
Issue sheets on the Transparency within the Department of National Defence and the Canadian Armed Forces

Appearance before the Standing Committee on National Defence (NDDN)


Complaints against DND/CAF since 2019

Key Messages

  • The OPC has accepted 290 complaints against DND/CAF over the last five fiscal years.
  • More than half (60%) of these concerned delays in processing requests for access to personal information.
  • Of these accepted complaints, 22 are ongoing, with the balance (268) concluded. Of the concluded investigations:
    • 48% (128) complaints accepted were resolved through early resolution (a simple form of mediation);
    • 46% (122) were resolved through summary investigation, the majority of which were time limit complaints (110), with the balance related to access matters, retention issues, or other grounds for complaints such as allegations of improper use and disclosure of personal information;
    • 6% (18) were resolved through a full investigation, the majority relating to allegations of improper collection, use and disclosure of personal information (e.g., complaints relating to the CAF’s Vaccine Mandate).
  • Since April 1st, 2024, we accepted 4 complaints against DND/CAF.
  • Overall, my Office has not experienced significant issues resolving complaints with DND/CAF.

Background

  • Of the 46 time limit complaints closed in 2023-2024, the majority, 67% (31), were resolved to the OPC’s satisfaction; deemed refusals were issued in the remaining 15.
  • The number of complaints accepted, rather than received, is used because not all complaints submitted by the public fall within the scope of the Privacy Act.
  • Complaints accepted against DND/CAF, by fiscal year:
    2019‑2020   33
    2020‑2021   51
    2021‑2022   53
    2022‑2023   74
    2023‑2024   78

Prepared by: Compliance


Denial of access

Key Messages

  • An individual may be denied access to their personal information for multiple reasons. The Privacy Act includes exceptions that allow federal government institutions to withhold (ss. 19 to 28) or to exclude (ss. 69 and 70) requested information. For example:
    • Disclosure could be injurious to the conduct of international affairs or the defence of Canada or its allies (s. 21)
    • Information was obtained during a lawful investigation (s. 22.1)
    • Information is about an individual other than the requester (s. 26)
    • Information is subject to solicitor-client privilege (s. 27)

Background

  • In 2023-2024, the OPC investigated 25 complaints against DND/CAF related to access and an additional 46 related to delays. Of the latter, 15 were found to have been deemed refusals.
  • If an institution fails to respond to a request in a timely manner under the Privacy Act, it could, following an investigation conducted by the OPC, be deemed to have refused access to personal information (absent any commitments by the institution to respond within a period found acceptable to the OPC).
  • Where an individual has been denied access and has filed a complaint with the OPC, the complainant may, after the OPC has investigated the matter and issued its report, apply to the Federal Court for a review of the matter (s. 41).

Prepared by: Compliance


Length of investigations

Key Messages

  • For the 85 complaints against DND/CAF under the Privacy Act closed in 2023-2024, the average time to close was approximately 5 months:
    • 54% (46) of these complaints were resolved in 5.1 months using a mediated approach (early resolution).
    • 36% (31) were concluded in 2.7 months with a simplified report (summary investigations).
    • 9% (8) were completed in 13.9 months as they required a more in-depth investigation.
  • In general, DND/CAF are cooperative, and investigations against them are completed in reasonable timelines.
  • Delays may occur in a few cases, for example where an investigation is very complex (e.g., it involves various stakeholders or the issue is novel).

Background

  • Two of the investigations included in our calculation of the average investigation time for 2023-2024 formed part of special reports to Parliament. Those reports involved multiple respondents and/or stakeholders, and/or many complaints against several federal institutions that all had to be closed at the same time, even where the complaint against DND was settled earlier or DND provided its representations in a timely manner:
    • investigation into federal institutions’ collection of employees’ vaccination status, including DND, as part of the Pandemic Special Report (19 months), and
    • one complaint against DND related to the GCkey Breach Special Report (40 months).

Prepared by: Compliance


Privacy-breach notifications from DND/CAF

Key Messages

  • Since April 1, 2019, the OPC has received 10 privacy breach reports from DND/CAF. Given the amount of personal information handled by this organization, we are concerned that breaches may be going undetected or are being mis-assessed, leading to under-reporting.
  • Each breach reported by DND since 2019 affected a relatively small number of individuals, i.e. between 1 and 2,500 affected individuals.
  • The 10 breach reports received since 2019 concern unauthorized access (5), unauthorized disclosure (4) and loss (1) of personal information.
  • DND’s interactions with my Office’s Breach Response Unit (BRU) have been positive. DND has been appropriately responsive to BRU’s requests and forthcoming with information.

