Privacy Act, 2010-2011

CHAPTER I –Report on the Privacy Act

INTRODUCTION

The Privacy Act protects the privacy of Canadian citizens and permanent residents against the unauthorized use and disclosure of personal information about themselves held by a government institution. It also provides individuals with a right of access to that information and the right to correct inaccurate personal information. In addition, the Privacy Act legislates how the government collects, stores, disposes, uses and discloses personal information.

Section 72 of the Privacy Act requires that the Head of every federal government institution submit an annual report to Parliament on the administration of this Act over the fiscal year. This report describes how the Correctional Service Canada (CSC) fulfilled its privacy responsibilities during the reporting period covering 2010-2011.

Our reporting Head, the Minister of Public Safety, has delegated the administration of the Privacy Act, including the reporting of the Annual Report, to the Commissioner of CSC.

CSC's ORGANIZATION & MANDATE

The Correctional Service of Canada was formed in 1979 through the amalgamation of the Canadian Penitentiary Service and the Parole Board of Canada. CSC has the fundamental obligation to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens, while exercising reasonable, safe, secure and humane control. It does this by operating under the rule of law, in particular the Correctional and Conditional Release Act (CCRA), which provides its legislative framework. The Commissioner of CSC has the authority, extending from the CCRA, to issue directives, procedures and guidelines to carry out the agency's operations.

CSC contributes to public safety by administering court-imposed sentences for offenders sentenced to two years or more. This involves managing institutions (penitentiaries) of various security levels and supervising offenders on different forms of conditional release, while assisting them in become law-abiding citizens. CSC also administers post-sentence supervision of offenders with Long Term Supervision Orders for up to 10 years.

CSC works closely with its Public Safety Portfolio partners, including the Royal Canadian Mounted Police, the Parole Board of Canada, the Canada Border Services Agency, the Canadian Security Intelligence Service, and three review bodies, including the Office of the Correctional Investigator.

In consideration of CSC's mandate, the agency collects and retains a substantial amount of personal information.

THE ACCESS TO INFORMATION AND PRIVACY DIVISION

The Access to Information and Privacy Division (ATIP) reports to the Director General of Rights, Redress and Resolution, under the Policy Sector, and is responsible for the overall administration of the Access to Information Act and the Privacy Act. In addition, each sector and region and institution has an Access to Information and Privacy liaison who assists the national ATIP Division in administering its overall responsibilities.

ATIP Division

Details

The ATIP Division is comprised of one Director, two Managers of Operations, one Manager of Policy and Training, five Team Leaders, as well as nine Senior Analysts, 20 Analysts and seven Junior Analysts as well as a support team of new employees. The Division also employs casual and term employees to aid with the workload. The Division has a total of 55 FTEs.

Pursuant to the Privacy Act, ATIP has a responsibility to:

The public: provides guidance as to how to request information held by CSC; responds to PA requests; provides clarification on the types of records under CSC control; and provides explanations concerning PA processes and time frames. CSC also has a duty to assist individuals seeking to obtain personal information.

CSC: responds to both formal and informal requests under the PA; provides advice regarding the interpretation and application of the Act; develops and implements policies, procedures and guidelines to ensure the effective application of the Act; promotes awareness and understanding of the Act by providing training.

Other federal government institutions: provides recommendations and consultations concerning the possible disclosure of CSC records which are the subject of requests.

Offices of the Information Commissioner and the Privacy Commissioner: cooperates with Office of the Privacy Commissioner (OPC) to resolve complaints made by requesters.

ATIP is also responsible for:

Training and information sessions: delivers training sessions intended to familiarize CSC employees with the requirements of the PA, including how to properly handle personal information and how to prevent and report on privacy breaches as well as how to conduct Privacy Impact Assessments.

Annual Report to Parliament: ATIP prepares and submits separate ATIA and PA reports to the Commissioner for subsequent presentation to Parliament.

Info Source: ATIP must provide the TBS with up-to-date information about CSC's organizational structure and personal information banks for publication in Info Source.

Privacy Impact Assessments: helps evaluate whether a specific project, system, service or initiative will have an actual or potential impact on the privacy rights of an individual.

DELEGATION of AUTHORITY

The responsibilities associated with the administration of the Privacy Act, such as notifying applicants of extensions and transferring requests to other institutions, are delegated to the departmental ATIP Coordinator through a delegation instrument signed by the Minister of Public Safety. The approval of exemptions remains with the Director, the Deputy Directors as well as the Team Leaders. Delegation for public interest releases as well as research and statistics rests with the Commissioner, the Deputy Commissioner and the Assistant Commissioner, Policy.

