Annual Report to Parliament 2023-2024: Privacy Act

PDF Version

Information contained in this publication or product may be reproduced, in part or in whole, and by any means, for personal or public non-commercial purposes, without charge or further permission, unless otherwise specified.

You are asked to:

Commercial reproduction and distribution is prohibited except with written permission from the Department of Justice Canada. For more information, please contact the Department of Justice Canada at: www.justice.gc.ca.

© His Majesty the King in Right of Canada, represented by the Minister of Justice and Attorney General of Canada, 2024.

Table of Contents

Introduction

We are pleased to table the Annual Report to Parliament on the administration of the Privacy Act (the Act) for fiscal year 2023-2024, as required under Section 72 of the Act.

A word from the Director

This past year has been one of transition, innovation, change, and careful consideration. We launched a multi-phased modernization of our Access to Information and Privacy (ATIP) Office to position ourselves to meet the growing, challenging and evolving current and future demands and expectations of our stakeholders for years to come.

Phase 1 of our modernization plan focused on people and service delivery as well as putting in place the building blocks for Phase 2 which will capitalize on the integration of emerging new technologies like the ATIPXpress case management system and innovative new practices such as collaborating with the Department’s Paralegal Services Centre and making use of the Department’s litigation management tool to assist with responding to complex and voluminous ATIP requests.

This report provides a comprehensive summary of our accomplishments and implementation of Phase 1 of our ATIP modernization journey. Through all of this, our priority continues to be our commitment to the public in granting access to information while safeguarding their personal data.

We look forward to the future with great enthusiasm as we are excited about the positive impact this modernization has already had and will continue to have in the years to come.

Purpose of the Privacy Act

The Act was proclaimed into force on July 1, 1983.

The Act extends to individuals the right of access to information about themselves held by the Government, subject to specific and limited exceptions. The Act also protects individuals’ privacy by preventing others from having access to their personal information and gives individuals substantial control over the collection, use, and disclosure by the federal government of such information. Section 72 of the Act requires that the head of every government institution prepare for submission to Parliament an annual report on the administration of the Act within the institution during each financial year. 

This 41st Annual Report on the administration of the Act is intended to describe how the Department of Justice (hereinafter referred to as “the Department”) administered its responsibilities during fiscal year 2023-24 (hereinafter “during the reporting period”).

Mandate of the Department of Justice

The Department of Justice has the mandate to support the dual roles of the Minister of Justice and the Attorney General of Canada.

The Department supports the Minister of Justice in his responsibilities for 49 statutes and areas of federal law by ensuring a bilingual and bijural national legal framework principally within the following domains: criminal justice (including youth criminal justice), family justice, access to justice, Indigenous justice, public law and private international law.

The Department also supports the Attorney General as the Chief Law Officer of the Crown, both in terms of the ongoing operations of government and of the development of new policies, programs, and services for Canadians. The Department provides legal advice to the Government and federal government departments and agencies, represents the Crown in civil litigation and before administrative tribunals, drafts legislation and responds to the legal needs of federal departments and agencies.

Launching the Modernization of ATIP at the Department

During the first phase of our modernization strategy, we focused on improving the ATIP Office’s collaboration with all Offices of Primary Interest (OPIs), liaison officers as well as analysts within the ATIP Office to ensure they are well supported and have the tools required to meet the growing challenges of the ATIP practice.

Our goal is to build a more effective internal process framework for handling ATIP requests that will increase agility and effectiveness at all steps in the treatment of requests by using new technology, such as ATIPXpress, while also enhancing our internal practices to enable effective collaboration and cooperation among all stakeholders.

Text version

Key achievements 2023-2024

April: Spring FSWEP Recruitment Process

May: TBS Notice on Indigenous Cultural Sensitivity

June: Update to Departmental Training Resources

July: Release of Preliminary Privacy Impact Assessment Tool

September: AMA Session on Open Government & IM

October: ATIPXpress Interdepartmental Working Group

November: Attended 2023 CAPA Conference

December: Updated Internal Breach Protocol

January: Data Privacy Week 2024 at JUS

February: Winter Student Recruitment and Career Fair

March: Updated Internal Privacy Breach Form & Tools

Privacy Projects & Updates

The Privacy team focused throughout the fiscal year on developing and providing more useful tools and guidance resources for their OPIs. The team also increased their visibility and promoted their service offerings in the Department through awareness campaigns on privacy practices and risks by delivering training sessions and communicating latest developments via branch newsletters and departmental communications channels.

