Annual Report to Parliament 2024-2025: Privacy Act
Information contained in this publication or product may be reproduced, in part or in whole, and by any means, for personal or public non-commercial purposes, without charge or further permission, unless otherwise specified.
You are asked to:
- exercise due diligence in ensuring the accuracy of the materials reproduced;
- indicate both the complete title of the materials reproduced, as well as the author organization; and
- indicate that the reproduction is a copy of an official work that is published by the Government of Canada and that the reproduction has not been produced in affiliation with, or with the endorsement of the Government of Canada.
Commercial reproduction and distribution is prohibited except with written permission from the Department of Justice Canada. For more information, please contact the Department of Justice Canada at: www.justice.gc.ca.
© His Majesty the King in Right of Canada, represented by the Minister of Justice and Attorney General of Canada, 2025.
ISSN 2369-2596
Cat. No. J1-16E-PDF
Table of Contents
- Introduction
- Policies, Guidelines, Procedures and Initiatives
- Organizational Structure
- Delegation Order
- Performance and Statistics
- Training and Awareness Activities
- Complaints, Investigations and Federal Court Cases
- Monitoring Compliance
- Administration Of Personal Information
- Annex A – Delegation Order
Introduction
The Department of Justice is pleased to present to Parliament, in accordance with section 72 of the Privacy Act (PA), its annual report on the management of the Act. The report describes the activities that support compliance with the PA for the fiscal year commencing April 1, 2024, and ending March 31, 2025.
A Message from the Director
The year 2024-25 was characterized by purposeful, cautious growth, with Access to Information and Privacy (ATIP) modernization and digital transformation held as a top priority. The Department made notable strides in adopting ATIPXpress, our new advanced request processing and case management software. This software will be hosted on the Government of Canada's Platform as a Service, using a standard cloud architecture that emphasizes efficiency and innovative architectural solutions. The careful adoption of modern tools and skill building act as a foundation for continued innovation in ATIP practices.
To complement these technological advances, we must also acknowledge the human aspect of ATIP. Change cannot be accomplished without an agile, skilled team. The ATIP Division is equipped with the necessary tools to meet and support this moment of ATIP advancement. Together with the ATIP management team, we are focused on building trusting relationships with our internal clients and further developing analyst skills and knowledge.
This past year, there has been a particular focus on the heightened pressures of complaints from the Office of the Information Commissioner (OIC), which must be strategically managed, to ensure sustained progress. We continue to seize on diverse opportunities for ATIP readiness, such as support from the Department’s Paralegal Services Centre, and numerous initiatives involving artificial intelligence with our colleagues from the Analytics and Systems Division.
This report serves as a comprehensive summary of key milestones and accomplishments from the 2024-25 fiscal year. 2025-26 is brimming with potential for smarter business practices, renewed relationships, and client service excellence for all Canadians.
Purpose of the Privacy Act
The PA was proclaimed into force on July 1, 1983.
The PA extends to individuals the right of access to information about themselves held by the federal government, subject to specific and limited exceptions. The PA also protects individuals’ privacy by preventing others from having access to their personal information and gives individuals substantial control over the collection, use, and disclosure by the federal government of such information. Section 72 of the PA requires that the head of every government institution prepare for submission to Parliament an annual report on the administration of the PA within the institution during each financial year.
This 42nd Annual Report on the administration of the PA is intended to describe how the Department of Justice Canada (hereinafter referred to as “the Department”) administered its responsibilities during fiscal year 2024-25 (hereinafter “during the reporting period”).
Mandate of the Department of Justice
The Department has the mandate to support the dual roles of the Minister of Justice and the Attorney General of Canada.
The Department supports the Minister of Justice in his responsibilities for 49 statutes and areas of federal law by ensuring a bilingual and bijural national legal framework principally within the following domains: criminal justice (including youth criminal justice), family justice, access to justice, Indigenous justice, public law and private international law.
The Department also supports the Attorney General as the Chief Law Officer of the Crown, both in terms of the ongoing operations of government and of the development of new policies, programs, and services for Canadians. The Department provides legal advice to the Government and federal government departments and agencies, represents the Crown in civil litigation and before administrative tribunals, drafts legislation and responds to the legal needs of federal departments and agencies.
The Department did not have any non-operational (“paper”) subsidiaries during this reporting period.
The Modernization of ATIP in the Department
The Department is committed to strengthening transparency, accountability, and service excellence in Access to Information and Privacy administration. The Department’s ATIP Modernization Plan (2024–2027) provides a strategic framework to enhance request management under the Access to Information Act (ATIA) and the PA, positioning the Department as a leader in innovative ATIP service delivery within the public sector.
A key initiative under this Plan is the implementation of ATIPXpress, a modernized case management system designed to streamline request processing and harness advanced technologies to improve productivity. The adoption of this system also presents an opportunity to review and formalize internal ATIP policies and procedures, reinforcing a culture of continuous improvement in information management. By integrating modernized tools with refined processes, the Department will set new standards for data-driven decision-making, compliance, and service excellence.
Collaboration with departmental stakeholders is central to this modernization effort. Strengthening partnerships will enhance knowledge-sharing, role clarity, and best practices, ensuring ATIP operations remain responsive and effective. The Department will also prioritize the rigorous application of new policies and procedures, reinforcing its commitment to transparent and accountable governance.
The Plan’s objectives will be operationalized through the Access to Information and Privacy Action Plan, which will outline clear actions and measurable outcomes. This structured approach reflects the Department’s dedication to leading ATIP transformation through strategic investments in skilled professionals, advanced technologies, and modernized service delivery.
Through these initiatives, the Department will not only enhance public trust but also establish itself as a model of innovation and efficiency in ATIP administration, setting new benchmarks for transparency and accountability within the Government of Canada.
