Language selection

Government of Canada / Gouvernement du Canada

Search

Category: CBSA

Annual Report on the Privacy Act 2024-25

Date of Publishing:

Introduction

The Privacy Act (PA) gives individuals the right of access to information about themselves that is under the control of a government institution, subject to certain specific and limited exemptions and exclusions. The PA also protects the privacy of individuals by giving them substantial control over the collection, use and disclosure of their personal information, and by preventing others from having access to that information. 

Section 72 of the Privacy Act requires the head of each government institution to prepare an annual report on the administration of the PA within the institution that is to be tabled in both Houses of Parliament.

This report to Parliament, which is prepared and tabled pursuant to section 72 of the Privacy Act, describes the activities of the National Security and Intelligence Review Agency Secretariat (the Secretariat) in administering the Privacy Act during the period of April 1, 2024, to March 31, 2025 (the reporting period). 

If you require more information or wish to make a request under the Privacy Act or the Access to Information Act, please direct your inquiries to the following: 

Access to Information and Privacy Office 
National Security and Intelligence Review Agency Secretariat 
P.O. Box 2430, Station “D” 
Ottawa, Ontario, K1P 5W5  
Email: ATIP@nsira-ossnr.gc.ca

Who We Are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities. 

The Secretariat assists NSIRA in fulfilling its mandate. It is the Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Privacy Act and the Access to Information Act (ATIA). 

Mandate

NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities. 

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA. 

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate. 

Investigations

NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about: 

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances; 
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act
  • reports made under section 19 of the Citizenship Act; and 
  • matters referred under section 45 of the Canadian Human Rights Act.

Organizational Structure

The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, and procedures to ensure that the Secretariat meets its responsibilities under the PA and the ATIA. Since the last reporting period, the ATIP Office added and reclassified new personnel to assist with new policies implementation to comply with statutory requirements and increase of access requests to comply with statutory requirements under the PA and the ATIA. 

For the reporting period, the Secretariat’s ATIP Office consisted of: 

  • One (1) full-time Director, in addition to fulfilling normal duties as Director of Communications and Administrative Services for the Secretariat and NSIRA Members;
  • One (1) full-time ATIP Senior Advisor;
  • One (1) full-time ATIP Coordinator;
  • One (1) part-time ATIP Student;
  • Two (2) part-time ATIP Consultants; and
  • When required, the ATIP Office was supported by one (1) full-time Senior Counsel, Internal Services.

The Secretariat’s ATIP Office is responsible for the following: 

  • monitoring compliance with ATIP legislation and relevant procedures and policies; 
  • processing requests under both the Privacy Act and the Access to Information Act
  • developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respected the Privacy Act and the Access to Information Act
  • maintaining Personal Information Banks and conducting privacy impact assessments. 
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and 
  • representing the Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Privacy Act and the Access to Information Act.

During the reporting period, the Secretariat was party to a service agreement under section 73.1 of the Privacy Act in which the Secretariat received administrative support from the Privy Council Office related to the tabling of this annual report in Parliament. The Secretariat was also party to a service agreement under section 71.1 of the Privacy Act, in which the Secretariat received ATIP Online services from the Treasury Board of Canada Secretariat. 

To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.

Delegation Order

As the Head of the Secretariat, the Executive Director is responsible for the administration of the PA within the institution. Pursuant to section 73 of the PA, the Executive Director has delegated the ATIP Director, the ATIP Senior Advisor, the ATIP Coordinator, as well as individuals acting in these positions to perform certain and specific powers, duties, and functions for the administration of the PA. These positions have limited delegation of authority under the PA and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in October 2024. A copy of the Delegation Order can be found in Annex A. 

Performance 2024-2025

Performance in Processing Privacy Requests

During the reporting period from April 1, 2024, to March 31, 2025, the Secretariat received 23 formal access to information requests, in addition to 3 requests carried over from the previous reporting period, for a total of 26 requests. Of these, the ATIP Office closed 18 requests and processed approximately 203 pages. Eight (8) requests were carried over into the next reporting period, all of which remained within the legislated timelines. 

Statistical Reports for 2024-2025

The Secretariat’s 2024-2025 Statistical Report on the Privacy Act and Supplemental ATIP Statistical Report for 2024-2025 were both validated by the Treasury Board Secretariat in July 2025.

Extensions

During the reporting period, the ATIP Office invoked an extension while processing one (1) request under paragraph 15(a)(ii) of the Privacy Act within 0 to 15 days. Invoking extensions on this request was necessary to accurately review a significant amount of records received for this request.

Completion Time of Completed Requests 

Of the 18 requests completed during the reporting period: 

  • 1 request, or 5.5% of the requests completed, was disclosed in part. This request was completed within 31 to 60 days;
  • 10 requests, or 55.5% of the requests completed, were neither confirmed or denied. 5 requests were completed within 0 to 15 days, and 5 requests were completed within 16 to 30 days;
  • 6 requests, or 33.3% of the requests completed, resulted in no records. 4 requests were completed within 16 to 30 days, and 2 requests completed within 31 to 60 days; and 
  • 1 request, or 5.5% of the requests completed, was abandoned. This request was completed within 31 to 60 days. 

During the reporting period, the on-time response rate increased to 83.3% from 56% from the 2023-2024 reporting period. 

Consultations 

During the reporting period, the ATIP Office received one (1) consultation request from another government department, consisting of 2 pages. This one (1) consultation request was completed within 0 to 15 days.

Complaints and Investigations 

Subsection 29(1) of the PA describes how the Office of the Privacy Commissioner (OPC) receives and investigates complaints from individuals regarding the processing of requests under the PA. During the reporting period, the Secretariat’s ATIP Office was the subject of one new complaint, and one report of findings from the OPC, which determined that the complaint was “not well founded”. Additionally, we also received eight reports of findings and recommendations from complaints from previous reporting periods. 

Training and Awareness

The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service. New employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in November 2024, an internal ATIP training session was held. 

To ensure in-depth training is taken by employees of the NSIRA Secretariat who have functional or delegated responsibility for the administration of the PA and Privacy Regulations, the Senior ATIP Advisor attended the 2024 Canadian Access and Privacy Association Conference, while the ATIP Director attended the International Association of Privacy Professionals Global Privacy Summit 2024. 

Policies, Guidelines, and Procedures 

During the reporting period, the Secretariat’s ATIP Office advanced several initiatives to enhance its efficiency. Notably, it finalized key documents including the Privacy Breach Plan and Procedures Manual, and the Privacy Protocol Template. In addition, the Secretariat established a formal Privacy Impact Assessment policy to strengthen privacy governance and compliance.

Initiatives and Projects to Improve Privacy 

During the reporting period, the Secretariat did not implement or continue any new initiatives or projects related to privacy.

Summary of Key Issues and Actions Taken on Complaints 

During the reporting period, the Secretariat’s ATIP Office engaged meaningfully with the Office of the Privacy Commissioner on 10 active complaints. One complaint was received during this reporting period, while the remaining nine were carried over from previous periods. All complaints were resolved, and reports of findings were issued by the OPC, each concluding that the complaints were “not well founded.” Additionally, the Secretariat received one recommendation related to its Privacy Impact Assessment, which was finalized and fully implemented. 

Material Privacy Breaches 

During the reporting period, no material privacy breaches occurred. 

Privacy Impact Assessments 

During the reporting period, the Secretariat’s ATIP Office modified one (1) Privacy Impact Assessment related to the creation of the National Security and Intelligence Review Agency. The updated assessment web summary can be accessed here

Public Interest Disclosures 

During the reporting period, no public interest disclosures occurred.

Monitoring Compliance 

Legislative deadlines for privacy requests were closely monitored through the use of multiple Microsoft Lists trackers. In collaboration with the ATIP Senior Advisor, the ATIP Director organized ad hoc meetings to review request-related activities, set deadlines, and ensure that all relevant personnel within the ATIP Office and, when applicable, across the Secretariat were informed of the status of requests. Additionally, the ATIP Office held weekly meetings to strategize on meeting upcoming deadlines and to ensure accurate administration of statutory requirements and policy instruments. Compliance with legislative and policy obligations was also regularly raised and discussed by the ATIP Director during bi-weekly team meetings with the Secretariat’s Executive Director (Deputy Head) and the Senior Counsel, Internal Services. 

Appendices

Appendix A: Delegation Order

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

POSITION PROVISION OF THE PRIVACY ACT OR THE PRIVACY REGULATIONS
Executive Director
National Security and Intelligence Review Agency Secretariat 		Privacy Act:
8(2)(j), 8(2)(m), 8(4), 8(5), 9(1), 9(4), 10, 14, 15, 16, 17(2)(b), 17(3)(b), 18(2), 19(1), 19(2), 20, 21, 22, 22.3, 23, 24, 25, 26, 27, 27.1, 28, 33(2), 35(4), 51(2)(b), 72(1), 72(4)
Privacy Regulations:
9, 11(2), 11(4), 13(1), 14
Director, Central Administration & ATIP
National Security and Intelligence Review Agency Secretariat 		Privacy Act:
8(2)(j), 8(2)(m), 8(4), 8(5), 9(1), 9(4), 10, 14, 15, 16, 17(2)(b), 17(3)(b), 18(2), 19(1), 19(2), 20, 21, 22, 22.3, 23, 24, 25, 26, 27, 27.1, 28, 33(2), 35(4), 72(1), 72(4)
Privacy Regulations:
9, 11(2), 11(4), 13(1), 14
Senior Advisor, ATIP
National Security and Intelligence Review Agency Secretariat 		Privacy Act:
8(4), 8(5), 9(1), 9(4), 10, 15, 16, 17(2)(b), 17(3)(b), 18(2), 35(4)
Privacy Regulations:
9, 11(2)
ATIP Coordinator
National Security and Intelligence Review Agency Secretariat 		Privacy Act:
8(4), 8(5), 9(1), 9(4), 10, 15, 16, 17(2)(b), 17(3)(b), 18(2), 35(4)
Privacy Regulations:
9, 11(2)

Appendix B: 2024–2025 Statistical Report on the Privacy Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2024-04-01 – 2025-03-31

Section 1: Request Under the Privacy Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 23
Outstanding from previous reporting period 3
Outstanding from more than one reporting period 0
Total 26
Closed during reporting period 18
Carried over to next reporting period 8
Carried over within legislated timeline 8
Carried over beyond legislated timeline 0
1.2 Channels of requests
Source Number of Requests
Online 19
E-mail 2
Mail 2
In person 0
Phone 0
Fax 0
Total 23

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 1
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 0
Closed during reporting period 0
Carried over to next reporting period 0
2.2 Channels of informal requests
Source Number of Requests
Online 0
E-Mail 0
Mail 0
In person 0
Phone 0
Fax 0
Total 0
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
0 0 0 0 0 0 0 0
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
0 0 0 0 0 0 0 0 0 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time
Disposition of Requests Completion Time
0 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 1 0 0 0 0 1
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 4 2 0 0 0 0 6
Request abandoned 0 0 1 0 0 0 0 1
Neither confirmed nor denied 5 5 0 0 0 0 0 10
Total 5 9 4 0 0 0 0 18
3.2 Exemptions
Section Numbers of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 1
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 1
27 0
27.1 0
28 0
3.3 Exclusions
Section Numbers of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
3.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 1 0 0 0 0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
203 203 12
3.5.2 Relevant pages processed per request disposition for paper, e-record and dataset formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 1 0 0 0 0 0 0 0 0 0
Disclosed in part 0 0 1 203 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 10 0 0 0 0 0 0 0 0 0
Total 11 0 1 203 0 0 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation Required Assessment of Fees Legal Advice Sought Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 15
Percentage of requests closed within legislated timelines (%) 83.33333333
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
3 3 0 0 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 1 0 1
16 to 30 Days 1 1 1
31 to 60 Days 0 0 0
61 to 120 Days 0 0 0
121 to 180 Days 0 0 0
181 to 365 Days 0 0 0
More than 365 Days 0 0 0
Total 2 1 3
3.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 0 0 0 0 0 0 1 0
6.2 Length of extensions
Length of Extensions 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 0 0 0 0 0 1 0
31 days or greater               0
Total 0 0 0 0 0 0 1 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 1 2 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 1 2 0 0
Closed during the reporting period 1 2 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 1 0 0 0 0 0 0 1
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 1 0 0 0 0 0 0 1
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
1 0 9 0 10

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)

10.1 Privacy Impact Assessments
Number of PIA(s) completed Number of PIAs modified
0 1
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 2 1 0 1
Central 0 0 0 0
Total 2 1 0 1

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS Number of material privacy breaches reported to OPC
0 0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
12.1 Allocated Costs
Expenditures Amount
Salaries $90,000
Overtime $0
Goods and Services $12,420
Professional services contracts $12,420
Other $0
Total $102,420
12.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 0.000
Part-time and casual employees 2.000
Regional Staff 0.000
Consultants and agency personnel 1.000
Students 0.000
Total 3.000

Note: Enter values to three decimal places.

Annex C: Supplemental Statistical Report

Section 1: Requests Carried Over and Active Complaints Under the Access to Information Act

1.1 Requests carried over to next reporting period, broken down by reporting period received
Reporting Period
Requests Carried Over
Were Received		 Requests Carried Over that are Beyond Legislated Timelines as of March 31, 2025 Total
Requests Carried Over that are
Within Legislated
Timelines as of
March 31, 2025		 Requests Carried Over that are
Beyond Legislated
Timelines as of
March 31, 2025
Received in 2024-25 6 56 62
Received in 2023-24 0 0 0
Received in 2022-23 0 0 0
Received in 2021-22 0 1 1
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 or earlier 0 0 0
Total 6 57 63
1.2 Active complaints with the Information Commissioner of Canada, broken down by reporting period received
Reporting Period Active Complaints Were Received by Institution Number of Active Complaints
Received in 2024-25 1
Received in 2023-24 0
Received in 2022-23 0
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 or earlier 0
Total 1

Section 2: Requests Carried Over and Active Complaints Under the Privacy Act

2.1 Requests carried over to next reporting period, broken down by reporting period received
Reporting Period
Requests Carried Over
Were Received		 Requests Carried Over that are
Within Legislated
Timelines as of
March 31, 2025		 Requests Carried Over that are
Beyond Legislated
Timelines as of
March 31, 2025		 Total
Received in 2024-25 8 0 8
Received in 2023-24 0 0 0
Received in 2022-23 0 0 0
Received in 2021-22 0 0 0
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 or earlier 0 0 0
Total 8 0 8
2.2 Active complaints with the Privacy Commissioner of Canada, broken down by reporting period received
Reporting Period Active Complaints Were Received by Institution Number of Active Complaints
Received in 2024-25 0
Received in 2023-24 0
Received in 2022-23 0
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 or earlier 0
Total 0

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2024-25 No

Section 4: Universal Access under the Privacy Act

How many requests were received from foreign nationals outside of Canada in 2024-25 0

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Annual Report on the Access to Information Act 2024–25

Date of Publishing:

Introduction

The Access to Information Act (ATIA) gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, the right of access to information under the control of a government institution, subject to certain specific and limited exemptions and exclusions.

Section 94 of the ATIA requires the head of each government institution to prepare an annual report on the administration of the ATIA within the institution that is to be tabled in both Houses of Parliament.

This report to Parliament, which is prepared and tabled in accordance with section 94 of the ATIA, describes the activities of the National Security and Intelligence Review Agency Secretariat (the Secretariat) in administering the ATIA during the period of April 1, 2024, to March 31, 2025 (the reporting period).

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Office
National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5
Email: ATIP@nsira-ossnr.gc.ca

Who we are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.

The Secretariat assists NSIRA in fulfilling its mandate. It is the Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Access to Information Act and the Privacy Act.

Mandate

NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances;
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
  • reports made under section 19 of the Citizenship Act, and
  • matters referred under section 45 of the Canadian Human Rights Act.

Organizational Structure

The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, and procedures to ensure that the Secretariat meets its responsibilities under the ATIA and the Privacy Act. Since the last reporting period, the ATIP Office added and reclassified new personnel to assist with the significant increase of access requests during the reporting period as well as develop and subsequently implement new policy tools to comply with statutory requirements under the ATIA and the Privacy Act.

For the reporting period, the Secretariat’s ATIP Office consisted of:

  • One (1) full-time Director, in addition to fulfilling normal duties as Director of Communications and Administrative Services for the Secretariat and NSIRA Members;
  • One (1) full-time ATIP Senior Advisor;
  • One (1) full-time ATIP Coordinator;
  • One (1) part-time ATIP Student;
  • two (2) part-time ATIP Consultants; and
  • When required, the ATIP Office was supported by one (1) full-time Senior Counsel, Internal Services.

The Secretariat’s ATIP Office is responsible for the following:

  • monitoring compliance with ATIP legislation and relevant procedures and policies;
  • processing requests under both the Access to Information Act and the Privacy Act;
  • developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respected the Access to Information Act and the Privacy Act;
  • maintaining Personal Information Banks and conducting privacy impact assessments.
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
  • representing the Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.

During the reporting period, the Secretariat was party to a service agreement under section 96 of the ATIA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of this annual report to Parliament. The Secretariat was also party to a service agreement under section 92 of the ATIA, in which the Secretariat received ATIP Online services from the Treasury Board of Canada Secretariat.

Part 2: Proactive Publications

The Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance team:

  • Travel expenses;
  • Hospitality expenses; an
  • Contracts over $10,000.

To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.

Delegation Order

As the Head of the Secretariat, the Executive Director is responsible for the administration of the ATIA within the institution. Pursuant to section 95 of the ATIA, the Executive Director has delegated the ATIP Director, the ATIP Senior Advisor, the ATIP Coordinator, as well as individuals acting in these positions to perform certain and specific powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the ATIA and the Privacy Act in accordance with the delegation of authority instrument approved by the Executive Director in October 2024. A copy of the Delegation Order can be found in Annex A.

Performance under Part 1 of the ATIA, 2024-2025

Performance in Processing Access Requests

During the reporting period from April 1, 2024, to March 31, 2025, the Secretariat received 93 formal access to information requests, in addition to 6 requests carried over from previous reporting periods, for a total of 99 requests. Of these, the ATIP Office closed 36 requests and processed approximately 2,055 pages. Sixty-three (63) requests were carried over into the next reporting period, 6 of which remained within the legislated timelines.

The number of formal requests received during this reporting period represented a significant increase compared to previous years. For context, only 16 formal requests were received in the prior reporting period.

Statistical Reports for 2024-2025

The Secretariat’s 2024-2025 Statistical Report on the ATIA and Supplemental ATIP Statistical Report for 2024-2025 were both validated by the Treasury Board Secretariat in July 2025.

Extensions

During the reporting period, while processing 16 requests, The Secretariat’s ATIP Office invoked extensions as follows: three (3) under paragraph 9(1)(a), 13 under 9(1)(b), and zero (0) under 9(1)(c):

  • Two (2) extensions of 30 days or less;
  • Four (4) extensions of 31 to 60 days;
  • Nine (9) extensions of 61 to 120 days;
  • Zero (0) extensions 121 to 180 days;
  • Zero (0) extensions of 181 to 365 days; and
  • One (1) extension of over 365 days

The responses to many requests required an intensive review of complex records, including extensive internal and external consultations due to a significant portion of the Secretariat’s information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate.

Completion Time of Completed Requests 

Of the 36 requests completed during the reporting period: 

  • 26 requests, or 72.2% of the requests completed, were disclosed in part. 5 requests were completed within 0 to 15 days, 6 requests were completed within 16 to 30 days, 1 request was completed within 31 to 60 days, 8 requests were completed within 61 to 120 days, 4 requests were completed within 121 to 180 days, 1 request was completed within 181 to 365 days, and 1 request was completed after 365 days; 
  • 8 requests, 22.2% of the requests completed, resulted in no records. 2 requests were completed within 16 to 30 days, 3 requests were completed within 31 to 60 days, and 3 requests were completed within 61 to 120 days; 
  • 1 request, or 2.7% of the requests completed, were abandoned and completed within 121 to 180 days; and 
  • 1 request, 2.7% of the requests completed, was neither confirmed nor denied and completed within 16 to 30 days. 

Trends in Information Requests

The Secretariat reinforced NSIRA’s commitment to transparency by informing the public that its reports are accessible under the Access to Information Act. As a result, 89% of the 93 requests received were for a NSIRA report, while the remaining 11% pertained to other information under the Secretariat’s control, such as former Security Intelligence Review Committee (SIRC) reports. In total, 83 of the requests received were specifically for NSIRA reports. For a visual representation, see Table 2 below.

During the reporting period, the Secretariat’s on-time response rate increased to 47.2% from 18.7% from the 2023-2024 reporting period.

Consultations

During the reporting period, the Secretariat’s ATIP Office received 18 consultation requests from other government institutions, consisting of 656 pages. 6 requests were completed within 0 to 15 days, 8 requests were completed within 16 to 30 days, 1 request was completed within 61 to 120 days, and 3 requests were carried over into the following reporting period.

Out of the 18 consultation requests received, ten (10) consultation requests consisted of records contained within a NSIRA report, and the remaining eight (8) consultation requests consisted of records of considerable interest to the Secretariat.

Requests Treated Informally

In addition to 13 informal requests that were outstanding from the previous reporting period, the Secretariat’s ATIP Office received 69 informal requests, bringing the total number of informal requests to 82. During the reporting period, 71 informal requests were closed consisting of 6,879 pages, and 11 informal requests were carried over into the following reporting period.