Our Privacy Policy Unit is also proactively monitoring recent developments to implement them into our own processes as well as contributing to the development of Privacy Act amendments by sharing our experiences and suggestions for future amendments.

Preliminary Privacy Assessment

In July, the ATIP Office introduced a new Preliminary Privacy Assessment for internal use. The tool is used by program areas and the Privacy team to better streamline incoming requests and privacy advice. The assessment assists with the identification of potential risks and concerns with a program, initiative or tool and determines whether further processes such as a Privacy Impact Assessment or Privacy Protocol may be required.

Managing Privacy Breaches

The Privacy team performed various policy updates on managing privacy breaches.

In March 2024, the Treasury Board Secretariat (TBS) officially released its updates to the Directive on Privacy Practices, Appendix B: Mandatory Procedures for Privacy Breaches, as well as updates to the Privacy Breach Management Toolkit. These updates include new required information to be provided to TBS and the Office of the Privacy Commissioner (OPC) when reporting material privacy breaches. It also prescribes a new mandatory Privacy Act Material Breach Reporting form.

The ATIP Office and Privacy Policy Unit updated their internal breach forms to reflect the new changes required by the TBS’s updates in order to provide greater consistency and data, and ultimately, allow for better responses to privacy breaches.

Our internal Privacy Breach Protocol was also updated in December 2023 to reflect responsibilities of employees and provide them guidance on preventing and handling privacy breaches. It is the Department’s adaptation of the Guidelines for Privacy Breaches prepared by the TBS.

Three additional internal policies related to privacy are currently under development by the ATIP Office’s Privacy Policy Unit and are set to be released in the 2024-2025 fiscal year.

Tracking Privacy Files

The Privacy team updated its internal tracking procedures for privacy-related requests and initiatives. Throughout the 2023-2024 fiscal year, the team conducted and closed 112 privacy advice files (i.e., surveys, advice, notice statements) and 18 Preliminary Privacy Assessments.

Outreach & Collaboration

Consulting with stakeholders

In partnership with the Change Management and Business Transformation (CMBT) team, we undertook extensive consultations with stakeholders to better identify their needs and to chart a way forward to find efficiencies in service delivery while also focusing on employee morale and well-being. CMBT conducted a series of one on one and group sessions with ATIP Office employees and OPIs. The sessions led by CMBT helped provide an understanding of the underlying issues and concerns to be addressed through the modernization of the ATIP Office.

These sessions led us to identify several topics and areas for wellness training to assist ATIP Office staff. These sessions have been scheduled over the course of 2024-2025.

Currently, the ATIP Office is actively working to improve communications as well as professional relationships amongst all OPIs, liaison officers, and analysts within the ATIP Office. To accomplish this goal, the ATIP Office began by creating a series of outreach and education sessions aimed at clients to open communication lines for feedback and to bolster our collective understanding of roles and responsibilities.

For example, in September, the ATIP Office hosted an Ask Me Anything: Open Government, Information Management session and ATIP session. This event focused on fostering proper information management practices, such as Open by Default and the new Standard on Managing Digital Information in the Digital Workspace (DW) and the LEX legal case management system, while also supporting open government, access to information and privacy principles such as transparency and collaboration. This event offered Department of Justice employees the opportunity to have their privacy and access-to-information-related questions directly answered by one of the members of our team.

In November, several members of the ATIP Office team attended the 37th annual Canadian Access and Privacy Association (CAPA) conference. The event offered training, as well as valuable insight and updates from privacy leaders, public servants, journalists as well as consultants and experts in the private sector.

In January, ATIP celebrated Data Privacy Week. To mark, the annual global event, the Department released a publication in our departmental weekly newsletter and posted a variety of resources from the Office of the Privacy Commissioner throughout the department. These resources aimed to better inform employees of privacy risks at home and in the workplace, as well as their rights and responsibilities regarding privacy and the handling of information and data.

Procedures and Policies

Building Efficiencies into our Procedures and Policies

Building on these collaborations, the ATIP Office started updating their policies and procedures to enhance productivity and efficiency in processing ATIP requests. Our goal is to provide the OPIs and liaison officers with a repository of up-to-date information where they can find several tools and guidance materials to help them with the processing of ATIP requests.

These improvements will further the sharing of knowledge generally and clarify roles and responsibilities of all those involved in the processing of requests.

Training Updates

Update to Privacy Training

The ATIP Office updated their training resources and training decks during the reporting period. Departmental informal training sessions will be provided throughout 2024-2025 fiscal year.

The ATIP Office continued to provide employees with the required training to support their development, success, and wellbeing. The ATIP Office employees also completed mandatory departmental training on issues such as security and cultural sensitivity.

Improving Service to Indigenous Clients and Cultural Sensitivity in the Workplace

In compliance with the Treasury Board of Canada Secretariat’s Access to Information and Privacy Implementation Notice 2023-01: Advancing Reconciliation with Indigenous Peoples by Providing Culturally Appropriate Services, the ATIP Office updated its training and capacities to meet the needs of our programs and clients.

We added new mandatory and recommended training requirements for employees and ATI and Privacy professionals to facilitate access to government information and personal information by Indigenous Peoples.

This includes new mandatory training courses such as:

As well as the following, optional but strongly encouraged training courses:

The ATIP Office also conducted a gap analysis of its current intake process of Access to Information Privacy requests to identify areas where services to Indigenous requesters can be improved. The findings and recommendations in this gap analysis facilitated a greater understanding of diverse Indigenous cultures and perspectives, as well as developed the cultural competencies needed to build respectful relationships with Indigenous Peoples while respecting their right to access information and data sovereignty. Several considerations were made through the gap analysis and are pending further review and implementation in the 2024-2025 fiscal year.

Employee Well-Being and Professional Development

We offered training on diverse topics and issues including Emotional Intelligence & Mental Health, Vicarious Trauma, Harassment Prevention, Discussed/Warned of Exposure to Explicit & Sensitive Material, Civility & Respect Training, Service Excellence & Difficult Conversations Training.

Formal language training, as well as other training to develop employee competencies and knowledge surrounding professional development, networking, technology and program-specific information were also regularly provided to employees throughout the year.

Finally, ATIP Office employees participated in a number of internal and interdepartmental training sessions, conferences, information sessions and seminars organized by the TBS or by various associations on matters relating to both access and privacy. They include GCCollab broadcasts, InfoBlitz and Privacy communities’ sessions by the Treasury Board Secretariat and Access to Information and Privacy Communities Development Office. These exchanges provided updates to employees in the development of ATIP practices and upcoming trends in this area, contributing to the modernization of our team and informing best practices.

Improved Analytics and Technology

The implementation of a new case management system, ATIPXpress, will enable better analytics and reporting hence demonstrating the Department’s commitment to continuous improvement and informed decision making.

The Department’s ATIP Office is currently in the process of integrating a new case management system that will replace the current Access Pro Case Management (APCM) system. Employees have participated in training with the vendor, OPEXUS to better understand how the system works and its various functions.

The ATIP Office is currently hosting the ATIPXpress Modernization and Privacy Sub-working Group, an interdepartmental working group established to exchange gaps, best practices, and identify areas for collaboration to ease the phasing in of the new case management system.

Several departments have been collaborating with the Department’s ATIP Office to develop resources such as workflows and process maps, as well as to discuss the modernization process. The main goal of these meetings and working sessions has been to identify how ATIPXpress fits within the multiorganizational needs of ATIP services and privacy professionals. There has also been a focus on refining existing activities and functions in APCM, rather than reinventing them as well as anticipating upcoming changes to the Privacy Act.

Recruitment and Retention Initiatives

The ATIP Office has attended recruitment events throughout the reporting period, with a specialized focus on Indigenous, student and Francophone recruitment. These recruitment events were held at academic institutions such as the Cégep de l'Outaouais and the Université du Québec en Outaouais. The Department’s ATIP Office also attended the Ottawa Indigenous Student Career Fair and participated in the Federal Student Work Experience Program (FSWEP) recruitment process in the spring, resulting in the hiring of three FSWEP students.

The ATIP Office continued to engage with other ATIP professionals and has had an active recruitment campaign on GCollab. This led to hiring an additional 6 full time employees.

Commitment to Diversity and Employment Equity

The Department of Justice and ATIP Office believe that to be able to effectively serve the public, its workforce needs to accurately reflect the diversity of the Canadian population. The Department actively recruits members of Employment Equity designated groups and encourages them to self-identify when they apply and begin their employment.

Complaints

Reduced Complaints

In the past year, we reinforced our relationship with the OPC through meaningful and open dialogue. Though these efforts, we have been able to reduce the total number of complaints from 14 to 12 or by 21.4%.

Organizational structure

In 2023-24, the ATIP Office underwent a change to its reporting structure. In April 2023, the ATIP Office moved from the Information Solutions Branch (ISB) structure to the Legal Practices Branch (LPB). The Director of the ATIP Office now reports to the Senior General Counsel and Director General of the Legal Practices Branch under Management Sector to better align it to deliver on its modernization initiative, benefit from additional legal and analytics services within LPB.

During the reporting period, the Department’s ATIP Office had a total of 25.17 fulltime equivalent (FTE) positions working on access to information requests and privacy files, and a total of three consultants. To support the administration of the Privacy Act, the Privacy, Policy and Programs Unit as well as operations had a total of 5.85 FTE positions, in addition to 0.7 part-time and casual equivalent positions, 0.5 consultants, and one student position. The ATIP Office committed to reducing its reliance on consulting services. We began exploring alternatives to consultants by for example utilizing the services of the Paralegal Services Centre, making use of the Department’s litigation management system, providing additional training to our staff and OPIs as well as implementing the new ATIPXpress system. We have begun to see very positive results that should be even more evident in the future as the modernization project is concluded.

The ATIP Office is organized into three units:

In addition, the ATIP Office is currently working on modernizing its ATIP management system in order to achieve better performance and is building a team with information technology experts. The team will ensure a smooth transition to the new platform.

Under section 73.1 of the Act institutions reporting to the same minister can partner to share request-processing services. The Department of Justice has not entered into any such service sharing agreements in the current reporting period.

The Department’s ATIP Office is comprised of a dedicated workforce committed to access to information and the protection of privacy. This work includes:

The work of the ATIP Office is supported by 26 offices of primary interest (OPIs) within the Department. These offices are responsible for locating and providing the records responsive to requests and providing recommendations about the disclosure of records in compliance with the provisions of the Act.

Special Interlocutor’s Office

Over the 2023-2024 fiscal year, the ATIP Office also assisted the Special Interlocutor’s (SI) Office to respond to ATIP requests and contribute to building a relationship of trust and respect between Canada and First Nations, Inuit and Métis. The Independent Special Interlocutor will assist in identifying needed measures and recommending a new federal framework to ensure the respectful and culturally appropriate treatment of unmarked graves and burial sites of children associated with former residential schools.

The ATIP Office received two requests regarding the Office of the Independent Special Interlocutor.  Due to a large number of records, and the fact that the Special Interlocutor’s office had limited resources, the Paralegal Services Centre assisted the SI Office with its material gathering process.

Delegation order

The ATIP Director has full authority delegated by the Minister for the administration of the Act.

For the purpose of increased executive oversight, full authority is also conferred to the Deputy Ministers, the Associate Deputy Minister, the Assistant Deputy Minister and Chief Financial Officer, Management Sector and the Senior General Counsel and Director General, Legal Practices Branch. A copy of the Department’s Delegation Order can be found in Annex A of this report.

Performance and statistics

The Department is committed to transparency and accountability under the Act and continues to work to improve its performance to deliver the highest standards of service for access and protection of personal information.

Number of Requests

Overview of requests received and completed by the Department pursuant to the Act
Fiscal year Number of requests received Number of requests completed Number of pages processed Number of pages released
2023-24 565 528 28,012 7,049
2022-23 130 117 1,664 632
2021-22 131 120 14,336 6,213

The Department received 565 requests during the reporting period, a significant increase of 334% compared to the previous reporting period.

The increase can also be attributed to the Department closing 388 “spam requests,” in accordance with guidance provided by the Access to Information and Privacy Policy Division at TBS and the OPC. The Department received an influx of requests made through what is suspected to be bots or automatic means. Many of these requests were duplicates or repetitive, out of scope with the Department’s mandate and may have been submitted on behalf of another individual without consent or authorization provided.

After following up and clarification of these requests, the Department was advised by TBS and OPC to close these files, to ensure the ATIP Office had capacity to complete its remaining and new, incoming requests for the reporting period. As a result, the total number of “legitimate” requests received this reporting period was 177.

The Department attributes the overall significant increase to be a direct result of the recent Privacy Act Extension Order, No. 3, which extended the right of access under the Privacy Act to all individuals outside Canada.

In addition, 67 requests were outstanding from previous years, for a total of 632 active requests in 2023-2024. During the same reporting period 528 requests were completed, a significant decrease compared to the previous reporting period, due to the overall increase of requests received.  Of the 565 requests, 104 were carried-forward to be completed in fiscal year 2024-2025, compared to 68 requests in the previous reporting period. This reflects the overall increase in requests received by the Department.