Key achievements 2024-2025
April: Privacy Process Maps - CMBT and ATIPXpress
May: Privacy Awareness Week 2024
June: OPC Info Session on PIAs and 8(2) Disclosures
August: Interdepartmental Group on Privacy, Harassment & Disciplinary Files
September: Right to Know Week 2024
October: TBS Updates to Privacy Suite
November: OPC/OIC Connect Event
December: AI & Privacy Deep Dive Series
January: Data Privacy Week 2025
February: New Internal Guidelines on PIAs at JUS
March: Policy on Obstruction & Guide on Control at JUS
Initiatives and Projects to Improve Privacy
Privacy Projects & Updates
The Privacy Policy and Programs Unit in the ATIP Division continued to improve the support and guidance it provided to Offices of Primary Interest (OPIs) in the Department over the reporting period. This included developing additional tools and resources, as well as increasing general privacy awareness.
The Unit increased its visibility and promoted its service offerings in the Department through awareness campaigns on privacy practices and risks, delivered training sessions, and communicated the latest updates via departmental newsletters and other communications channels.
The Unit’s work over the past year has not only ensured compliance with the latest Treasury Board Secretariat (TBS) updates to the Directive on Privacy Practices, it has also strengthened the Department’s overall privacy practices and risk management framework, positioning the Department to continue safeguarding personal information in line with evolving best practices.
Our Privacy Policy and Programs Unit also continued to proactively monitor new developments and best practices in privacy, to integrate them into our own processes, as well as contribute to the modernization of ATIP.
Compliance with Updated TBS Directive on Privacy Practices
In October 2024, TBS released updates to the Government of Canada’s privacy policy suite.
The ATIP Division’s Privacy Policy and Programs Unit works to ensure compliance with these updates. The new TBS directives mandated the adoption of updated policy instruments, new triggers for Privacy Impact Assessments (PIAs), a streamlined breach reporting process, and changes to Personal Information Banks, and web summaries.
These changes created an immediate need for a thorough overhaul of existing processes and the integration of new templates and guidelines. The Privacy Policy and Programs Unit has worked diligently to ensure these updates were effectively incorporated into departmental practices.
The updates have significantly altered the landscape for privacy compliance within the Department. Adapting to these changes has been no small feat and has required substantial effort from the Privacy Policy and Programs Unit. Furthermore, it also required extensive communication and joint efforts with our OPIs to ensure their compliance with the updated standards.
Privacy Checklists
The ATIP Division ensures compliance with TBS directives by adopting the updated Privacy Checklists for internal use over the reporting period. The Checklists have been used by program areas and the Privacy Policy and Programs Unit to better streamline incoming requests and privacy advice. They assist with the identification of potential risks and concerns with a program, initiative or tool, and determine whether further assessments such as PIAs or Privacy Protocol are required.
Managing Privacy Breaches
In 2024, TBS officially released its updates to the Directive on Privacy Practices, Appendix B: Mandatory Procedures for Privacy Breaches, as well as updates to the Privacy Breach Management Toolkit. These updates include new required information to be provided to TBS and the Office of the Privacy Commissioner (OPC) when reporting material privacy breaches. They also prescribe a new mandatory PA Material Breach Reporting form.
Throughout the reporting period, the Privacy Policy and Programs Unit updated the Department’s internal privacy breach forms to reflect these new updates. The updates provide greater consistency and data and ultimately allow for better responses to privacy breaches. The Privacy Policy and Programs Unit has worked to ensure that all necessary information is now included in privacy breach reports.
Our internal Privacy Breach Protocol was also updated to reflect the responsibilities of employees and provide them with guidance on preventing and handling privacy breaches. It is the Department’s adaptation of the Guidelines for Privacy Breaches prepared by TBS.
Privacy Impact Assessments
In 2024, TBS updated the policy instruments and practices associated with PIAs and introduced a mandatory standardized PIA template and Privacy Checklist.
The expanded triggers for PIAs, particularly around the use of new technologies and automated decision systems, required close collaboration with various program areas and teams across the Department. The Unit worked together with the program leads in assessing both ongoing and upcoming initiatives to determine whether PIAs were required under the new Directive. The transition to the new PIA framework was not a one-off task, but a continuous process of monitoring, assessing, and adaptation.
Furthermore, we developed and released Internal Guidelines for Conducting PIAs at the Department to inform employees and OPIs of the TBS changes and their obligations, providing the Department with specific procedures on the PIA process. Along with assessing various programs and initiatives through the Privacy Checklist, the Unit also focused on completing PIAs that were started prior to the new TBS Directive.
Artificial Intelligence (AI) and Privacy
In response to the rapid evolution of artificial intelligence (AI) technologies and their growing impact on privacy, the Privacy Policy and Programs Unit has initiated an internal deep dive and discussion series to learn more about AI. Topics have included machine-learning models, generative AI, and data processing.
Through this initiative, we hope to improve our support and guidance for OPIs and ensure the Department remains compliant with privacy regulations. This includes the ability to better detect privacy risks and strengthen privacy protections in new or existing tools and programs.
The Privacy Unit has also reached out to other institutions to request further support on developing guidance for the use and adoption of artificial intelligence in departmental programs and tools.
Privacy by Design
The Privacy Policy and Programs Unit’s work over the reporting period not only included updating internal policies and processes but also involved providing training and awareness to departmental staff. Through training and internal communications, the Unit helped build a greater understanding of privacy obligations and the importance of adhering to new and existing TBS requirements and privacy regulations.
The Privacy Policy and Programs Unit also worked to foster a culture of continuous improvement, proactively identifying gaps in compliance processes and addressing them in real time. This ongoing effort ensured that the Department not only met its immediate compliance obligations, but also laid the groundwork for long-term privacy governance, as well as a culture of Privacy by Design, which is a framework that integrates privacy into the daily operations of the Department.
