Administration of the Privacy Act Annual Report - 2008-2009

Introduction

The Privacy Act (hereafter the “Act”) came into force on July 1, 1983. Under subsection 12(1) of the Act, Canadian citizens, permanent residents and individuals present in Canada have the right to have access to their personal information that is under the control of the Government of Canada. This right of access is balanced against the legitimate need to protect sensitive information and to permit effective functioning of government, while promoting transparency and accountability in government institutions.

In addition, the Act protects an individual’s privacy by preventing others from accessing his or her personal information, and speaks to the collection, retention, accuracy, disposal, use and disclosure of personal information.

Overview of the Canadian Security Intelligence Service

In 1984, the Government of Canada passed an Act of Parliament for the creation of a civilian security intelligence service. This legislation not only gave birth to the Canadian Security Intelligence Service (CSIS), it also clarified the differences between security intelligence activities and law-enforcement work, bringing to an end the 120-year interlocking of Canada's security intelligence service with the federal police force. CSIS came into existence on July 16, 1984.

The Service is at the forefront of Canada's national security establishment and as such, its programs are proactive and pre-emptive. Its role is to investigate threats, analyze information and produce intelligence; it then reports to, and advises, the Government of Canada, so as to protect the country and its citizens. Key threats include terrorism, the proliferation of weapons of mass destruction, espionage, foreign interference and cyber-tampering affecting critical infrastructure.

Through its Security Screening Program, CSIS prevents non-Canadians who pose security concerns from entering Canada or receiving permanent resident status or citizenship; the Service also safeguards the confidential information of the Government of Canada from foreign governments and other entities that may present a risk.

CSIS's proactive role contrasts with the reactive one of law enforcement agencies such as police forces, which investigate crime and collect evidence to support prosecutions in courts of law.

Administration

The Access to Information and Privacy (ATIP) Section is located within the Secretariat Branch of the Assistant Director Secretariat. The ATIP Section currently has an establishment of 15 employees to fulfill the Service’s obligations under the Access to Information and Privacy Acts. During this reporting period, 14 positions were filled while one remained vacant. The one vacant position has since been filled. When fully staffed, the Section is comprised of an ATIP Coordinator, a Deputy Chief, three supervisors, nine analysts and one clerk. All of the staff in the Section are fully dedicated to the administration of the ATIP programs within CSIS. The CSIS Legal Services Branch provides legal advice as required.

The Delegation of Authority

The mandate of the ATIP Section is to act on behalf of the Minister of Public Safety Canada in promoting and enforcing compliance with legislation, regulations and government policy, and to create departmental directions, including standards, in all matters relating to the Access to Information Act and Privacy Act within CSIS. The Coordinator also acts as spokesperson for the organization in dealing with the Treasury Board Secretariat, the Information and Privacy Commissioners, and other government departments and agencies.

Requests Under the Privacy Act

The privacy client group for the ATIP section consists, for the most part, of individuals who were subject to the CSIS security clearance process and of members of the public interested in knowing if the Service had any information concerning them.

During the reporting period from April 1, 2008, to March 31, 2009, the CSIS ATIP Section received a total of 390 requests under the Privacy Act. This represents a decrease of 356 over the last reporting period, in which a total of 746 were received. A total of 83 were carried over from 2007-2008.

Of the 390 new requests, 255 could not be processed (no records were found or the Service was unable to confirm nor deny the existence of records) and one was re-directed to another federal institution.

Method of Access

In all 99 instances involving the disclosure of records, the applicants chose to receive their own copies.

Other Requests

CSIS also responded to 81 consultations regarding privacy requests involving CSIS records or issues.

The ATIP Section also acted a resource for CSIS officials and offered advice and guidance on the provisions of the legislation.

Disposition of Completed Requests

In 2008-2009, 432 requests were completed. The disposition of the completed requests was as
follows:

• 2 were fully disclosed;
• 97 were disclosed in part;
• 2 were excluded;
• 65 were exempted in entirety;
  
• 255 could not be processed (no records were found or the Service was unable to confirm nor deny the existence of records);
• 10 were abandoned by the applicant; and
• 1 was transferred.

Completion Time and Extensions

The 432 requests completed in 2008-2009 were processed in the following time frame:

• 284 within 30 days;
• 85 within 31 to 60 days;
• 48 within 61 to 120 days; and
• 15 in 121 or more days.

Exemptions Invoked

The ATIP Section invoked exemptions under the Act a total of 267 times, as follows:

• 21 times under section 19 (Information obtained in confidence);
• 118 times under section 21 (International affairs and defence);
• 15 times under section 22 (Law enforcement and investigation);
• 9 times under section 23 (Security clearances);
• 96 times under section 26 (Information about another individual); and
• 8 times under section 27 (Solicitor-client privilege);

Exclusions Cited

Exclusions were invoked one time under section 70 (Confidences of the Queen’s Privy Council for Canada).

Corrections and Notation

The ATIP Section received one correction request. The correction was denied and a notation was inserted in the file.

Costs

During 2008-2009, the ATIP Section incurred an estimated $486,852 in salary costs to administer the Privacy Act.

Privacy Impact Assessments

No Privacy Impact Assessments (PIA) were completed during this reporting period.

Data Matching and Data Sharing Activities

The Service is not in a position to publicly discuss data matching or data sharing activities for reasons of national security.

Education and Training

During 2008-2009, the ATIP Section continued to conduct ATIP awareness sessions for all new CSIS employees. A number of briefing sessions were also given to managers and other specialized groups.

Over the reporting period, 12 briefing sessions were given to 240 participants. The purpose of the sessions was to provide participants with an overview of the Acts, along with a better understanding of their obligations and the process within CSIS.

Reportable Disclosures of Personal Information Under Section 8 of the Act

During this reporting period, the Service disclosed personal information pursuant to paragraph 8(2)(g) on 25 occasions. It did not disclose any personal information pursuant to paragraphs 8(2)(e), 8(2)(f) and 8(2)(m) of the Act. As a rule, the Service does not make any disclosures under the authorities provided by paragraphs 8(2)(e), 8(2)(f) and 8(2)(m) of the Privacy Act. The disclosure of personal information obtained in the performance of the duties and functions of the
Service is made under subsection 19(2) of the CSIS Act, as authorized by paragraph 8(2)(b) of the Privacy Act.

Significant Changes to the Organization, Programs, Operations or Policy

In response to the Charkaoui v. Canada 2008 SCC 38 ruling, the Service issued a directive and interim guidelines for the retention of investigative material collected. The interim guidelines require the retention of virtually all operational notes. This change does not represent an additional collection of personal information but entails the retention of information that was previously destroyed.

This modification to our retention policy was brought to the Privacy Commissioner’s attention.

New Privacy Related Policies or Procedures Implemented

Policy development regarding the retention of operational notes is ongoing.

Changes as a result of issues raised by the Office of the Privacy Commissioner

None to Report

Complaints and Investigations

A total of 30 complaints were filed with the Office of the Privacy Commissioner of Canada in 2008-2009. The reasons for complaints were as follows:

• 11 Delay;
• 16 Refusal/Exemption; and
• 3 Refusal General.

During the same time period, 66 complaint investigations were completed. The breakdown is as follows:

• 16 Discontinued;
• 47 Not well-founded; and
• 3 Resolved.

Federal Court Cases

There are no new court cases involving the Service.

One case before the Federal Court Trial Division was concluded during the reporting period. The case was dismissed.