Privacy Trends and Statistical Overview
Highlights
- Western Economic Diversification Canada (WD) updated its Privacy Protection Policy in January 2011 to include information requirements such as privacy impact assessments (PIAs), establishing a privacy protocol and procedures for privacy breaches. A WD Directive on Privacy Breaches was also approved in January 2011 and a comprehensive Privacy Impact Assessment Handbook was drafted, complete with the Privacy Protocol.
- WD recognized Data Privacy Day on January 28, 2011. Staff messages and two posters, entitled Phishing – Don’t Take the Bait! and Beware of the Wi-Fi Predator! were placed throughout all offices.
- WD received one privacy complaint in 2010–2011 on information that was withheld pursuant to section 27 of the Privacy Act, pertaining to solicitor–client privilege, and subsection 21(1)(b) of the Access to Information Act, pertaining to government consultations and deliberations. The complaint investigation is ongoing and was carried forward into fiscal year 2011–2012. There were no appeals or applications submitted to the Federal Courts.
Challenges
- As federal departments venture into social media, issues about privacy protection, access, records retention and other regulatory requirements will pose a challenge.
Personal Information Requests Pursuant to the Privacy Act
In 2010–2011, (WD) received two requests for personal information under the Privacy Act and one request was carried forward from 2009–2010. All three requests were completed during the initial 30-day period. This is down by 50 percent from fiscal year 2009–2010; however, the department has not historically received many requests for personal information.
Records were partially disclosed on two requests, one of which the department was unable to process. In total, WD processed 449 pages for the requests, of which 372 pages were released in whole or in part.
No consultations or extensions were required when processing the personal information requests.
top of pageExemptions and Exclusions Invoked
WD invoked Section 27 of the Privacy Act and subsection 21(1)(b) of the Access to Information Act in whole or in part on one personal information request and Section 25 on a second request.
Further to the request for statistical information on exemptions and exclusions applied under the Act in the additional reporting requirements attached to the “Report on the Privacy Act,” WD did not invoke any of the exemptions or exclusion during the 2010–2011 reporting period (see page 11).
Permissible Disclosure of Personal Information
Personal information collected by (WD) in the course of its programs and activities is being disclosed only for the purpose for which it was collected, in accordance with paragraph 8(2)(a) of the Privacy Act.
WD did not disclose personal information for any other purposes as outlined in paragraph 8(2)(m) during the 2010–2011 reporting period.
Privacy Impact Assessments
In 2002, Treasury Board Secretariat (TBS) issued a policy that requires federal institutions subject to the Privacy Act to conduct PIAs before establishing new programs, systems or policies or before making any substantial modifications to an existing program, system or policy.
While the policy has been rescinded and replaced by a new (TBS) Directive on Privacy Impact Assessment, which came into effect on April 1, 2010, the requirement still exists to ensure that a PIA is conducted whenever personal information is used in an administrative decision-making process. WD did not complete any Preliminary PIAs or PIAs in 2010–2011 and, therefore, no assessments were forwarded to the Office of the Privacy Commissioner or PIA summaries posted on WD’s public Web site.
Further to the request for statistical information on PIAs, which was from the additional reporting requirements attached to the “Report on the Privacy Act,” the following clarifies comments that were reported (see page 11):
- Preliminary PIAs initiated – 1: WD initiated a Preliminary PIA for a Facebook initiative. Comments by the ATIP Unit were provided on the initial submission to ensure privacy considerations were adequately addressed. This initiative is not going forward, however, and, as a result, this Preliminary PIA did not proceed.
- PIAs initiated – 1: Early work began on a Core PIA about online reporting by WD’s clients using AccessKey technology. (TBS) was very helpful in the development stages of this initiative and concluded that WD’s draft Privacy Protocol covered the collection and use of the personal information for non-administrative purposes. As a result, this PIA did not proceed.
WD ensures that careful consideration of privacy risks with respect to the creation, collection and handling of personal information as part of its programs and activities.
Operational Costs to Administer the Act
WD’s total cost for administrating the Privacy Act in the ATIP Unit is estimated at $22,494, almost double the costs incurred in 2009–2010. This includes estimated salary costs associated with all ATIP Unit employees of $22,218, including a portion of the ATIP and Deputy ATIP Coordinator’s salaries and 25 percent of the ATIP Officer’s salary. In addition, other administrative costs associated with operating and maintenance costs are estimated at $276.
WD also tracks additional privacy-related costs incurred throughout the department, including salary costs of officials involved in the retrieval, review and recommendation phases of the personal information requests and translation services. These additional costs result in an overall cost of $22,966 to the department to administer all aspects of its activities related to the Act.
The increased salary costs can be collated directly with the development of new policies and procedures, such as a privacy protocol, PIAs and privacy breaches. In addition, as WD explored online reporting tools and social media options, a great deal of time was invested in researching and providing guidance to ensure privacy is considered in these initiatives.
The associated ATIP Unit employee resources for 2010–2011 are estimated at 0.31 of a full-time equivalent to administer the Act.