Privacy Act, 2009-2010

INTRODUCTION

The Privacy Act protects the privacy of individuals with respect to personal information about themselves held by a government institution and provides individuals with a right of access to that information.

Section 72 of the Privacy Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of this Act during each financial year.  This report describes how the Correctional Service Canada (CSC) fulfilled its privacy responsibilities during the reporting period covering 2009–2010.

ORGANIZATION

CSC contributes to public safety by administering court-imposed sentences for offenders sentenced to two years or more.  This involves managing institutions (penitentiaries) of various security levels and supervising offenders on different forms of conditional release, while assisting them to become law-abiding citizens.  CSC also administers post-sentence supervision of offenders with Long Term Supervision Orders for up to 10 years.

CSC works closely with its Public Safety Portfolio partners, including the Royal Canadian Mounted Police, the National Parole Board, the Canada Border Services Agency, the Canadian Security Intelligence Service, and three review bodies, including the Office of the Correctional Investigator.

In consideration of CSC's mandate the agency collects and retains a substantial amount of personal information.

THE ACCESS TO INFORMATION AND PRIVACY DIVISION

CSC is organized into three levels of management: national, regional and local operations.  The Access to Information and Privacy Division reports to the Director General of Rights, Redress and Resolution, under the Policy Sector, and is responsible for the overall administration of the Access to Information Act and Privacy Act.  In addition, each region and institution has an Access to Information and Privacy (ATIP) liaison which assists the national ATIP Division in administering its overall responsibilities.

The responsibilities of the ATIP Division are:

  • respond to access to information and privacy requests including consultation requests from other government institutions and informal requests for information;
  • respond to public and internal inquiries relating to the administration of the Access to Information Act and Privacy Act;
  • promote awareness and providing training regarding the Access to Information Act and Privacy Act and related policies and guidelines;
  • develop corporate-wide Access to Information and Privacy policies and practices to guide access to and protection of personal information;
  • oversee and manage privacy breaches;
  • coordinate and oversee the Privacy Impact Assessment Process;
  • revise Info Source and modify information holdings and personal information banks as required;
  • liaise and coordinate efforts with Information and Privacy Commissioners, other government departments and agencies and other key stakeholders;
  • analyse privacy practices in relation to CSC programs and policies.

As highlighted in our 2008/2009 Annual Report, that year had been a year of transition and rebuilding for the ATIP Division.  In view of CSC ATIP's structural changes which ensured that it had a strong management team, the possibility to recruit senior ATIP analysts who were knowledgeable and experienced in dealing with sensitive information and public safety issues became achievable.

There are a total of 56 Full-term equivalents in the CSC ATIP Division.

TRAINING AND AWARENESS

During the reporting period, a fundamental role was played by the Policy and Training unit which delivered an extensive training program geared to CSC ATIP.  Training was also provided to numerous sectors at National Headquarters, the Regional Headquarters for the Pacific and Prairie regions and 8 institutions, in person or by videoconferencing.  This venture is continuing in the upcoming fiscal year.

The training consisted of ATIP related matters, such as processing requests under both the Access to Information Act and Privacy Act, privacy breaches, Privacy Impact Assessments, and other related policies and guidelines.

The unit consisted of one deputy director and one senior analyst.  Due to the increase awareness in all ATIP-related matters, this unit will most likely require additional resources in the upcoming year.

WORKLOAD

As highlighted in our previous ATIP Annual Reports, recruitment and training of new ATIP analysts, combined with the high volume of requests, continue to make meeting compliance a challenge.  It is expected that, with more training and mentoring, and with increased retention of the current ATIP staff, compliance rates will increase in future reporting years.

STATISTICS

In 2009-2010, CSC received 9,289 Privacy Act requests, a significant increase from fiscal year 2008-2009. 3,299 requests were carried over from the previous year totaling 12,579 requests which required processing.  In addition, the Division processed 253 informal requests for personal information relating to harassment and disciplinary investigation reports, as well as 62 consultations from other government institutions and 1,936 miscellaneous requests for personal information consisting of requests for correctional records for Indian Residential School claims.

The Division completed 9,489 requests during the reporting period, which are 4,079 more than those completed in fiscal year 2008-2009.  This increase is attributed to the fact that the analysts responsible for processing requests under the Privacy Act were provided with mentoring and training from their managers and the Senior ATIP Analysts dealt for the greater part with the processing of Access to Information requests.

Of the 9,489 requests completed during the reporting period, 1,309 requests were full disclosures, 5,012 were partial disclosures, 55 were withheld in their entirety, 2,569 were unable to process resulting from no records existing, 531 were abandoned by the applicant and 13 were transferred to other federal government institutions.

Exemptions

A breakdown of the exemptions/exclusions applied during this reporting period is as follows:

Exemption/Exclusion Description Number of times applied
Information obtained in Confidence 1,717
Federal Provincial Affairs 0
International Affairs and Defence 3
Law Enforcement and Investigation 3,546
Individual sentenced for an offence 1,035
Safety of Individuals 57
Information about another individual 4,864
Solicitor-Client Privilege 49
Cabinet Confidences 0

Method of Access

Where information was available for release, copies were provided in 5,967 cases, examination in 4 of the cases and in 350 cases, examination was requested and copies were subsequently made.

Extensions

A total of 2,749 extensions were required for the reasons outlined in the chart below:

Extensions
Interference 2587
Consultation 159
Translation 0

Completion Time

During the reporting period, CSC completed 3,628 requests in less than 30 days, 2,269 between 31 and 60 days, 1,426 requests between 61 to 120 days, and 2,166 were completed in over 121 days.

COMPLAINTS

The Office of the Privacy Commissioner (OPC) notified CSC of 197 complaints with regard to responses to Privacy Act requests that CSC processed.  At the end of the reporting period, 56 findings were issued for these complaints: 53 were deemed well-founded; however the vast majority of these were time limit complaints and three were deemed "not well-founded".  The remaining complaints are still under investigation.  In addition, 280 findings were made in relation to complaints carried forward from previous fiscal years.

CSC also received 20 complaints in regards to inappropriate use and disclosure of personal information (privacy breaches).  Eighteen findings were issued further to OPC investigation, which consisted of ten "well-founded" complaints, five "not well founded", two "discontinued" and one "settled" during the course of the investigation.  The remaining complaints are still under investigation.

DISCLOSURES PURSUANT TO 8(2)

During the reporting period, CSC made 143 disclosures of personal information to an investigative body pursuant to 8(2)(e) of the Privacy Act.  CSC also disclosed personal information pursuant to section 8(2)(f) [disclosure under an agreement or arrangement between the Government of Canada or an institution thereof and the government of a province].  This type of disclosure is usually done at the regional level since delegated authority has been given to the Regional Deputy Commissioners, Wardens and District Directors.

CSC disclosed personal information pursuant to 8(2)(m) of the Act [in the public interest or disclosure would clearly benefit the individual to whom the information relates] in 28 cases. These disclosures all related to information contained in investigation reports with regard to incidents involving serious bodily harm or death of an offender and were normally made to family members.  In all cases, the Office of the Privacy Commissioner was notified prior to the disclosure of the information and had no concerns.

PRIVACY RELATED POLICIES AND PROCEDURES

The Privacy Management Framework remains an important tool in CSC's day-to-day operations.  The Privacy Committee, which is chaired by the Assistant Commissioner Policy and Senior managers, meets on a quarterly basis.  As mentioned in the Annual Report of 2008-2009, the Committee has approved the guidelines developed for handling of privacy breaches in CSC. These guidelines, which serve to assist employees of CSC in dealing with privacy breaches, describe the process in the event of a breach, how they are to be reported, and how to conduct privacy risk assessments.