Complaints and Investigations of Access Requests

Subsection 30(1) of the ATIA describes how the Office of the Information Commissioner (OIC) receives and investigates complaints from individuals regarding the processing of requests under the ATIA. The Secretariat’s ATIP Office was the subject of 4 access complaints during the reporting period. The Office of the Information Commissioner made a determination in favour of the Secretariat’s ATIP Office for 3 of these complaints during
the reporting period, while 1 complaint remained under investigation on March 31, 2025.

Training and Awareness

The Secretariat continued to adopt a tailored approach to training subject matter experts on their legislative obligations, roles, and responsibilities under the Access to Information Act (ATIA). Employees were encouraged to complete ATIP training courses offered by the Canada School of Public Service (CSPS). In March 2025, the ATIP Office delivered an interactive training session to all staff, focusing on the interpretation and application of
specific ATIA exemptions, including section 15 (International Affairs and Defence). The ATIP Office also regularly engaged with subject matter experts to assess the potential injury of disclosing limited and specific information within NSIRA reports subject to access requests.

New employees were required to complete the online training course Fundamentals of Access to Information and Privacy within six months of joining the Secretariat. Additionally, during onboarding sessions, the ATIP Office provided a brief overview of our roles and responsibilities within the Secretariat.

Policies, Guidelines, and Procedures

During the reporting period, the ATIP Office continued to improve efficiency-enhancing measures to assist with the increase of requests as well as respond to outstanding requests. The NSIRA Secretariat also updated the Delegation Order during the reporting period.

The Secretariat continued to engage with Library and Archives Canada on obtaining institution-specific disposition authorities.

Initiatives and Projects to Improve Access to Information

During the reporting period, the Secretariat’s Information Technology Division continued to enhance the ATIP Office’s software tools on both the unclassified and classified networks. In addition, the Secretariat proactively published NSIRA reports that were requested under the Access to Information Act on its website, further promoting transparency and enabling public access to information without the need for formal or informal requests.

Summary of Key Issues and Actions Taken on Complaints

During the reporting period, the ATIP Office received four (4) Notices of Intention to Investigate from the OIC pursuant to section 32 of the ATIA. The OIC issued three (3) section 37 Final Reports, all of which concluded the complaints were not well founded. One (1) section 32 notice was carried over into the following reporting period.

Proactive Publication under Part 2 of the ATIA

In accordance with subsection 81(b) of the ATIA, the Secretariat is listed as a government entity subject to the following proactive publication requirements:

  • Travel expenses (section 82);
  • Hospitality expenses (section 83);
  • Reports tabled in Parliament (section 84);
  • Contracts over $10,000.00 (section 86);
  • Grants and Contributions over $25,000.00 (section 87); and
  • Briefing materials prepared for the Executive Director (section 88)
Proactive Publication Requirements Table
Legislative Requirement Section of ATIA Publication Timeline Does requirement apply to your institution? (Y/N) Internal group(s) or positions(s) responsible for fulfilling requirement % of proactive publication requirements published within legislated timelines* Link to web page where published **
Apply to all Government Institutions as defined in section 3 of the Access to Information Act
Travel Expenses 82 Within 30 days after the end of the month of reimbursement Y Finance 100% open.canada.ca
Hospitality Expenses 83 Within 30 days after the end of the month of reimbursement Y Finance 100% open.canada.ca
Reports tabled in Parliament 84 Within 30 days after tabling Y ATIP 100% NSIRA Website
Apply to government entities or Departments, agencies, and other bodies subject to the Act and listed in Schedules I, I.1, or II of the Financial Administration Act
Contracts over $10,000 86 Q1-3: Within 30 days after the quarter
Q4: Within 60 days after the quarter		 Y Finance 80% open.canada.ca
Grants & Contributions over $25,000 87 Within 30 days after the quarter N
Packages of briefing materials prepared for new or incoming deputy heads or equivalent 88(a) Within 120 days after appointment N
Titles and reference numbers of memoranda prepared for a deputy head or equivalent, that is received by their office 88(b) Within 30 days after the end of the month received Y ATIP
Packages of briefing materials prepared for a deputy head or equivalent’s appearance before a committee of Parliament 88(c) Within 120 days after appointment Y ATIP

Monitoring Compliance

Legislative deadlines for access to information requests were closely monitored through the use of multiple Microsoft Lists trackers. In collaboration with the ATIP Senior Advisor, the ATIP Director organized any required meetings to review request-related activities, set deadlines, and ensure that all relevant personnel within the ATIP Office and, when applicable, across the Secretariat were informed of the status of requests. Additionally, the
ATIP Office held weekly meetings to strategize on meeting upcoming deadlines and to ensure accurate administration of statutory requirements and policy instruments. Compliance with legislative and policy obligations was also regularly raised and discussed by the ATIP Director during bi-weekly team meetings with the Secretariat’s Executive Director (Deputy Head) and the Senior Counsel, Internal Services.

Annex A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency Secretariat, pursuant to section 95 of the Access to Information Act*, hereby delegates the persons holding the positions or acting in the positions set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency Secretariat as the head of a government institution under the provision of the Access to Information Act or the Access to Information Regulations set out in the schedule opposite each position.

Annex B: Statistical Report on the ATIA

Statistical Report on the Access to Information Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2023-04-01 – 2024-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
Number of Requests
Received during reporting period 93
Outstanding from previous reporting periods 6
• Outstanding from previous reporting period 5
• Outstanding from more than one reporting period 1
Total 99
Closed during reporting period 36
Carried over to next reporting period 63
• Carried over within legislated timeline 6
• Carried over beyond legislated timeline 57
1.2 Sources of requests
Source Number of Requests
Media 68
Academia 4
Business (private sector) 1
Organization 1
Public 12
Decline to Identify 7
Total 93
1.3 Channels of requests
Source Number of Requests
Online 12
E-mail 79
Mail 2
In person 0
Phone 0
Fax 0
Total 93

Section 2: Informal requests

2.1 Number of informal requests
Number of Requests
Received during reporting period 69
Outstanding from previous reporting periods 13
• Outstanding from previous reporting period 13
• Outstanding from more than one reporting period 0
Total 82
Closed during reporting period 71
Carried over to next reporting period 11
2.2 Channels of informal requests
Source Number of Requests
Online 53
E-mail 16
Mail 0
In person 0
Phone 0
Fax 0
Total 69
2.3 Completion time of informal requests
Completion Time
0 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
36 10 2 10 6 5 2 71
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
5 153 1 157 0 0 0 0 0 0
2.5 Pages re-released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
43 1125 22 5444 0 0 0 0 0 0

Section 3: Applications to the Information Commissioner on Declining to Act on Requests

  Number of Requests
Outstanding from previous reporting period 0
Sent during reporting period 0
Total 0
Approved by the Information Commissioner during reporting period 0
Declined by the Information Commissioner during reporting period 0
Withdrawn during reporting period 0
Carried over to next reporting period 0

Section 4: Requests Closed During the Reporting Period

4.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 5 6 1 8 4 1 1 26
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 2 3 3 0 0 0 8
Request transferred 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 1 0 0 1
Neither confirmed nor denied 0 1 0 0 0 0 0 1
Decline to act with the approval of the Information Commisioner 0 0 0 0 0 0 0 0
Total 5 9 4 11 5 1 1 36
4.2 Exemptions
Section Numbers of Requests
13(1)(a) 11
13(1)(b) 0
13(1)(c) 0
13(1)(d) 0
13(1)(e) 0
14 0
14(a) 0
14(b) 0
15(1) 22
15(1) – I. A. * 3
15(1) – Def. * 7
15(1) – S.A. * 4
16(1)(a)(i) 6
16(1)(a)(ii) 0
16(1)(a)(iii) 0
16(1)(b) 9
16(1)(c) 9
16(1)(d) 0
16(2) 11
16(2)(a) 0
16(2)(b) 0
16(2)(c) 0
16(3) 0
16.1(1)(a) 0
16.1(1)(b) 0
16.1(1)(c) 0
16.1(1)(d) 0
16.2(1) 0
16.3 0
16.31 0
16.4(1)(a) 0
16.4(1)(b) 0
16.5 0
16.6 0
17 4
18(a) 0
18(b) 0
18(c) 0
18(d) 0
18.1(1)(a) 0
18.1(1)(b) 0
18.1(1)(c) 0
18.1(1)(d) 0
19(1) 1
20(1)(a) 0
20(1)(b) 0
20(1)(b.1) 0
20(1)(c) 0
20(1)(d) 0
20.1 0
20.2 0
20.4 0
21(1)(a) 2
21(1)(b) 0
21(1)(c) 0
21(1)(d) 0
22 0
22.1(1) 0
23 11
23.1 0
24(1) 0
26 0

* I.A.: International Affairs
* Def.: Defence of Canada
* S.A.: Subversive Activities

4.3 Exclusions
Section Numbers of Requests
68(a) 0
68(b) 0
68(c) 0
68.1 0
68.2(a) 0
68.2(b) 0
69(1) 0
69(1)(a) 0
69(1)(b) 0
69(1)(c) 0
69(1)(d) 0
69(1)(e) 0
69(1)(f) 0
69(1)(g) re (a) 0
69(1)(g) re (b) 0
69(1)(g) re (c) 0
69(1)(g) re (d) 0
69(1)(g) re (e) 0
69(1)(g) re (f) 0
69.1(1) 0
4.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
1 25 0 0 0 0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
2055 2055 28
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 21 652 5 1403 0 0 0 0 0 14966
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 1 0 0 0 0 0 0 0 0 0
Declined to act with the approval of the information Commissioner 0 0 0 0 0 0 0 0 0 0
Total 23 652 5 1403 0 0 0 0 1 14996
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.7 Other complexities
Disposition Consultation Required Legal Advice Sought Other Total
All disclosed 0 0 0 0
Disclosed in part 0 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 0 0 0
Neither confirmed nor denied 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 0 0 0 0
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 17
Percentage of requests closed within legislated timelines (%) 47.22222222
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
13 12 1 0 0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 2 0 2
16 to 30 Days 0 0 0
31 to 60 Days 0 2 2
61 to 120 Days 0 8 8
121 to 180 Days 0 4 4
181 to 365 Days 1 0 1
More than 365 Days 2 0 0
Total 5 14 19
4.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation 9(1)(c) Third-Party Notice
Section 69 Other
All disclosed 0 0 0 0
Disclosed in part 2 0 12 0
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 0 1 0
No records exist 1 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 3 0 13 0
5.2 Length of extensions
Length of Extensions 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation 9(1)(c) Third-Party Notice
Section 69 Other
30 days or less 2 0 0 0
31 to 60 days 0 0 4 0
61 to 120 days 0 0 9 0
121 to 180 days 0 0 0 0
181 to 365 days 0 0 0 0
365 days or more 1 0 0 0
Total 3 0 13 0

Section 6: Fees

Fee Type Fee Collected Fee Waived Fee Refunded
Number of Requests Amount Number of Requests Amount Number of Requests Amount
Application 14 $70.00 78 $390.00 0 $0.00
Other fees 0 $0.00 0 $0.00 0 $0.00
Total 14 $70.00 78 $390.00 0 $0.00

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 18 656 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 18 656 0 0
Closed during the reporting period 15 551 0 0
Carried over within negotiated timelines 3 105 0 0
Carried over beyond negotiated timelines 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 5 2 0 1 0 0 0 8
Disclose in part 1 6 0 0 0 0 0 7
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 1 0 0 0 1
Other 0 0 0 0 0 0 0 0
Total 6 8 0 1 0 0 0 15
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Investigations and Reports of finding

9.1 Investigations
Section 32 Notice of intention to investigate Subsection 30(5) Ceased to investigate Section 35 Formal Representations
4 0 0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports Section 37(2) Final Reports
Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner
0 0 0 3 0 0

Section 10: Court Action

10.1 Court actions on complaints
Section 41
Complainant (1) Institution (2) Third Party (3) Privacy Commissioner (4) Total
0 0 0 0 0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
11.1 Allocated Costs
Ependitures Number of Requests
Salaries $110,000
Overtime $0
Goods and Services $220,000
• Professional services contracts $220,000
• Other $0
Total $330,000
11.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 1.000
Part-time and casual employees 1.000
Regional Staff 0.000
Consultants and agency personnel 1.000
Students 0.500
Total 3.500

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Requests Carried Over and Active Complaints Under the Access to Information Act

1.1 Requests carried over to next reporting period, broken down by reporting period received
Reporting Period Requests Carried Over Were Received Requests Carried Over that are Within Legislated Timelines as March 31, 2025 Requests Carried Over that are Beyond Legislated Timelines as of March 31, 2025 Total
Received in 2024-25 6 56 62
Received in 2023-24 0 0 0
Received in 2022-23 0 0 0
Received in 2021-22 0 1 1
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 or earlier 0 0 0
Total 6 57 63

Row 11, Col. 3 of Section 1.1 must equal Row 7, Col. 1 of Section 1.1 of the 2024-25 Statistical Report on the Access Report on the Access to Information Act

1.2 Active complaints with the Information Commissioner of Canada, broken down by reporting period received
Fiscal Year Open Complaints were received by institutions Number of Open Complaints
Received in 2024-25 1
Received in 2023-24 0
Received in 2022-23 0
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 or earlier 0
Total 1

Section 2: Requests Carried Over and Active Complaints Under the Privacy Act

2.1 Requests carried over to the next reporting period, broken down by reporting period received
Reporting Period Requests Carried Over Were Received Requests Carried Over that are Within Legislated Timelines as March 31, 2025 Requests Carried Over that are Beyond Legislated Timelines as of March 31, 2025 Total
Received in 2024-25 8 0 8
Received in 2023-24 0 0 0
Received in 2022-23 0 0 0
Received in 2021-22 0 0 0
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 or earlier 0 0 0
Total 8 0 8

Row 11, Col. 3 of Section 1.1 must equal Row 7, Col. 1 of Section 1.1 of the 2024-25 Statistical Report on the Privacy Act

2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Reporting Period Active Complaints Were Received by Institutions Number of Active Complaints
Received in 2024-25 0
Received in 2023-24 0
Received in 2022-23 0
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 or earlier 0
Total 0

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2024-25? No

Section 4: Universal Access under the Privacy Act

How many requests were received from foreign nationals outside of Canada in 2024-25? 0

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Annual Report on the Access to Information Act 2023–24

Date of Publishing:

Introduction

The Access to Information Act (ATIA) gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, the right of access to information under the control of a government institution, subject to certain specific and limited exemptions and exclusions.

Section 94 of the ATIA requires the head of each government institution to prepare an annual report on the administration of the ATIA within the institution that is to be tabled in both Houses of Parliament. In addition, section 20 of the Service Fees Act requires the responsible authority to report to Parliament each fiscal year on all statutory fees processed during the reporting period.

This report to Parliament, which is prepared and tabled pursuant to section 94 of the ATIA and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering these Acts during the period of April 1, 2023 to March 31, 2024 (the reporting period).

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Office
National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5
Email: ATIP@nsira-ossnr.gc.ca

Who we are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.

The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the ATIA and the Privacy Act.

Mandate

The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.

NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances;
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
  • reports made under section 19 of the Citizenship Act, and
  • matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office – Organizational Structure

The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the ATIA and the Privacy Act.

For the reporting period, the Secretariat’s ATIP Office consisted of:

  • 1 full-time Access to Information Consultant;
  • 1 part-time Privacy Consultant;
  • 1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and
  • the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the Secretariat’s ATIP Office when required.

The Secretariat’s ATIP Office is responsible for the following:

  • monitoring compliance with ATIP legislation and relevant procedures and policies;
  • processing requests under both the ATIA and the Privacy Act;
  • developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the ATIA and the Privacy Act;
  • maintaining Personal Information Banks and conducting privacy impact assessments;
  • preparing annual reports to Parliament and other statutory reports, as well as other materials that might be required by central agencies; and
  • representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the ATIA and the Privacy Act.

During the reporting period, the Secretariat was a party to a service agreement under section 96 of the ATIA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the Annual Report in Parliament. The Secretariat was also a party to a service agreement under section 92 of the ATIA, in which the Secretariat received ATIP Online services from TBS.

Part 2: Proactive Publications

The Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance division:

  • travel expenses;
  • hospitality expenses;
  • reports tabled in Parliament; and
  • contracts over $10,000.00

To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.

Delegation Order

As the Head of the Secretariat, the Executive Director is responsible for the administration of the ATIA within the institution. Pursuant to section 95 of the ATIA, the Executive Director has delegated the ATIP Manager and ATIP Officer, as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the ATIA. These positions have limited delegation of authority under the ATIA and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 13).

Performance 2023-2024

Performance in Processing Access Requests

In addition to 5 requests that were outstanding from previous reporting periods, the Secretariat’s ATIP Office received 16 formal requests during the current reporting period, bringing the total number of formal requests to 21. Of these, the Secretariat’s ATIP Office closed 16 requests and processed approximately 15,323 pages during the reporting period. 5 requests were carried over to the following reporting period, 3 of the carried over requests were received during the reporting period.

Statistical Reports for 2023-2024

The Secretariat’s 2023-2024 Statistical Report on the ATIA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.

Extensions and Completion Time of Closed Requests

During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 7 formal requests: 5 extensions of 31 to 60 days, 0 extensions of 61 to 120 days, 1 extension of 121 to 180 days, 0 extensions of 181 to 365 days, and 1 extension of 365 days or more, all of which required extensions to consult with third parties.

Of the requests completed during the reporting period,

  • 1 request, or 6.25% of the requests completed, was disclosed in its entirety. This request was completed within 181 to 365 days;
  • 5 requests, or 31.25% of the requests completed, were disclosed in part. 1 request was completed within 16 to 30 days, 1 request was completed within 61 to 120 days, 1 request was completed within 121 to 180 days, and 2 requests were completed after 365 days;
  • 0 requests, or 0% of the requests completed, were all exempted;
  • 10 requests, or 62.50% of the requests completed, resulted in no records. 1 request was completed within 16 to 30 days, 2 request were completed within 31 to 60 days, and 7 requests were completed within 61 to 120 days;
  • 0 requests, or 0% of the requests completed, were abandoned and completed; and
  • 0 requests, or 0% of the requests completed, were neither confirmed nor denied.

The responses to many requests required an intensive review of complex records, including extensive internal and external consultations due to a significant portion of the Secretariat’s information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate. During the reporting period, the Secretariat’s on-time response rate decreased to 18.7% from 33.3% in the 2022-2023 reporting year due to a significant increase in the number of pages processed for formal requests.

Consultations

During the reporting period, the Secretariat’s ATIP Office received 20 consultation requests from other government institutions. 3 requests were completed within 0 to 15 days, 3 requests were completed within 16 to 30 days, 5 requests were completed within 31 to 60 days, 8 requests were completed within 61 to 120 days, and 1 request was completed within 121 to 180 days. The Secretariat’s ATIP Office closed all 20 consultations during the reporting period and processed approximately 549 pages.

Requests Treated Informally

During the reporting period, the Secretariat’s ATIP Office received 18 informal requests for records previously released under the ATIA, closed 6 informal requests, and carried over 12 informal requests into the 2024-2025 reporting period.

Complaints and Investigations of Access Requests

Subsection 30(1) of the ATIA describes how the Office of the Information Commissioner (OIC) receives and investigates complaints from individuals regarding the processing of requests under the ATIA. The Secretariat’s ATIP Office received 3 access complaints during the reporting period. 1 of these complaints was discontinued during the reporting period, while the other 2 complaints remained active on March 31, 2024.

Training and Awareness

The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). The Executive Director held an awareness session for the Secretariat’s management team on the new Directive on Proactive Publication in the Fall of 2023 and senior management was briefed on Amending the Access to Information Regulations in June 2023. In addition, new employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held.

Policies, Guidelines, and Procedures

The Secretariat’s ATIP Office implemented certain efficiency-enhancing measures, such as online tracking tools, and continued to seek new opportunities to improve the efficiency and timeliness of request processing. For example, the Executive Director designated two officials within the Secretariat who were responsible for supporting the Executive Director’s accountability for proactive publication under various policies and guidelines specified under the ATIA.

The Secretariat continued to engaged with Library and Archives Canada on obtaining institution-specific disposition authorities.

Proactive Publication under Part 2 of the ATIA

In accordance with subsection 81(b) of the ATIA, the Secretariat is listed as a government entity subject to the following proactive publication requirements:

  • Travel expenses (section 82);
  • Hospitality expenses (section 83);
  • Reports tabled in Parliament (section 84);
  • Contracts over $10,000.00 (section 86);
  • Grants and Contributions over $25,000.00 (section 87); and
  • Briefing materials (section 88)

During the reporting period, the Secretariat’s proactive publications were published on open.canada.ca. of the total proactive publication requirements that were due during the reporting period, 80% were published within the legislated timelines.

