Annual Report to Parliament 2014-2015 – Privacy Act

Annual Report to Parliament 2014‑2015 - Privacy Act (PDF, 1,219 KB)

I. Introduction

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals and that provide individuals with a right of access to personal information about themselves. The federal Privacy Act regulates the collection, use and disclosure of personal information held by federal institutions including the National Research Council Canada (NRC).

In accordance with Section 72 of the Privacy Act, this thirty-first Annual Report on the administration of the Privacy Act at NRC describes how NRC discharged its responsibilities in relation to the Act in the fiscal year 2014-2015. The Annual Report is to be tabled in Parliament in accordance with section 72 of the Privacy Act.

Mandate of the National Research Council of Canada

The National Research Council of Canada (NRC) is an agency of the Government of Canada established in 1916. As stated in the NRC Act, the agency is responsible for:

  • Undertaking, assisting or promoting scientific and industrial research in different fields of importance to Canada;
  • Establishing, operating and maintaining a national science library;
  • Publishing and selling or otherwise distributing such scientific and technical information as the Council deems necessary;
  • Investigating standards and methods of measurement;
  • Working on the standardization and certification of scientific and technical apparatus and instruments and materials used or usable by Canadian industry;
  • Operating and administering any astronomical observatories established or maintained by the Government of Canada;
  • Administering NRC's research and development activities, including contributions used to support a number of international activities;
  • Providing vital scientific and technological services to the research and industrial communities.

II. Organizational Structure

From 1 April 2014 to 19 August 2014, the NRC President delegated the responsibilities associated with the administration of the Privacy Act to the Executive Vice President and Secretary General and to the Director, Corporate Governance. Partial authority was delegated to the Access to Information and Privacy (ATIP) Coordinator.

The delegation of authority changed as of 20 August 2014. The President delegated full authority for the application and administration of the Privacy Act to the Director General, Knowledge Management and to the Director, Information Management Services Directorate. The ATIP Coordinator's authority remained the same.

A detailed signed Delegation Order can be found at Annex A.
During the period covered by this report, the NRC Access to Information and Privacy (ATIP) office was part of NRC Knowledge Management Branch (NRC-KM).

In 2014-2015, the NRC ATIP office was comprised of one part-time Coordinator, one senior ATIP Officer and two junior ATIP Officers (one full-time and one part-time).

The NRC ATIP office works closely with the NRC Records Management, NRC Industrial Research Assistance Program ATIP liaison officer, Executive Advisors, NRC Communications Branch and senior management across the organization.

Procedures are in place to process all formal Privacy requests in accordance with the Privacy Act..

The ATIP office is responsible for the coordination and implementation of policies, guidelines and procedures to ensure the organization's compliance with the Privacy Act. To that end, the office provides the following services to the organization:

  • Promotes awareness of the Privacy Act within the organization
  • Processes and manages Privacy requests and complaints
  • Manages the relevant electronic management system
  • Responds to access-related matters in the Management Accountability Framework
  • Processes consultations received from other institutions
  • Provides advice and guidance to employees and senior officials on Privacy-related matters
  • Prepares an Annual Report to Parliament
  • Coordinates updates to the Info Source publications
  • Reviews departmental documents (such as audit and evaluation reports prior to their proactive disclosure on the organization's website), Parliamentary Questions and Harassment Reports
  • Develops internal procedures
  • Participates in forums for the ATIP community, such as the Treasury Board Secretariat ATIP Community meetings and working groups.

The ATIP Office is also responsible for the implementation of any new Treasury Board Secretariat (TBS) directives.

III. Interpretation of Statistical Report

Annex B provides a summarized statistical report on the privacy requests received and processed by the National Research Council from 1 April 2014 to 31 March 2015. This section provides an interpretation of the statistical report.

During the fiscal year, NRC received eleven (11) new privacy requests. One (1) request was outstanding from the previous fiscal year for a total of twelve (12) privacy requests to process in this fiscal year. During this reporting period, NRC completed the processing of a total of ten (10) privacy requests. Two (2) requests were carried forward into 2015-2016.
The figures, as reflected in the chart below, indicate the number of requests received and processed over the past three years. The figures do not reflect requests processed informally or other queries that have been received in the ATIP office.

