Annual Report to Parliament on the Administration of the Privacy Act 2017-2018

Statistical Report on the Administration of the Privacy Act

Number of Formal Requests

During this reporting period, CSE received 10 requests under the Privacy Act. In addition, five (5) requests outstanding from the previous reporting period were carried over, giving CSE a total of 15 requests to process. This is a decrease from the previous fiscal year, when 23 new requests were received. By the end of 2017-2018, CSE closed eight (8) requests and carried forward seven (7) into 2018-2019.

Disposition of Completed Requests

CSE closed 8 requests during this reporting period. Of these, four (4) were disclosed in part, one (1) resulted in no records and two (2) were abandoned by the applicant. There was also one (1) request where the existence of records was neither confirmed nor denied. This can be attributed to a request for records which, if they exist, would be located in CSE’s exempt personal information bank (CSE PPU 040) which contains records relating to CSE’s foreign intelligence files. No requests were disclosed in full.

Table: Disposition of Completed Requests
Disposition Number of Requests
2013-2014 2014-2015 2015-2016 2016-2017 2017-2018
Disclosed in part 10 7 7 6 4
All Exempted 8 0 0 0 0
No records exist 39 10 3 8 1
Request abandoned 10 5 5 2 2
Neither confirm nor Deny   2 1 6 1

Neither Confirm Nor Deny

Section 16(2) of the Act states that institutions do not have to tell a requester whether a record exists. When notifying a requester that it is invoking this provision, institutions must also indicate the part of the Act on which a refusal could reasonably be expected to be based if the record existed. Section 16(2) was designed to address situations in which the mere confirmation of a record’s existence (or non-existence) would reveal information that could be protected under the Act. It is recommended that the application of section 16(2) be limited to circumstances where the confirmation or denial of the existence of a record would be injurious to Canada’s foreign relations, the defence of Canada, law enforcement activities and the safety of individuals, and the possible disclosure of personal information. The application of subsection 16(2) was used on one (1) occasion during the 2017-2018 fiscal year.

Completion Time

During the 2017-2018 Fiscal Year, seven (7) of the completed Privacy Requests were closed within the legislative timeframe. The efficiency of the processing of Privacy Act requests has increased since CSE received its delegation in 2013. In general, the requests received during 2017-2018 were also less complex than those received in previous years.

Table: Completion Time
Completion Time Number of Requests
2013-2014 2014-2015 2015-2016 2016-2017 2017-2018
Closed within 30 days 52 18 12 22 7
31 to 60 days 5 1 0 0 0
61 to 120 days 9 1 2 0 1
121 to 180 days 1 0 0 0 0
181 to 365 days 0 1 1 0 0
More than 365 days 0 3 1 0 0

Exemptions to the Release of Information

The most common exemptions applied at CSE were sections 21 and 26 of the Privacy Act. Of the four (4) requests that were disclosed in part, section 21 was applied in all cases to protect information which could be reasonably expected to be injurious to the defence of Canada. Section 26 was applied in three (3) requests to protect information about an individual other than the applicant. The application of these exemptions is consistent with previous reporting periods.

Extension of the Time Limit

One (1) extension, based on Section 15 (a)(i) of the Privacy Act relating to interference of operations, was taken on requests under the Privacy Act during the 2017-2018 fiscal year.


CSE was consulted on two (2) requests during 2017-2018. These requests, received from another federal government institution, contained a total of 64 pages and were both closed during the reporting period. This number is consistent with consultations that were received in previous reporting periods.

Disclosure of Personal Information Under Paragraph 8(2)(m)

Subsection 8(2) of the Privacy Act describes the circumstances under which a government institution may disclose personal information under its control without the consent of the individual to whom the information relates. Such disclosures are discretionary and are subject to any other Act of Parliament.

Paragraph 8(2)(m) stipulates that an institution may disclose personal information for any purpose where, in the opinion of the head of the institution, the public interest in the disclosure clearly outweighs any invasion of privacy that could result from it or where the disclosure would clearly benefit the individual to whom the information relates.

CSE did not disclose any personal information pursuant to paragraph 8(2)(m) during the reporting period.

Fees and Costs

Total expenditures to administer the Privacy Act were $358,603. This represents the forecasted increase in expenditures from the previous fiscal year due to the establishment of the Privacy Policy and Governance team.

Complaints, Judicial Review and Audits

Individuals who are not satisfied with the processing of their privacy request or who feel that their personal information has been improperly collected, used or disclosed can file a complaint with the Office of the Privacy Commissioner of Canada.

CSE received two (2) complaints during the fiscal year. Two (2) previously-existing complaints were closed. One complaint was settled in the course of investigation, while the other was resolved, but is presently under judicial review in 2017-2018.

CSE’s Audit and Evaluation team continued their audit of CSE’s compliance with the Government of Canada Privacy Act and Privacy Regulations. The audit focuses on CSE’s compliance with the Privacy Act. It assess the extent to which CSE has developed and effectively uses its policy framework and administrative practices, ensuring sufficient governance, controls and risk management processes are in place to protect and manage personal information. The results and recommendations following this audit are expected in 2018-2019.

Monitoring Compliance

Using our case management software, the ATIP Office continued to produce reports on the time taken to process requests. These reports were shared with our ATIP Coordinator throughout the fiscal year. CSE’s Executive Committee (made up of DM and ADM level executives) is also informed of the status of Privacy Act requests on a weekly basis. CSE will continue to focus on improving our timeliness in 2018-2019.

Material Privacy Breaches

There were no material privacy breaches reported during the 2017-2018 fiscal year.