ARCHIVED - Annual Report to Parliament 2008-2009 - Privacy Act
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Table of Contents
- Download this document in PDF format (3.26 MB)
- National Research Council of Canada - Mandate
- Delegation of Authority
- Organizational Structure
- Interpretation of Statistical Report
- Privacy Impact Assessment Activities
- Data Matching and Data Sharing
- Privacy-Related Training and Education
- Section 8(2) Disclosures
- Organizational Changes
- Privacy Complaints
- MAF and Info Source Commentary
- Annex A: Delegation Order
- Annex B: Statistical Report
The purpose of the Privacy Act is "to extend the present laws of Canada that protect the privacy of individuals and that provide individuals with a right of access to personal information about themselves." The federal Privacy Act regulates the collection, use and disclosure of personal information held by NRC.
In accordance with Section 72 of the Privacy Act, this twenty-fifth Annual Report on the administration of the Privacy Act at the National Research Council of Canada (NRC) describes how NRC discharged its responsibilities in relation to the Act in the fiscal year 2008-2009.
The National Research Council of Canada (NRC) is an agency of the Government of Canada established in 1916 under the NRC Act. Its mandate is to help build an innovative, knowledge-based economy for Canada through research and development, technology commercialization and industry support.
As stated in the NRC Act, the agency is responsible for: undertaking, assisting or promoting scientific and industrial research in different fields of importance to Canada; establishing, operating and maintaining a national science library; publishing and selling or otherwise distributing such scientific and technical information as the Council deems necessary; investigating standards and methods of measurement; working on the standardization and certification of scientific and technical apparatus and instruments and materials used or usable by Canadian industry; operating and administering any astronomical observatories established or maintained by the Government of Canada; administering NRC's research and development activities, including contributions used to support a number of international activities; and providing vital scientific and technological services to the research and industrial communities.
The President has delegated the responsibilities associated with the administration of the Privacy Act to the Secretary General of NRC. As a result, the Access to Information and Privacy (ATIP) forms part of the Secretary General’s Office (SGO). Operational responsibility for the application of the Act has been delegated to the Access to Information and Privacy Coordinator.
A detailed signed Delegation Order can be found at Annex A.
The Secretary General is overall responsible for ensuring that NRC’s policies, procedures and practices are compliant with the application and administration of the Privacy Act. As shown in the Delegation Order, the Secretary General has delegated some of her authority to the Access to Information and Privacy Coordinator. The ATIP Unit is responsible for the coordination and implementation of policies, guidelines and procedures to ensure the organization’s compliance with the Privacy Act. The Unit also provides the following services to the organization:
- Promote awareness of the Privacy Act within the Department
- Processes privacy requests and privacy complaints
- Provides advice and guidance to employees and senior officials on Privacy related matters
- Prepares an Annual Report to Parliament
- Responds to the SGO on the privacy related matters mentioned in the Management Accountability Framework
- Coordinates and implements updates to Info Source
- Administers Preliminary Privacy Impact Assessments
- Manages the electronic management system
- Develops internal procedures
- Participates in forums for the ATIP Community, such as the Treasury Board Secretariat ATIP Community Meetings, Training and Annual Meetings.
The ATIP Unit is comprised of a full-time Coordinator and a full-time Officer. During the 2008-2009 fiscal year, the ATIP Unit went through a transitional period during which there was a shortage of staff. To address the transitional gap in the organization during that period, NRC engaged the services of a consultant on a casual basis to assist with the processing of the voluminous privacy requests.
Annex B provides a summarized statistical report on the privacy requests received and processed by National Research Council from 1 April 2008 to 31 March 2009. This section provides an interpretation of the statistical report.
During the fiscal year, NRC received eight (8) new privacy requests. Five requests (5) were carried forward from the previous fiscal year. In spite of the significant increase in volume and complexity of the requests received, NRC completed the processing of a total of twelve (12) privacy requests during this reporting period. One (1) request was carried over into the next fiscal year.
Section 15 of the Privacy Act allows institutions to extend the legal deadline for processing a request. NRC invoked extensions in the case of five (5) of the twelve (12) requests. Meeting the original time limit of thirty days would have unreasonably interfered with the operations of the organization. The high volume of records along with the shortage of staff in the ATIP Unit affected the performance in meeting statutory deadlines for responding within the 30-day extension. In summary, out of the twelve requests, four took between 31 to 60 days and four between 61 to 120 days to complete.
The exemptions invoked were pursuant to sections 22(1) (b), 26 and 27 of the Privacy Act. Section 22 was applied three times. Section 26 was applied seven times while section 27 was applied twice.
The figures, as reflected in the chart below, indicate a fluctuation in the number of requests received and processed over the past three years. The figures do not reflect requests processed informally or other queries that have been received in the ATIP Office. NRC does expect that privacy requests and queries concerning privacy-related matters will continue to represent a significant portion of the workload.
There were no privacy impact assessments or preliminary impact assessments undertaken during the year.
There were no data matching or data sharing activities undertaken in 2008-2009.
The ATIP Unit is committed to ongoing development and training. This year, the ATIP Officer participated in training sessions organized by the Treasury Board Secretariat (TBS) for instance, sessions on Parliamentary Reporting Requirements and Privacy Impact Assessments. Both the ATIP Coordinator and ATIP Officer participated in TBS ATIP community meetings.
During the fiscal year, the ATIP Unit continued to provide information and advice to NRC directors, managers and staff, on an on-going basis. In particular, the ATIP Coordinator delivered a privacy awareness session to a group of seventeen Hiring Advisors within the Human Resources Branch. Another session on the privacy legislation was delivered in the context of a two-day orientation session for new Managers at NRC. Eleven participants were in attendance. Both of these sessions included information on the access to information legislation which has been accounted for in the Access to Information Act annual report.
The ATIP Unit is working with the staff of Treasury Board to capture the information necessary to satisfy the requirements identified in the Management Accountability Framework, specifically with regards to restructuring of the Info Source Chapter including personal information banks. Additional information on this subject is provided in the final commentary on page 7.
There was no disclosure made to a Federal Government Department pursuant to section 8(2) of the Privacy Act.
In 2008-2009, NRC introduced a new organizational structure that established three new senior executive positions, Vice-President Human Resources, Vice-President Corporate Management & Chief Financial Officer (CFO) and an expanded portfolio under the Secretary General. Under the new role of Vice-President Corporate Management & CFO, the areas of business relate to asset management and include Finance Branch, the Information Management Services Branch and Administrative Services and Property Management. The Corporate Communications and Relations Branch and the Strategy and Development Branch will be transferred to the Secretary General’s Portfolio.
During the fiscal year, NRC received one privacy complaint. The requestor complained about the exemptions that were invoked by NRC. The investigation is ongoing.
This section addresses the challenges confronted by ATIP in relation to the Management Accountability Framework (MAF) and Info Source. Working solutions to these matters are also included in this section. For a small ATIP Office comprised of only one or two employees, the task of coordinating and completing all mandatory legislative requirements and obligations can become a considerable challenge. As a way of strengthening support, NRC consults and routinely meets with the staff of other small ATIP Offices to find common solutions to the increasing complexity of files and reporting demands.
The Management Accountability Framework provides a clear evaluation of the areas within ATIP that require improvements. However, as Info Source moves towards a more integrated model over a five-year phase, it seems unreasonable for TBS to continue to assess Info Source submissions as part of the MAF review. It would appear more advantageous to postpone the assessment of Info Source until a clear and concise model is provided to all government stakeholders. Despite the approach taken by TBS, NRC is committed to working closely with their staff to capture the information necessary to satisfy the requirements identified in the MAF.
NRC has developed a four-phased approach to restructure its entire Info Source Chapter based on the recent TBS directives. The first phase involves reworking the organizational structure based on the Program Activity Architecture (PAA). The second phase involves the integration of the classes of records and personal information banks according to the sub activities, as identified in the PAA. The third phase involves developing a collaborative process to elaborate the classes of records, descriptions and types. Further, this phase includes analyzing and addressing information gaps to strengthen the sub-activity based approach and to ensure TBS compliance. The fourth phase involves a close review of the personal information banks and assurance that the personal information collected, used and disclosed by NRC is identified in the information holdings. To assist in the first phase, the services of a casual employee have been engaged for a few months. NRC expects to have completed this four-phased approach within the next two to three fiscal years.
We anticipate that this new integrated model for Info Source will become a more effective and comprehensive tool for Canadians. Furthermore it will assist NRC in ensuring the quality and integrity of the collection, use and disclosure of personal information.
Access to Information and Privacy Acts Delegation Order (PDF version)
Report on the Privacy Act (PDF version)
- Date modified: