Key takeaways for public servants from the 2019-2020 Annual Report
October 8, 2020
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
The Privacy Commissioner’s latest annual report was tabled in Parliament today.
The major theme of the report is Privacy in a Pandemic. It discusses the Office of the Privacy Commissioner of Canada’s work to assist public and private sector organizations during the public health care crisis as well as lessons drawn from that work.
Commissioner Daniel Therrien noted during a news conference that privacy and the pursuit of public health and economic recovery are not contradictory. They can, and must be, achieved concurrently.
“Federal laws are simply not up to protecting our rights in our rapidly evolving digital environment,” he says. “We need a legal framework that will allow technologies to produce benefits in the public interest while also preserving our fundamental right to privacy. This is an opportune moment to demonstrate to Canadians that they can have both.”
The annual report also highlighted some key issues that all federal institutions should take note of.
Issue 1 – Breach reporting:
We continue to believe that the number of privacy breaches reported to our office represents only the tip of the iceberg. For example, we have noted with some concern that very few privacy breach reports we receive from federal institutions are attributed to cyber security events (less than 2% compared to 42% in the private sector).
It is unclear why there is such a significant discrepancy between the public and the private sectors.
Federal institutions subject to the Privacy Act are required to notify the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat of all material privacy breaches.
The Treasury Board Guidelines for Privacy Breaches state a breach is deemed “material” if the breach:
- Involves sensitive personal information; and
- Could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.
Takeaway:
- If your institution is the target of a cyber attack, such as malware, ransomware, social engineering or password attack that results in a material privacy breach, the incident must be reported to the OPC.
Issue 2 – Time-limit complaints:
Too many federal institutions are failing to meet their obligations to respond to personal information requests made under the Privacy Act within the specified time limits.
Our office receives many complaints from individuals alleging that a government institution has unjustly denied them timely access to their personal information.
We have therefore instituted a deemed refusal approach for time limit complaints, issuing deemed refusal findings to address situations where institutions are not responding in a timely or adequate manner, or are unable to commit to a release date for access to personal information requests.
An important component of the deemed refusal approach includes a process to conditionally resolve complaints where an institution commits to responding to personal information requests within an acceptable period of time.
In 2019-2020, we issued 146 deemed refusal letters to 11 institutions. By comparison, in 2018-2019, we issued 31 deemed refusals against three government institutions.
A deemed refusal finding allows Canadians to exercise their right to apply before the Federal Court in a timely manner if they have faced challenges when attempting to access their personal information.
Takeaways:
- Federal institutions must respond to personal information requests in accordance with the provisions set out in the Privacy Act.
- In instances where the OPC receives a complaint where a federal institution is alleged to have failed to respond to a request within the timelines prescribed in the Privacy Act, our office will engage the institution to negotiate a reasonable date by which it will respond (commitment date).
- In instances where an institution fails to provide the OPC a reasonable commitment date, our office may issue a deemed refusal finding, empowering complainants to pursue the matter in court.
Investigations:
The annual report also highlights several Privacy Act investigations that may be of interest to public servants:
- Leak about Supreme Court candidate highlights need for law reform
- Public disclosure of medical information during military trial consistent with Privacy Act
- Disclosure of personal information for litigation purposes permissible under the Privacy Act
- CBSA’s disclosure of medical information to a third party leads to complaint
- Video recording in the workplace at correctional institutions
- ESDC use of security camera footage for fact finding regarding employee’s hours worked
- CBSA should only retain travelers’ digital device passcodes when necessary
- CATSA notification of police about travellers with cannabis inconsistent with Privacy Act
Want to know more?
You can contact us through our website to report a privacy breach at your institution or via email at notification@priv.gc.ca. You can also find information on what to expect during a complaint investigation on our website.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.
- Date modified: