Privacy Act, 2008-2009


The Privacy Act protects the privacy of individuals with respect to personal information about themselves held by a government institution and provides individuals with a right of access to that information.

Section 72 of the Privacy Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of this Act during each financial year. This report describes how the Correctional Service Canada (CSC) fulfilled its privacy responsibilities during the reporting period covering 2008-2009.


CSC contributes to public safety by administering court-imposed sentences for offenders sentenced to two years or more. This involves managing institutions (penitentiaries) of various security levels and supervising offenders on different forms of conditional release, while assisting them to become law-abiding citizens. CSC also administers post-sentence supervision of offenders with Long Term Supervision Orders for up to 10 years.

CSC works closely with its Public Safety Portfolio partners, including the Royal Canadian Mounted Police, the National Parole Board, the Canada Border Services Agency, the Canadian Security Intelligence Service, and three review bodies, including the Office of the Correctional Investigator.

In consideration of CSC's mandate the agency collects and retains a substantial amount of personal information.


CSC is organized into three levels of management: national, regional and local operations. The Access to Information and Privacy Division reports to the Director General of Rights, Redress and Resolution, under the Policy Sector, and is responsible for the overall administration of the Access to Information Act and Privacy Act. In addition, each region and institution has an Access to Information and Privacy (ATIP) liaison which assists the national ATIP Division in administering its overall responsibilities.

The responsibilities of the ATIP Division are:

  • respond to access to information and privacy requests including consultation requests from other government institutions and informal requests for information;
  • respond to public and internal inquiries relating to the administration of the Access to Information Act and Privacy Act;
  • promote awareness and providing training regarding the Access to Information Act and Privacy Actand related policies and guidelines;
  • develop corporate-wide Access to Information and Privacy policies and practices to guide access to and protection of personal information;
  • oversee and manage privacy breaches;
  • coordinate and oversee the Privacy Impact Assessment Process;
  • revise Info Source and modify information holdings and personal information banks as required;
  • liaise and coordinate efforts with Information and Privacy Commissioners, other government departments and agencies and other key stakeholders;
  • analyse privacy practices in relation to CSC programs and policies.

As a result of an approved business case developed by the ATIP Division in fiscal year 2006-2007, the Division received additional permanent resources which resulted in staffing six administrative positions, three junior ATIP analysts, seven ATIP analysts, six senior ATIP analysts, two team leaders and two deputy directors this reporting period.

In consideration of the sensitive information CSC ATIP handles, on a daily basis, recruitment of knowledgeable and experienced ATIP professionals remains an ongoing challenge. It is anticipated that the new senior ATIP analyst positions and two additional deputy director positions will promote greater retention of the current staff; this promotes job advancement opportunities for experienced analysts who would otherwise have to move to another government institution for advancement opportunities. The retention of competent ATIP analysts allows for them to develop a much needed specialty in public safety issues. Retaining such analysts is paramount to improving CSC's compliance rates and for overall better administration of the legislation.

There are a total of 54 FTEs in the CSC ATIP Division.


During the reporting period, training on both the Access to Information Act and Privacy Act was delivered to approximately 100 employees in various sectors at national headquarters, as well as to approximately 300 employees in the Pacific Region. The ATIP Division has provided training in all regions in the last two reporting years, with the exception of the Quebec region where their ATIP liaison provides general ATIP training on a regular basis. During fiscal year 2009-2010, the ATIP Division will also travel to each of the regions to promote the recently developed Privacy Breach Guidelines and deliver awareness sessions to all sectors of NHQ.

A policy and training unit was created during this reporting period, which will play a fundamental role in developing a comprehensive learning and training plan geared to various parts of the organization on ATIP related matters, such as processing requests under both the Access to Information Act and Privacy Act, privacy breaches, Privacy Impact Assessments, and other related policies and guidelines. Though this unit only consisted of one permanent FTE during the reporting period, the unit will be expanding during fiscal year 2009-2010.