A detailed delegation instrument can be viewed in Appendix A.

HIGHLIGHTS & ACCOMPLISHMENTS 2010-2011

Training & Awareness

The Policy and Training Unit was created in 2008 with the aim of developing a comprehensive learning and training plan on ATIP related matters, such as processing requests under both the Access to Information Act and Privacy Act, reviewing and reporting on privacy breaches, conducting Privacy Impact Assessments, and other related policies and guidelines. The ATIP Division's Policy and Training Unit helps ensure that there is a systematic means by which to provide advice, assist OPIs with Privacy Impact Assessments (PIAs), and develop policies and procedures for the ATIP Division. It also ensures that regular training sessions are provided to CSC. The Policy and Training Unit plays a fundamental role in developing and delivering training to National Headquarters, Regional Headquarters and Institutions across Canada on Privacy related matters such as processing requests, reporting and reducing privacy breaches, conducting PIAs and other policies and guidelines. Though this unit only consists of 4 permanent FTEs as of the end of the 2010-2011 reporting period, the Unit hopes to continue expanding in the coming years.

During the current fiscal year, the ATIP Policy and Training Unit has delivered a total of 15 training sessions with 300 persons attending. Examples of training which reflect these numbers include:

  1. ATIP Lunch and Learns: In December 2010 a need was recognized to deliver training sessions for ATIP staff to ensure consistency in applying the Act and to promote a culture of continuous learning. To date, there have been 8 sessions delivered to ATIP staff on different exemptions, 4 in French and 4 in English. In total, 35 staff members participated in these sessions. Due to the success of these sessions, the ATIP Policy and Training Unit will continue to provide internal training sessions to its staff.
  2. Training sessions to CSC staff, including training of Institutional staff in the Prairie Regions (a total of 210 employees). Staff included Correctional Officers, Administrative staff, Parole Officers and other individuals working with offenders.
  3. Training ATIP liaisons (15 employees). Currently there are 5 ATIP liaisons in the Region who are relatively new and in need of specialized training. The Policy and Training Unit met one-on-one with 3 liaisons and followed up with a 3 day, on-site training session (with 13 attendees), which included NHQ and Regional liaisons.
  4. The ATIP division also provided awareness sessions to Security Intelligence Officers on ATIP (16 new officers, 8 instructors).
  5. ATIP provided an orientation session to new Wardens and Deputy Wardens (15). The ATIP Division officials also liaised with NHQ Information Management (IM) and Security staff to ensure that ATIP is part of CSC's New Employee Orientation Program.
  6. CSCorganizes visits to institutions on a yearly basis in order to fostereducation regarding the challenges of working in an institutionalenvironment.

The Policy and Training Unit created a dedicated GEN-NHQ Policy and Training account where all areas of CSC, including the regions, can direct their questions and concerns regarding training, policy and guideline advice, interpretations of the Act, etc. The Policy and Training Unit also offers a series of tailored training decks for staff and trainees to refer to.

The PTU e-mail address is available on our InfoNet – Appendix B

We have received positive comments regarding our Infonet site and training sessions and hope to expand and develop these sessions in the future.

Policies, Guidelines, and Procedures

The ATIP Policy and Training Unit has created a variety of reference tools in order to aid in educating the ATIP Division and employees of CSC on its roles and responsibilities. CSC's Privacy Committee has approved CSC's Privacy Impact Assessment (PIA) Framework which was designed to provide staff with the information and resources needed to conduct PIAs in an effective and efficient manner. The Framework describes CSC's internal PIA process and acts as a resource centralizing essential documents needed to conduct a PIA. This framework complies with TBS's directives on PIAs. The ATIP Division has received positive feedback regarding the streamlining of this group.

The ATIP Policy and Training Unit initiated a series of ATIP Tips/Bulletins to help create awareness of sections of the Privacy Act most commonly applied or questioned. This reporting year, 6 new bulletins were completed and posted on the InfoNet site; these are: Duty to Assist under the Privacy Act, how to make Correction Requests, how CSC is implementing the New Directives Issued by TBS on April 1st, 2010, how to conduct Privacy Impact Assessments, Permissible Disclosure of Personal information, pursuant to 8(2)(e) of the Privacy Act, and Permissible Disclosure of Personal information to provinces and municipalities pursuant to 8(2)(f) of the Privacy Act.

The ATIP Division's Bulletins are available on our InfoNet site – Appendix B

Other Policy developments include:

  • The development of a Guideline regarding Transitory Documents in order to aid in defining the parameters of transitory records.
  • A Compliance Manual, created as an authoritative guide for all ATIP staff. It details the processes surrounding the collection, retention, use and disclosure of personal information, the process and completion of PIAs, how to avoid and report on privacy breaches, as well as other information regarding the Privacy Act. It is anticipated that the Manual will provide staff with the resources and information to address many of their Privacy questions.
  • A Privacy Impact Assessment Template was formulated by the Policy and Training Unit, as per Treasury Board Secretariat Directives.
  • Our Privacy Breach Guidelines were expanded on in order to integrate feedback received from CSC staff. As a result, the Privacy Breach Guidelines have been updated and reissued.

Due to the vast quantities of personal information handled by the CSC, the ATIP Division is proactive in promoting awareness regarding the safeguarding of its information holdings.  Correctional Service Canada's mandate requires the sharing of personal information with other areas of the Criminal Justice Community and institutions. In addition, it obtains a variety of information provided by other agencies in order to administer its legislation and directives.  Every effort is taken to ensure that personal information is appropriately shared by validating personal identifiers such as: name, sex, date of birth, fingerprint series number (FPS) and in some cases physical features.

InfoNet & Internet Updates and Maintenance

With the aim of bringing greater awareness to the policies and guidelines of the Privacy Act, CSC's ATIP Division has updated its internal ATIP website as well as the public ATIP website.

In order to aid in educating the wider CSC community on ATIP related issues, the InfoNet site includes information regarding policies and procedures, directives, privacy breach prevention and reporting, PIA procedures, and a list of ATIP Tips and Bulletins. It also provides a training mechanism where requests for training can be made directly to the Policy and Training Unit by individuals or groups. Furthermore, as mentioned above, the Policy and Training Unit now has its own email account where questions can be directed regarding the Privacy Act.

CSC's public ATIP site has also been updated to include information regarding the Duty to Assist, how to make Corrections to Personal Information, general FAQ's regarding ATIP, as well as a list of PIAs categorized by year.

ATIP Division's InfoNet – Appendix B

To view the changes to the ATIP Division's Internet site, please visit: http://cscweb.csc-dev-scc/atip/index-eng.shtml

INFO SOURCE

CSC is responsible for providing comprehensive, accurate and up-to-date descriptions of its functions, programs, activities and Personal Information Banks (PIBs) that describe the collection, use, disclosure and retention of personal information in Info Source. CSC continues to be dedicated in updating its PIBs on an annual basis. During the current reporting year, CSC focused on updating the language of our PIBs, specifically as it relates to consistent use, disclosure and retention and in what circumstances personal information can be shared, pursuant to 8(2) of the Privacy Act.

The ATIP Division's Information Holdings can be viewed here: http://www.infosource.gc.ca/inst/1573/1573-fedemp00-eng.asp

The following is a list of PIBs CSC has updated during the current reporting year:

  1. Inmate Trust Fund: This bank describes information that is used to establish and administer an Inmate Trust Fund.

    The personal information is collected and used to manage inmate money and inmate pay to ensure that inmate financial transactions are properly authorized and recorded and that adequate financial information and support is provided to inmates to answer questions on transactions and account balances. The information is also used to ensure that receipt, transfers and disbursements of funds are administered in compliance with the CCRA and relevant CSC policies and directives. Personal information may include name, FPS (Finger Print System) number, information on the inmate's accounts and related financial transactions.  The Fund may also record the names and contact information of other individuals who contribute to an inmate's account.

  2. Offender Program Assignments and Payments: This bank describes information pertaining to the program assignments of offenders within institutions and in the community while serving a sentence administered by the Correctional Service Canada.  It also encompasses any operational information in this area that may be required by the CSC to carry out its mandate under the relevant statutes, including the administration of the payroll for inmates on assignments. Personal information is collected and used for managing program assignments including employment and vocational programs. This information is used to ensure that CSC is meeting the identified needs of offenders, in order to assist them to prepare for reintegration into the community as law-abiding citizens.  The information is also used to evaluate and assess inmates' progress in meeting towards their Correctional Plan goals and to administer inmate pay in accordance with the CCRA and relevant CSC policies and directives. Personal information may include inmate's name, FPS (Finger Print System) number, date of birth, biographical information, educational history, criminal history, employability and vocational assessment results, assignment information and pay level information.

CSC's BACKLOG PROJECT

During the current reporting period, the ATIP Division has taken great strides towards completing outstanding Privacyrequests. This includes contacting the requesters, working with them to narrow the scope of their requests and ensuring they are still interested in pursuing their request. During this time, we have been able to close a number of overdue requests successfully. CSC's ATIP Division is one of the top five departments that receive the most Privacy requests. The ATIP Division continues to be committed to reducing the number of outstanding Privacyrequests.