Background

  • While not specific to DND/CAF only, our Office is concerned about under-reporting in the federal public sector. Many government institutions subject to the Privacy Act that handle sensitive personal information have never reported or reported only a few privacy breaches.
    • This is a long-standing concern, which the OPC has raised with TBS. In response, TBS updated its privacy policies and agreed to raise awareness.
  • Specific breach causes include:
    • employee snooping (37 affected individuals),
    • leaked database (235 affected individuals),
    • ransomware attack (44 affected individuals),
    • misdirected email (915 affected individuals),
    • exposure of personal information on social media (3 affected individuals),
    • BCC email omission (55 affected individuals),
    • BGRS/Sirva cyber incident (2,300 affected individuals).
  • DND’s actions to address and mitigate reported privacy breaches have generally been satisfactory.

Prepared by: Compliance


OPC collaboration with Office of the Information Commissioner

Key Messages

  • The adoption of Bill C-58 in June 2019 amended the Access to Information Act (ATIA) by, among other things, giving the Office of the Information Commissioner (OIC) order-making powers.
  • It also added a provision requiring the OIC to consult the Privacy Commissioner when it intends to order a federal government institution to disclose records that were withheld under subsection 19(1) of the ATIA.
  • Subsection 19(1) of the ATIA prohibits the disclosure of personal information contained in records requested under the ATIA.
  • To facilitate consultations between our two offices, the OPC and OIC signed a Memorandum of Understanding in December 2020. The intent was to establish a list of circumstances where a consultation between OIC and the OPC should occur to ensure there is adequate consideration of privacy rights.
  • Under these terms, the OIC consulted the OPC 19 times during the last 4 years; none involved DND/CAF records.

Background

  • Section 36.2 of the ATIA: If the Information Commissioner intends to make an order requiring the head of a government institution to disclose a record or a part of a record that the head of the institution refuses to disclose under subsection 19(1), the Information Commissioner shall consult the Privacy Commissioner and may, in the course of the consultation, disclose to him personal information.
  • Number of files received during the last 4 fiscal years:
    FY 20-21 2 files (redacted)
    FY 21-22 3 files (redacted)
    FY 22-23 10 files (redacted)
    FY 23-24 4 files (redacted)

Prepared by: Compliance


DND use of Cellebrite

Key Messages

  • Following media reports, our office reached out to the DND in December 2023 to specifically ask about its use of digital forensics tools such as Cellebrite.
    • DND responded on December 12, 2023 that it did use such tools to “support lawful Defence activities” including investigations by Military Police, although it did not disclose which specific software it uses.
  • DND also stated in its response that it had several Privacy Impact Assessments underway “relating to Military Police activities” including one assessing Counter-Intelligence activities. We have not yet received these PIAs nor has DND provided an estimated submission date. We are continuing to follow up.
  • Our office recommends institutions consult with us before starting new programs or activities that involve personal information or when they have privacy-related questions.
  • While institutions are not required to consult with us, they are required, per section 4.2.2 of the Policy on Privacy Protection, to notify the OPC of planned initiatives that have a privacy impact.

Background

  • On December 6, 2023, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) decided to undertake a study “concerning the use of technological tools capable of extracting personal data from telephones and computers in investigative processes” in response to a media story on the same topic. I appeared before ETHI on this study February 1, 2024.
  • In response to this study, my office contacted the thirteen federal institutions named in the original media story to ask them for details about their use of such technologies. DND was one of these institutions.

Prepared by: GA


Overview of Privacy Impact Assessment process

Key Messages

  • The obligation for federal departments to develop PIAs for new or substantially modified programs or activities is currently a policy requirement under section 6.3.1 of the TBS Directive on Privacy Impact Assessment.
  • The Directive requires federal departments to submit PIAs to the OPC and TBS. We rely on institutions to submit PIAs to our office and do not generally proactively seek them out. There are instances where programs are launched without a PIA.
  • Every PIA received by the OPC is reviewed and triaged based on privacy risk factors to determine which reports will be subject to an in-depth review and formal recommendations.
  • Our recommendations identify risks or gaps; however, our advice is non-binding and the OPC does not approve PIAs. Ultimate responsibility for privacy risk rests with the institution.
  • Along with our formal review of PIAs, the Government Advisory Directorate engages in consultations to provide informal advice to institutions early in the development and throughout the lifecycle of their programs and activities.