Number of requests received and processed

Number of requests received and processed. Long description follows.
Long description of the number of requests received and processed
2012‑2013 2013‑2014 2014‑2015
received 15 11 11
completed 14 12 10
carried forward 2 1 2

The trends indicate that the number of privacy requests received is the same as last fiscal year.

As per the grid below, the number of pages that had to be reviewed by the ATIP Unit has dramatically decreased. However, the complexity of the requests has significantly increased mainly due to the way the requests are written. The ATIP Unit is required to retrieve the records from many levels of the organization including individual employees and operating units. In consequence, the analysts have to go through a large amount of paper which often consists of duplicates and email chains. The ATIP Office will continue to reinforce the training on email best practices across NRC to resolve this particular issue.

Pages processed

Pages processed. Long description follows.
Long description for pages processed
Pages processed
2012‑2013 2,582
2013‑2014 15,715
2015‑2015 1,740

Section 15 of the Privacy Act allows institutions to extend the legal deadline for processing a request. NRC invoked an extension in two (2) cases. Meeting the original time limit of thirty days would have unreasonably interfered with the operations of the organization.

In summary, out of the ten (10) requests, seven (7) were completed within 30 days or less, two (2) took between 31 and 60 days to complete and one (1) request took between 61 and 120 days to complete.

The exemptions section of the Statistical Report is intended to identify the number of requests in cases where specific types of exemptions were invoked. NRC invoked exemptions pursuant to section 26 of the Privacy Act. Section 26 (information about another individual) was applied in three (3) cases.

Within the context of its overall roles and responsibilities, NRC's ATIP office reviewed a total of one hundred sixty-one (161) parliamentary questions received for the period of 1 April 2014 to 31 March 2015, compared to seventy-six (76) in 2013‑2014 and eighty-six (86) in 2012‑2014.

Parliamentary Questions

Parliamentary Questions. Long description follows.
Long description for Parliamentary Questions
Pages processed
2012‑2013 86
2013‑2014 76
2014‑2015 161

There is no request for correction of personal information to be reported for the 2014-2015 period.

The annual statistical report for the fiscal year 2014-2015 is included at the end of this chapter, as Annex BFootnote 1.

IV. Privacy‑related Training and Education

The ATIP office is committed to providing ongoing development and training to NRC's employees. Six training sessions were offered during the fiscal year:

Date Topic Number of Attendees
22 April 2014 ATIP general function training 10
23 April 2014 ATIP general function training 20
15 May 2014 ATIP at the NRC 12
23 October 2014 Basics of the Acts, processes, legislative requirements and best practices 15
12 January 2015 OPIs and their roles 8
21 January 2015 Information Management and ATIP at NRC 27

All training sessions included information on the access to information legislation which has been accounted for in the Access to Information Act annual report.

ATIP tools are available on NRC external and internal websites.

ATIP employees continually work to sensitize and guide employees, third parties and requesters regarding the requirements of the Privacy Act by means of ongoing dialogue. During the reporting period, ATIP Coordinator and Officers responded to inquiries from colleagues, providing advice and guidance on various subjects pertaining to Privacy legislation.

Throughout the fiscal year, the ATIP Coordinator and Officers attended ATIP community meetings and different training sessions offered by Treasury Board Secretariat.

V. Procedures, Guidelines and Directives

On July 29, 2014, the Chief Information Officer for the Government of Canada issued a public statement saying that: "Recently, the Government of Canada, through the work of the Communications Security Establishment (CSE), detected and confirmed a cyber intrusion on the IT infrastructure of the National Research Council of Canada by a highly sophisticated Chinese state-sponsored actor." The statement added that the Government had, in response, isolated NRC's IT infrastructure and separated it from the broader Government of Canada network as a precautionary measure. NRC officials stated at that time that NRC had received confirmation of the intrusion earlier in the month (July 2014) and that it had worked with its security and other government partners in the following days to determine the nature and scope of the intrusion and to identify the best means of countering it. The Offices of the Privacy Commissioner of Canada and the Information Commissioner of Canada were contacted immediately thereafter to share information on the event as it related to the administration of the Access to Information and Privacy (ATIP) Acts.

