Annual Report, Privacy Act 2011-2012


The Privacy Act protects the privacy of Canadian citizens and permanent residents against the unauthorized use and disclosure of personal information about themselves held by a government institution. It also provides individuals with a right of access to that information and the right to correct inaccurate personal information. In addition, the Privacy Act legislates how the government collects, stores, disposes, uses and discloses personal information.

Section 72 of the Privacy Actrequires that the Head of every federal government institution submit an annual report to Parliament on the administration of this Act over the fiscal year. This report describes how the Correctional Service Canada (CSC) fulfilled its privacy responsibilities during the reporting period covering 2011-2012.

Our reporting Head, the Minister of Public Safety, has delegated the administration of the Privacy Act, including the reporting of the Annual Report, to the Commissioner of CSC.

CHAPTER I – Report on the Privacy Act


The Correctional Service of Canada was formed in 1979 through the amalgamation of the Canadian Penitentiary Service and the Parole Board of Canada. CSC has the fundamental obligation to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens, while exercising reasonable, safe, secure and humane control. It does this by operating under the rule of law, in particular the Correctional and Conditional Release Act (CCRA), which provides its legislative framework. The Commissioner of CSC has the authority, extending from the CCRA, to issue directives, procedures and guidelines to carry out the agency’s operations.

CSC contributes to public safety by administering court-imposed sentences for offenders sentenced to two years or more. This involves managing institutions (penitentiaries) of various security levels and supervising offenders on different forms of conditional release, while assisting them in become law-abiding citizens. CSC also administers post-sentence supervision of offenders with Long Term Supervision Orders for up to 10 years.

CSC works closely with its Public Safety Portfolio partners, including the Royal Canadian Mounted Police (RCMP), the Parole Board of Canada (PBC), the Canada Border Services Agency (CBSA), the Canadian Security Intelligence Service (CSIS), and three review bodies, including the Office of the Correctional Investigator (OCI).

In consideration of CSC’s mandate, the agency collects and retains a substantial amount of personal information.


The Access to Information and Privacy Division (ATIP) reports to the Director General of Rights, Redress and Resolution, under the Policy Sector, and is responsible for the overall administration of the Access to Information Act and the Privacy Act. In addition, each sector, region, institution, parole office and community correctional centre has an Access to Information and Privacy liaison who assists the national ATIP Division in administering its overall responsibilities. The ATIP Division is comprised of:

  • 1 Director
    • 1 Administrative Assistant
  • 2 Managers of Operations - ATI
    • 8 Senior Analysts
    • 2 Junior Information Officer
  • 1 Manager Policy and Training - ATI
    • 1 Senior Analyst
  • 1 Manager Policy and Training - Privacy
    • 3 Policy Advisor
    • 1 Analyst - Privacy
  • 5 Team Leaders - Privacy
    • 29 Analysts - Privacy
    • 5 Junior Information Officers
  • 1 Office Manager
    • 10 clerks

The Division has a total of 71 full-time equivalents.

Pursuant to the Privacy Act (PA), ATIP has a responsibility to:

The public: providing guidance as to how to request information held by CSC; responding to PA requests; providing clarification on the types of records under CSC control; and providing explanations concerning PA processes and time frames. CSC also has a duty to assist individuals seeking to obtain personal information.

CSC: responding to both formal and informal requests under the PA; providing advice regarding the interpretation and application of the Act; developing and implementing policies, procedures and guidelines to ensure the effective application of the Act; promoting awareness and understanding of the Act by providing training.

Other federal government institutions: providing recommendations and consultations concerning the possible disclosure of CSC records which are the subject of requests.

Office of the Privacy Commissioner: cooperating with the Office of the Privacy Commissioner (OPC) to resolve complaints made by requesters.

ATIP is also responsible for:

Training and information sessions: ATIP delivers training sessions intended to familiarize CSC employees with the requirements of the PA, including how to properly handle personal information and how to prevent and report on privacy breaches as well as how to conduct Privacy Impact Assessments.

Annual Report to Parliament: ATIP prepares and submits separate ATIA and PA reports to the Commissioner for subsequent presentation to Parliament.

Info Source: ATIP must provide the TBS with up-to-date information about CSC’s organizational structure and personal information banks for publication in Info Source.

Privacy Impact Assessments: ATIP helps evaluate whether a specific project, system, service or initiative will have an actual or potential impact on the privacy rights of an individual.