The Privacy Policy and Programs Unit and ATIP Division are currently working with the Information Solutions Branch and Business Planning Portfolio to better integrate privacy into all tools and programs for the Department. This includes presentations and discussions to ensure privacy reviews, assessments, and considerations are conducted prior to the introduction or launch of new initiatives at the Department.
Furthermore, to assist with these efforts, we recently released a Privacy by Design Checklist as an internal tool for the Department. This resource was designed to assist program leads in incorporating privacy into the design, development, and deployment of information technology, business practices, and networked infrastructures within the Department. It aligns with the Seven Foundational Privacy Principles, ensuring privacy protection is integrated into all stages of development and use of programs, systems and services, in compliance with the PA.
Privacy Files
Over the reporting period, the Privacy Policy and Programs Unit worked to ensure privacy risks were thoroughly evaluated and addressed across a wide range of initiatives and projects. This ensured the protection of personal information and strengthened the Department’s compliance with privacy regulations. Throughout the reporting period, the Unit worked on a variety of privacy advice files (i.e., surveys, advice, notice statements).
External ATIP Digital Workspace and ATIP Toolkit
In May, the ATIP Division launched an external page on its Digital Workspace site, featuring an ATIP Toolkit that houses a variety of helpful resources on Access to Information and Privacy. The Toolkit offered employees quick and easy access to various privacy and access-to-information-related resources and information. It featured various infographics, one-pagers and fact sheets, as well as easily accessible forms and templates.
The Toolkit is regularly updated with new resources, serving as a valuable reference to ensure employees have the necessary information to navigate ATIP requirements and ensure compliance with both Acts across the Department.
Info Source Update
In September, the Department published an updated Info Source for the Department, which is a repository describing programs and activities, as well as personal information holdings. This process had not been completed since the updated Departmental Results Framework of 2023-2024. The Info Source ensures individuals and employees can exercise their rights under the PA and access their personal information held by the Department. The Privacy Policy and Programs Unit worked with program leads and with Business Management Centers to align the updated Info Source, by updating program descriptions and renumbering Classes of Records.
The Department has created procedures and guidelines to ensure Info Source is updated each year in line with TBS guidelines.
Outreach and Collaboration
The ATIP Division leveraged the services of various programs at the Department, which provided us with much-needed expertise and support. These partnerships allowed us to access specialized legal guidance and resources, enhancing our ability to navigate complex access to information and privacy matters.
Additionally, the ATIP Division remained committed to supporting our current staff through continuous training and professional development. We provided additional learning and training opportunities to our employees and OPIs so that they are well equipped to manage our workload effectively, and to continue fostering a positive and collaborative work environment.
ATIPXpress – Privacy Process Mapping
The ATIP Division and Privacy Policy and Programs Unit worked with the Change Management and Business Transformation team to review workflows at the Department for process mapping, in hopes of compiling research on relevant best practices. The process maps were also developed and shared as part of the interdepartmental ATIPXpress working group with other institutions, to identify any feedback for the vendor or important functional features for the ATIPXpress case management system.
Departmental Architectural Working Group
The Privacy Policy and Programs Unit continues to engage with the Departmental Architectural Working Group at the Department of Justice on various projects and submissions within the Department. The Working Group allows ATIP to offer its expertise, advice, input, as well as conduct privacy checklists and assessments when required on new or existing tools and programs.
Interdepartmental Collaboration
The ATIP Division engaged in a variety of interdepartmental working groups and sessions related to ATIP through GCCollab. Regular coordination with other departments allowed our team to stay in the loop regarding important updates and relevant best practices in relation to both Acts.
Interdepartmental Working Group on Privacy in Contracting Decisions
The Privacy Policy and Programs Unit also attended the monthly Interdepartmental Working Group on Privacy in Contracting Decisions to ensure employees remain up to date on best practices. The sessions covered various topics on personal information and contracting, such as protection measures, privacy clauses, compliance with legislative and policy requirements, and exceptions, as well as broader guidance.
Interdepartmental Group on Privacy, Harassment and Disciplinary Files
The Privacy Policy and Programs Unit also collaborated with several other departments on privacy issues related to harassment and disciplinary files during the reporting period. The goals of the sessions are to discuss best practices, privacy implications, and strategies as well as to address common challenges.
OIC and OPC Connect Event
In November, the ATIP Director attended a Connect Event for chief privacy officers and chief information officers hosted by the OPC and the OIC to discuss emerging trends and issues in ATIP.
Privacy Awareness Week 2024
The Privacy Policy and Programs Unit celebrated Privacy Awareness Week in May with the launch of our external Digital Workspace page. Our Unit released a variety of privacy-related resources for the Department and collaborated with the Center for Information and Privacy Law (CIPL) on the release of two one-pagers on personal information and publicly available information.
Data Privacy Week 2024
In January, ATIP celebrated Data Privacy Week and took part in the campaign’s global effort to raise awareness about the importance of respecting privacy, safeguarding data, and enabling trust. To mark the annual event, the Privacy Policy and Programs Unit published highlights and emerging privacy trends from the OPC’s Annual Report in our departmental weekly newsletter. We also developed a variety of resources that were made available to employees on our external Digital Workspace page, such as a Quick Reference Guide on Demystifying PIAs. Furthermore, we released our Internal Guidelines on Conducting PIAs at the Department, reflecting the recent updates to PIAs made by TBS.
These resources aimed to better inform employees of their rights and responsibilities regarding privacy and the handling of personal information and data.
Policies, Guidelines, Procedures and Initiatives
Updated Policies and Procedures
During the reporting period, the ATIP Division updated its policies and procedures to enhance productivity and efficiency in processing ATIP requests. Our goal was to provide the OPIs and liaison officers with a repository of up-to-date information where they can find several tools and guidance materials to help them with the processing of ATIP requests. Furthermore, we aimed to promote awareness of and inform the Department’s employees of their existing legal obligations and responsibilities under both the Act and ATIA.