Legislative Requirement Section Publication Timeline Institutional Requirement
All Government Institutions as defined in section 3 of the Access to Information Act
Travel Expenses 82 Within 30 days after the end of the month of reimbursement open.canada.ca
Hospitality Expenses 83 Within 30 days after the end of the month of reimbursement open.canada.ca
Reports tabled in Parliament 84 Within 30 days after tabling open.canada.ca
Government entities or Departments, agencies, and other bodies subject to the Act and listed in Schedules I, I.1, or II of the Financial Administration Act
Contracts over $10,000 86 Q1-3: Within 30 days after the quarter
Q4: Within 60 days after the quarter		 open.canada.ca
Grants & Contributions over $25,000 87 Within 30 days after the quarter N/A
Packages of briefing materials prepared for new or incoming deputy heads or equivalent 88(a) Within 120 days after appointment N/A
Titles and reference numbers of memoranda prepared for a deputy head or equivalent, that is received by their office 88(b) Within 30 days after the end of the month received N/A
Packages of briefing materials prepared for a deputy head or equivalent’s appearance before a committee of Parliament 88(c) Within 120 days after appearance N/A
Government institutions that are departments named in Schedule I to the Financial Administration Act or portions of the core public administration named in Schedule IV to that Act
Reclassification of positions 85 Within 30 days after the quarter N/A
Ministers
Packages of briefing materials prepared by a government institution for new or incoming ministers 74(a) Within 120 days after appointment N/A
Titles and reference numbers of memoranda prepared by a government institution for the minister, that is received by their office 74(b) Within 30 days after the end of the month received N/A
Package of question period notes prepared by a government institution for the minister and in use on the last sitting day of the House of Commons in June and December 74(c) Within 30 days after last sitting day of the House of Commons in June and December N/A
Packages of briefing materials prepared by a government institution for a minister’s appearance before a committee of Parliament 74(d) Within 120 days after appearance N/A
Travel Expenses 75 Within 30 days after the end of the month of reimbursement N/A
Hospitality Expenses 76 Within 30 days after the end of the month of reimbursement N/A
Contracts over $10,000 77 Q1-3: Within 30 days after the quarter
Q4: Within 60 days after the quarter		 N/A
Ministers’ Offices Expenses 78 Within 120 days after the fiscal year N/A

Initiatives and Projects to Improve Access to Information

During the reporting period, the Secretariat’s Information Technology division continued to improve our ATIP software tool for the Secretariat’s classified and unclassified systems.

Summary of Key Issues and Actions Taken on Complaints

During the reporting period, 3 complaints were received. 1 complaint was discontinued during the reporting period, while the other 2 complaints remained active on March 31, 2024.

Access to Information Act Fees for the Purposes of the Service Fees Act

The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution.

With respect to fees collected under the ATIA, the information below is reported in accordance with the requirements of section 20 of the Service Fees Act:

  • Enabling authority: Access to Information Act
  • Fee payable: $5.00 application fee is the only fee charged for an ATI request
  • Total revenue: $65.00
  • Fees waived: $15.00
  • Cost of operating the program: $360,421.00

Monitoring Compliance

Legislative deadlines for access to information requests were strictly monitored by using several Microsoft Lists trackers, as were proactive publication requirements. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.

During the reporting period, the Secretariat also continued to assess the feasibility of making information previously released under the ATIA available on its public-facing website.

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2023-2024 Statistical Report on the Access to Information Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2023-04-01 – 2024-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 16
Outstanding from previous reporting period 3
Outstanding from more than one reporting period 2
Total 21
Closed during reporting period 16
Carried over to next reporting period 5
Carried over within legislated timeline 3
Carried over beyond legislated timeline 2
1.2 Sources of requests
Source Number of Requests
Media 2
Academia 3
Business (private sector) 2
Organization 1
Public 8
Decline to Identify 0
Total 16
1.3 Channels of requests
Source Number of Requests
Online 12
E-mail 0
Mail 4
In person 0
Phone 0
Fax 0
Total 16

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 18
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 18
Closed during reporting period 6
Carried over to next reporting period 12
2.2 Channels of informal requests
Source Number of Requests
Online 11
E-Mail 7
Mail 0
In person 0
Phone 0
Fax 0
Total 18
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
0 2 0 4 0 0 0 6
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
2 25 0 0 0 0 0 0 0 0
2.5 Pages re-released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
4 93 0 0 0 0 0 0 0 0

Section 3: Applications to the Information Commissioner on Declining to Act on Requests

  Number of Requests
Outstanding from previous reporting period 0
Sent during reporting period 1
Total 1
Approved by the Information Commissioner during reporting period 0
Declined by the Information Commissioner during reporting period 1
Withdrawn during reporting period 0
Carried over to next reporting period 0

Section 4: Requests Closed During the Reporting Period

4.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 1 0 1
Disclosed in part 0 1 0 1 1 0 2 5
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 1 2 7 0 0 0 10
Request transferred 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Decline to act with the approval of the Information Commisioner 0 0 0 0 0 0 0 0
Total 0 2 2 8 1 1 2 16
4.2 Exemptions
Section Numbers of Requests
13(1)(a) 1
13(1)(b) 0
13(1)(c) 0
13(1)(d) 0
13(1)(e) 0
14 0
14(a) 0
14(b) 0
15(1) – I. A. * 1
15(1) – Def. * 2
15(1) – S.A. * 0
16(1)(a)(i) 2
16(1)(a)(ii) 0
16(1)(a)(iii) 1
16(1)(b) 1
16(1)(c) 1
16(1)(d) 0
16(2) 0
16(2)(a) 0
16(2)(b) 0
16(2)(c) 0
16(3) 0
16.1(1)(a) 0
16.1(1)(b) 0
16.1(1)(c) 0
16.1(1)(d) 0
16.2(1) 0
16.3 0
16.31 0
16.4(1)(a) 0
16.4(1)(b) 0
16.5 0
16.6 0
17 0
18(a) 0
18(b) 0
18(c) 0
18(d) 0
18.1(1)(a) 0
18.1(1)(b) 0
18.1(1)(c) 0
18.1(1)(d) 0
19(1) 2
20(1)(a) 0
20(1)(b) 0
20(1)(b.1) 0
20(1)(c) 0
20(1)(d) 0
20.1 0
20.2 0
20.4 0
21(1)(a) 2
21(1)(b) 0
21(1)(c) 0
21(1)(d) 0
22 0
22.1(1) 0
23 3
23.1 0
24(1) 1
26 0

* I.A.: International Affairs
* Def.: Defence of Canada
* S.A.: Subversive Activities

4.3 Exclusions
Section Numbers of Requests
68(a) 0
68(b) 0
68(c) 0
68.1 0
68.2(a) 0
68.2(b) 0
69(1) 0
69(1)(a) 0
69(1)(b) 0
69(1)(c) 0
69(1)(d) 0
69(1)(e) 0
69(1)(f) 0
69(1)(g) re (a) 0
69(1)(g) re (b) 0
69(1)(g) re (c) 0
69(1)(g) re (d) 0
69(1)(g) re (e) 0
69(1)(g) re (f) 0
69.1(1) 0
4.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
1 5 0 0 0 0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
15323 15323 6
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 1 40 0 0 0 0 0 0 0 0
Disclosed in part 3 185 1 102 0 0 0 0 0 14966
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Declined to act with the approval of the information Commissioner 0 0 0 0 0 0 0 0 0 0
Total 4 225 1 102 0 0 0 0 1 14996
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.7 Other complexities
Disposition Consultation Required Legal Advice Sought Other Total
All disclosed 0 0 0 0
Disclosed in part 2 4 0 6
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 0 0 0
Neither confirmed nor denied 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 2 4 0 6
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 3
Percentage of requests closed within legislated timelines (%) 18.75
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
13 12 1 0 0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 0 0 0
16 to 30 Days 1 0 1
31 to 60 Days 2 5 7
61 to 120 Days 2 0 2
121 to 180 Days 0 1 1
181 to 365 Days 1 0 1
More than 365 Days 0 1 1
Total 6 7 13
4.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation 9(1)(c) Third-Party Notice
Section 69 Other
All disclosed 0 0 0 0
Disclosed in part 3 3 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 0 0 0
No records exist 0 1 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 3 4 0 0
5.2 Length of extensions
Length of Extensions 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation 9(1)(c) Third-Party Notice
Section 69 Other
30 days or less 0 0 0 0
31 to 60 days 3 2 0 0
61 to 120 days 0 0 0 0
121 to 180 days 0 0 0 0
181 to 365 days 0 0 0 0
365 days or more 0 0 0 0
Total 3 4 0 0

Section 6: Fees

Fee Type Fee Collected Fee Waived Fee Refunded
Number of Requests Amount Number of Requests Amount Number of Requests Amount
Application 13 $65.00 3 $0.00 0 $0.00
Other fees 0 $0.00 0 $0.00 0 $0.00
Total 13 $65.00 3 $0.00 0 $0.00

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 20 549 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 4 189 0 0
Closed during the reporting period 20 549 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 2 1 1 0 0 0 4
Disclose in part 3 1 4 6 1 0 0 15
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 1 0 0 0 1
Other 0 0 0 0 0 0 0 0
Total 3 3 5 8 1 0 0 20
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Investigations and Reports of finding

9.1 Investigations
Section 32 Notice of intention to investigate Subsection 30(5) Ceased to investigate Section 35 Formal Representations
2 1 0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports Section 37(2) Final Reports
Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner
0 0 0 2 0 0

Section 10: Court Action

10.1 Court actions on complaints
Section 41
Complainant (1) Institution (2) Third Party (3) Privacy Commissioner (4) Total
0 0 0 0 0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
11.1 Allocated Costs
Expenditures Amount
Salaries $90,000
Overtime $0
Goods and Services $270,421
Professional services contracts $270,421
Other $0
Total $360,421
11.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 0.000
Part-time and casual employees 1.000
Regional Staff 0.000
Consultants and agency personnel 1.000
Students 0.500
Total 2.500

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Open Requests and Complaints Under the Access to Information Act

1.1 Enter the number of open requests that are outstanding from previous reporting periods
Fiscal Year Open Requests Were Received Open Requests that are Within Legislated Timelines as March 31, 2024 Open Requests that are Beyond Legislated Timelines as of March 31, 2024 Total
Received in 2023-24 3 0 3
Received in 2022-23 0 1 1
Received in 2021-22 0 0 0
Received in 2020-21 0 1 1
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 0 0 0
Received in 2014-15 or earlier 0 0 0
Total 3 2 5
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions Number of Open Complaints
Received in 2023-24 0
Received in 2022-23 0
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 0
Received in 2014-15 or earlier 0
Total 0

Section 2: Open Requests and Complaints Under the Privacy Act

2.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received Open Requests that are Within Legislated Timelines as March 31, 2024 Open Requests that are Beyond Legislated Timelines as of March 31, 2024 Total
Received in 2023-24 2 0 2
Received in 2022-23 0 0 0
Received in 2021-22 0 0 0
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 0 0 0
Received in 2014-15 or earlier 0 0 0
Total 2 0 2
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions Number of Open Complaints
Received in 2023-24 0
Received in 2022-23 7
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 0
Received in 2014-15 or earlier 0
Total 7

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2023-24? No
How many requests were received from foreign nationals outside of Canada in 2023-24? 0

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Last Updated:

Status:

Published

Review Number:

19-03 (08-501-3)

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information: Report

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Report

Table of Contents
  1. HTML Version Coming Soon

Date of Publishing:

HTML Version Coming Soon

Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information: Backgrounder

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Backgrounder

Backgrounder

Early after its inception, the National Security and Intelligence Review Agency (NSIRA) conducted a review of how the Communications Security Establishment (CSE) shares Canadian Identifying Information (CII), such as names, email addresses, and IP addresses. This review focused on disclosures made to other Government of Canada departments. After many efforts to produce a declassified version of the report, NSIRA is now able to publish this review’s final report in redacted form.