Background

  • Triage risk factors include the sensitivity and/or volume of the personal information implicated, the use of a new technology, public interest in the program, and whether the program involves vulnerable populations.
  • As a general practice, we rely on institutions to submit PIAs. We do not proactively attempt to identify programs for which PIAs should be conducted.
  • When we become aware, usually via media reports, of a potentially privacy-invasive program for which we have not received a PIA, we often contact the institution for more information.
  • We request that institutions provide a response to our formal recommendations within eight weeks. This timeframe is often, but not always, followed.

Prepared by: GA


PIAs/Consultations with DND/CAF since 2019

Key Messages

  • Since March 2019, GA has engaged in 33 consultations and received 21 PIAs from DND, 16 of which were triaged for review.
  • The initiatives covered by these PIAs and consultations covered a range of issues including biometrics, open-source intelligence, staffing, and internal DND/CAF services.
  • Generally, DND has been open and responsive to the OPC’s advice during our interactions. Approximately 93% of PIA review recommendations were accepted, and we received responses to 100% of our requests for information.
  • Despite this, some significant issues remain unresolved, including DND’s position on the application of the Privacy Act (PA) to its overseas activities and DND’s use of “Crown prerogative” as the legal (non-statutory) basis for its collection of information/intelligence.
  • Based on PIAs and consultations with my office, it appears that DND has taken the position that the PA does not govern their collection of personal information outside of Canada, a position with which we have concerns. We are engaged in ongoing discussion on this point.

Background

  • The issue of the extraterritorial application of the PA was first identified in a 2020 National Security and Intelligence Committee of Parliamentarians report on DND’s intelligence activities.
  • Our office initially provided comments to DND on this issue during our 2021 review of the Functional Directive: Guidance on the Handling and Protection of Canadian Citizen Information. We requested an update on DND’s discussions with the Department of Justice on this issue.
  • This request was reiterated in our recommendation letter on the classified Defence Intelligence Enterprise PIA in December 2023. My office subsequently met with DND on April 30, 2024 to discuss this, among other issues related to the PIA. DND was receptive to our input, and we expect more PIAs from DND as well as continued discussion on this issue.

Prepared by: GA


Transfer of health records from CAF to VAC

Key Messages

  • Veterans Affairs Canada (VAC) and the Canadian Armed Forces (CAF) administer a wide range of health benefits and services to eligible individuals.
  • VAC collects Service Health Records as required from the CAF to determine eligibility for and administer the benefits and services.
  • To manage health services claims, VAC and CAF use the Federal Health Claims Processing Service (FHCPS), which is administered by a third-party contractor. We received a Privacy Impact Assessment (PIA) on the FHCPS from VAC in 2017.
  • We understand that there are challenges with the current FHCPS system, as it relies heavily on paper processing and manual data entry. However, our analysis determined that the program does not raise significant privacy concerns.
  • Our Office has also received PIAs from VAC on related health benefits and services, which outline that the transfer of Service Health Records from the CAF to VAC is facilitated under an information sharing agreement.
  • Our review of these PIAs did not identify any privacy concerns with such transfers.

Background

  • DND provided our Office with a PIA on the FHCPS in March 2024, which analyzes DND’s role in determining the eligibility of CAF clients for health services and ensuring the accuracy of health claims.
  • With the current FHCPS contract ending in 2026, the PIA examines both the current state and the development and design of a new solution.
  • The PIA did not raise significant privacy concerns and was not triaged for a secondary review.

Prepared by: GA


Variance between Privacy Act vs Access to Information Act complaints

Key Messages

  • At the federal level, I enforce the Privacy Act (PA) and the Information Commissioner enforces the Access to Information Act (ATIA).
  • PA complaints filed with my office either relate to an individual seeking access to their own personal information or to how a government institution failed to protect such information (e.g., improper use or disclosure).
  • ATIA complaints filed with the OIC focus on getting access to non-personal information held by a government institution in the name of transparency.
  • Unlike the OIC who can require government institutions to give information to a Complainant after investigating a matter (s. 36.1 ATIA), I cannot do so as my office lacks order-making powers.

Background

  • PA: All individuals, regardless of citizenship or where they are located, have the right to be given access to their own personal information held by a government institution under s. 12(1) PA [s. 2 of Privacy Act Extension Order, No. 2, SOR/89-206; Privacy Act Extension Order, No. 3, SOR/2021-174]
  • ATIA: Individuals and corporations that are present in Canada, and Canadian Citizens/Permanent Residents located anywhere, can be given access to records held by government institutions under s. 4(1) ATIA [Access to Information Act Extension Order, No. 1, SOR/89-207].
  • Both the PA (s. 63) and ATIA (s. 62) contain similar confidentiality provisions: Commissioners and staff shall not disclose information to 3rd parties about what comes to their knowledge in the performance of their duties or functions.
  • PA complaints are often about protecting personal information and maintaining privacy; ATIA complaints are often about making information public.
  • While the OIC’s limited order-making powers (i.e., only for access) are enough to address most of its complaints, such limited powers would fall short for the OPC, given that most of our complaints concern non-compliance with the collection, use and disclosure provisions, which can affect millions of Canadians. As such, we need wider order-making powers covering both compliance and access complaints.