OPERATIONAL CHALLENGES

Workload

Over the last several years, the ATIP Division has experienced a significant increase in the size and complexity of its workload. Considering the vast amount of sensitive personal information that is handled on a daily basis the recruitment of knowledgeable and experienced ATIP professionals remains an ongoing challenge. In turn, this continues to make meeting compliance rates demanding. It is the Division's hope that with more training and mentoring, and with increased retention of the current ATIP staff, compliance rates will increase in future reporting years.

Workload Trends

Over the past number of years, the ATIP Division has seen a significant increase in the number of privacy requests received. In total, Privacy requests have increased by 65% since the 2000/01 Reporting Period.

The ATIP Division continues to process a number of informal Privacy requests (including Board of Investigations (BOIs), Harassment and Discipline investigations, and requests from the province). ATIP also anticipates an increase in volume of informal requests as the Indian Residential School Settlement (IRSS) enters its final year. These informal requests add considerably to the number of requests process by the ATIP Division on a yearly basis.

The following chart shows the steady increase in Privacy requests over the past number of years:

Workload (including carry overs)
2008-2009 2009-2010 2010-2011
Workload (including carry overs) 8734 12579 13864

THE ROAD AHEAD

CSC's ATIP Division is one of the few ATIP shops that currently redact information manually. To address this inefficiency, the Division will be implementing a case management and electronic vetting system, AccessPro Suite. The implementation date is scheduled for May 2011 and will result in the automation of several thousands of pages.

CHAPTER II – PRIVACY ACT STATISTICAL REPORT

Statistical Report for the 2010-2011 Reporting Year

In 2010-2011, CSC received 10,801 Privacy Act requests, which marks an increase from fiscal year 2009-2010. A total of 3,063 requests were carried over from the previous reporting year, totaling 13,864 requests requiring processing in 2010-2011. In total, 558,302 pages were processed. In addition, the Division processed 3,682 informal requests for personal information relating to harassment and disciplinary investigation reports, as well as 59 consultations from other government institutions and 64 miscellaneous requests for personal information consisting of requests for correctional records for Indian Residential School claims. Please refer to Appendix B for the Statistical Report.

Formal requests
2008-2009 2009-2010 2010-2011
Formal Requests 8734 12579 13864

Disposition of Requests

Of the 10,742 requests completed during the 2010-2011 reporting period, 1,405 requests were full disclosures, 5,832 were partial disclosures, 145 were withheld in their entirety, 2,532 were unable to process resulting from no records existing, 811 were abandoned by the applicant and 17 were transferred to other federal government institutions.

Disposition of Requests
Full disclosure Partial disclosure Withheld entirely Unable to process Abondonned Transferred
Requests 1405 5832 145 2532 811 17

Exemptions

A breakdown of the exemptions applied during this reporting period is as follows:

Exemption Description Number of Times Applied
Obtained in Confidence 1,451
Federal-Provincial Affairs 0
International Affairs and Defence 22

Law Enforcement & Investigation

4,771
Policing Services 3
Security Clearances 2
Individuals Sentenced for an Offence 1,145
Safety of the Individuals 70
Information about another individual 5,702
Solicitor-Client Privilege 66
Medical Record 4
Information to be published 2
Library/Museum Material 2

Completion Time

During the reporting period, CSC completed 4,946 requests in less than 30 days; 2,577 between 31 and 60 days; 1,302 requests between 61 to 120 days; and 1,917 were completed in over 121 days.

Method of Access

Where information was available for release, copies were provided in 6,742 cases, examination was provided in nine (­­9) of the cases and in 486 cases, examination was requested and copies were subsequently made.

Corrections and Notations

CSC received a total of seven (7) requests for correction to personal information. A total of one (1) correction was made, and one (1) notation attached. The remaining five (5) were not made in accordance with the Privacy Act but were dealt with pursuant to the Corrections & Conditional Release Act.

Consultations from Other Institutions

A significant amount of the ATIP Division's workload involves responding to consultations in response to formal requests received by other institutions.  CSC works closely with its partners under the Public Safety portfolio such as CBSA, RCMP, CSIS, PBC, OCI, as well as CIC in order to respond to consultations in a timely fashion.

During the 2010-2011 reporting period, the ATIP Division received a total of 59 consultations from other institutions processing requests under the Privacy Act.

The following chart provides the type and number of consultations received over the 2010-2011 reporting year:

type number
Other Federal Governments 51
Provincial Institutions or Municipalities 8
Foreign Governments or Institutions of States 0
Total 59

COMPLAINTS & INVESTIGATIONS

The Office of the Privacy Commissioner (OPC) notified CSC of 257 complaints with regard to responses to Privacy requests processed by CSC. At the end of the reporting period, 226 findings were issued for these complaints.

The following chart provides a breakdown of the type of complaint made to the OPC:

Reason for Complaint number
Time Limit 150
Collection 1
Extension 7
Refusal - Exemptions 70
Refusal - General 7
Retention and Disposal 1
Language 2
Use and Disclosure 19

Of these findings, 141 time limits were deemed well-founded, five (5) were not well founded and four (4) discontinued.  Of the remaining complaints (denial of access, section 4 to 8, language), 14 were well-founded; 47 not well-founded; four (4) were resolved; one (1) was "settled in the course of the investigation; and 10 were discontinued.  The remaining complaints are under investigation.

Finding number
Discontinued 14
Not Well-Founded 52
Well Founded 155
Resolved 4
Not Resolved 0
Settled 1

DISCLOSURE of PERSONAL INFORMATION PURSUANT TO 8(2)

Subsection 8(2) of the Privacy Act states that "personal information under the control of a government institution may be disclosed" under certain specific circumstances without the consent of the individual.

The mandate of CSC requires that it routinely shares personal information with other areas of the Criminal Justice Community and Law Enforcement Agencies (which includes municipal, provincial, international, federal police forces or other law enforcement bodies) to ensure the offenders are appropriately managed in a safe, secure and humane environment and to ensure the safety of the offender, other offenders, staff and the community at large.

The following is a statistical breakdown of disclosures pursuant to 8(2) of the Privacy Act:

Paragraph 8(2)(e)

Personal information may be disclosed "to an investigative body […] for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation…"

Under this paragraph of the Privacy Act, 120 requests were received and treated.

Paragraph 8(2)(f)

Personal information may be disclosed "under an agreement or arrangement between the Government of Canada [...] and the government of a province [or territory] [...] for the purpose of administering or enforcing any law or carrying out a lawful investigation."

Under this paragraph of the Privacy Act, 98 requests were received and treated.

Paragraph 8(2)(m)

CSC disclosed personal information pursuant to 8(2) (m) of the Act [i.e., in the public interest or disclosure would clearly benefit the individual to whom the information relates] in 25 cases.

Nature of the 8(2)(m) disclosures

For example, limited offender information related to specific incidents, transfer dates, locations and medical information.

The Privacy Commissioner was notified prior to the disclosure of personal information in all cases.

PRIVACY IMPACT ASSESSMENTS (PIAs)

Two additional PIAs were developed this reporting year:

Institute for Clinical Evaluation Sciences (ICES)

This PIA has been completed. The Privacy Commissioner has been notified and we are awaiting their comments. This is the first PIA that will allow for the disclosure of medical information to an outside body to conduct bona fide research on offenders.

HRSDC/CSC Joint PIA: Use and Disclosure of Information Relating to Federal Inmates for the Administration of the Old Age Security Act

In the spring of 2010, the Conservative government announced that they would be suspending Old Age Security benefits for offenders while they are incarcerated. The amendments to the Old Age Security Act suspend OAS benefit payments commencing with the date of the sentencing order to a federal penitentiary and payments will resume once the individual is released and will only be subject to a further suspension of OAS benefits if, for example, the parole and common-law partners of the incarcerated individual retrain the right to their OAS benefits. The joint PIA established the authorized disclosures of personal information to HRSDC for the administration of the OAS amendment.

At the end of the reporting period, there is one ongoing Privacy Impact Assessment which is expected to be completed during the next reporting period.

2010-2011 PRIVACY IMPACT ASSESSMENT (PIA) CHECKLISTS

CSC currently has in place a mechanism that allows for the systematic review of any initiatives or projects that may or may not require a PIA. The PIA checklist is a tool that is completed by program areas and reviewed by the Policy and Training Unit and approved by the ATIP Director. Over the past year, the ATIP Division reviewed a total of 20 PIA checklists. A sampling of checklists where no PIA was required is described below.

Web-IDSS

The Web-IDSS is an application developed by Public Health Agency of Canada for use in CSC. It contains some 200,000 assessment records for tuberculosis and blood borne and sexually transmitted infections. In order to ensure the assessment records are linked correctly to the patients, Web-IDSS uses the FPS number as a unique identifier for each "patient" in the application as well as the name and birth date to help identify individuals.

The current project plan involves deploying the application to the institutions and providing read-only access to infectious disease nurses who will be allowed to view and print records and reports. Access to electronic assessment records will better equip nurses in conducting assessments for infectious diseases by allowing them to review assessment history.

