Annual Report to Parliament on the Administration of the Access to Information Act 2018-2019

Introduction

The purpose of the Access to Information Act is to extend the present laws of Canada to provide a right of access to information in records under the control of a federal government institution in accordance with the principles that:

  • government information should be available to the public;
  • necessary exceptions to the right of access should be limited and specific; and
  • decisions on the disclosure of government information should be reviewed independently of government.

This is the sixth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Access to Information Act during the reporting period 1 April 2018 to 31 March 2019.

Mandate of the Communications Security Establishment

In accordance with subsection 273.64(1) of the National Defence Act, CSE has a three-part mandate:

  1. To acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
  2. To provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
  3. To provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Policy, Disclosure and Review group in CSE’s Policy and Communications Branch. The Minister of National Defence delegated all authorities under section 73 of the Access to Information Act to the Deputy Chief, Policy and Communications, the Director General, Policy, Disclosure and Review, the Director, Disclosures and Information Sharing, the Manager, Disclosures, and Supervisor, Access to Information and Privacy Operations. A copy of the Delegation Order setting out the responsibilities under the Act appears in Appendix I of this report.


The Access to Information and Privacy Office includes a manager responsible for twelve (12) mandated full-time positions working in two distinct teams: ATIP Operations and Privacy Policy and Governance (PPG). At the end of the reporting period, the ATIP Operations team consisted of one (1) supervisor, four (4) analysts and one (1) support officer, while the PPG consists of one (1) supervisor and two (2) policy analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of legislation.

Specifically, the ATIP Operations team is responsible for the following activities:

  • Processing requests under the Access to Information Act and Privacy Act;
  • Responding to consultation requests from other government institutions;
  • Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
  • Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

  • Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
  • Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in privacy protection communities of practice;
  • Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
  • Drafting and implementing privacy-related internal procedures, guidance documents and working aids; and, Providing training to CSE staff on the administration of the Privacy Act with regards to the protection of personal information.