The responsibilities associated with the administration of the Privacy Act, such as notifying applicants of extensions and transferring requests to other institutions, are delegated to the departmental ATIP Coordinator through a delegation instrument signed by the Minister of Public Safety. The approval of exemptions remains with the Director, the Deputy Directors as well as the Team Leaders. Delegation for public interest releases as well as research and statistics rests with the Commissioner, the Senior Deputy Commissioner and the Assistant Commissioner, Policy.

A detailed delegation instrument can be viewed in Appendix A.


Training & Awareness

The Policy and Training Unit plays a fundamental role in developing and delivering training to National Headquarters, Regional Headquarters and Institutions across Canada on Access to Information and Privacy related matters. During the current fiscal year, the ATIP Policy and Training Unit has delivered a total of 12 training sessions with 184 persons attending. Examples of training which reflect these numbers include:

  1. Training sessions for ATIP staff: The ATIP Policy and Training Unit (PTU) continued a series of Lunch and Learns specifically for ATIP staff. These training sessions focused on the application of different exemptions and have proven to be very successful. At the end of last fiscal year, the PTU provided extensive training to its ATIP staff on numerous sections of the Privacy Act. This reporting year, the PTU focused on section 26 – personal information of the PA, since most of our work is centered on the personal information of offenders.

    ATIP staff demonstrated an interest in learning more about CSC in general in order to provide insight into the records they review and the reason(s) for the application of certain exemptions. Therefore, the PTU organized a staff training day in which presentations were delivered by Victim Services, Offender Redress, OCI Liaison and Security Intelligence Officers. This proved to be quite successful and more of these sessions will be organized for the 2012-2013 fiscal year. As well, ATIP staff also visited two institutions in November – Collins Bay and Frontenac. The PTU organizes these visits on a yearly basis in order to foster education regarding the challenges of working in an institutional environment. Another visit is planned during the 2012-2013 fiscal year.

    Also, the Management Team received a presentation from Legal Services on solicitor-client privilege. This session was very informative and allowed for the dissemination of the information to respective teams.
  2. Training sessions to CSC staff: Numerous training sessions were provided to CSC staff at National Headquarters and regionally this fiscal year, including information sessions for:
    • New Wardens and Deputy Wardens
    • Security Intelligence Analysts and Officers
    • Legal Services
    • Information Management Services, Administrative staff
    • Information Management Services, Records Office
    The ATIP Division officials liaised with NHQ Information Management (IM) and Security staff to ensure that ATIP is part of CSC’s New Employee Orientation Program.
  3. Training ATIP Liaisons: ATIP Regional Liaisons were invited for a 3 day one-on-one training session with ATIP staff who guided them through the review of ATIP legislation, CSC’s Privacy Breach reporting system and the vetting of disciplinary reports. They were also given an opportunity to address any ATIP issues and questions they had.

    Regional ATIP Liaisons also delivered training sessions within their regions to staff and community partners including security intelligence officer assistants, community support staff, information management staff, New Employee Orientation Program training, administrative assistants, staff at the Regional Psychiatric Centre and training at the Preventive Security Intelligence staff conference. Regional ATIP Liaisons delivered a total of 17 training sessions with 427 persons attending.

    The Policy and Training Unit continues to provide advice and answer questions and concerns regarding training, policy and guidelines, interpretations of the Act, etc. through its GEN-NHQ Policy and Training email account. This has proven to be a very useful tool.

Policies, Guidelines, and Procedures

The ATIP Policy and Training Unit spent this year reviewing its policies and procedures to ensure they were compliant and reflected the most current information. This included the revision of its Process and Compliance Manual which serves as a guide for ATIP staff, and the rest of the department, on how to respond to ATIP requests and how to properly manage and safeguard personal information. It has been posted on ATIP’s InfoNet site where it can be easily accessed by all CSC employees.

The PTU completed the Privacy Impact Assessment template as per Treasury Board’s Directive on Privacy Impact Assessment. It serves as a comprehensive document to ensure all key privacy considerations are taken into account and are consistent with TBS requirements. It was approved by CSC’s Privacy Committee and is posted on ATIP’s InfoNet site.

The PTU continues its review of all CSC’s forms to ensure they contain the required privacy statements.

Following feedback from Treasury Board Secretariat (TBS), CSC ATIP is exploring ways to inform requesters of our duty to assist. Our internet site has a page dedicated to the duty to assist principles; however, we are looking at additional ways to transmit this information.

One of CSC ATIP’s priorities this year was to foster its relationship with the Office of the Privacy Commissioner. As a result, a paper has been developed which will serve as a guide for investigators at the Office of the Privacy Commissioner (OPC). The Guide to Understanding CSC Records provides a detailed explanation of the records held by CSC, the most common exemptions applied to these records and the reasons for the application of these exemptions.

Due to the vast quantities of personal information handled by the CSC, the ATIP Division continues to be proactive in promoting awareness regarding the safeguarding of its information holdings.

InfoNet & Internet Updates and Maintenance

CSC’s ATIP Division continues to ensure its internal ATIP website is kept updated with the most current information in order to educate the wider CSC community on privacy related issues. The site includes information regarding policies and procedures, directives, privacy breach prevention and reporting, Privacy Impact Assessment procedures, and a list of ATIP Tips and Bulletins.

This fiscal year, ATIP’s external internet site was revised and updated to ensure it met Treasury Board’s requirements, to ensure it is in compliance with TBS’ requirement to reduce the ROT (redundant, outdated and trivial) content on departmental web sites, and most importantly, to bring greater awareness to the public of the ATIP process. The updated website is user-friendly and includes dedicated pages for instructions on submitting access and privacy requests and how to make a request for correction of personal information, the duty to assist, an up-to-date list of the completed Privacy Impact Assessments, and frequently asked questions. To view the changes to the ATIP Division’s Internet site, please visit:


CSC is responsible for providing comprehensive, accurate and up-to-date descriptions of its functions, programs, activities and Personal Information Banks (PIBs) that describe the collection, use, disclosure and retention of personal information in Info Source. CSC continues to be dedicated to updating its PIBs on an annual basis and ensuring they are aligned with the appropriate Class of Records.

The following is a list of PIBs CSC updated during the current reporting year:

  • Education and Training
  • Inmate Trust Fund – Current Savings Account
  • Offender Program Assignments and Payments
  • Victim-Offender Mediation
  • Victims

The ATIP Division’s Information Holdings can be viewed here:

CSC will be part of the Info Source Pilot Working Group in September 2012 on the decentralization of Info Source.


Throughout the 2011-2012 fiscal year, officials of the ATIP division have also supported the administration of the Privacy Act through many of its other activities, including:

  • Participating in a working committee with Departmental Security, IT Security and Information Management to develop an on-line training program to address all facets of protecting and managing personal information. This includes dedicated modules on the Privacy Act;
  • Participating in a working group for Electronic Monitoring (EM) and provided on-going advice to EM staff, as needed;
  • Providing ongoing advice to Information Management (IM) in relation to the audit on the safeguarding of offender records;
  • Participating as a member of the Government of Canada (GC) Forum on ATIP. The forum serves as a direct link to the ATIP community where members discuss issues including PIA, policy developments and training initiatives;
  • Attending networking functions with other ATIP colleagues such as the ATIP Community meetings presided by the Treasury Board, the annual Canadian Access and Privacy Association (CAPA) conference, the annual Information Commissioner and Privacy Commissioner’s breakfast and the annual PIA information session held by the Office of the Privacy Commissioner;
  • Coordinating a new training approach with CSC’s Information Management (IM) and Security partners – when ATIP delivers a training session to a large group, ATIP collaborates with IM and Security to ensure new staff receive a comprehensive overview of how ATIP works in tandem with information management and security. The coordinated approach has proven very effective;
  • Strengthening our communication and relationship with the Office of the Privacy Commissioner – ATIP has invited investigators to attend a learning session to understand how Preventive Security works within CSC and the penal institutions. It is our hope that these learning sessions will familiarize investigators with the unique challenges and issues of CSC; and
  • Providing advice on privacy matters from CSC staff, including how to report on and prevent breaches of personal information and ensure that corrective measures are implemented.



The ATIP Division continues to process a large number of privacy requests.

In addition to dealing with formal Privacy requests, the ATIP Division is also responsible for providing internal assistance to CSC officials by conducting informal reviews of documents for institutions, regions and National Headquarters. The ATIP Division processes informal Privacy requests including Boards of Investigation (BOIs), Harassment and Disciplinary investigations, Fact-finding investigation reports and requests from the province (including Coroners’ inquests and Crown Counsel reviews). These can be extremely time-consuming and are frequently urgent. The ATIP Division’s workload is such that the greater part of informal reviews are handled by the Policy and Training Unit and the Management Team.

The ATIP Division also continues with its review of requests relating to the Indian Residential School Settlement which was extended another year.

Until this fiscal year, CSC’s ATIP Division was one of the few government departments that continued to redact information manually. To address this inefficiency, the Division implemented a case management and electronic vetting system, AccessPro, in May 2011. This has proven to be a useful working tool and as we proceed with its complete implementation, modifications to our processes continue.