PRIVACY IMPACT ASSESSMENTS

During this reporting period, CSC completed four Privacy Impact Assessments.

Computerized Mental Health Information Screening System (COMHISS) - COMHISS is a mental health screening process that is comprised of a computer administered psychometric test battery that objectively measures indicators of mental health including, but not limited to, depression, suicidal ideation, anxiety, and obsessive compulsive and psychotic disorders.

Data matching initiative between CSC Research Sector and the Institute for Clinical Evaluation Services (ICES) - The ICES initiative would serve to identify patterns of medical services utilization among Ontario Women with, and without, substance abuse problems.

Express Lane Staffing - An electronic service delivery tool internal to CSC used to make low risk staffing actions.

Uniform Program – A program responsible for the overall management of its employee clothing entitlement program.

At the end of this reporting period there were three ongoing Privacy Impact Assessments which are expected to be completed during the next reporting period.

RESOURCES

A total of $ $2,924,369.00 was spent in salary budget and $153,867.00 in operational spending.

APPENDIX A – Privacy Act delegation

The Minister of Public Safety, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto to exercise the powers and perform the duties and functions of the Minister as the head of a government institution, that is, the Correctional Service of Canada, under the sections of the Act set out in the schedule opposite each position.

The dots (•) represent the person(s) designated to exercise the powers and perform the duties and functions of the Minister under the section(s) of the Act.

Schedule

Section Action Commissioner Senior Deputy Commi-ssioner Assistant Commissioner Policy Director ATIP Deputy Director, ATIP Team Leaders, ATIP Regional Deputy Commissioners Wardens & District Directors
8(2)(j) Disclose personal information for research purposes          
8(2)(m) Disclose personal information in the public interest or in the interest of the individual          
8(4) Retain copy of 8(2)(e) requests and disclosed records
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures          
9(1) Retain record of use
9(4) Notify Privacy Commissioner of consistent use and amend index      
10 Include personal information in personal information banks      
14 Respond to request for access within 30 days; give access or give notice          
15 Extend time limit for responding to request for access          
17(2)(b) Decide whether to translate requested information          
18(2) May refuse to disclose information contained in an exempt bank    
19(1) Shall refuse to disclose information obtained in confidence from another government    
19(2) May disclose any information referred to in 19(1) if the other government consents to the disclosure or makes the information public    
20 May refuse to disclose information injurious to the conduct of federal-provincial affairs    
21 May refuse to disclose information injurious to international affairs or defence    
22 May refuse to disclose information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions    
23 May refuse to disclose information prepared by an investigative body for security clearances    
24 May refuse to disclose information collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while individual was under sentence if conditions in section are met    
25 May refuse to disclose information which could threaten the safety of individuals    
26 May refuse to disclose information about another individual, and shall refuse to disclose such information where disclosure is prohibited under Section 8    
27 May refuse to disclose information subject to solicitor-client privilege    
28 May refuse to disclose information relating to the individual's physical or mental health where disclosure is contrary to the best interests of the individual    
31 Receive notice of investigation by the Privacy Commissioner
33(2) Right to make representations to the Privacy Commissioner during an investigation
35(1) Receive Privacy Commissioner's report of findings of the investigation and give notice of action taken
35(4) Give complainant access to information after 35(1)(b) notice
36(3) Receive Privacy Commissioner's report of findings of investigation of exempt bank
37(3) Receive report of Privacy Commissioner's findings after compliance investigation
51(2)(b) Request that Section 51 hearing be held in the National Capital Region      
51(3) Request and be given right to make representations in Section 51 hearings
72(1) Prepare annual report to Parliament            
77 Responsibilities conferred on the head of the institution by the regulations made under section 77 which are not included above

Dated, at the City of Ottawa, this

____th day of ___________, 2010

________________________________________ 
The Honourable Vic Toews, P.C., M.P.
Minister of Public Safety