Responding to formal privacy requests involved the review of 28,012 pages, of which 7049 pages were disclosed. This is a significant increase once again compared to the previous reporting period.

Compliance Rate, Completion Times and Extensions

Out of 528 requests completed in 2023-2024, 418 requests were completed within the legislated timelines under the Act. Furthermore, as mentioned previously, 388 of these requests were considered “spam requests.” A slight decrease in the compliance rate from 84% in the previous reporting, to 79% in 2023-24 can be noted. This decrease can be attributed to a lack of resources and capacity to comply with the rapid increase and tight timeline of requests (30-60 days). Privacy requests can only have a 30-day extension applied, unlike access to information requests.

During the reporting period, the Department was able to close a total of 31 requests (28.2%) in 15 days or less, 18 requests within 16 to 30 days (16.4%), 43 requests within 31-60 days (39.1%), three requests within 61 to 120 days (2.7%), one request within 121 to 180 days (0.9%), and five requests within 181-365 days (4.5%). In addition, nine requests took over 365 days to complete (8.2%). The chart below represents the number of requests completed (with percentage) per completion time for all completed requests.

Text version

Pie chart displaying completion times of requests as follows:

  • 28.2% of requests took 1 to 15 days to complete;.
  • 16.4% of requests took 16 to 30 days;
  • 39.1% of requests took 31 to 60 days;
  • 2.7% of requests took 61 to 120 days;
  • 0.9% of requests took 121 to 180 days;
  • 4.5% of requests took 181 to 356 days;
  • 8.2% of request took more than 365 days.

The Department found it necessary to seek extensions to the prescribed time limits in 24 requests, pursuant to section 15(1)(a) for interference with operations.

Deemed Refusal Rate

The Department’s deemed refusal rate in this reporting period (i.e., the percentage of personal information requests that received a response beyond the deadline required under the Act) was 20.83%, which means that 110 requests were closed past the legislated timelines. The deemed refusal percentage for the reporting period increased from 20.83% compared to 15% in the 2022-2023 reporting period.

Text version

The deemed refusal rate was:

  • 28% in 2021-2022
  • 15% in 2022-2023
  • 20% in 2023-2024

Outstanding Requests

TBS collects statistical data from specific institutions (the Department is one of these) on the volume of their outstanding access to information requests and requests for personal information. The Department carried-forward 104 requests, and out of those requests, 35.6%, or 37 requests were received during the reporting period.

Fiscal year open requests were received Open requests that are within legislated timelines as of March 31, 2024 Open requests that are beyond legislated timelines as of March 31, 2024 Total
Received in 2023-2024 27 29 56
Received in 2022-2023 0 18 18
Received in 2021-2022 0 11 11
Received in 2020-2021 0 11 11
Received in 2019-2020 0 4 4
Received in 2018-2019 0 1 1
Received in 2017-2018 0 1 1
Received in 2016-2017 or earlier 0 2 2
Total 27 77 104

Disposition of Completed Requests

Of the 528 requests closed in the 2023-2024 fiscal year, 37 requests (7%) did not have any responsive records to provide, 462 requests (87.5%) were abandoned by the requestor as they were mostly spam, two requests (0.4%) were exempted in their entirety (0.4%), 23 requests (4.4%) were disclosed in part while four requests were released in their entirety (0.8%). The number of requests abandoned by the requester increased significantly compared to the previous report period as a result of the “spam requests” noted previously.

Text version

Bar graph displaying the disposition of completed requests, as follows:

  • Disclosed in part: 23
  • No relevant records: 37
  • Abandoned: 462
  • Released in their entirety: 4

Requests, Exemptions and Exclusions

Exemptions invoked

The Department used exemptions 37 times under the Act for 177 requests (excluding 388 “spam requests”). The most used exemption was section 26 which was invoked in 24 requests and exempts personal information relating to individuals other than the requestor. This is followed by section 27 (12 requests), which exempts information relating to solicitor-client privilege. One exemption was made under section 19.

Exclusions cited

No information was excluded under section 69 during the reporting period.

Informal Requests

The Department published on the Open Government Portal summaries of completed access to information requests that do not contain personal or third party information. Members of the public can submit informal requests for a copy of the previously released information.

No informal request was processed during this reporting period.

Format of Information Released

Most applicants (553) chose to receive information in an electronic format at no extra charge as the Department continued to use the delivery via Epost Connect, a service offered at no charge to the requestor and which is now the office’s primary method of record delivery. It allows for secure delivery of records in an electronic format and circumvents the issue of email size restrictions and the need for the recipient to have a compatible device to access the records. Only 12 requestors chose to receive information in paper copies by mail.

Consultations

During the 2023-2024 reporting period, the Department received 16 requests from other government institutions and no requests from other organizations requesting recommendations regarding records originating from, pertaining to, or of interest to the Department. In addition, one consultation was carried over from previous years, for a total of 17 consultations. In total, the Department was asked to review 2,456 pages for these consultations.

Of the 17 consultations, nine were completed during the reporting period (2,325 pages) and the remaining eight were carried forward to be completed in fiscal year 2024-2025.

The completion times for the nine consultations completed were the following:

Active Complaints

The chart below represents the number of active complaints with the OPC that are outstanding from previous reporting periods, broken down by fiscal year in which they were received. Eight complaints remain active after the current reporting period.

Text version

Bar graph displaying the number of actives complaints, as follows:

  • 8 in 2023-2024
  • 3 in 2022-2023
  • 4 in 2021-2022
  • 0 in 2020-2021
  • 0 in 2019-2020

Salaries and Costs

The total cost for administering the Act during the 2023-2024 reporting period was $754,810. This cost includes $657,003 in salaries and overtime, as well as operating costs totaling $97,807, which include $75,946 in professional service contracts.

These costs do not capture resources expended by the Department’s other sectors to meet the requirements under the Act.

Training and awareness activities

Training Sessions

The Department of Justice and ATIP Office continuously provide employee training to enhance wellbeing and professional development.

Some training sessions are provided on an ad-hoc basis, while others are scheduled routinely throughout the fiscal year.

The employees of the ATIP Office also regularly provide advice and informal training on the application of ATIP legislation to departmental employees who must review relevant records requested under the Act. Formal awareness information sessions are offered to other sectors within the Department in order to address the specific business and operational needs of the individual groups.

The ATIP Office recently updated their training resources and training decks during the reporting period. Departmental informal training sessions will be provided throughout 2024-2025 fiscal year.

The ATIP Office continues to ensure employees receive integral training to support their development, success, and wellbeing. Along with internal standard operating procedures and policies, ATIP Office employees must also complete mandatory departmental training on issues such as security and cultural sensitivity.

The Centre for Information and Privacy Law, in the Public Law and Legislative Sector of the Department, is responsible for providing legal advice to all departments on the interpretation and application of the Access to Information Act and Privacy Act. It also offers training to departmental employees, and to employees from other government departments.

ATIP training is part of the recommended courses under the values and ethics component of the Department’s Roadmap for new Managers. An e-orientation deck is posted on the Department’s Intranet site for employee consultation.

The Department’s ATIP Office employees participated in collective awareness sessions with ATIP Counsel to review recent jurisprudence and case law related to the Act. The ATIP Counsel participated in monthly ATIP Practice Group meetings during which information was exchanged and solutions proposed. The Practice Group is open to all departmental counsel, including those from Legal Services Units, and its mandate is to discuss questions such as the right of access to information and privacy issues.

In addition to mentorship and partnership relationships, workshops and presentations were regularly provided within the ATIP Office on various topics concerning the application of the Privacy Act and related policy and procedures. This allowed the Department’s ATIP Office employees to benefit from each other’s experience and knowledge.

Policies, guidelines, procedures and initiatives

The Department participated in developing several procedures and guidance documents that were developed and updated by the Legal Practices Branch and Department of Justice. These resources for employees covered various subjects to ensure consistency, clarity on expectations and communication standards and training.

These updates included creating process maps for internal and external clients, reducing dependency on consultants for specific programs, as well as developing new onboarding and training programs for employees and OPIs.

There was also a focus on enhancing internal efficiency and well-being through weekly and quarterly workload management meetings, the implementation of updated standard operating procedures, and the establishment of Specific, Measurable, Achievable, Relevant, and Time-bound (SMART) objectives for employees’ Performance Management Agreements. The Department amended work descriptions to reflect trauma risks, as well as a formal, safe process for reporting trauma.

The Department and ATIP Office also engaged with Change Management and Business Transformation to develop communication and engagement plans, establish team norms, and develop standardized ATIP Communication and Process templates.

Complaints, investigations and federal court cases

Complaints Filed

The ATIP Office created a dedicated team to manage complaints, serving as the primary liaison between the Department and the OPC. The team continued to work to strengthen relationships and improve the Department’s ATIP program performance. A complaints mailbox was also created to streamline complaints.

During the 2023-2024 reporting period, the Department received 12 Notices of Intention to Investigate from the OPC during the reporting period. The reasons for the complaints were as follows:

Note: there can be multiple complaints related to one file; one file has two complaints, resulting in a total of 13.

Completed investigations

The OPC may choose to investigate multiple files under one complaint. The number of investigations does not show how many files are being investigated, and there may be multiple finding dispositions based on the number of files investigated through a singular complaint. A total of 17 investigations were completed during the reporting period, some of which had been carried forward from previous years. Of the 17 investigations, four were not well founded, seven were resolved, none were settled, seven were well founded, and one was withdrawn. No key issues were raised as a result of these complaints. Complaint findings are defined as follows:

Well founded: The institution contravened a provision of the Act.

Well founded and resolved: The institution contravened a provision of the Act but has since taken corrective measures to resolve the issue to the satisfaction of the OPC.

Not well founded: There was no or insufficient evidence to conclude the institution/organization contravened the privacy legislation.

Resolved: The investigation revealed that the complaint is essentially a result of a miscommunication, misunderstanding, etc., between parties; and/or the institution agreed to take measures to rectify the problem to the satisfaction of the OPC.

Settled: The OPC helped negotiate a solution that satisfied all parties during the course of the investigation and did not issue a finding.

Discontinued: The investigation was terminated before allegations were fully investigated.

Early Resolution: Applied to situations in which the issue is resolved to the satisfaction of the complainant early in the investigation process and the OPC did not issue a finding.

Review by the Federal Court of Canada

During the 2023-2024 reporting period there were two applications filed before the Federal Court pursuant to sections 41 of the Act.

Audits Conducted by the Privacy Commissioner

During fiscal year 2023-2024, no formal investigations were conducted by the Privacy Commissioner.

Monitoring compliance

The ATIP Office regularly monitored compliance with statutory requirements and timeliness associated with the processing of requests through ongoing communication with senior management and OPIs.

The workload was assessed daily, through the ATIP Case Management System, in order to ensure that workload was evenly distributed and effectively managed to meet statutory deadlines.

The reading rooms at the Department’s headquarters in Ottawa and those located in the regional offices across Canada make available to the public the most recently published version of InfoSource, as well as departmental publications and manuals. Many of these publications can be found on the Department’s website and the Treasury Board Secretariat’s websites.

Requests for the Correction of Personal Information

Paragraph 12(2)(a) of the Act provides that every individual be given access to personal information about himself or herself that has been used, is being used, or is available for use for an administrative purpose, is entitled to request correction of such information where the individual believes there is an error or omission therein.

The Department did not receive any requests for correction of personal information during the reporting period.

Administration of personal information

Advice

The ATIP Office acted as a resource on several occasions for departmental officials as well as those from other government institutions, offering advice and guidance on the provisions of the legislation as well as related policies. The ATIP Office was consulted on the collection, use, the disclosure and disposal or retention of personal information on a wide range of issues.

During the 2023-2024 fiscal year, the Department’s ATIP Office responded to a total of 112 formal and informal privacy advice requests. These included advice on Privacy Notice Statements, Protocols for Access to Employee Network Account requests, human resources (HR) projects, software and security-related procedures and documents, as well as publications.

Public Interest Disclosures

Paragraph 8(2)(m) of the Act permits the disclosure of personal information in situations where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or when the disclosure would clearly benefit the individual to whom the information relates. The Privacy Commissioner must be informed of disclosures to be made under these provisions. During fiscal year 2023-2024, the Department disclosed personal information pursuant to paragraph 8(2)(m) in one instance.

Material Privacy Breaches

During the reporting period 2023-2024, the Department reported two material breaches to the OPC and to TBS Access to Information and Privacy Policy Division.

Brookfield Global Relocation Services (BGRS) and SIRVA Canada Inc. Breach

In October 2023, BGRS confirmed that there had been a breach involving Government of Canada information held by BGRS and SIRVA Canada systems. These companies provide relocation support to federal employees. One employee at the Department was identified to be impacted by the breach, which was contained.

The Department’s ATIP Office participated in interdepartmental collaboration with other Government of Canada departments and agencies to handle the impacts of the BGRS and SIRVA systems breach. The ATIP Office took immediate action to investigate and document the material breach and is taking precautions and working with other departments to mitigate such privacy risks in the future.