Over the following months, the NRC ATIP Office itself committed itself to the following:

  • Monitoring activity pursuant to the cyber intrusion with respect to any inappropriate access to personal and other sensitive information;
  • Placing a priority on  the early restoration of NRC's capacity to meet the requirements of the ATIP Acts, both in terms of access to data and files and in restoring of software tools and networks;
  • Seeking opportunities to participate in and contribute to the development of an information security culture at NRC through the development of training and other engagement activities around the deployment of a new NRC IT infrastructure and security systems.

With the completion of the previously announced (1 April 2014) transfer of the ATIP function from the NRC Secretary General's Office (NRC-SGO) to the NRC Knowledge Management (NRC-KM) Branch in September 2014, the stage was set for a more robust integration of ATIP considerations with planning, training, records management, and information security strategies at NRC. This situation will ensure that the NRC ATIP Office has the means to input directly into the above processes and to draw on resources related to issues raised by the cyber intrusion and its aftermath.

Due to the cyber intrusion, some delays occurred in the posting of the ATIP Annual Reports and the revision of its InfoSource Chapter on its website.

VI. Privacy Complaints

During this fiscal year, NRC received one (1) complaint for file P2014-0006. The requester complained about the application of section 26 (information about another individual).

VII. Monitoring of Privacy Requests

In keeping with TBS policies and directives, the ATIP Office has established internal ATIP procedures and business practices to ensure the efficient and timely processing of privacy requests, while making every effort to assist applicants in the most expeditious manner without regard to their identity.

The Access to Information and Privacy Office had, in previous years, a tracking system that kept track of both the active and closed requests. This system was designed to follow the legislative deadlines. Interim internal procedures were implemented due to the cyber intrusion on the NRC IT infrastructure. An alternate operational system was put in place while pending the recovery of the tracking database.

The ATIP Office holds weekly meetings to discuss file activities, determine timelines and for ensuring all team members are informed of status of files. This is further an opportunity to share other ATIP business and to inform departmental officials on ATIP business.

A report of active ATIP files (while maintaining the privacy requestors' identity) is shared with the NRC Communications Branch on a weekly basis and a bi-weekly more detailed report is provided to delegated authorities.

VIII. Material Privacy Breaches

There is no material privacy breach to report for fiscal year 2014-2015.

IX. Privacy Impact Assessment Activities

During this fiscal year, NRC did not complete any PIA.

X. Section 8(2)(m) Disclosures

Paragraph 8(2)(m) allows for the disclosure of personal information when the public interest clearly outweighs any invasion of privacy or when the disclosure would benefit the individual. There were no disclosures pursuant to paragraph 8(2)(m) for the 2014-2015 period.

Footnotes

Footnote 1

The accompanying Statistical Tables do not always present data reflecting the total number of requests as they often focus on specific subsets such as the cases that involve exclusions and exemptions; that report only on closed requests; that report only on requests involving consultations and extensions; or that list requests involving the disclosure of all documents or a partial disclosure. Other differences between totals are due to reports that exclude cases where no records exist or where a request is abandoned.

Return to footnote 1 referrer

Annex A: Delegation Order

Access to Information and Privacy Acts Delegation Order

The President of the National Research Council of Canada, pursuant to section 73 of the Access to Information Act and the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the person occupying on an acting basis the position, to exercise the powers and functions of the President as the head of a government institution, under the section of the Acts set out in the schedule opposite each position. This Designation Order supersedes all previous designation orders.

Schedule

Position Access to Information Act
and Regulations
Privacy Act and Regulations
Director General, Knowledge Management Full authority Full authority
Director, Information Management Services Directorate Full authority Full authority
Access to Information and Privacy Coordinator Sections 7(a), 8(1), 9, 11(2) to (6), 12(2)(3), 26, 27(1) and (4), 29(1), 33, 37(4), 43(1), 44(2) Section 8(2)(j), 8(4), 8(5), 9(1), 9(4), 10, 14, 15, 17(2)(b), 18(2), 31, 35(1), 35(4), 36(3), 37(3), 51(2)(b)

Dated, at the City of Ottawa
20 August 2014

John R. McDougall, ing.,
President of the National Research Council of Canada

Annex B: Statistical Report on the Privacy Act

Name of institution: National Research Council Canada

Reporting period: 2014-04-01 to 2015-03-31

Part 1 - Requests under the Privacy Act

Number
of Requests
Received during reporting period 11
Outstanding from previous reporting period 1
Total 12
Closed during reporting period 10
Carried over to next reporting period 2

Part 2 – Requests Closed During the Reporting Period

2.1 Disposition and completion time

Completion Time
Disposition of requests 1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than 365
days
Total
All disclosed 0 2 0 0 0 0 0 2
Disclosed in part 0 2 2 1 0 0 0 5
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 3 0 0 0 0 0 0 3
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 3 4 2 1 0 0 0 10

2.2 Exemptions

Section Number
of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 3
27 0
28 0

2.3 Exclusions

Section Number
of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

2.4 Format of information released

Disposition Paper Electronic Other formats
All disclosed 2 0 0
Disclosed in part 5 0 0
Total 7 0 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Disposition of Requests Number of
Pages Processed
Number of
Pages Disclosed
Number of
Requests
All disclosed 67 67 2
Disclosed in part 1673 1671 5
All exempted 0 0 0
All excluded 0 0 0
Request abandoned 0 0 0
Neither confirmed or denied 0 0 0
Total 1740 1738 7
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less Than 100 Pages Processed 101‑500 Pages Processed 501‑1000 Pages Processed 1001‑5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 2 67 0 0 0 0 0 0 0 0
Disclosed in part 0 0 4 1129 1 542 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed or denied 0 0 0 0 0 0 0 0 0 0
Total 2 67 4 1129 1 542 0 0 0 0
2.5.3 Other complexities
Disposition Consultation
Required
Legal Advice
Sought
Interwoven
Information
Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed or denied 0 0 0 0 0
Total 0 0 0 0 0

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline
Number of Requests
Closed Past the
Statutory Deadline
Principal Reason
Workload External Consultation Internal Consultation Other
3 3 0 0 0
2.6.2 Number of days past deadline
Number of Days Past
Deadline
Number of Requests
Past Deadline Where
No Extension Was Taken
Number of Requests
past Deadline Where
An Extension Was Taken
Total
1 to 15 days 1 0 1
16 to 30 days 0 1 1
31 to 60 days 0 1 1
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
More than 365 days 0 0 0
Total 1 2 3

2.7 Requests for translation

Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Part 3 – Disclosures under subsection 8(2)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Part 4 – Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Part 5 – Extensions

5.1 Reasons for extensions and disposition of requests

Disposition of Requests Where an Extension Was Taken 15(a)(i)
Interference With Operations
15(a)(ii) Consultation 15(b)
Translation or Conversion
Other
All disclosed 0 0 0 0
Disclosed in part 2 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
No records exist 0 0 0 0
Request abandoned 0 0 0 0
Total 2 0 0 0

5.2 Length of extensions

Length of Extensions 15(a)(i)
Interference with operations
15(a)(ii)
Consultation
15(b)
Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 2 0 0 0
Total 2 0 0 0

Part 6 – Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and organizations

Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Pending at the end of the reporting period 0 0 0 0

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

6.3 Recommendations and completion time for consultations received from other organizations

Recommendation Number of days required to complete consultation requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
all excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7 – Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

Number of Days Fewer Than 100 Pages Processed 101‑500 Pages Processed 501‑1000 Pages Processed 1001‑5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

7.2 Requests with Privy Council Office

Number of Days Fewer Than 100 Pages
Processed
101‑500 Pages
Processed
501‑1000 Pages
Processed
1001‑5000 Pages
Processed
More than 5000 Pages
Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8 – Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Amount
1 0 0 0 0

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s) completed 0

Part 10: Resources Related to the Privacy Act

10.1 Costs

Expenditures Amount
Salaries $52,889
Overtime $0
Good and Services $9,070
Professional services contracts $0
Other $9,070
Total $61,959

10.2 Human Resources

Resources Person Years Dedicated
to Privacy Activities
Full-time employees 0.50
Part-time and casual employees 0.50
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 1.0
Date modified: