Annual Report to Parliament on the Administration of the Privacy Act 2017-2018

Introduction

The purpose of the Privacy Act is to extend the laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal government institution, and to provide individuals with a right of access to that information.

Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust.

This is the fifth annual report prepared by the Communications Security Establishment (CSE) and tabled in Parliament in accordance with section 72 of the Act. It presents an overview of the agency’s activities and describes how the Access to Information and Privacy (ATIP) Office carried out its responsibilities under the Privacy Act during the reporting period 1 April 2017 to 31 March 2018.

Mandate of the Communications Security Establishment

In accordance with subsection 273.64(1) of the National Defence Act, CSE has a three-part mandate:

  1. To acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
  2. To provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
  3. To provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

The National Defence Act requires that CSE take appropriate measures to protect Canadians’ privacy. The independent CSE Commissioner reviews those measures to ensure they follow the requirements of the Act.

Structure of the Access to Information and Privacy Office

The ATIP Office is part of the Policy, Disclosure and Review group in CSE’s Policy and Communications Branch. The Minister of National Defence delegated all authorities under section 73 of the Privacy Act to the Deputy Chief, Policy and Communications; also the CSE ATIP Coordinator and Chief Privacy Officer for CSE, and most authorities to the Director, Disclosure, Policy and Review and to the Manager, Disclosure Management (previous Manager, ATIP). A copy of the Delegation Order setting out the responsibilities under the Act appears in Appendix I of this report.

The protection of privacy is a fundamental part of our organizational culture and remains of paramount importance in all functions across the organization. The ATIP Office includes a manager responsible for seven (7) full-time positions working in two distinct teams: ATIP Operations and Privacy Policy and Governance (PPG). The ATIP Operations team includes one (1) supervisor, two (2) analysts and one (1) support officer. The PPG consists of one (1) supervisor and two (2) analysts.

In addition to preparing reports for Parliament and Treasury Board Secretariat (TBS), the ATIP Office acts on behalf of CSE as the delegated authority in dealings with TBS, and representatives of the federal Information and Privacy Commissioners regarding CSE’s administration of legislation.

Specifically, the ATIP Operations team is responsible for the following activities:

  • Processing requests under the Access to Information Act and Privacy Act;
  • Responding to consultation requests from other government institutions;
  • Providing advice and guidance to senior management and staff of CSE on ATIP legislation and policy-related matters;
  • Supporting CSE’s legislative compliance obligations under the Acts, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in ATIP Communities of practice, such as the TBS ATIP Community meetings;
  • Drafting and implementing internal ATIP procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Access to Information Act and the Privacy Act.

The Privacy Policy and Governance team is responsible for the following activities:

  • Providing advice and guidance to senior management and staff of CSE on privacy legislation and policy-related matters;
  • Providing expert privacy advice and assistance to business lines in the undertaking of Privacy Impact Assessments, privacy breach management, drafting of Privacy Notice Statements, and maintenance of Personal Information Banks;
  • Supporting CSE’s legislative compliance obligations under the Privacy Act, including the application of their associated regulations, policies and guidelines;
  • Representing CSE in privacy protection communities of practice;
  • Coordinating the annual update of the institution’s Info Source publication, which includes a description of the agency’s organizational structure and record holdings;
  • Drafting and implementing privacy-related internal procedures, guidance documents and working aids; and,
  • Providing training to CSE staff on the administration of the Privacy Act focusing on the protection of personal information.