Date of Publishing:

Introduction

The Privacy Act (PA) gives individuals the right of access to information about themselves that is under the control of a government institution, subject to certain specific and limited exemptions and exclusions. The PA also protects the privacy of individuals by giving them substantial control over the collection, use and disclosure of their personal information, and by preventing others from having access to that information. 

Section 72 of the PA requires the head of each government institution to prepare an annual report on the administration of the PA within the institution that is to be tabled in both Houses of Parliament. 

This report to Parliament, which is prepared and tabled pursuant to section 72 of the PA, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the PA during the period of April 1, 2023 to March 31, 2024 (the reporting period).  

If you require more information or wish to make a request under the PA or the Access to Information Act, please direct your inquiries to the following:

Access to Information and Privacy Office 
National Security and Intelligence Review Agency Secretariat 
P.O. Box 2430, Station “D” 
Ottawa, Ontario, K1P 5W5  
Email: ATIP@nsira-ossnr.gc.ca

Who We Are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.  

The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the PA and the Access to Information Act.

Mandate

The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.  

NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:  

• any activity of CSIS or of CSE;
• decisions to deny or revoke certain federal government security clearances; 
• any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act; 
• reports made under section 19 of the Citizenship Act; and 
• matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office – Organizational Structure

The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the PA and the Access to Information Act.  

For the reporting period, the Secretariat’s ATIP Office consisted of: 

• 1 full-time Access to Information Consultant;  
• 1 part-time Privacy Consultant;  
• 1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and 
• the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the ATIP office when required. 

The Secretariat’s ATIP Office is responsible for the following: 

• monitoring compliance with ATIP legislation and relevant procedures and policies; 
• processing requests under both the PA and the Access to Information Act;  
• developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the PA and the Access to Information Act;  
• maintaining Personal Information Banks and conducting privacy impact assessments; 
• preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and 
• representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the PA and the Access to Information Act.  

During the reporting period, the Secretariat was a party to a service agreement under section 73.1 of the PA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the annual report in Parliament. The Secretariat was also a party to a service agreement under section 71.1 of the PA in which the Secretariat received ATIP Online services from TBS.  

To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.

Delegation Order

As the Head of the Secretariat, the Executive Director is responsible for the administration of the PA within the institution. Pursuant to section 73 of the PA, the Executive Director has delegated the ATIP Manager and ATIP Officer,  as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the PA. These positions have limited delegation of authority under the PA and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 9).

Performance 2023-2024

Performance in Processing Privacy Requests

In addition to 5 requests that were outstanding from the previous reporting periods, the Secretariat’s ATIP Office received 22 formal requests during the current reporting period, bringing the total number of formal request to 27. Of these, the Secretariat’s ATIP Office closed 25 requests and processed approximately 4843 pages during the reporting period. 2 requests were carried over to the following reporting period.

Statistical Reports for 2023-2024

The Secretariat’s 2023-2024 Statistical Report on the PA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.

Extensions and Completion Time of Closed Requests

During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 2 formal requests: 1 extension was completed within of 16 to 30 days, and 1 request was taken to seek an internal consultation. Both did not require extensions to consult with third parties. 

Of the requests completed during the reporting period: 

• 1 request, or 4% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days; 
• 1 request, or 4% of the requests completed, was disclosed in part. This request was completed within 121  to 180  days; 
• 16 requests, or 64% of the requests completed, resulted in no records. 1 request was completed within 0 to 15 days, 6 requests were completed within 16 to 30 days, 6 requests were completed within 31 to 60 days, and 3 requests were completed within 61 to 120 days; 
• 1 request, or 4% of the requests completed, was abandoned and completed; and 
• 6 requests, or 24% of the requests completed, were neither confirmed nor denied. 

The Secretariat’s responses to many requests required an intensive review of complex records, including extensive internal and external consultations. During the reporting period, the Secretariat’s on-time response rate decreased to 56% from 58.3% in the 2022-2023 reporting period due to a significant increase in the number of pages processed for formal requests.