Digital Workspace (DW) Breach

In September 2023, the Department was notified of an internal material privacy breach related to the Justice Canada Digital Workspace. The breach involved an employee having unauthorized access to Duty to Accommodate files containing Protected B personal information during an unrelated search of records. The employee looked at multiple documents containing personal and confidential information of other employees over this three-day period. Records indicate the employee accessed 106 documents, related to over 74 employees, and downloaded 12 documents relating to nine employees. All affected individuals were notified. The breach was contained by security and the ATIP Office.

Non-Material Privacy Breaches

The ATIP Office also handled several non-material privacy breaches and privacy related incidents throughout the 2023-2024 fiscal year. These files included personal information mistakenly shared through errors in email attachments, incorrect recipients, incorrect redactions, as well as unauthorized access and permissions granted in error.

Privacy Impact Assessments

The Department has not completed any new privacy impact assessments (PIAs) during the 2023-2024 reporting period.

Four PIAs have been carried over from a previous reporting period and are at various stages of completion. These active PIAs are primarily related to human resources functions and departmental-specific programs, including:

LEX System: The program is used by the Department’s Legal Services to represent federal departments in legal matters involving the Department. It can also be used to provide legal advice to federal government departments and agencies, represents the Crown in civil litigation and before administrative tribunals, drafts legislation and responds to the legal needs of federal departments and agencies. The LEX system can be used to generate reports, track issues, run reports, search for and track status of legal files.

Talent Management: The Department has implemented new Talent Management Plans and Talent Management (TM) processes for senior legal practitioners and non-senior cadre. Under these TM processes, the Department’s Human Resources Branch (HRB) plans to collect EE / ESG information. Due to HRB collecting, using, disclosing, and retaining personal information from process participants, and where that information may be used for administrative purposes, a PIA was considered important in protecting the privacy of the Department’s employees.

Vidcruiter: Vidcruiter is a Canadian company that offers an online video and pre-recording interviewing platform, as well as many different functionalities for human resources and hiring. A PIA was conducted to assess the use of this technology for presenting staffing purposes, and to adopt its long-term or permanent use.

Internet Evidence Gathering: A PIA was conducted regarding the privacy impacts associated with the collection, use, disclosure and retention of personal information and internet evidence by the Department from social media and other internet sites for use as evidence in civil litigation. Although litigation teams at the Department have, from time to time, engaged in the collection and use of personal information from social media sites as evidence in the context of civil litigation – in keeping with industry practices – formal policies and procedures governing those activities have not, until recently, been put in place. The Department launched an internal review of its online search and collection activities with a view to assessing the operational merits and impacts of those activities.

Personal Information Banks (PIBs)

The Department would like to note the significant decrease of its reported central PIBs from 48 in the previous reporting periods, to none in 2023-24. This is due to the correction of an error in Section 10.2: Institution-specific and Central PIBs on its 2021-2022 and 2022-23 Annual Report to Parliament on the Privacy Act and 2021-2022, 2022-23 Statistical Report on the Privacy Act. The Department inaccurately reported the 48 standard PIBs belonging to TBS in the Central PIBs section. The Department currently does not have any Central PIBs to report. The numbers have been corrected in the Department’s updated 2023-24 Statistical Report.

Annex A – Delegation order

Text version

The Department of Justice’s Delegation Order for the Access to Information Act and Privacy Act

The Minister of Justice of Canada pursuant to subsections 95(1) of the Access to Information Act and 73(1) of the Privacy Act, hereby delegates any powers, duties and functions under the Acts to the persons holding the positions set out in the schedule hereto, as well as to the persons occupying those positions on an acting basis. This delegation order replaces any previous delegation order.

Schedule

Position: The Deputy Minister and Associate Deputy Minister
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)

Position: The Director, Access to Information and Privacy Office
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)

Position: The Chief Financial Officer and Assistant Deputy Management Sector
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)

Position: The Senior General Counsel and Director General, Legal Practices Branch
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)

Position: The Chief of Operations, Chief of Policy and Legal Counsel, Access to Information and Privacy Office
Privacy Act and Regulations: 15, and the mandatory provisions of section 26 for all records
Access to Information Act and Regulations: 8(1), 9, 11, and the mandatory provisions of section 19 for all records

Position: The Senior Access to Information and Privacy Advisors
Privacy Act and Regulations: 15 for all records
Access to Information Act and Regulations: 8(1) and 9 for all records

Dated, at the City of Ottawa, this 14 day of April, 2023.

Signed by the Honourable David Lametti, Minister of Justice.