A PIA was not required as the program currently exists and there is no change as to how the personal information is being used, collected, retained/disposed of or disclosed. It is simply a more efficient way of having infectious disease nurses access assessment records for offenders they treat.

Food Services Information Management System

The Food Services Information Management System is an integrated database that will support the requirements of the Food Service operations across all Regions.  As the primary client for Food Services are offenders, certain data will be maintained in the system to assist in providing service to them. System account number, first and last names, FPS, gender, cell location and current religious or therapeutic diet requirements will be collected.

A PIA was not required because the database is an extension of an existing program and is intended to be operated by CSC and used only by CSC.

National Monitoring Centre – Bell Enhanced Per Agent

The objective of this project activity is to replace the National Monitoring Centre's (NMC) current service desk Automated Call Distribution system (ACD) with the Bell EPAS. The new solution is a key component of the NMC which is a 24/7 centralized operation that uses various technologies for ongoing communication to support institutional and community operations across Canada.

The Bell EPAS will be used to assess, monitor and supervise the calls coming into the NMC. It allows NMC Supervisors to provide support to officers during phone calls by listening in, intervening as necessary, messaging and managing call volume and distribution during staff breaks. It will also generate customized reports on the overall operational activities of the NMC.

A PIA was not required because the monitoring of phone calls is an ongoing operational activity and the only change to this program is the service provider.

Senior Deputy Commissioner Incident Investigation Tracking System (SDCIITS)

The SDCIITS will record, organize, centralize and consolidate data related to incidents in order to provide timely, accurate, and useful information when needed to the investigative analysts and Senior Deputy Commissioner. It will replace existing MS Excel based systems. The database will be used by staff of the Incident Investigations Branch at various stages at NHQ and within the Regions. It will be used to track investigations at different levels, provide a means of analyzing trends and investigations and provide timelines for investigations.

A PIA was not required as the program currently exists and there is no change as to how the personal information is being used, collected, retained/disposed of or disclosed.

Site Secure Software

Site Secure Software, a web-based security software, stores references to security files and assists the Departmental Security Program in tracking and auditing security incident files, employee protection files, CSC uniquely-numbered badge numbers, recognition "retired" badge information, key and padlock combination references.  Original files will be stored in approved secure cabinets. No personal information will be collected about offenders. The information collected will not be shared within or external to CSC.

A PIA was not required because the Departmental Security Division currently collects personal information manually for the same purposes as what is proposed in the new Site Secure system.

Wallace Wireless

Correctional Service Canada (CSC) requires a communication medium whereby e-mail and document transfer are to be available during crisis (disaster) and non-crisis situations. This is a system designed to manage, maintain and control electronic information and emergency response plans for CSC Headquarters and the regions. It is designed to provide electronic access to essential recovery information during an emergency that could impact the mandated CSC legal requirements.

A PIA was not required as the program already exists and there is no change to how personal information is being collected, used, retained/disposed of or disclosed.

Enhanced Integrity Screening (EIS)

The purpose of the EIS process is to support personal suitability assessments of CX and other external recruits.  This process requires searching new applicants online via publicly available information (PAI) databases primarily but is not limited to Canada and the US. Some of the PAI databases that will be used include, but are not limited to, social networking sites, personal property registries, land registries, corporation & business registries, news media, search engines, universities, colleges, and employer websites.

A PIA was not required for the EIS program since it is an extension of pre-existing HR programs and it falls under the Personal Information Bank regarding Personnel Security Screening.

Psychology and Mental Health Database

The PMHTD is designed to assist CSC managers with achieving a better sense of the demand for psychological and mental health services and the balance between the demand for service and the resources available to meet this need. The PMHTD was created to standardize data collection at the national level and assist in the tracking of a wide range of services provided by both psychologists and mental health professionals within all CSC institutions. The PMHTD will allow CSC to measure the demand for psychological services of all types, the services delivered to offenders, as well as the actual use of the psychological and mental health resources in place.

A PIA was not required because this program currently exists and there is no change in how personal information is being collected, used, retained/disposed of or disclosed.

Computerized Mental Health Intake Screening System (CoMHISS) – Version 2

This is an extension of the PIA which was completed and approved in 2009. In order to improve CSC's capacity to address mental health needs of offenders, CSC has implemented a six-part mental health strategy. The first element of this strategy is the metal health screening at intake for all offenders. CoMHISS will assist in meeting this element by helping identify offenders with mental health symptoms who require further mental health assessment and follow-up, as well as generating data for future mental health planning.

Only personal information provided by the individual at the time of collection (collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities) is used. Only name, FPS, gender, indicators of mental distress based on the psychological tests results are elements of personal information collected.

