Annual Report to Parliament on the Administration of the Privacy Act 2017-2018

Key Activities and Accomplishments

Education and Training

Privacy training at CSE ensures all employees are informed of their responsibilities with regard to the management of personal information in both mission and non-mission related activities. In 2017-2018, the ATIP Office delivered 8 comprehensive privacy awareness training sessions, reaching a total of 170 personnel. CSE’s commitment to the learning and development of its employees will continue with additional sessions in 2018-2019.

Additional privacy educational initiatives in 2017-2018 included promoting privacy awareness through the presentation of Privacy Awareness Week at CSE from May 15, 2017 to May 21, 2017. The Privacy Awareness Week gave the ATIP office the opportunity to further educate employees of their responsibilities with personal information and of the various resources available to them, including the Privacy Policy and Governance Office and Privacy Awareness Training.

Collectively, these efforts have increased awareness across the organization, resulting in a greater number of program managers and stakeholders consulting with CSE’s ATIP Operations Office and Privacy Policy and Governance Office for guidance on CSE privacy policies, procedures, and best practices for personal information management. A number of new initiatives promoting privacy awareness are planned throughout 2018-2019.

Institutional Privacy Policies and Procedures

The CSE privacy policy suite includes a broad-scoped CSE Administrative Privacy Policy promulgated October 2016. It outlines CSE’s obligations to manage and protect personal information in the course of its corporate functions in accordance with the Privacy Act, its regulations and Treasury Board Secretariat (TBS) policies relating to privacy. The Policy on Privacy Breaches for Non-Mission Related Activities outlines CSE’s obligations in the event of a privacy breach relating to non-mission activities. CSE did not make any changes to the privacy policy suite during the reporting period.

The Privacy Policy and Governance Office implemented Access Pro Case Management as its case management system. This system allows the Privacy Policy and Governance team to create, track and complete ongoing cases including Privacy Needs Analysis (PNA), Privacy Impact Assessment (PIA), Privacy Queries, and other projects.

Most notably, the PPG team revamped its privacy breach documentation to streamline its internal privacy breach investigation process. In 2018-2019, PPG plans to update the PNA form based on CSE client feedback, in order to further enhance CSE’s privacy considerations.

Other Initiatives

Coinciding with Privacy Awareness Week, CSE officially launched the Privacy, Policy and Governance Office website. This website provides CSE employees with information on privacy accountabilities, responsibilities and activities. CSE employees can access important resources and tools via the website to support the development of Privacy Notice Statements, Privacy Needs Analysis, Privacy Impact Assessments, Privacy Breach investigations, Personal Information Banks and to request Privacy Awareness Training.

ATIP Operations implemented an initiative with its Offices of Primary Interest (OPIs) in order to increase efficiency and timeliness in the processing of requests by shifting the initial review of records to the ATIP Office. This initiative will continue to be monitored for effectiveness throughout the next fiscal year.

Privacy Impact Assessments

Privacy Policy and Governance is currently drafting summaries for Privacy Impact Assessment completed to date, with the intention of posting them in 2018-2019.

During the 2017-2018 reporting period, CSE completed one (1) Privacy Impact Assessment pertaining to CERRID2. CERRID2 is CSE’s corporate electronic document repository (EDRMS) for official unclassified and classified documents. CERRID2 allows authorized users to create, save, share, find and protect records through the application of business rules, roles and access-based authentication controls.

In addition to the Privacy Impact Assessments, Privacy Policy and Governance received forty-three (43) Privacy Needs Analyses, and completed forty-two (42), during the 2017-2018 reporting period of activities and systems that CSE is considering to implement to support its programs.