When CSE gathers foreign signals intelligence, it removes any identifying information about Canadians and persons in Canada from its reports to protect privacy. However, government departments or foreign partners can request this information if they have legal authority and a valid operational reason.

NSIRA examined a sample of these disclosures made between July 1, 2015, and July 31, 2019. This included cases where CSE was assisting the Canadian Security Intelligence Service’s (CSIS) foreign intelligence collection under section 16 of the CSIS Act.

NSIRA found, based on the sample of disclosures it examined, that while CSE approved 99% of requests for CII disclosure from its domestic partners, 28% of all requests were not sufficiently justified to warrant the release of CII. NSIRA concluded that CSE’s implementation of the CII disclosure regime lacked rigour, and may not have complied with its responsibilities under the Privacy Act. As a result, NSIRA issued a compliance report under section 35 of the NSIRA Act.

NSIRA also found that CSE’s releases of CII collected under section 16 of the CSIS Act were conducted in a manner that was unlikely to have been communicated to the Federal Court by CSIS. CSIS had provided the Federal Court with testimony about its treatment of information about Canadians collected through section 16 of the CSIS Act. Yet, when NSIRA compared this testimony with how CSE handled information about Canadians collected when assisting CSIS in relation to section 16, NSIRA found notable discrepancies in the standards communicated to the Federal Court. CSIS was not involved in assessing or releasing the disclosures about which NSIRA had concerns; these disclosures were handled solely by CSE.

The report contains 11 recommendations, primarily focused on enhancing the rigour of CSE’s CII disclosure regime, including with respect to CII collected under section 16 of the CSIS Act.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2023: Backgrounder

Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2023

Backgrounder

Backgrounder

The Security of Canada Information Disclosure Act (SCIDA) is intended to facilitate information sharing across government for national security purposes. Disclosures under SCIDA tend to include considerable personal information, such as passport information, citizenship status, and information gathered by diplomatic missions.

NSIRA is responsible for annually reviewing disclosures made during the previous calendar year and submits a report with its findings and recommendations to the Minister of Public Safety.

Annual reviews of disclosures by NSIRA are key to ensuring that Government of Canada (GC) institutions use SCIDA in a manner that respects the Canadian Charter of Rights and Freedoms and the privacy rights of the individuals whose information is being disclosed.

This report describes the results of a review by NSIRA of SCIDA disclosures made in 2023. It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on June 13 2025.

Since NSIRA began reviewing GC institutions’ compliance with the Act five years ago, it has made recommendations to promote higher levels of compliance among GC institutions. This has resulted in those institutions adjusting their practices and increasingly demonstrating an improved understanding of their obligations.

This year, for the first time in SCIDA’s history, NSIRA has found full compliance with the Act. As such, the report contains seven recommendations aimed at improving the practices of GC institutions to ensure that this high level of compliance is maintained.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2023: Report

Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2023

Report

Date of Publishing:

List of Acronyms

CBSA Canada Border Services Agency
CFIA Canadian Food Inspection Agency
CNSC Canadian Nuclear Safety Commission
CRA Canada Revenue Agency
CSE Communications Security Establishment
CSIS Canadian Security Intelligence Service
DND/CAF Department of National Defence/Canadian Armed Forces
FINTRAC Financial Transactions and Reports Analysis Centre of Canada
GAC Global Affairs Canada
GC Government of Canada
IRCC Immigration, Refugees and Citizenship Canada
NSIRA National Security and Intelligence Review Agency
PHAC Public Health Agency of Canada
PS Public Safety Canada
RCMP Royal Canadian Mounted Police
SCIDA Security of Canada Information Disclosure Act
TC Transport Canada

Glossary of Terms

Contribution test The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)).
Proportionality test The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).

Executive Summary

The objective of this review was to determine whether Government of Canada (GC) institutions complied with the Security of Canada Information Disclosure Act (SCIDA)’s requirements for disclosure and record keeping in 2023. The review assessed GC institutions’ use of information-sharing arrangements, consistent with SCIDA’s guiding principles. The review also documented the volume of SCIDA disclosures and highlighted patterns in the SCIDA’s use across GC institutions and over time.

This is the fifth year that GC institutions have used the SCIDA and that NSIRA has reviewed their compliance with the act. Each year, NSIRA has made recommendations aimed at promoting compliance with the Act. Over the last five years, GC institutions have adjusted their practices and are increasingly demonstrating an improved understanding of their obligations. As a result, for the first time in SCIDA’s history, NSIRA found full compliance with the SCIDA. This allowed NSIRA to focus its review on in-depth analysis of the SCIDA’s contribution and proportionality tests.

For instance, some Immigration, Refugees and Citizenship Canada (IRCC) disclosures, albeit compliant with the SCIDA, presented a heightened risk of non-compliance with these two tests. One disclosure involving protest activity raised concerns regarding how IRCC arrived at the conclusion that the disclosure was related to activity that undermined the security of Canada, and thus complied with paragraph 5(1)(a) of the SCIDA. Three disclosures also raised concerns with regard to the amount of personal information that IRCC disclosed following its proportionality assessment, pursuant to paragraph 5(1)(b).

CSIS request letters, on which IRCC often relies to assess compliance with subsection 5(1), were at times unclear. This hindered IRCC’s effort to satisfy itself that the disclosure was authorised under the SCIDA.

IRCC provided templated statements on accuracy and reliability that were not always relevant or specific to the circumstances of the disclosure. In one case, the Canada Border Services Agency (CBSA) made a verbal disclosure that did not include an explicit statement about accuracy and reliability at time of disclosure. In addition, CBSA’s record of disclosure form contradicts the SCIDA by suggesting that the provision of information on accuracy and reliability is optional.

As encouraged by the SCIDA’s guiding principles, and as recommended by NSIRA previously, IRCC and the Communication Security Establishment signed an informationsharing agreement.

NSIRA made seven recommendations to mitigate risks of non-compliance and enshrine best practices in future years.

1. Introduction

Authority

This review was conducted pursuant to subsections 8(1)(b) and 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).

The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to submit a report to the Minister of Public Safety on disclosures made under the Security of Canada Information Disclosure Act (SCIDA, Act) during the previous calendar year.

Scope of the Review

The objective of this review was to determine whether Government of Canada (GC) institutions complied with the SCIDA’s requirements for disclosure and record keeping. The review assessed GC institutions’ use of information-sharing arrangements, consistent with SCIDA’s guiding principles. The review also documented the volume of SCIDA disclosures and highlighted patterns in the SCIDA’s use across GC institutions and over time.

The review included all GC institutions that disclosed or received information under the SCIDA in 2023: the Canada Border Services Agency (CBSA), Communications Security Establishment (CSE), Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), Immigration, Refugees and Citizenship Canada (IRCC), and Royal Canadian Mounted Police (RCMP). The review also included Public Safety Canada (PS), which provides SCIDA-related policy guidance and training across the GC.

Methodology

NSIRA assessed administrative compliance with the SCIDA’s record keeping obligations in respect of all disclosures made in 2023.

NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements for a targeted sample of 27 disclosures, selected according to the parameters described in Annex A.

Review Statements

The NSIRA Act grants NSIRA rights of timely access to any information in the possession or under the control of a department (except for cabinet confidences) and to receive from the department any documents and explanations NSIRA deems necessary. NSIRA monitors cooperation with access requests, including the completeness and accuracy of disclosures, which inform its overall assessment of a department’s responsiveness in each review.

All reviewees met NSIRA’s expectations for responsiveness during this review.

2. Background

The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.

Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who disclose or receive information under the Act. Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.

Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information –subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).

Subsection 5(2) requires disclosing institutions to, at the time of the disclosure,also provide information regarding the disclosure’s accuracy and the reliability ofthe manner in which it was obtained.

When a GC institution receives information under the Act, subsection 5.1(1)requires that the institution destroy or return any unnecessary personal informationas soon as feasible after receiving it.

The SCIDA’s guiding principles reinforce the notion that effective and responsible disclosure of information protects Canada and Canadians. Of note, subsection 4(c)suggests that GC institutions enter into an information-sharing arrangement when they regularly disclose information to the same recipient.

3. Findings, Analysis, and recommendations

Volume and Nature of Disclosures

In 2023, GC institutions made a total of 269 disclosures under the SCIDA (see Table 1).

Table 1: Number of SCIDA disclosures made in 2023, by disclosing and recipient institution [all disclosures (proactive disclosures)]

    Designated Recipient Institutions
Disclosing Institution   CBSA CFIA CNSC CRA CSE CSIS DND/CAF Finance FINTRAC GAC Health IRCC PHAC PSC RCMP TC TOTAL (proactive)
CBSA 2
(2)		 2
(2)
GAC 1
(1)		 10
(0)		 4
(0)		 15
(1)		 53
(32)
IRCC 58
(0)		 194
(7)		 252
(7)
TOTAL (proactive) 59
(1)		 204
(7)		 1
(0)		 6
(2)		 263
(10)

The number of disclosures increased 55% since 2022, reversing the slight downward trend in the number of disclosures observed across prior years. This shift is largely due to a 246% increase in disclosures from IRCC to CSIS. CSIS attributes this increase to a policy shift that led them to use the SCIDA to request information that IRCC previously provided under the Privacy Act.

As in previous years, disclosing institutions made the vast majority of disclosures following a request. Only 4% of disclosures were sent proactively by the disclosing institution.

Record Keeping Requirements – Section 9

Finding 1. NSIRA found that every institution that disclosed or received information pursuant to SCIDA in 2023 complied with their record keeping obligations under section 9, but some records were inaccurate or imprecise.

Section 9 of the SCIDA prescribes record-keeping obligations for all disclosing institutions, as well as institutions who receive information pursuant to a disclosure. These requirements include, among others, that records of the disclosure describe the information as well as indicate whether the information was destroyed or retained by the recipient. NSIRA’s cross-reference of records provided by disclosing and recipient institutions revealed some inaccuracies that were clarified through discussion with the institutions following receipt of their records:

  • Under paragraph 9(2)(a), CSE mislabelled the number of subjects that the disclosure pertained to in four (of 59) instances;
  • Under paragraph 9(2)(e), CSIS records included contradictory information as to whether the information received has been destroyed or retained; and
  • Under paragraph 9(1)(a), IRCC records included contradictory descriptions of the information disclosed.