A PIA was not required because the program currently exists and the program area is simply adding two new tests to the existing CoMHISS tests. There will be no change in how personal information is being collected, used, retained/disposed of or disclosed.

Victim Offender Mediation (VOM) Services

Restorative Opportunities (RO) is a Correctional Service of Canada (CSC) program, managed by the Restorative Justice Division. The RO program provides victims and offenders with an opportunity to enter into communication in order to address the harms caused by serious crime. VOM services available to participants include, but are not limited to, written correspondence, video message exchanges, face to face meetings, and shuttle mediation.

Both the CJI contracted mediators and the RO mediators require access to the personal information of both the victim participants and offender participants. This requires access to OMS, Radar, and paper files in order to complete the necessary assessments throughout the VOM process.

A PIA was not required because the Restorative Justice Division has been providing VOM services in BC since the early 1990's. The Restorative Opportunities is simply an extension of this service across Canada and appropriate safeguards are currently in place.

Integrated Workplace Management System

Correctional Service Canada (CSC) is seeking an Integrated Workplace Management System to support the management of the entire life cycle of its Real Property portfolio.  The Department currently uses over twelve systems to manage its Real Property Program. As a variety of stand-alone software programs are currently being used to manage this program, the current infrastructure presents a number of logistical challenges.

A PIA was not required. Although employee information (name, phone number and office location) is collected, used, retained/disposed of and disclosed, it does not constitute personal information under the Privacy Act.

Claims Settlement Management System (CSMS) Replacement Project

The Claims Settlement Management System (CSMS) Replacement project will migrate the existing system off its current platform. CSMS fulfills an operational requirement under the legislation governing Correctional Service Canada, specifically CD 234 – Claims Against the Crown and the Offender Accident Compensation Program.  The Corrections and Conditional Release Regulations require that effects of inmates are protected from loss or damage, and that there be a structure for submitting complaints and grievances.  The system provides a logging, tracking and reporting tool used to manage claims, including the ability to proactively monitor adherence to legislated response times.

Data includes FPS Number; first and last name; claim result; claim settlement amount; date inmate advised of decision/withdrawn; level where decision rendered; whether the employee/volunteer is liable and if so, indemnified; various dates: of accident, release, claim request; recommendation; percentage of disability; disability type; amounts paid; if claim result grieved, decision and settlement amount; final result; final settlement amount; whether a third party is liable.

A PIA was not required because all the personal information collected, used and disclosed after the upgrade will be the same as it has been collected, used and disclosed in the past.

AccessPro Suite

Privasoft has replaced ATIPflow with AccessPro Case Management, a flexible, case management system.  The ATIP Division will be moving from a manual redaction process to an electronic one by using AccessPro Redaction which works seamlessly with AccessPro Case Management. Together they are called AccessPro Suite.

All personal information will be at the Protected A and B levels only. Personal information may include the name of the requester, mailing address, telephone and facsimile numbers, e-mail address and other processing information related to the request, as well as personal information contained in institutional records that are relevant to the request.

A PIA was not required for the AccessPro Case Management system as it will not collect, use or disclose personal information in ways other than how it was collected, used and disclosed when using ATIPflow.

PRIVACY BREACHES

ATIP has been working diligently with the OPIs on how to report on privacy breaches, implement corrective measures and prevent further privacy breaches, all with an aim to cultivate a culture of awareness regarding the importance of safeguarding personal information. An ongoing component of our training includes a comprehensive section on privacy breaches.

Staff is continuously reminded of their obligations to safeguard and protect personal information and adopt privacy sensitive approaches in the workplace.

Over the 2010-2011 reporting period, the ATIP Division processed 168 privacy breaches.

In 2009, CSC's Privacy Committee developed Privacy Breach Guidelines which provide employees with direction on the department's privacy breach reporting mechanism.  This guidance tool provides information on responsibilities, types of breaches, reporting and notification.  In addition, it provides information on how to conduct a Privacy Risk Assessment (FPS) at the operational level where the impact and the circumstances of the breaches are best known.

All breaches are reported to ATIP's Policy and Training Unit who provides recommendations if necessary, reports the breach to the OPC if required and monitors the breaches to ensure corrective measures are implemented to prevent a similar occurrence in the future. The unit also indentifies areas which may require additional training on the protection of personal information.

FEDERAL COURT

CSC was named as the respondent in four (4) federal court reviews related to Privacy requests. In two cases, CSC was ordered to release information. The remaining two cases were dismissed.

RESOURCES

A total of $2,425,304.00 was spent in salary budget and $40,293.00 in operational spending.