CSC ATIP is working towards eliminating its backlog. In an effort to reduce it and address future increases, ATIP received some additional funds during this fiscal year to help manage the increase in volume.


Statistical Report for the 2011-2012 Reporting Year

In 2011-2012, CSC received 10,685 Privacy Act requests. A total of 3,042 requests were carried over from the previous reporting year, totaling 13,727 requests requiring processing in 2011-2012. In total, 961,356 pages were processed. In addition, the Division processed 1,978 informal requests totaling 59,894 pages for personal information relating to Indian and Residential School Settlements, harassment, and disciplinary investigation reports, as well as 49 consultations from other government institutions and 14 miscellaneous requests for personal information. Please refer to Appendix B for the Statistical Report.

Figure 1: Formal Requests and carried over

In fiscal year 2009-2010 CSC processed 12,579 requests pursuant to the Privacy Act, in 2010-2011 CSC processed 13,864, and in 2011-2012 CSC processed 13,727. These numbers include formal requests, informal requests, consultation requests from other government departments, and miscellaneous requests.

Formal Requests and carried over

Disposition of Requests

Of the 9,099 requests completed during the 2011-2012 reporting period, 1,169 requests were full disclosures, 4,519 were partial disclosures, 92 were withheld in their entirety, 2,730 were unable to process resulting from no records existing, and 589 were abandoned by the applicant.

Figure 2: Disposition of Requests

Of the 9,099 requests completed during the 2011-2012 reporting period, 1,169 requests were full disclosures, 4,519 were partial disclosures, 92 were withheld in their entirety, 2,730 were unable to process resulting from no records existing, and 589 were abandoned by the applicant.

Disposition of Requests


A breakdown of the exemptions applied during this reporting period is as follows:

Exemption Description Number of Times Applied
Obtained in Confidence 1,192
Federal-Provincial Affairs 0
International Affairs and Defence 13
Law Enforcement & Investigation 3,685
Policing Services 0
Security Clearances 2
Individuals Sentenced for an Offence 964
Safety of the Individuals 86
Information about another individual 3,932
Solicitor-Client Privilege 50
Medical Record 2
Information to be published 0
Library/Museum Material 0

Completion Time

During the reporting period, CSC completed 3,998 requests in less than 30 days; 1,974 between 31 and 60 days; 1,038 requests between 61 to 120 days; and 2089 were completed in over 121 days.

Method of Access

Where information was available for release, copies were provided in 7,666 cases which included paper copies, electronic, CDs and examination.

Corrections and Notations

CSC received a total of 7 requests for correction to personal information. A total of 1 correction was made, and 2 notations attached. The remaining 4 were not made in accordance with the Privacy Act,but were dealt with pursuant to the Corrections & Conditional Release Act.

Consultations from Other Institutions

The ATIP Division’s workload also involves responding to consultations in response to formal requests received by other institutions. CSC works closely with its partners under the Public Safety portfolio such as CBSA, RCMP, CSIS, PBC, OCI, as well as Citizenship and Immigration in order to respond to consultations in a timely fashion.

During the 2011-2012 reporting period, the ATIP Division received a total of 58 consultations from other institutions processing requests under the Privacy Act.

The following chart provides the type and number of consultations received over the 2011-2012 reporting year:

Type Number
Other Federal Governments 48
Provincial Institutions or Municipalities 10
Foreign Governments or Institutions of States 0
Total 58


The Office of the Privacy Commissioner (OPC) notified CSC of 262 complaints with regard to responses to Privacyrequests processed by CSC. At the end of the reporting period, 170 findings were issued for these complaints.

The majority of the privacy complaints received during this reporting period concern denial of access and delay/time limit complaints. CSC processed over 9099 requests and received 262 complaints representing 4% of the requests processed by CSC.

The following chart provides a breakdown of the type of complaint made to the OPC:

Reason for Complaint Number
Access 125
Delay/Time Limits 100
Collection 1
Use and Disclosure 33
Retention and Disposal 1
Correction/Notation 2

The findings for the complaints closed during this reporting period are:

Finding Number
Discontinued 16
Not Well-Founded 46
Well Founded 83
Resolved 2
Not Resolved 0
Settled 23

The remaining complaints are under investigation.


Subsection 8(2) of the Privacy Act states that “personal information under the control of a government institution may be disclosed” under certain specific circumstances without the consent of the individual.