As highlighted in the 2007-2008 ATIP Annual Report, recruitment and training of new ATIP analysts, combined with the high volume of requests, continue to make meeting compliance a challenge. It is expected that, with more training and mentoring, and with increased retention of the current ATIP staff, compliance rates will increase in future reporting years.


In 2008-2009, CSC received 6,809 Privacy Act requests, a slight decrease from fiscal year

2007-2008. 1,925 requests were carried over from that year totaling 8,734 requests which required processing. A total of 860,107 pages were processed. In addition, the Division processed 179 informal requests for personal information relating to harassment and disciplinary investigation reports, as well as 67 consultations from other government institutions and 2,146 miscellaneous requests for personal information consisting of requests for correctional records for Indian Residential School claims.

The Division completed 5,410 requests during the reporting period, which is 1,334 fewer than those completed in fiscal year 2007-2008. This decrease is attributed to the fact that several of the more experienced ATIP analysts who processed Privacy Act requests in the previous reporting year were promoted to senior ATIP analyst positions primarily responsible for processing Access to Information Act requests. New analysts responsible for processing requests under the Privacy Act required ongoing mentoring and training from their managers. Further challenges were faced as a result of multiple selection processes conducted during the year, which took managers away from their regular responsibilities.

Of the 5,410 requests completed during the reporting period, 1,090 requests were full disclosures, 3,207 were partial disclosures, 39 were withheld in their entirety, 666 were unable to process resulting from no records existing, 396 were abandoned by the applicant and 12 were transferred to other federal government institutions.


A breakdown of the exemptions/exclusions applied during this reporting period is as follows:

Exemption/Exclusion Description Number of times applied
Information obtained in Confidence 757
Federal Provincial Affairs 1
International Affairs and Defence 2
Law Enforcement and Investigation 2078
Individual sentenced for an offence 818
Safety of Individuals 43
Information about another individual 3,011
Solicitor-Client Privilege 22
Cabinet Confidences 1

Method of Access

Where information was available for release, copies were provided in 4,055 cases, examination in 16 of the cases and in 226 cases, examination was requested and copies were subsequently made.


A total of 894 extensions were required for the reasons outlined in the chart below:

Category 2
Interference 706
Consultation 184
Translation 4

Completion Time

During the reporting period, CSC completed 1,656 requests in less than 30 days, 1,306 between 31 and 60 days, 969 requests between 61 to 120 days, and 1,479 were completed in over 121 days.


The Office of the Privacy Commissioner (OPC) notified CSC of 177 complaints with regard to responses to Privacy Act requests that CSC processed. At the end of the reporting period, 79 findings were issued for these complaints: 64 were deemed well-founded; however the vast majority of these were time limit complaints. Five complaints were discontinued, five were deemed not well-founded", three were settled during the course of the investigation and two were resolved during the course of the investigation. The remaining complaints are still under investigation.

In addition, 177 findings were made in relation to complaints carried forward since fiscal year 2003-2004. Sixty of these were deemed not well-founded", 76 were well-founded, 21 were settled during the course of the investigation, 17 were discontinued and three were resolved.

CSC also received 10 complaints in regards to inappropriate use and disclosure of personal information (privacy breaches). Four findings were issued further to OPC investigation, which consisted of two "well-founded" complaints, one "discontinued" and one "settled" during the course of the investigation. The remaining complaints are still under investigation.


During the reporting period, CSC made 115 disclosures of personal information to an investigative body pursuant to 8(2)(e) of the Privacy Act. CSC also disclosed personal information pursuant to section 8(2)(f) [disclosure under an agreement or arrangement between the Government of Canada or an institution thereof and the government of a province]and 8(2)(g) [to a member of Parliament for the purpose of assisting the individual to whom the information relates]. (comment: are there numbers for the 8(2)(e) and 8(2)(f) pieces or are they part of the 115 quoted above?)

CSC disclosed personal information pursuant to 8(2)(m) of the Act [in the public interest or disclosure would clearly benefit the individual to whom the information relates] in 14 cases. These disclosures all related to information contained in investigation reports with regard to incidents involving serious bodily harm or death of an offender and were normally made to family members. In all cases the Office of the Privacy Commissioner was notified prior to the disclosure of the information and had no concerns.


During this reporting period a Privacy Management Framework (PMF) was approved in response to both an internal privacy audit conducted in 2006 and another by the Office of the Privacy Commissioner concerning Preliminary Impact Assessments.

The purpose of the PMF is to assist CSC in identifying improvements in its handling of personal information at the operational level and when developing new programs, as well as:

  • promoting collaboration within CSC in the management of personal information;
  • encouraging involvement in the management of personal information by Sectors, Regions, Institutions and Parole Offices;
  • enabling CSC to meet its legislated obligations under the Privacy Act;
  • demonstrating to stakeholders (public, victims, criminal justice partners etc.) that its personal information holdings are managed effectively, thus contributing to the goal of public safety.

Consistent with CSC's priority of strengthening management practices, the PMF will ensure that privacy is a core consideration in the management of personal information, so that policy and program development, management practices and service delivery reflect the spirit and requirements of the Privacy Act and, ensuing legal obligations are met in an environment of ongoing change.

As an operationally focused organization, CSC requires a means to communicate internally any risk issues affecting the collection, use and/or disclosure of personal information. In order to achieve this goal, and as recommended in the PMF, a Privacy Committee was established with a membership of senior officials and chaired by the Assistant Commissioner Policy Sector. The role of the Committee is to ensure that privacy is a core consideration in CSC's responsibilities

towards the public, employees, and offenders. More specifically the Committee is mandated to:

  • oversee the implementation of the PMF;
  • provide senior level review of privacy issues and challenges to the management of personal information at the operational level;
  • facilitate "culture" change so that NHQ, regional and institutional management and staff are engaged in mitigating risks in handling personal information;
  • review particular risk issues (privacy breaches, Privacy Impact Assessments) and monitor implementation of Treasury Board's PIA Policy;
  • analyze the impact on CSC of privacy issues raised by the privacy community, e.g. the Office of the Privacy Commissioner of Canada; and
  • promote Privacy Guidelines

The Committee held its first meeting in February 2009, and approved guidelines entitled "Interactions" which describe the relationship between the ATIP Division and CSC's Sectors, Regions, Institutions, District Offices and Parole Offices as it relates to overall responsibility and obligations ensuing from the Privacy Act and Treasury Board Secretariat (TBS) policies. The committee also reviewed and commented on guidelines developed for handling of privacy breaches in CSC. These guidelines, which serve to assist employees of CSC in dealing with privacy breaches, describe the process in the event of a breach, how they are to be reported, and how to conduct privacy risk assessments. It is anticipated that these guidelines will receive final approval by the Committee by summer 2009.


During this reporting period, CSC completed one Privacy Impact Assessment on the Electronic Monitoring Pilot Program (EMPP). The EMPP is a one year pilot project that will allow CSC to test the efficacy of using GPS technology as a supervision tool to assist in managing higher-risk offenders in the community. Furthermore, the EMPP will allow CSC to identify future needs and requirements in relation to a larger-scale, national electronic monitoring program. The privacy impact assessment examined potential privacy risks associated with this program and took appropriate actions to address these.

At the end of this reporting period there were three ongoing Privacy Impact Assessments which are expected to be completed during the next reporting period:

Computerized Mental Health Information Screening System (COMHISS) - CMHISS is a mental health screening process that is comprised of a computer administered psychometric test battery that objectively measures indicators of mental health including, but not limited to, depression, suicidal ideation, anxiety, and obsessive compulsive and psychotic disorders.

Data matching initiative between CSC Research Sector and the Institute for Clinical Evaluation Services (ICES) - The ICES initiative would serve to identify patterns of medical services utilization among Ontario Women with, and without, substance abuse problems.

Express Lane Staffing - An electronic service delivery tool internal to CSC used to make low risk staffing actions.


A total of $2,816,263.00 was spent in salary budget and $35,310.00 in operational spending.