Our internal policies were developed and published on the Departmental intranet, JUSnet, and the ATIP Division’s external Digital Workspace page.
These improvements will further the sharing of knowledge generally and clarify roles and responsibilities for all those involved in the processing of requests.
During the reporting period, the ATIP Division also completed the development of several new policies, guidelines, and supplementary resources for the Department and OPIs. By establishing clear requirements and guidelines, these new policies aimed to ensure compliance with the ATIA and PA, as well as protect both records and the integrity of the ATIP framework within the Department.
The Privacy Policy and Programs Unit developed an internal Guide on Determining the Control of Records for the Purpose of the ATIA and the PA. It offers guidelines and requirements regarding the control of records at the Department. It also indicates the responsibilities of employees and management of all levels, as well as the role of relevant teams that must be consulted in matters of control (ATIP Division, Corporate Counsel, and CIPL).
It also outlines requirements regarding compliance, protection of personal information, proper handling of records and legal records, assessment of control of records, scenarios for authorized disclosure under subsection 8(2) of the PA, as well as reporting and documentation.
The guide was developed in consultation with ATIP Operations, Security, Business Management and Governance, Communications, Information Management, Corporate Counsel, the Legal Practices Policy Division, as well as CIPL.
Along with the Guide on Determining Control, the Privacy Policy and Programs Unit has also developed a policy on the Obstruction to the Right of Access of Information, in accordance with s. 67.1 of the ATIA.
This policy sets out existing obligations and responsibilities for employees under the ATIA and PA. It also aligns with those published by other departments to ensure that any suspected obstructions are handled in a consistent manner. The Department regularly receives ATIP requests and, as the obstruction to the right of access to records is a serious offence, it is important that the Department’s employees stay informed and have proper protocols in place to prevent, investigate, and address any suspected obstructions.
The policy was developed in consultation with CIPL, Chief Security Officer, the National Litigation Sector, the Legal Practices Policy Division, and Corporate Counsel.
Both the guide and the policy are in their final stages of approval and will be published internally in the new fiscal year.
Furthermore, new internal guidelines were also developed by the Privacy Policy and Programs Unit and offer programs and OPIs a department-specific framework for conducting PIAs and meeting obligations of the new TBS Standard on PIAs.
Quick reference guides were also developed to supplement the proposed policies on Obstruction to the Right of Access and the Control of Records once they are published. These guides were designed to provide employees with a clear and concise overview of their obligations and responsibilities under these policies, helping to ensure greater understanding and compliance. By offering easily accessible information in plain language, the guides aim to enhance employee awareness, ensure they are informed about privacy risks and responsibilities, and facilitate the effective implementation of the policies across the Department.
Improved Analytics and Technology
One of the main focuses of the ATIP Division’s ongoing modernization plan is the implementation of a new ATIP case management solution, ATIPXpress. Adoption of this key initiative creates an opportunity to evaluate and formalize internal ATIP policies and procedures. It will also result in sustainable cooperation with key stakeholders through the exchange of knowledge, clarification of roles and improved analytics and reporting, demonstrating the Department’s commitment to continuous process improvement.
The ATIP Division has participated in training with the vendor to better understand how the system works and its various functions.
The ATIP Division continued to engage with the ATIPXpress Community of Practice and also hosts its own ATIPXpress sub working group. This interdepartmental working group was established to exchange best practices and identify areas for collaboration to ease the phasing in of the new case management system.
Several departments collaborated with the Department’s ATIP Division to develop resources such as workflows and process maps, and to discuss the modernization process. The main goal of these meetings and working sessions has been to identify how ATIPXpress fits within the multiorganizational needs of ATIP services and privacy professionals. There has also been a focus on refining existing activities and functions in Access Pro Case Management rather than reinventing them, and on anticipating upcoming changes to the PA.
The ATIP Division invited TBS representatives to a session of our ATIPXpress sub-working group to discuss PIAs. Various departments shared their workflow maps on privacy processes (particularly PIAs) and flagged important inputs/outputs. With the help of TBS, the session assisted in identifying material deliverables (i.e. actions outside of logging data, such as intake emails or processes, filling out forms, generating reports, and sending final responses/notifications), to narrow down the functional needs of privacy units for the ATIPXpress case management system.
During the reporting period, the Modernization team completed User Acceptance Testing sessions to gather feedback, and the production build for the software began concurrently with Shared Services Canada. The ATIP Division anticipates an introductory launch of the ATIPXpress software early into the new fiscal year.
Retention and Professional Development
Employee Wellbeing and Professional Development
In the previous fiscal year, the ATIP Division collaborated with the Change Management and Business Transformation team as part of the ATIP Modernization Strategy. They identified areas to promote employee retention, wellbeing, and professional development.
This collaboration also led us to identify several topics and areas for training to assist the ATIP staff and OPIs. The ATIP Division held a variety of presentations and training for its internal employees. Some of these topics include:
- The Power of Failure
- Mental Health and Wellness
- Giving and Receiving Feedback
- Communication Styles
- Myers-Briggs Type Indicator Presentation
- Ergonomic Workshop
- Minding Difficult Conversations
- Solicitor-Client Privilege and Section 23
- Public Service Values and Ethics
ATIP training, language training, as well as other training to develop employee competencies and knowledge surrounding professional development, networking, technology and program-specific training were also regularly provided to employees throughout the reporting period.
Finally, ATIP Division employees participated in several internal and interdepartmental training sessions, information sessions and seminars related to access and privacy. These exchanges with other departments allowed our Division to stay up to date on the new ATIP practices and upcoming trends, while also contributing to our modernization and informing of best practices.
Commitment to Diversity and Employment
To be able to effectively serve the public, the Department and its workforce need to accurately reflect the diversity of the Canadian population. The Department actively recruits members of Employment Equity designated groups and encourages them to self-identify.
Organizational Structure
The Director of the ATIP Division reports to the Senior General Counsel and Director General of the Legal Practices Branch (LPB) under the Management Sector. This structure allows us to focus on modernization initiatives, as well as benefit from additional legal and analytics services within LPB. The Director is accountable for the development, coordination and implementation of effective policies, guidelines, systems, and procedures to efficiently process requests under the PA.
During the reporting period, the Department’s ATIP Division had a total of 31.38 full-time equivalent (FTE) positions working on Access to Information requests and Privacy files, and three consultants. To support the administration of the PA, the Privacy Policy and Programs Unit had a total of 11.94 FTE positions, 0.54 part-time and casual equivalent positions, 0.87 consultants, and 0.23 student positions.
The ATIP Division is organized into three units:
- The Operational Unit works with the Department to process incoming access to information and privacy requests;
- The Privacy Policy and Programs Unit develops ATIP policies, provides advice on privacy-related matters, updates, annual reports and other statutory reports; and
- The Complaints Unit processes complaints and works closely with the OIC and the OPC.
In addition, the ATIP Division is currently working on modernizing its ATIP management system to achieve better performance and is building a group with information technology experts. This group will ensure a smooth transition to the new platform.
Under section 73.1 of the PA, institutions reporting to the same minister can partner to share request-processing services. The Department currently has a Memorandum of Understanding (MOU) with the Law Commission of Canada as of 2023.
The Department’s ATIP Division is comprised of a dedicated workforce committed to access to information and the protection of privacy. This work includes:
- The timely processing of requests under the PA and assisting clients in accordance with the principles for assisting requestors.
- Processing consultation requests submitted by other federal institutions on Department documents located in their files and on records that may be subject to solicitor-client privilege.
- Providing advice and guidance to senior management and all employees of the Department on ATIP-related matters, as well as training and awareness sessions.
- Responding to complaints and negotiating with the Information Commissioner and Privacy Commissioner.
- Liaising on behalf of the Department with the TBS, the Information and Privacy Commissioners of Canada and other government departments and agencies regarding the application of the PA.
- Coordinating, reviewing, approving and publishing statutory reports such as the Annual Reports to Parliament.
- Developing, coordinating and implementing policies, procedures and guidelines for the orderly implementation of the PA by the Department.
- Modernizing the ATIP processes and the ATIP Management technologies by building a small group that evaluates new digital solutions that can reduce business processes, reduce the time needed for requests, increase quality and help all stakeholders more easily engage in the process.
The work of the ATIP Division is supported by 26 OPIs within the Department. These offices are responsible for locating and providing the records responsive to requests and providing recommendations about the disclosure of records in compliance with the provisions of the PA.
Delegation Order
The ATIP Director and ATIP Deputy Director have full authority delegated by the Minister for the administration of the PA.
For the purpose of increased executive oversight, full authority is also conferred to the Deputy Minister, the Associate Deputy Ministers, the Assistant Deputy Minister and Chief Financial Officer, Management Sector and the Senior General Counsel and Director General, Legal Practices Branch. A copy of the Department’s Delegation Order is at Annex A of this report.
Performance and Statistics
The Department is committed to transparency and accountability under the PA and continues to work to improve its performance to deliver the highest standards of service for access and protection of personal information.
Number of Requests
| Fiscal year | # of Requests Received | # of Requests Completed | # of Pages Processed | # of Pages Released |
|---|---|---|---|---|
| 2024-25 | 294 | 262 | 85 909 | 13 082 |
| 2023-24 | 565 | 528 | 28 012 | 7 049 |
| 2022-23 | 130 | 117 | 1 664 | 632 |
The Department received 294 requests during the reporting period.
Many of the requests received in the previous fiscal year were determined to be spam requests. As a result, the total number of “legitimate” requests received in the previous reporting period was 177. Furthermore, a total of 91 requests were closed as spam this reporting period. The remaining 203 requests received were determined to be legitimate requests. This represents an increase of 14.7% in requests received compared to the previous reporting period.
In addition, 103 requests were outstanding from previous years, for a total of 397 active requests in 2024-2025. During the reporting period, 262 requests were completed, a significant decrease compared to the 528 requests closed in the previous reporting period. This decrease was due to the 388 “spam” requests closed in the previous fiscal year.
Of the 294 requests, 135 were carried forward to be completed in fiscal year 2025-2026, compared to 104 requests in the previous reporting period. This increase in requests carried forward reflects the overall increase in requests received by the Department.
Responding to formal privacy requests involved the review of 85,909 pages, of which 13,082 pages were disclosed. This is a significant increase once again compared to the previous reporting period and can be attributed to the increase in requests received.
Compliance Rate, Completion Times and Extensions
Out of 262 requests completed in the reporting period, 221 requests were completed within the legislated timelines under the PA. An increase in the compliance rate from 79% in the previous reporting period to 84% in 2024-25 can be noted.
During the reporting period, the Department was able to close a total of 169 requests (64.5%) in 15 days or less, 42 requests within 16 to 30 days (16%), 13 requests within 31-60 days (5%), 12 requests within 61 to 120 days (4.6%), 7 requests within 121 to 180 days (2.7%), and 11 requests within 181-365 days (4.2%). In addition, eight requests took over 365 days to complete (3.1%). The chart below represents the number of requests completed (with percentage) per completion time for all completed requests.
Bar graph displaying completion time of requests as follows:
- 1 to 15 days: 169 requests (65%)
- 16 to 30 days: 42 requests (16%)
- 31 to 60 days: 13 requests (5%)
- 61 to 120 days: 12 requests (5%)
- 121 to 180 days: 7 requests (3%)
- 181 to 365 days: 11 requests (4%)
- Over 365 days: 8 requests (3%)
The Department sought extensions to the prescribed time limits in 25 requests, pursuant to section 15(1)(a)(i) for interference with operations and with 15(1)(ii) for consultations.
Deemed Refusal Rate
The Department’s deemed refusal rate in this reporting period (i.e., the percentage of personal information requests that received a response beyond the deadline required under the PA) was 15.65%, which means that 41 requests were closed past the legislated timelines. The deemed refusal percentage for the reporting period decreased compared to 20.83% in the 2023-2024 reporting period.
Line graph displaying deemed refusal rate as follows:
- 2022-2023: 15%
- 2023-2024: 20%
- 2024-2025: 15.6%
Outstanding Requests
TBS collects statistical data from specific institutions (of which the Department is one) on the volume of their outstanding requests for personal information. The Department carried forward a total of 135 requests from the reporting period, including previous reporting periods.
| Fiscal year open requests were received | Open requests that are within legislated timelines as of March 31, 2025 | Open requests that are beyond legislated timelines as of March 31, 2025 | Total |
|---|---|---|---|
| Received in 2024-2025 | 30 | 44 | 74 |
| Received in 2023-2024 | 0 | 20 | 20 |
| Received in 2022-2023 | 0 | 12 | 12 |
| Received in 2021-2022 | 0 | 11 | 11 |
| Received in 2020-2021 | 0 | 10 | 10 |
| Received in 2019-2020 | 0 | 4 | 4 |
| Received in 2018-2019 | 0 | 1 | 1 |
| Received in 2017-2018 | 0 | 1 | 1 |
| Received in 2016-2017 | 0 | 1 | 1 |
| Received in 2015-2016 or earlier | 0 | 1 | 1 |
| Total | 30 | 105 | 135 |
Disposition of Completed Requests
Of the 262 requests closed in the reporting period, 26 requests (9.92%) did not have any responsive records to provide, 184 requests (70.23%) were abandoned by the requestor (large number due to spam requests), two requests were exempted in their entirety (0.76%), 47 requests (17.95%) were disclosed in part, while three requests were released in their entirety (1.15%).
Bar graph displaying the dispositions of completed requests as follows:
- Disclosed in part: 47
- No relevant records: 26
- Abandoned: 184
- Released in their entirety: 3
- Exempted in their entirety: 2
Requests, Exemptions and Exclusions
Exemptions invoked
The Department applied exemptions under the PA for 73 requests during the reporting period. The most frequently invoked exemption was section 26, which was applied in 47 requests. This is followed by section 27, which was invoked in 23 requests, and then section 21, which was invoked in three requests.
Exclusions cited
Information was excluded under section 69(1)(a) for two requests during the reporting period.
Informal Requests
The Department published on the Open Government Portal summaries of completed requests that do not contain personal or third-party information. Members of the public can submit informal requests for a copy of the previously released information.
No informal requests were received or processed during this reporting period.
Format of Information Released
Most applicants (287 requests) chose to receive information in an electronic format (online or by email) during the reporting period. The Department continued to use delivery via E-post Connect, a service offered at no charge to the requestor, and which is now the office’s primary method of record delivery. It allows for secure delivery of records in an electronic format and circumvents the issue of email size restrictions and the need for the recipient to have a compatible device to access the records. Only six requestors chose to receive information in paper copies by mail.
Consultations
During the reporting period, the Department received 15 requests from other government institutions and no requests from other organizations requesting recommendations regarding records originating from, pertaining to, or of interest to the Department. In addition, seven consultations were carried over from previous years, for a total of 22 consultations. In total, the Department was asked to review 1276 pages for these consultations.
Of the 22 consultations, 18 were completed during the reporting period (862 pages) and the remaining four were carried forward to be completed in fiscal year 2025-2026.
The completion times for the nine consultations completed were the following:
- 10 consultations were completed within one to 60 days.
- Six consultations were completed within 61 to 180 days.
- One consultation was completed within 181 to 365 days.
- One consultation was completed past 365 days.
Salaries and Costs
The total cost for administering the PA during the reporting period was $1,337,845. This cost includes $1,208,564 in salaries and overtime, as well as operating costs totaling $129,281, which include $31,507 in professional service contracts.
These costs do not capture resources expended by the Department’s other sectors to meet the requirements under the PA.
Training and Awareness Activities
Training Sessions
The Department and ATIP Division continued to provide employee training to enhance understanding of the Acts, as well as employee wellbeing and professional development. Some training sessions are provided on an ad hoc basis, while others are scheduled routinely throughout the fiscal year.
Departmental ATIP Training for Department Employees
During the reporting period, the ATIP Division regularly provided advice and formal training on the application of ATIP and privacy legislation to the Department’s employees who must review relevant records requested under the PA or are completing initiatives with privacy risks.
Formal training is provided to ATIP employees, Department employees, and those with functional or delegated responsibility under the PA, to ensure they are aware of the policies, procedures, and legal responsibilities under the PA and Privacy Regulations.
Formal awareness information sessions are also offered to other sectors within the Department to address the specific business and operational needs of the individual groups. Presentations on various ATIP topics were provided via MS Teams or in person to almost 400 employees over the reporting period.
The ATIP Division recently updated its training resources and training decks during the reporting period to reflect changes to the privacy policy suite, as well as to highlight obligations in our newly developed internal policies.
CIPL, in the Public Law and Legislative Sector of the Department, is responsible for providing legal advice to all departments on the interpretation and application of the ATIA and PA. It also offers training to departmental employees and to employees from other government departments.
ATIP training is part of the recommended courses under the values and ethics component of the Department’s Roadmap for new managers. An e-orientation deck is posted on the Department’s Intranet site for employee consultation.