Prepared by: Legal


Privacy Act provisions applied to Access to Information requests

Key Messages

  • Even though the Access to Information Act allows Canadians to get information held by government institutions, certain provisions of the Privacy Act still apply to prevent personal information from being disclosed.
  • Certain Privacy Act provisions are incorporated or referenced directly in the Access to Information Act, such as the definition of “personal information” and the list of exceptions that allow for disclosure of personal information without consent.
  • The Privacy Act and Access to Information Act are intended to be a “seamless code”, construed harmoniously according to a “parallel interpretation model” [Leahy v. Canada (Citizenship and Immigration), 2012 FCA 227 at para 68].
  • Parliament ensured that both statutes recognize that the protection of privacy is paramount over the right of access (except as prescribed by law) [H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13 at para 2].

Background

  • Section 3 of the Access to Information Act (ATIA) incorporates by reference the definition of the term “personal information” found in s. 3 of the Privacy Act.
  • Subsection 19(1) of the ATIA states that “the head of a government institution shall refuse to disclose any record requested…that contains personal information”.
  • Subsection 19(2) of the ATIA nevertheless allows for certain exceptions for where personal information may be disclosed, namely when: (a) the individual to whom it relates consents to the disclosure; (b) the information is publicly available; or (c) the disclosure is in accordance with s. 8 of the Privacy Act.
  • If the Privacy Act applies to a record containing personal information, so will the ATIA (and vice versa); either both Acts apply or neither one does. Both Acts apply to information under the control of a government institution.

Prepared by: Legal


Transparency requirements under the Privacy Act

Key Messages

  • The Privacy Act plays a key role in keeping government institutions accountable/transparent by granting access to a requestor’s own personal information (in most circumstances).
  • Unlike Part 2 of the Access to Information Act—which requires the proactive publication of certain information (e.g., expenditures, briefing materials)—nothing under the Privacy Act requires making any personal information (as defined under that Act) publicly accessible or that it be proactively disclosed.
  • Privacy Act protections still apply to personal information contained in documents subject to proactive disclosure by government institutions; personal information will usually need to be withheld/redacted.

Background

  • Under section 3 of the Privacy Act, “personal information” (PI) is broadly defined as information “about an identifiable individual that is recorded in any form”; it has the same meaning/definition under the Access to Information Act at s. 3.
  • Section 12 of the Privacy Act grants individuals the right to access their own PI under the control of a government institution.
  • Transparency: getting access to one’s own PI under the Privacy Act helps shed light on how/why it is being used by government institutions; it also reveals how much information about you they have already collected; and it provides an opportunity to request that incorrect PI be corrected.
  • Usually, the categories of records subject to publication under Part 2 of the Access to Information Act, such as travel and hospitality expenses or briefing materials, do not contain “personal information” as defined under the Privacy Act. To the extent that they do, that information needs to be redacted, unless one of the exceptions in s. 8(2) of the Privacy Act applies.

Prepared by: Legal


NSIRA report on CSE internal info-sharing

Key Messages

  • In January 2024, the National Security and Intelligence Review Agency (NSIRA) published a report on their review of information-sharing within the Communications Security Establishment (CSE).
  • In it, NSIRA found that CSE’s information-sharing between the foreign intelligence and cybersecurity aspects of its mandate had not been sufficiently examined for compliance with the Privacy Act or the CSE Act, and recommended that CSE seek legal advice on these activities.
  • My Office was not involved, but we welcome the opportunity to support NSIRA and have had a memorandum of understanding with them since 2021 to conduct joint investigations.
  • NSIRA would be better placed to answer any specific questions the Committee may have on the report.