NSIRA was unable to reconcile the information provided in relation to one case where the CBSA made a verbal disclosure to the RCMP. Based on the initial records provided by the RCMP and CBSA, NSIRA could not determine with certainty what personal information was shared, and when. In response to a recommendation from NSIRA’s SCIDA review for 2022, the CBSA developed a record of disclosure form to serve as a record overview. In this instance, the form was incomplete and contradicted the copy of the disclosure that was also provided to NSIRA.

As it did last year, NSIRA underscores the importance of administrative precision in preparing records, and notes that a record overview – when correctly prepared –supports compliance with SCIDA record keeping requirements.

NSIRA identified several instances in which the disclosing institution did not provide an explicit statement, under paragraph 9(1)(e), regarding the information that was relied on to satisfy the disclosing institution of the proportionality test. Three of these disclosures were included in NSIRA’s targeted sample for assessing the contribution and proportionality tests.

Contribution and Proportionality Tests – Subsection 5(1)

Finding 2. NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves under the contribution and proportionality tests in compliance with subsection 5(1) of the SCIDA.

To assess compliance with subsection 5(1), NSIRA first considered the explicit statements prepared by disclosing institutions under paragraph 9(1)(e), describing the information that was relied on to satisfy themselves that the disclosure was authorized under the Act. When an explicit statement was provided, NSIRA analysed and corroborated these statements by reviewing all other documents provided by GC institutions related to a given disclosure. Additional documents provided did not raise any concern with paragraphs 5(1)(a) and 5(1)(b) compliance.

For all 27 disclosures included in the sample, the disclosing institution provided anexplicit statement that demonstrated that they had satisfied themselves that thedisclosure would contribute to the recipient’s jurisdiction or its responsibilities.24.

For 24 of the 27 disclosures, the disclosing institution provided an explicit statement that demonstrated they had satisfied themselves that no one’s privacy would be affected more than reasonably necessary in the circumstances. In the remaining three disclosures, despite having no explicit statement, other documents provided by the disclosing institutions nevertheless demonstrated that they had satisfied themselves of the proportionality test.25.

While NSIRA found that institutions were generally compliant with paragraphs5(1)(a) and 5(1)(b), IRCC’s contribution and proportionality assessments demonstrated some deficiencies. These deficiencies form the basis of findings 3and 4.

Recommendation 1. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.

SCIDA’s Exception for Advocacy, Protest, or Dissent

Finding 3. NSIRA found that IRCC did not, in one instance, independently consider whether its disclosure related to activities that fell under the SCIDA exception for advocacy, protest, or dissent. Instead, IRCC satisfied itself of the SCIDA’s contribution test based on assumptions about how CSIS assessed activities that undermine the security of Canada.

The contribution test under paragraph 5(1)(a) requires the disclosing institution to assess whether the disclosure relates to activities that undermine the security of Canada. These activities are defined by the Act and include, for example, espionage, covert foreign-influenced activities, terrorism, and significant or widespread interference with critical infrastructure. In its definition of activities that undermine the security of Canada, subsection 2(2) of the SCIDA includes an exception for advocacy, protest, dissent, or artistic expression. These, in and of themselves, do not constitute activities that undermine the security of Canada. The legislated exception helps to distinguish between legitimate forms of political dissent and national security threats.

In one instance, CSIS requested detailed information from IRCC related to an individual. The request sought current and past passport applications and these contain a great deal of personal information3.CSIS justified its request with anexcerpt from a news article which cited a quote uttered publicly by the individualduring a protest.

IRCC did not request any additional rationale from CSIS. It disclosed the individual’s passport application, including some associate’s information, along with the individual’s passport number, place of issue, and dates of issue and expiry.

In response to a query from NSIRA regarding on what basis it satisfied itself of the contribution test, IRCC explained that it “relies on the partner to accurately describe that the individual is tied to an activity that may undermine the security of Canada.” The IRCC official who authorized the disclosure further explained that IRCC assumed that CSIS had not relied solely on the individual’s statements quoted in the news article given the limits of CSIS’s authority to investigate lawful advocacy, protest or dissent under the CSIS Act.

The CSIS Act includes an exemption preventing CSIS from investigating lawful advocacy, protest or dissent, without the presence of threat related activities itemised in the CSIS Act. However, the SCIDA’s use of “activity that undermines the security of Canada” is a purposeful departure from the CSIS Act’s “threat to the security of Canada”. The distinction reflects legislative intent that the disclosing institution perform its own, fit-for-purpose assessment.

Subsection 5(1) of the SCIDA explicitly places the onus on the disclosing entity to assure itself that the disclosure is authorized. The process by which an institution satisfies itself should be grounded in an independent and factual assessment. In that context, a mere acquiesce of a request would not be sufficient, nor would a de facto reliance on the recipient respecting their enabling legislation. The threshold of satisfaction imports an objective standard that must be based on facts.

PS guidance notes that although the threshold imposed by subsection 5(1) does not hold institutions to perfection, they must make all reasonable efforts to satisfy themselves that the information will contribute to the recipient’s national security mandate. When encountering activities occurring in the context of political dissent or a protest, NSIRA expects institutions with a national security mandate to exercise caution when requesting information relating to an activity protected under the Canadian Charter of Rights and Freedoms (Charter) to further an investigation. At the same time, in this case, IRCC should have obtained more information prior to disclosure, to substantiate what activities were undermining the security of Canada to ensure the exception did not apply.

Recommendation 2. NSIRA recommends that IRCC amend their SCIDA policy to underscore that IRCC must independently assess whether the disclosure is authorized. This assessment should consider whether the activity amounts to one of the exceptions to the SCIDA’s definition of activities that undermine the security of Canada.

IRCC’s New Approach to Proportionality Assessments

Finding 4. NSIRA found that, throughout the course of 2023, IRCC improved the rigour of its proportionality assessments regarding disclosure of passport information. However, NSIRA identified three instances where IRCC disclosed visa information without applying the same rigorous approach, which risked disclosing more personal information than reasonably necessary in the circumstances.

In summer 2023, IRCC adopted a “higher” standard to satisfy itself that no person’s privacy interest would be affected more than reasonably necessary when disclosing passport information to CSIS. According to IRCC, this shift was prompted by a previous NSIRA recommendation that IRCC be explicit in their records that the proportionality test was met. Not only did IRCC adjust their record keeping practices, but they also turned their attention to the substantive issue at hand. Indeed, IRCC closely examined the privacy impact their disclosures may have when responding to CSIS requests.

As a result, when dealing with the absence of additional rationale from CSIS, IRCC became more conservative in the disclosure of information. For example, IRCC began redacting associate’s information in passport applications, limiting the provision of historical applications, and refraining from disclosing applications of minors. They adopted an iterative approach to disclosing passport information, which cultivated a more appropriate weighting of individuals’ privacy interests vis-à-vis the recipient’s investigative needs.

IRCC’s new approach to assessing the proportionality of passport information disclosures was not well-received by CSIS, who characterize their receipt of redacted passport applications as a “massive” hindrance to section 12 investigations. In internal correspondence, a CSIS analyst noted that they would prefer that “IRCC not filter down the info and let them [CSIS] make the assessment based on the knowledge of [national security] threats”.

Still, the discretionary nature of SCIDA disclosures make it such that IRCC may choose what information to disclose, if any. IRCC’s SCIDA Standard Operating Procedure states that requests for disclosure must provide sufficient information to justify the release of associate’s information. Under the SCIDA, it is entirely within IRCC’s purview to seek and obtain such justification prior to disclosing information.

IRCC’s increased attention to privacy interests in the context of passport application disclosures was not imparted to disclosures of information collected from visa applications. It is important to note that this distinction is not a factor that should be considered when assessing proportionality. Under the SCIDA, the privacy interests of citizens and non-citizens must be similarly assessed, and only treated differently in a visa application if no reasonable expectation of privacy is assessed.

Annex B presents the details of three disclosures in relation to which IRCC disclosed visa information to CSIS, concerning over 20 individuals, without having first established facts relevant to the conduct of an informed proportionality assessment. In these cases, either the identities of the subject of the request were unknown or the link between the subject of the disclosure and the threat had yet to be established. NSIRA would have expected IRCC to follow a more iterative approach to disclosing this information, consistent with its approach to passport disclosures in the later part of 2023. Such an iterative approach would have entailed disclosing only basic information until a greater connection to the activity that undermined the security of Canada could be established or the identity of the individual could be confirmed.

Additionally, the cases presented in Annex B are not fully consistent with IRCC policy, which underscores that “disclosing […] more personal information than is necessary could constitute a breach of a person’s reasonable expectation of privacy, a right protected by the Canadian Charter of Rights and Freedoms”. This is an important consideration since the proportionality of a given disclosure may be a factor in determining its Charter reasonableness.

Under the SCIDA regime, and as explained in PS guidance, the proportionality testis conducted to help determine the scope of what can be disclosed, and not necessarily whether the disclosure should occur. Thus, it would have been warranted for IRCC to assess how the sharing of each piece of information would impact the privacy of the individuals in question.

Recommendation 3. NSIRA recommends that IRCC apply an iterative approach to its proportionality assessments, with a view to disclosing only the minimum information reasonably necessary in the circumstances to enable the recipient institution to further their investigation.

CSIS Request Letters

Finding 5. NSIRA found that CSIS requests to IRCC used inconsistent terminology and were often unclear about the relationship between the subject of the request and its investigation. At times, this lack of clear communication hindered IRCC’s efforts to satisfy itself that the disclosure was authorised under the SCIDA.

96% of IRCC disclosures to CSIS were in response to a request. IRCC used the information in CSIS’s request letters to assure itself that a disclosure met both the contribution and the proportionality tests. While IRCC is always at liberty to request more information from CSIS to satisfy itself that the disclosure is authorized, in the majority of disclosures requested by CSIS, IRCC based its assessments solely on the information provided by CSIS in the request letter.

NSIRA reviewed all request letters sent by CSIS to IRCC. CSIS used a wide variety of terms to describe the nature of its interest in the subject of a request, such as:

  • The subject came to the attention of the Service
  • The subject is of interest for possible involvement in
  • The subject is of interest in connection with
  • The subject is believed to be an associate of a target
  • The subject is related to the threat
  • The individual is the subject of a Service investigation
  • The subject is part of a Service investigation
  • The subject is very closely associated to a CSIS subject of investigation

In most cases, CSIS did not define these terms or provide any more information on why the subject was of interest.

Furthermore, CSIS used the same (or similar) words when referring to different levels of interest. For example, “associated with” and “part of a Service Investigation” were used in requests for individuals with no known involvement in threat related activities and for individuals who CSIS has reason to suspect are involved in threat activities. In another instance, CSIS’s request letter stated that the subjects were related to the threat, but the connection between the threat and the individuals had not been established.