Departmental informal training sessions will continue to be provided throughout the 2025-2026 fiscal year.
Internal ATIP Division Training
The ATIP Division worked to ensure employees receive integral training to support their development, success, and wellbeing. Along with internal standard operating procedures and policies, ATIP Division employees also completed mandatory departmental training on issues such as security and cultural sensitivity.
The Department’s ATIP Division employees participated in a collection of awareness sessions with ATIP legal counsel to review recent jurisprudence and case law related to the PA. The ATIP Counsel participated in monthly ATIP Practice Group meetings during which information was exchanged and solutions proposed. The Practice Group is open to all Departmental legal counsel, including those from Legal Services Units, and its mandate is to discuss questions such as the right of access to information and privacy issues.
In addition, workshops and presentations were regularly provided within the ATIP Division on various topics concerning the application of the PA and related policy and procedures. This allowed the Department’s ATIP Division employees to benefit from each other’s experience and knowledge.
The Privacy Policy and Programs Unit invited the OPC’s Government Advisory Directorate to provide a training session to the ATIP Division. The session offered helpful information on PIAs and disclosures under section 8(2) of the PA, as well as an opportunity for questions and clarifications.
The ATIP Division also invited an external trainer to deliver a session on Exemption and Exclusion Provisions Under the ATIA and PA, providing an opportunity for the Division to engage in useful discussions and stay up to date on best practices.
Complaints, investigations and federal court cases
Complaints Filed
The ATIP Division has a dedicated team to manage complaints, serving as the primary liaison between the Department and the OPC. The team continued to work to strengthen relationships and improve the Department’s ATIP program performance. A complaints mailbox is also available to streamline complaints.
During the reporting period, the Department received 8 Notices of Intention to Investigate from the OPC. The reasons for the complaints were as follows:
- two were related to delay.
- six were related to exemption.
- one was related to refusal.
Note: there can be multiple complaints related to one file.
Active Complaints
The chart below represents the number of active complaints with the OPC that are outstanding from previous reporting periods, broken down by the fiscal year in which they were received.
Two complaints remain active after the current reporting period.
Bar graph displaying active complaints as follows:
- 2024-2025: 1
- 2023-2024: 0
- 2022-2023: 1
- 2021-2022: 0
- 2020-2021: 0
Key Issues and Actions Taken on Complaints
During the reporting period, key issues raised by privacy complaints received by the Department included:
- Missing records or no records
- Exemption application
- Delays on files
- Administrative issues (e.g., charging of fees)
The ATIP Division took prompt action to resolve privacy complaints received during the reporting period. This included following up with OPIs to confirm the existence—or lack thereof—of records, as well as conducting new searches with OPIs to locate additional records. The application of exemptions in certain cases was also re-examined and confirmed with the OPI to assure its accuracy, as it relates to the records.
Delayed files were also prioritized through action plans, with analysts reassigned as necessary to successfully process the file within the designated timeframe. The ATIP Division also evaluated and provided comprehensive background on the reasoning for time extensions taken, as they relate to the complexities of the file.
Completed Investigations
The OPC may choose to investigate multiple files under one complaint. The number of investigations does not show how many files are being investigated, and there may be multiple finding dispositions based on the number of files investigated through a single complaint. A total of six investigations were completed during the reporting period, some of which had been carried forward from previous years. Of the six investigations:
- one was not well founded
- one was well founded
- one was resolved and well founded
- one was settled
- one was discontinued
- one ceased to investigate
Well founded: The institution contravened the provision of the PA.
Well founded and resolved: The institution contravened a provision of the PA but has since taken corrective measures to resolve the issue to the satisfaction of the OPC.
Not well founded: There was no or insufficient evidence to conclude the institution/organization contravened the privacy legislation.
Resolved: The investigation revealed that the complaint is essentially a result of a miscommunication, misunderstanding, etc., between parties; and/or the institution agreed to take measures to rectify the problem to the satisfaction of the OPC.
Settled: The OPC helped negotiate a solution that satisfied all parties during the investigation and did not issue a finding.
Discontinued: The investigation was terminated before the allegations were fully investigated.
Early Resolution: Applied to situations in which the issue is resolved to the satisfaction of the complainant early in the investigation process and the OPC did not issue a finding.
Review by the Federal Court of Canada
During the reporting period, there were no applications filed before the Federal Court pursuant to section 41 of the PA.
Audits Conducted by the Privacy Commissioner
During the reporting period, no formal investigations were conducted by the Privacy Commissioner.
Monitoring compliance
The ATIP Division regularly monitored compliance with statutory requirements and timeliness associated with the processing of requests through ongoing communication with senior management and OPIs as necessary.
The workload was assessed daily, through the ATIP Case Management System, to ensure that workload was evenly distributed and effectively managed to meet statutory deadlines.
The Privacy Policy and Programs Unit reviews contracts, agreements, and arrangements to ensure that privacy protections are included and that they are compliant with guidance from TBS.
The reading rooms at the Department’s headquarters in Ottawa and those located in the regional offices across Canada make available to the public the most recently published version of Info Source, as well as departmental publications and manuals. Many of these publications can be found on the Department’s website and the Treasury Board Secretariat’s websites.
Requests for the Correction of Personal Information
Paragraph 12(2)(a) of the PA provides that every individual who is given access to personal information about themselves that has been used, is being used, or is available for use for an administrative purpose is entitled to request correction of such information where the individual believes there is an error or omission therein.
The Department did not receive any requests for correction of personal information during the reporting period.
Administration of personal information
Advice
The ATIP Division acted as a resource on several occasions for Departmental officials as well as those from other government institutions, offering advice and guidance on the provisions of the legislation as well as related policies. The ATIP Division was consulted on the collection, use, disclosure and disposal or retention of personal information on a wide range of issues.