Background

  • In examining CSE’s legal authority for sharing personal information between the intelligence and cybersecurity aspects of its mandate, NSIRA concluded that internal sharing may be consistent with the Privacy Act (the Act) in some circumstances but advised that CSE must assess the initial purpose of collection.
  • NSIRA recommended that CSE seek legal advice on the following questions:
    • whether internal sharing of information between the foreign intelligence and cybersecurity mandates comprises a use or disclosure of information for the purposes of the Act; and
    • whether such uses and/or disclosures comply with sections 7 and 8 of the Act.
  • CSE disagreed with the recommendation, noting it had already received legal advice on the matter from the Department of Justice.
  • In 2016, our Office reviewed CSE use of metadata and recommended clarification of their use and disclosure authorities, explicit safeguards, and specific retention limits. In our 2021 submission to Justice, we also stressed that the Act’s provisions for disclosures and information-sharing need more specific wording and regulation.

Prepared by: PRPA


Privacy Act reform recommendations: access and transparency

Key Messages

  • Parliament and the federal Department of Justice have studied Privacy Act reform a number of times over the years and my office has made recommendations, including pertaining to enhancing access and transparency.
  • For example, in my Office’s submission to the recent Department of Justice consultation, we outlined our support for proposed enhancements to transparency measures in the Act, given the critical role transparency plays in empowering citizens with the knowledge needed to exercise their rights.
  • We also made additional recommendations that:
    • Exceptions to the right to direct notification of individuals about collection be limited;
    • Privacy notices require minimum details including what information is collected, when and for what purposes;
    • Measures to enhance direct access be explored.

Background

  • Statutory reviews of the Privacy Act were conducted by ETHI in 2008 and 2016. OPC participated in both, issuing submissions with proposed recommendations.
  • In September 2021 the Department of Justice launched a consultation on modernizing the Privacy Act, publishing an online discussion paper. Transparency related proposals included: incorporating principles on openness and transparency; requiring “public information notices” in cases of indirect collection; publication requirements for privacy management programs and PIAs.
  • In our submission to the consultation, we noted our support for these proposals and also recommended that exceptions to direct notification be limited, that there be minimum content requirements for privacy notices and that measures for enhancing direct access to information be explored.

Prepared by: PRPA


Role and mandate of OPC; powers of Commissioner

Key Messages

  • The mission of my Office is to protect and promote the privacy rights of individuals.
  • My mandate is to oversee compliance with the Privacy Act, which governs federal institutions’ handling of personal information, and the Personal Information Protection and Electronic Documents Act (PIPEDA), our federal private-sector privacy law.
  • As an agent of Parliament, I operate independently to investigate and resolve complaints, provide recommendations and guidance, and promote understanding of the privacy rights of Canadians.
  • At present, recommendations that my office provides to federal government institutions are non-binding. Unlike the Information Commissioner, I do not have the ability to issue binding orders.

Background

  • The Privacy Commissioner can receive complaints about any issue outlined in section 29 of the Privacy Act (e.g., an individual has been refused access to personal information they requested under subsection 12(1)).
  • The Privacy Commissioner may also initiate a complaint if satisfied that there are reasonable grounds to investigate a matter (s. 29(3)).
  • If a complaint is well-founded the Commissioner must report findings and any recommendations the Commissioner considers appropriate to the institution (s. 35 (1)) and must also report investigative findings to the complainant (s. 35(2)).
  • The Privacy Commissioner must report annually to Parliament on the activities of the Office (s. 38) and can make Special Reports to Parliament on matters of urgency or importance (s. 39).
    • For example, in February 2024, the Office tabled Special Reports on the RCMP’s collection of open-source information under Project Wide Awake and our Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks.

Prepared by: PRPA


Funding models for agents of Parliament

Key Messages

  • We have advocated for a long-term stable funding mechanism that reflects the independent role played by Agents of Parliament, and also ensures their offices are properly funded.
  • Currently there is an inherent conflict of interest where the OPC scrutinizes Government compliance with privacy laws and relies on that same government for funding.
  • A funding mechanism that ensures stable and adequate funding to address emerging issues rapidly would be preferable to the current process.

Background

  • A letter to PCO dated January 31, 2019 was sent by the Agents of Parliament seeking an alternative to the existing funding mechanism process.
  • Not all Agents of Parliament have the same funding mechanism. The Parliamentary Budget Officer, for example, has the ability to request funds directly from the Speaker of the House and Senate.
  • In 2005, an Advisory Panel pilot project was launched to test a proposed new funding and oversight model for Agents of Parliament.
    • This panel had been convened in response to concerns that independence from government may be compromised by the fact that Treasury Board determines the amount of funding available to the Agents of Parliament.
  • The 2008 Corbett report concluded that the pilot project was a success and should be made permanent, given it achieved the key objective of reducing the perception of conflict of interest that was inherent in the pre-existing process.

Prepared by: Corporate