The mandate of CSC requires that it routinely shares personal information with other areas of the Criminal Justice Community and Law Enforcement Agencies (which includes municipal, provincial, international, federal police forces or other law enforcement bodies) to ensure the offenders are appropriately managed in a safe, secure and humane environment and to ensure the safety of the offender, other offenders, staff and the community at large.

The following is a statistical breakdown of disclosures pursuant to 8(2) of the Privacy Act:

Paragraph 8(2)(b)

Personal information may be disclosed “in accordance with any Act of Parliament or any regulation…that authorizes its disclosure.”

Under this paragraph of the Privacy Act, 2 requests were received and treated.

Paragraph 8(2)(c)

Personal information may be disclosed to comply “with a subpoena or warrant issued or order made by a court, a person or body with jurisdiction to compel the production of information” or to comply “with rules of court relating to the production of information.”

Under this paragraph of the Privacy Act, 2 requests were received and treated.

Paragraph 8(2)(d)

Personal information may be disclosed “to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada.”

Under this paragraph of the Privacy Act, 2 requests were received and treated.

Pargraph 8(2)(e)

Personal information may be disclosed “to an investigative body […] for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation…”

Pargraph 8(2)(f)

Personal information may be disclosed “under an agreement or arrangement between the Government of Canada [...] and the government of a province [or territory] [...] for the purpose of administering or enforcing any law or carrying out a lawful investigation.”

Pargraph 8(2)(m)

CSC disclosed personal information pursuant to 8(2)(m) of the Act [i.e., in the public interest or disclosure would clearly benefit the individual to whom the information relates] in 11 cases.

Nature of the 8(2)(m) disclosures

For example, limited offender information related to Boards of Investigation, transfer dates, locations and medical information.

The Privacy Commissioner was notified prior to the disclosure of personal information in all but one case.


There were no PIAs completed this reporting year; however, at the end of the reporting period there were 4 ongoing PIAs which are expected to be completed during the next reporting period.


CSC has a mechanism in place which allows for the systematic review of any initiatives or projects in order to determine if a PIA will be required. The PIA checklist is a tool that is completed by program areas, reviewed by the Policy and Training Unit and approved by the ATIP Director. Over the past year, the ATIP Division reviewed a total of 11 PIA checklists as follows:

Information Sharing with Revenue Quebec

The Ministry of Revenue Québec requires information concerning federally incarcerated offenders in the Quebec region. This information sharing will assist the Ministry in managing the new provisions of the Quebec Income Tax Act.

A new tax credit came into effect in July 2011 and is calculated at the beginning of each month. Incarcerated individuals are not entitled to this new tax credit.

A Memorandum of Understanding is already in place between the CSC and Revenue Québec to collect other related income tax information which is provided on an annual basis.  Therefore, the present agreement must be amended to include offender’s address, start date of incarceration and end date of incarceration. The transfer of information will be provided on a monthly basis via an encrypted electronic file.

Integrated Finance and Material Management System Upgrade

CSC’s current hardware platform which hosts its Finance and Material Management System will reach its end of its life cycle by December 2012, and will no longer be supported by the vendor. An upgrade to a later release of Oracle is required. CSC is committed to ensuring on-going support of mission critical financial and materiel systems and services to satisfy operational and business needs. Therefore, CSC decided to complete the upgrade by January 2012. The type of personal information being collected, used and disclosed by CSC will not be affected.

Timekeeping for Internal Audit

There is a need for CSC’s Internal Audit Branch to effectively collect, manage and track employee time. Automated timesheet software will allow the program area to reliably track project time and cost information to ensure that the Branch management can make both timely and sound business decisions. The software is a hosted website where each employee logs in with a password and records their times, dates, projects worked on and expenses while travelling. Management can then have a better understanding of workflow and will be able to re-allocate resources as necessary. Managers will only be able to see the information about the project they are assigned to and the information gathered will not be used to assess individual employee performance. Reporting of the information gathered in the system will be based on the project, not on individual employees.

Treatment Centre Performance Management Framework

In order to comply with Treasury Board’s Policy on Evaluation and as a result of an audit of the Regional Treatment Centres and Regional Psychiatric Centre, the Mental Health Branch had developed a Performance Management Framework (PMF). The PMF will monitor and report on the tasks and processes central to the provision of clinical services to patients admitted to the centres in order to determine better ways to meet clinical objectives. All personal information will be replaced with unique identifiers which can be shared for reporting purposes, and only those with a need to know will have access to the master list.

