The report also allows for comparison of workload and completion rates in relation to the previous year in order to identify changes in ATIP processing.

Additionally, an active tasking report is generated and posted to the intranet weekly to identify all current active taskings within the Department. This report is available for all offices of primary interest (OPIs) to view and lists all open taskings by bureau, highlighting late files.

New this fiscal year is the process of having the Director General and Corporate Secretary overseeing the administration of the Access to Information and Privacy Acts, send the ATIP Twice Monthly Performance Report to Deputy Ministers, Assistant Deputy Ministers, and Directors General, outlining the number of active taskings and compliance within each of the branches/special bureaus. The intent of this procedure is to sensitize senior management to the backlog of active taskings, thereby increasing compliance.

Limiting Inter-institutional Consultations

During the reporting period, the ATIP Division monitored superfluous inter-institutional consultations by having experienced ATIP Team Leaders oversee the relevant records before they were sent out for consultation. By doing so, ATIP Team Leaders were able to reduce the number of consultations sent to the other Government of Canada institutions and other organizations outside the Government of Canada, reducing the amount of time to process requests and not overburdening other departments with unnecessary consultations.

Frequently Requested Types of Information

Throughout fiscal year 2022-2023, GAC did not monitor or review frequently requested types of information for the purpose of making the information available by other means.

Privacy Protection in Contracting

In reviewing contracts, the Privacy Policy group provides privacy clauses that are written to call out privacy protections and regulatory requirements within the statement of work and then mapped to service-level agreements to ensure there are no questions concerning data privacy responsibilities, breach response, incident response, media press releases on breaches, and other considerations, as if the vendor were part of the organization.

As per the information sharing agreements, the Privacy Policy group ensure privacy protection assisted by the TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information.

Annex A: Designation Order

Annex B: Global Affairs Canada 2022-2023 Statistical Report

Statistical Report on the Privacy Act

Name of institution: Global Affairs Canada

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

1.2 Channels of requests

Section 2: Informal Requests

2.1 Number of informal requests

2.2 Channels of informal requests

2.3 Completion time of informal requests

2.4 Pages released informally

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

3.2 Exemptions

3.3 Exclusions

3.4 Format of information released

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests

3.5.3 Relevant minutes processed and disclosed for audio formats

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

3.5.5 Relevant minutes processed and disclosed for video formats

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

3.5.7 Other complexities

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

• Number of requests closed within legislated timelines: 65
• Percentage of requests closed within legislated timelines (%): 52.41935484

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

3.7.2 Request closed beyond legislated timelines (including any extension taken)

3.8 Requests for translation

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for Correction of Personal Information and Notations

Section 6: Extensions

6.1 Reasons for extensions

6.2 Length of extensions

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

8.2 Requests with Privy Council Office

Section 9: Complaints and Investigations Notices Received

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

• Number of PIAs completed: 3
• Number of PIAs modified: 0

10.2 Institution-specific and Central Personal Information Banks

Section 11: Privacy Breaches

11.1 Material Privacy Breaches Reported

• Number of material privacy breaches reported to TBS: 6
• Number of material privacy breaches reported to OPC: 6

11.2 Non-Material Privacy Breaches

• Number of non-material privacy breaches: 3

Section 12: Resources Related to the Privacy Act

12.1 Allocated Costs

12.2 Human Resources

Annex C: Global Affairs Canada 2022-2023 Supplemental Statistical Report

Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Name of institution: Global Affairs Canada

Reporting period: 2022-04-01 to 2023-03-31

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

1.1  Enter the number of weeks your institution was able to receive ATIP requests through the different channels.

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1  Enter the number of weeks your institution was able to process paper records in different classification levels.

2.2  Enter the number of weeks your institution was able to process electronic records in different classification levels.

Section 3: Open Requests and Complaints Under the Access to Information Act

3.1  Enter the number of open requests that are outstanding from previous reporting periods.

3.2  Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.

Section 4: Open Requests and Complaints Under the Privacy Act

4.1  Enter the number of open requests that are outstanding from previous reporting periods.

4.2  Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Section 5: Social Insurance Number

5.1  Has your institution begun a new collection or a new consistent use of the SIN in 2022-2023? No

Section 6: Universal Access under the Privacy Act

6.1  How many requests were received from confirmed foreign nationals outside of Canada in 2022-2023? 0