During the reporting period, the Department’s ATIP Division responded to a total of 109 formal and informal privacy advice requests. These included advice on Privacy Notice Statements, Protocols for Access to Employee Network Account requests, human resources projects, software and security-related procedures and documents, as well as publications.
Public Interest Disclosures
Paragraph 8(2)(m) of the PA permits the disclosure of personal information in situations where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or when the disclosure would clearly benefit the individual to whom the information relates. The Privacy Commissioner must be informed of disclosures to be made under these provisions. During the reporting period, the Department did not disclose any personal information pursuant to paragraph 8(2)(m) in any instances.
Material Privacy Breaches
During the reporting period, the Department reported one material breach to the OPC and to TBS Access to Information and Privacy Policy Division.
Misdirected Email Correspondence: An employee at the Department sent an email to the incorrect recipient in error, due to the wrong email being manually entered into the case management system. The email sent was in response to an email chain containing previous email correspondence between the Canadian public and the program. The email contained the original email sent to the office, which contained personal information about a crime committed against them, as well as their full name and email address. The breach was contained and reported to the TBS and the OPC.
Non-Material Privacy Breaches
The ATIP Division handled 16 non-material privacy breaches and privacy-related incidents throughout the reporting period. These files included personal information mistakenly shared through errors in email attachments, incorrect recipients, incorrect redactions, as well as unauthorized access and permissions granted in error.
Privacy Impact Assessments
Completed Privacy Impact Assessments
The Department has completed three PIAs during the reporting period.
LEX System: The Justice legal case management system (LEX) is an application used to support the practice of law and the management/delivery of legal services to the Government of Canada. It includes the following functions: legal file management; timekeeping management; document management and operational dashboards and reports. The system is used by managers, counsels, paralegals, and administrators involved in the provision of litigation, advisory, policy, legislation and regulatory drafting services in headquarters, regional offices and Departmental Legal Services Units.
Internet Evidence Gathering: A PIA was conducted regarding the privacy impacts associated with the collection, use, disclosure and retention of personal information and internet evidence by the Department from social media and other internet sites for use as evidence in civil litigation. Although litigation teams at the Department have, from time to time, engaged in the collection and use of personal information from social media sites as evidence in the context of civil litigation – in keeping with industry practices – formal policies and procedures governing those activities have not, until recently, been put in place. The Department launched an internal review of its online search and collection activities with a view to assessing the operational merits and impacts of those activities.
Vidcruiter: Vidcruiter is a Canadian company that offers an online video and pre-recording interviewing platform, as well as many different functionalities for human resources and hiring. A PIA was conducted to assess the use of this technology for staffing purposes, and to adopt its long-term or permanent use.
Completed PIAs at the Department can be viewed on Info Source.
Ongoing Privacy Impact Assessments
Five PIAs have also been initiated or carried over from a previous reporting period. They are at various stages of completion. These active PIAs are primarily related to human resources functions and departmental-specific legal programs, including:
Social Media Monitoring: The Department’s Communications Branch has an interest in using a social media monitoring tool for searching, monitoring and analysis of social media traffic on issues relevant to the Department. As social media volumes are too large to navigate manually, the use of a tool allows the Department to engage in more targeted and broad searches of social media content, and see the information presented in a more consolidated fashion. Such a tool would allow the Department to better understand current opinions, sentiment and overall conversation on specific departmental issues to create communications products that resonate with target audiences.
Talent Management: The Department has implemented new Talent Management Plans and Talent Management (TM) processes for senior legal practitioners and non-senior cadres. Under these TM processes, the Department’s Human Resources Branch (HRB) plans to collect EE / ESG information. Due to HRB collecting, using, disclosing, and retaining personal information from process participants, and where that information may be used for administrative purposes, a PIA was considered important in protecting the privacy of the Department’s employees.
Office of the Federal Ombudsperson for Victims of Crime: The Office of the Federal Ombudsperson for Victims of Crime (OFOVC) ensures that the federal government meets its responsibilities to victims of crime. The OFOVC is currently implementing a new case management system.
Family Orders and Agreements Enforcement Assistance Act Program: The Department administers the Family Orders and Agreements Enforcement Assistance Act (FOAEAA) program. Under the FOAEAA, by means of the applications, authorized persons can request assistance from the federal government to locate individuals in default of family obligations, to comply with legal garnishee summonses served on the Crown, and to deny or suspend federal licenses.
Annex A – Delegation order
The Department of Justice’s Delegation Order for the Access to Information Act and Privacy Act
The Minister of Justice of Canada pursuant to subsections 95(1) of the Access to Information Act and 73(1) of the Privacy Act, hereby delegates any powers, duties and functions under the Acts to the persons holding the positions set out in the schedule hereto, as well as to the persons occupying those positions on an acting basis. This delegation order replaces any previous delegation order.
Schedule
Position: The Deputy Minister and Associate Deputy Minister
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)
Position: The Director, Access to Information and Privacy Office
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)
Position: The Chief Financial Officer and Assistant Deputy Management Sector
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)
Position: The Senior General Counsel and Director General, Legal Practices Branch
Privacy Act and Regulations: Full Authority
Access to Information Act and Regulations: Full Authority (including for the Act as it was prior to June 21, 2019)
Position: The Chief of Operations, Chief of Policy and Legal Counsel, Access to Information and Privacy Office
Privacy Act and Regulations: 15, and the mandatory provisions of section 26 for all records
Access to Information Act and Regulations: 8(1), 9, 11, and the mandatory provisions of section 19 for all records
Position: The Senior Access to Information and Privacy Advisors
Privacy Act and Regulations: 15 for all records
Access to Information Act and Regulations: 8(1) and 9 for all records
Dated, at the City of Ottawa, this day of Oct 02, 2024.
Signed by the Honourable Arif Virani, Minister of Justice.