Somum Solutions

CSC has an operational requirement to acquire and implement an emergency broadcast messaging system to enhance its emergency readiness posture when responding to and managing any type of emergency incident impacting on the safety and security of personnel, the security of its client and the protection of its facilities and valuable assets. There is no change to how personal information is being collected, used, retained/disposed of or disclosed.

Nakisa Organizational Management Tool

The Nakisa Organizational Management Tool is software that allows the user to get a centralized view of the organization’s structure and workforce. This tool has been adopted by the Government of Canada and is used by Human Resources to analyze workforce information. Since the information relates to employee positions and organization charts, it is not considered to be personal information.

Fleet Tracking

Fleet Tracking is an initiative which will be used to identify maintenance on vehicles before they break down. Vehicles such as perimeter patrol vehicles and prisoner transfer vehicles are imperative to the day-to-day operations of CSC institutions. A black box will be placed on the computer of the vehicle which will collect the Vehicle Identification Number. The black box will send a signal to the external website informing of any mechanical problems as they occur. No personal information is collected as a result of this initiative.

Security and Information Awareness On-line Training

The Departmental Security Division will be contracting with a third party through the PWGSC procurement process to host a web based training module on Security and Information Awareness. The training will be mandatory for all CSC employees in order to meet the requirements of TBS’ Policy on Government Security. The supplier will be developing all content and providing CSC with a system to track completion.

Computerized Assessment of Substance Abuse for Men (CASA-M) Version 2

The existing CASA for Men was implemented in 2006. CASA-M provides information related to an offender’s level of substance use severity and dependence and life areas impacted by substance abuse. This information is useful for effective sentence management and research purposes which supports and informs appropriate correctional planning, the development of offender profiles, forecasting, policy development and identifying best practices. The new design will incorporate the ‘text to speech’ functionality. There are no changes to the collection, use, disclosure, retention or disposal of personal information. It merely provides for an updated computer platform that is in line with current technology and security protocols.

Arrival Expansion

The Arrival System will be used by the Main Records Office at National Headquarters (NHQ) to facilitate its control and tracking capabilities of CSCs physical information resource holdings regularly received, created, charged in, charged out, shipped and processed by the Main Records Office processing areas. The Arrival System is designed to track the physical location and movements of physical assets.

Crisis Response and Security Information Management System (CRSIMS)

CRSIMS is a system designed to manage, maintain and control electronic information and emergency response plans for CSC Headquarters, institutions, Parole offices, and Community Correctional Centres. The CRSIMS contains documents and plans for Security Services, Business Continuity Planning, Contingency Plans, Disaster Recovery and other pertinent services including plans maintained by the Technical Services Division and other information required for crisis management support.


ATIP continues to work with all liaisons on how to report on privacy breaches, implement corrective measures and prevent further privacy breaches, all with an aim to cultivate a culture of awareness regarding the importance of safeguarding personal information. An ongoing component of our training includes a comprehensive section on privacy breaches.

Staff is continuously reminded of their obligations to safeguard and protect personal information and adopt privacy sensitive approaches in the workplace.

Over the 2011-2012 reporting period, the ATIP Division processed 204 privacy breaches. Although CSC continues to see an increase in the number of privacy breaches, we attribute this to the ongoing education regarding the reporting of privacy breaches.

CSC’s Privacy Breach Guidelines provide employees with direction on the department’s privacy breach reporting mechanism. This guidance tool provides information on responsibilities, types of breaches, reporting and notification. In addition, it provides information on how to conduct a Privacy Risk Assessment (PRA) at the operational level where the impact and the circumstances of the breaches are best known.

All breaches are reported to ATIP’s Policy and Training Unit who provides recommendations if necessary, reports the breach to the OPC if required and monitors the breaches to ensure corrective measures are implemented to prevent a similar occurrence in the future. The unit also identifies areas which may require additional training on the protection of personal information.


CSC was named as the respondent in one federal court review related to a Privacy request. The case was dismissed before the hearing was held.


The ATIP Division expended a total of $4,204,410. Of this, $3,940,027 was in salary costs, plus an additional $105,260 in overtime. Operating costs totaled $159,123.

APPENDIX A – Privacy Act Delegation

The Minister of Public Safety, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto to exercise the powers and perform the duties and functions of the Minister as the head of a government institution, that is, the Correctional Service of Canada, under the sections of the Act set out in the schedule opposite each position.

The dots (•) represent the person(s) designated to exercise the powers and perform the duties and functions of the Minister under the section(s) of the Act.