APPENDIX A – Privacy Act Delegation

The Minister of Public Safety, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto to exercise the powers and perform the duties and functions of the Minister as the head of a government institution, that is, the Correctional Service of Canada, under the sections of the Act set out in the schedule opposite each position.

The dots (•) represent the person(s) designated to exercise the powers and perform the duties and functions of the Minister under the section(s) of the Act.

Schedule
Section Action Commissioner Senior Deputy Commissioner Assistant Commissioner Policy Director ATIP Deputy Director, ATIP Team Leaders, ATIP Regional Deputy Commi-ssioners Wardens & District Directors
8(2)(j) Disclose personal information for research purposes          
8(2)(m) Disclose personal information in the public interest or in the interest of the individual          
8(4) Retain copy of 8(2)(e) requests and disclosed records
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures          
9(1) Retain record of use
9(4) Notify Privacy Commissioner of consistent use and amend index      
10 Include personal information in personal information banks      
14 Respond to request for access within 30 days; give access or give notice          
15 Extend time limit for responding to request for access          
17(2)(b)

Decide whether to translate requested information

         
18(2) May refuse to disclose information contained in an exempt bank    
19(1) Shall refuse to disclose information obtained in confidence from another government    
19(2) May disclose any information referred to in 19(1) if the other government consents to the disclosure or makes the information public    
20 May refuse to disclose information injurious to the conduct of federal-provincial affairs    
21 May refuse to disclose information injurious to international affairs or defence    
22 May refuse to disclose information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions    
23 May refuse to disclose information prepared by an investigative body for security clearances    
24 May refuse to disclose information collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while individual was under sentence if conditions in section are met    
25 May refuse to disclose information which could threaten the safety of individuals    
26 May refuse to disclose information about another individual, and shall refuse to disclose such information where disclosure is prohibited under Section 8    
27 May refuse to disclose information subject to solicitor-client privilege    
28 May refuse to disclose information relating to the individual's physical or mental health where disclosure is contrary to the best interests of the individual    
31 Receive notice of investigation by the Privacy Commissioner
33(2) Right to make representations to the Privacy Commissioner during an investigation
35(1) Receive Privacy Commissioner's report of findings of the investigation and give notice of action taken
35(4) Give complainant access to information after 35(1)(b) notice
36(3) Receive Privacy Commissioner's report of findings of investigation of exempt bank
37(3) Receive report of Privacy Commissioner's findings after compliance investigation
51(2)(b) Request that Section 51 hearing be held in the National Capital Region      
51(3) Request and be given right to make representations in Section 51 hearings
72(1) Prepare annual report to Parliament            
77 Responsibilities conferred on the head of the institution by the regulations made under section 77 which are not included above

Dated, at the City of Ottawa, this
3rd day of September, 2010
Original signed by The Honourable Vic Toews, P.C., M.P.
Minister of Public Safety

APPENDIX B – InfoNet Screenshots

Policy & Training Unit Contact Information:

Details

This is a snapshot of the Access to Information and Privacy Division's (ATIP) internal website entitled Contact Us. It contains the address, phone number and email address for the ATIP office as well as the names, positions and email links for ATIP Management and the Policy and Training Unit. It also provides a link to ATIP's employee directory and a link to Treasury Board Secretariat's website where the contact information of other ATIP Coordinators and other federal institutions can be found.

ATIP TIPS Available on CSC's ATIP Infonet site:

Details

This is a snapshot of the Access to Information and Privacy Division's (ATIP) internal website entitled ATIP Tips. It contains policy documents for the internal use of CSC employees. They include:

  • ATIP Reviews of Boards of Investigation Reports.
  • ATIP Review of Records Containing Advice and Recommendations.
  • Best Practices: Processing requests pursuant to the Access to Information Act and Privacy Act.
  • Duty to Assist.
  • Guidelines for the Handling of Draft Documents.
  • New Directives from Treasury Board Secretariat.
  • Permissible Disclosure of personal information pursuant to 8(2)(e) of the Privacy Act.
  • Permissible Disclosure of personal information to provinces and municipalities pursuant to 8(2)(f) of the Privacy Act.
  • Personal Information - It's Everybody's Business.
  • Personal and Public Information of CSC Employees Privacy.
  • Impact Assessments.
  • Request for Correction.

CSC's ATIP Infonet Landing Page:

Details

This is a snapshot of the home page of the Access to Information and Privacy Division's (ATIP) internal website entitled Welcome to the ATIP Division. It contains information about the Access to Information Division, information about the Privacy and Access to Information Acts and the Duty to Assist, as well as Helpful Links.