Consultations 

During the reporting period, no privacy consultations were received. 

Complaints and Investigations 

Subsection 29(1) of the PA describes how the Office of the Privacy Commissioner (OPC) receives and investigates complaints from individuals regarding the processing of requests under the PA. During the reporting period, the Secretariat’s ATIP Office received 16 complaints, 2 of which were related to Access requests. 

In addition, 1 privacy breach-related investigation initiated by the Privacy Commissioner in Fiscal Year 2020-2021 continued during the reporting period and remained active on March 31, 2024.

Training and Awareness

The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). New employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held. 

To ensure in-depth training is taken by employees of the NSIRA Secretariat who have functional or delegated responsibility for the administration of the PA and Privacy Regulations, the Senior Counsel, Internal Services participated in the 2023 Canadian Privacy Symposium offered by the International Association of Privacy Professionals. In addition, the ATIP Manager attended the 2023 Canadian Access and Privacy Association Conference as well as the 26th Annual Vancouver International Privacy & Security Summit.

Policies, Guidelines, and Procedures 

During the reporting period, the Secretariat implemented several initiatives to assist the Secretariat’s ATIP Office to operate more efficiently. For example, the Secretariat revised its Privacy Breach Plan and Procures Manual, revised its Privacy Protocol Template, and established a Privacy Risk Register. 

Initiatives and Projects to Improve Privacy 

During the reporting period, the Secretariat’s Information Technology division continued to develop an ATIP software tool for the Secretariat’s classified and unclassified systems.  

Summary of Key Issues and Actions Taken on Complaints 

The Secretariat meaningfully engaged with the OPC on all 16 active investigations during the reporting period and disclosed additional records in 1 of the 2 Access related complaints.   

Material Privacy Breaches 

During the reporting period, no material privacy breaches occurred.  

Privacy Impact Assessments 

During the reporting period, the Secretariat completed a Privacy Impact Assessment (PIA) of its investigations-related activities, which was shared with TBS and the OPC. In addition, the Secretariat made further revisions to its PIA on the creation of NSIRA in response to feedback received from TBS and continued to engage with TBS on PIB registration.  

Public Interest Disclosures 

During the reporting period, no public interest disclosures occurred. 

Monitoring Compliance 

Legislative deadlines for access requests were strictly monitored by using several Microsoft Lists trackers. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.  

For contracts issued during the reporting period, the Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.

Appendices

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2023–2024 Statistical Report on the Privacy Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2022-04-01 – 2023-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests

1.2 Channels of requests

Section 2: Informal requests

2.1 Number of informal requests

2.2 Channels of informal requests

2.3 Completion time of informal requests

2.4 Pages released informally

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

3.2 Exemptions

3.3 Exclusions

3.4 Format of information released

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests

3.5.3 Relevant minutes processed and disclosed for audio formats

3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests

3.5.5 Relevant minutes processed and disclosed for video formats

3.5.6 Relevant minutes processed per request disposition for video formats by size of requests

3.5.7 Other complexities

3.6 Closed requests

3.6.1 Requests closed within legislated timelines

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

3.7.2 Requests closed beyond legislated timelines (including any extension taken)

3.8 Requests for translation

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for Correction of Personal Information and Notations

Section 6: Extensions

6.1 Reasons for extensions and disposition of requests

6.2 Length of extensions

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

8.2 Requests with Privy Council Office

Section 9: Complaints and Investigations Notices Received

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)

10.1 Privacy Impact Assessments

10.2 Institution-specific and Central Personal Information Banks

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported

11.2 Non-Material Privacy Breaches

Section 12: Resources Related to the Privacy Act

12.1 Allocated Costs

12.2 Human Resources

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Open Requests and Complaints Under the Access to Information Act

1.1 Enter the number of open requests that are outstanding from previous reporting periods.

1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.

Section 2: Open Requests and Complaints Under the Privacy Act

2.1 Enter the number of open requests that are outstanding from previous reporting periods.

2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Section 3: Social Insurance Number

Section 4: Universal Access under the Privacy Act