Section Action Commissioner Senior Deputy Commissioner Assistant Commissioner Policy Director ATIP Deputy Director, ATIP Team Leaders, ATIP Regional Deputy Commi-ssioners Wardens & District Directors
8(2)(j) Disclose personal information for research purposes          
8(2)(m) Disclose personal information in the public interest or in the interest of the individual          
8(4) Retain copy of 8(2)(e) requests and disclosed records
8(5) Notify Privacy Commissioner of 8(2)(m) disclosures          
9(1) Retain record of use
9(4) Notify Privacy Commissioner of consistent use and amend index      
10 Include personal information in personal information banks      
14 Respond to request for access within 30 days; give access or give notice          
15 Extend time limit for responding to request for access          

Decide whether to translate requested information

18(2) May refuse to disclose information contained in an exempt bank    
19(1) Shall refuse to disclose information obtained in confidence from another government    
19(2) May disclose any information referred to in 19(1) if the other government consents to the disclosure or makes the information public    
20 May refuse to disclose information injurious to the conduct of federal-provincial affairs    
21 May refuse to disclose information injurious to international affairs or defence    
22 May refuse to disclose information prepared by an investigative body, information injurious to the enforcement of a law, or information injurious to the security of penal institutions    
23 May refuse to disclose information prepared by an investigative body for security clearances    
24 May refuse to disclose information collected by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while individual was under sentence if conditions in section are met    
25 May refuse to disclose information which could threaten the safety of individuals    
26 May refuse to disclose information about another individual, and shall refuse to disclose such information where disclosure is prohibited under Section 8    
27 May refuse to disclose information subject to solicitor-client privilege    
28 May refuse to disclose information relating to the individual's physical or mental health where disclosure is contrary to the best interests of the individual    
31 Receive notice of investigation by the Privacy Commissioner
33(2) Right to make representations to the Privacy Commissioner during an investigation
35(1) Receive Privacy Commissioner's report of findings of the investigation and give notice of action taken
35(4) Give complainant access to information after 35(1)(b) notice
36(3) Receive Privacy Commissioner's report of findings of investigation of exempt bank
37(3) Receive report of Privacy Commissioner's findings after compliance investigation
51(2)(b) Request that Section 51 hearing be held in the National Capital Region      
51(3) Request and be given right to make representations in Section 51 hearings
72(1) Prepare annual report to Parliament            
77 Responsibilities conferred on the head of the institution by the regulations made under section 77 which are not included above

Dated, at the City of Ottawa, this
3rd day of September, 2010
Original signed by The Honourable Vic Toews, P.C., M.P.
Minister of Public Safety

APPENDIX B – Statistical Report

Statistical Report on the Privacy Act

Name of Institution:  Correctional Service Canada

Reporting Period:  2011-04-01 to 2012-03-31

PART 1 - Requests under the Privacy Act

  Number of Requests
Received during reporting period 10,685
Outstanding from previous reporting period 3,042
Total 13,727
Closed during reporting period 9,099
Carried over to next reporting period 4,628

PART 2 - Requests closed during the reporting period

2.1 Disposition and completion time
Disposition of requests Completion Time
1 to 15
16 to 30
31 to 60
61 to 120
121 to 180
181 to 365
More than
365 days
All disclosed 26 376 320 193 104 108 42 1,169
Disclosed in part 54 937 1,359 747 445 613 364 4,519
All exempted 2 24 36 14 3 9 4 92
All excluded 0 0 0 0 0 0 0 0
No records exist 2,052 288 208 49 22 55 56 2,730
Request abandoned 204 35 51 35 37 35 192 589
Total 2,338 1,660 1,974 1,038 611 820 658 9,099
2.2 Exemptions
Section Number
18(2) 0
19(1)(a) 29
19(1)(b) 7
19(1)(c) 300
19(1)(d) 856
19(1)(e) 0
19(1)(f) 0
20 0
21 13
Section Number
22(1)(a)(i) 858
22(1)(a)(ii) 47
22(1)(a)(iii) 34
22(1)(b) 818
22(1)(c) 1,928
22(2) 0
22.1 0
22.2 0
22.3 0
Section Number
23(a) 0
23(b) 2
24(a) 101
24(b) 863
26 3,932
27 50
28 2
2.3 Exclusions
Section Number
69(1)(a) 0
69(1)(b) 0
69.1 0
Section Number
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
Section Number
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
2.4 Format of information released
Disposition Paper Electronic Other formats
All disclosed 1,161 0 8
Disclosed in part 4,506 2 11
Total 5,667 2 19
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
Disposition of requests Number of pages processed Number of pages disclosed Number of requests
All disclosed 52,340 50,052 1,169
Disclosed in part 869,180 756,614 4,519
All exempted 949 0 92
All excluded 0 0 0
Request abandoned 38,887 0 589
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less than 100
pages processed
pages processed
pages processed
pages processed
More than 5000
pages processed
Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed Number of requests Pages disclosed
All disclosed 1,064 20,611 92 16,470 10 6,235 3 6,736 0 0
Disclosed in part 2,301 74,858 1,671 274,935 362 187,972 185 218,849 0 0
All exempted 89 0 3 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Abandoned 529 0 33 0 14 0 13 0 0 0
Total 3,983 95,469 1,799 291,405 386 194,207 201 225,585 0 0
2.5.3 Other complexities
Disposition Consultation
of fees
Legal advice
Other Total
All disclosed 7 0 0 0 7
Disclosed in part 153 0 0 0 153
All exempted 1 0 0 0 1
All excluded 0 0 0 0 0
Abandoned 7 0 0 0 7
Total 168 0 0 0 168
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
Number of requests closed past the statutory deadline Principal Reason
Workload External consultation Internal consultation Other
3,769 3,601 168 0 0
2.6.2 Number of days past deadline
Number of days past deadline Number of requests
past deadline where
no extension was taken
Number of requests
past deadline where
an extension was taken
1 to 15 days 390 207 597
16 to 30 days 269 156 425
31 to 60 days 220 217 437
61 to 120 days 371 340 711
121 to 180 days 196 230 426
181 to 365 days 223 362 585
More than 365 days 235 353 588
Total 1,904 1,865 3,769
2.7 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

PART 3 - Disclosures under subsection 8(2)

Paragraph 8(2)(e) Paragraph 8(2)(m) Total
104 11 115

PART 4 - Requests for correction of personnal information and notations

Requests for correction received 7
Requests for correction accepted 1
Requests for correction refused 4
Notations attached 2

PART 5 - Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of requests where an extension was taken 15(a)(i)
Interference with operations
Translation or conversion
Section 70 Other
All disclosed 445 0 3 0
Disclosed in part 2,311 0 57 0
All exempted 36 0 2 0
All excluded 0 0 0 0
No records exist 146 0 4 0
Request abandoned 219 0 2 0
Total 3,157 0 68 0
5.2 Length of extensions
Length of extensions 15(a)(i)
with operations
Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 3,157 0 68 0
Total 3,157 0 68 0

PART 6 - Consultations received from other institutions and organizations

6.1 Consultations received from other institutions and organizations
Consultations Other government institutions Number of pages to review Other organizations Number of pages to review
Received during reporting period 48 3,492 10 206
Outstanding from the previous reporting period 1 126 0
Total 49 3,618 10 206
Closed during the reporting period 46 3,500 10 206
Pending at the end of the reporting period 3 118 0 0
6.2 Recommendations and completion time for consultations received from other government institutions
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 4 4 0 0 0 0 0 8
Disclose in part 25 6 3 1 0 0 0 35
Exempt entirely 1 0 0 0 0 0 0 1
Excluded entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 1 0 0 0 1 0 0 2
Total 31 10 3 1 1 0 0 46
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation Number of days required to complete consultation requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 4 0 0 0 0 0 0 4
Disclose in part 4 0 1 0 0 0 0 5
Exempt entirely 0 0 0 0 0 0 0 0
Excluded entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 1 0 0 1
Total 8 0 1 0 1 0 0 10

PART 7 - Completion time of consultations on Cabinet confidences

Number of days Number of responses received Number of responses past deadline
1 to 15 0 0
16 to 30 0 0
31 to 60 0 0
61 to 120 0 0
121 to 180 0 0
181 to 365 0 0
More than 365 0 0
Total 0 0

PART 8 - Resources related to the Privacy Act

8.1 Costs
Expenditures Amount
Salaries $3,258,231
Ovetime $101,914
Goods and Services $106,136
  • Contracts for privacy impact assessments
  • Professional services contracts
  • Other
Total $3,466,280
8.2 Human Resources
Resources Dedicated full-time Dedicated part-time Total
Full-time employees 42.00 8.00 50.00
Part-time and casual employees 8.00 0.00 8.00
Regional Staff 0.00 0.00 0.00
Consultants and agency personnel 0.00 0.00 0.00
Students 0.00 0.00 0.00
Total 50.00 8.00 58.00