As a result of these inconsistencies and lack of clarity, IRCC could not understand key nuances relevant to its proportionality assessments. This issue is compounded by the fact the CSIS tended to request “any and all information” associated with the subject(s) of a request.

The relationship between the information requested and an investigation is an important factor considered by IRCC when assessing proportionality. Indeed, IRCC’s new approach to assessing proportionality takes into consideration the fact that information on associates contained in passport applications may not be material to the investigation. As a result, IRCC has often opted to redact some associate’s information, unless CSIS provided some indication that they are, or could be, implicated in the threat activity. In one of the several instances where CSIS stated that the subject of the request was “very closely associated to a CSIS subject of investigation”, IRCC requested an explanation to clearly link the subject of the request to the investigation. When CSIS did not provide it, IRCC opted to cancel the disclosure as it was not satisfied that the disclosure would meet the proportionality test.

It is essential that CSIS convey information in a clear and consistent manner given that IRCC takes this information into account in conducting its proportionality assessments. This is especially true when IRCC is disclosing associate’s information. When requesting information under the SCIDA, recipient institutions should, as a matter of course, facilitate disclosing institutions’ compliance with SCIDA thresholds by using clear and consistent terminology.

In late 2023, CSIS began centralizing its process for requesting IRCC SCIDA disclosures and developed a standard request form, which should help with consistency. As no requests were made in 2023 using these standard forms, NSIRA could not assess the effect of these changes in practice.

Recommendation 4. NSIRA recommends that CSIS use consistent terminology, and be clear about the nature of the link that has been established between the subject of a request and its investigation, to assist IRCC in satisfying itself of the proportionality test.

Reliability and Accuracy Statement – Subsection 5(2)

Finding 6. NSIRA found that disclosing institutions provided information regarding the accuracy of the information and reliability of the manner in which it was obtained in relation to all disclosures. However, CBSA made one verbal disclosure that did not include an explicit statement on accuracy and reliability.

Under the SCIDA, departments are required to provide information on the accuracy and the reliability of the manner in which the information being disclosed was obtained. They must do so at the time of the disclosure.

All written disclosures made in 2023 contained a statement on accuracy and reliability. However, CBSA made one proactive verbal disclosure of a tip to the RCMP, previously described in paragraph 19, in which it did not provide an explicit statement regarding accuracy and reliability at the time of disclosure.

Although the same information was shared again in writing two weeks later, an explicit, written statement on accuracy and reliability was only shared with the RCMP nearly two months later, when the CBSA disclosed additional information about the subject.

Subsection 5(2) states that “information” regarding accuracy and reliability “must” be provided at time of disclosure. NSIRA assesses in this case that, by its very nature, relaying that the information disclosed was derived from a tip conveyed information regarding accuracy and reliability to the RCMP. That said, an explicit, written statement is considered best practice. While verbal disclosures are not prohibited by the SCIDA, PS guidance notes that “[i]nformal communication cannot be used in lieu of the formal disclosure process or to replace the formal recordkeeping obligations.”

Recommendation 5. NSIRA recommends that institutions avoid making verbal disclosures whenever possible. When they must occur, verbal disclosures should explicitly convey the requisite information on accuracy and reliability.

Finding 7. NSIRA found that CBSA’s record of disclosure form contradicts the SCIDA by allowing officials to opt out of providing information regarding accuracy and reliability.

Although CBSA policy correctly reflects the mandatory nature of providinginformation on accuracy and reliability, its new record of disclosure form does not.The form includes a yes/no checkbox to indicate whether a statement confirmingthe accuracy and reliability was provided to the recipient institution. If the CBSAofficial selects “no”, they are prompted to explain why they elected to not provide astatement. This implies that it is discretionary and leaves the opportunity for CBSAto opt out of the requirement.

Further, the form does not specify that the statement must be provided at the timeof disclosure, as the SCIDA specifically demands.

Recommendation 6. NSIRA recommends that CBSA harmonize its record of disclosure form with the SCIDA to convey the mandatory nature of providing information on accuracy and reliability at the time of the disclosure.

Finding 8. NSIRA found that IRCC used templated language to describe the disclosure’s accuracy and reliability that was not always relevant or specific to the circumstances of the disclosure.

All IRCC disclosures made in 2023 included the same accuracy and reliability statement:

The information in this disclosure was provided by the Subject as part of their various applications to IRCC. The Subject declared that the information they provided as part of their applications was truthful, complete and correct. The information in this disclosure is accurate and reliable in so far as the Subject was truthful in their submissions to our Department. IRCC holds no information that would call into question the accuracy and reliability of the information provided by the Subject.

There are several cases where this statement provided by IRCC did not reflect the specific circumstances of the disclosure. For example, the statement above was included in a disclosure where no immigration or passport records were found and the only information disclosed was the lack of records. The same statement was used in disclosures of child general passport applications, which are actually completed by parents or legal guardians rather than by the subject themselves. When solely disclosing citizenship status to CSE, IRCC still included the same statement, despite the information disclosed not being provided by the subject as part of their application. In one case, the IRCC used the same statement in the disclosure but nevertheless contradicted itself by also stating that there was some reason to believe the information might not be accurate.

All of these cases point to a tendency of copying the accuracy and reliability information without giving sufficient attention to the relevance of the statement.

When instructing on the accuracy and reliability statement, the PS SCIDA guide suggests that “formulaic (templated) language should be avoided, unless the nature and source of information disclosed is derived from a routine process.” IRCC produces a large number of disclosures every year. While some language can be recycled, it is necessary that the statement remain an accurate representation of each disclosure. NSIRA has previously recommended that statements be clear and specific to the circumstances of the disclosure.

Recommendation 7. NSIRA recommends that IRCC tailor its statements on accuracy and reliability as to ensure that each disclosure’s statement is specific to the circumstances of the case.

Information Sharing Agreement – Subsection 4(c)

Finding 9. NSIRA found that disclosures between IRCC and CSE that occurred following the enactment of their new information sharing agreement were compliant with both the SCIDA and their information sharing agreement.

In past SCIDA reviews, NSIRA noted that some departments regularly use the SCIDA in a manner that warrants information sharing arrangements (ISA), as encouraged by subsection 4(c) of SCIDA. In 2022, NSIRA recommended that IRCC and CSE develop an ISA to govern their SCIDA disclosures.

In August 2023, IRCC and CSE signed an ISA. As a whole, the new ISA between IRCC and CSE supports compliance with SCIDA, with all key legislated requirements from SCIDA being included in the ISA. The agreement also adheres to the guidance on preparing ISAs recently developed by PS.

Of the 24 disclosures made after the ISA implementation, all were deemed compliant with the new agreement. NSIRA looked at each disclosure made under the ISA and assessed them against a majority of the requirements outlined in the agreement.

4. Conclusion

This is the fifth year that GC institutions have used the SCIDA and that NSIRA has reviewed their compliance with the act. Each year, NSIRA has made recommendations aimed at promoting compliance with the Act. Over the last five years, GC institutions have adjusted their practices and are increasingly demonstrating an improved understanding of their obligations. As a result, for the first time in SCIDA’s history, NSIRA found full compliance with the SCIDA.

This review assessed GC institutions’ compliance with requirements for recordkeeping in respect of all 269 disclosures that were made and received in 2023. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 27 disclosures. All were compliant with SCIDA requirements, but NSIRA found that IRCC’s contribution and proportionality assessments demonstrated some deficiencies. An increased understanding of the activities that undermine the security of Canada would support a more thorough proportionality assessment and greater utility of the disclosed information.

NSIRA made recommendations aimed at promoting compliance with SCIDA, particularly with regard to how departments determine whether the contribution and proportionality tests have been met.

Annex A. Sample of Disclosures

Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:

  • At least two disclosures per discloser-recipient pair, if available;
  • At least one proactive disclosure per discloser, if available;
  • At least one requested disclosure per recipient, if available;
  • All disclosures identified by recipient institutions as including personal information that was destroyed or returned under the SCIDA, subsection5.1(1);
  • All disclosures for which there is a high-level discrepancy in the discloser and recipient records;
  • All disclosures made by an institution that is not listed in Schedule 3 of the SCIDA;
  • All disclosures received by institutions added to Schedule 3 in the preceding year; and
  • All disclosures that, based on the review team’s preliminary assessment, present a heightened risk of non-compliance under section 5.

Annex B. Cases Relating to IRCC’s Disclosure of Visa Information

Disclosure 1 (Economic Security Threat)

IRCC proactively disclosed to CSIS the visa applications of several individuals who received a work permit in various research fields linked to economic security threat. These applications included personal information such as employment history, travel history, contact information, photos, passport information, and associate’s information. This was part of IRCC’s effort to proactively identify and share with CSIS information about individuals that may engage in activities that pose a threat to Canada’s economic prosperity.

While the national security concern posed by these types of economic security threats is well documented, the role that these individuals played in that space was unknown. IRCC selected the individuals in question based on one threat related criteria, but the other criteria used to narrow the pool individuals from several hundreds to a few individuals were unrelated to the threat the individuals posed. Indeed, IRCC chose these additional arbitrary criteria mainly for practical reasons.

For greater clarity, there was no information indicating that any of the several individuals in question were involved in activities that undermine the security of Canada. Most of these applications were not initially referred to CSIS for security screening by IRCC, meaning that the visa officer was fully satisfied that the applicants posed no threat. In one case, the application was sent for security screening but CSIS returned a favorable recommendation and the individual was granted a visa.

The proactive sharing of complete visa application packages with CSIS risked affecting these individuals’ privacy more than was reasonably necessary in the circumstances.

Disclosure 2 (Foreign Entity)

CSIS requested passport information about any individuals with a valid visa currently working for a specific foreign entity. IRCC did not have any passport applications for the individuals that matched the search criteria, but nevertheless disclosed entire visa applications for some individuals. IRCC also provided information about individuals who had previously worked at the foreign entity, and individuals who did not have a valid visa. This misalignment between what was requested and what was disclosed does not reflect a proper tailoring of information to meet SCIDA’s contribution and proportionality tests.

None of these individuals had been linked to a specific activity that undermined the security of Canada, either at the time of the request nor following the disclosure. CSIS and IRCC’s inability to characterize the nature of the individuals’ relationship to threat activities created a risk that IRCC’s disclosure may have affected their privacy more than was reasonably necessary in the circumstances.

Disclosure 3 (Bulk Data)

CSIS sent a letter to IRCC requesting the disclosure of information within immigration applications on individuals including a spreadsheet with certain identifying personal information (called “selectors”). While large data-set requests and disclosures are not prohibited by the SCIDA, the requirements imposed by the contribution and proportionality tests must be applied to every discrete piece of information disclosed. As such, this type of information would need to be responsibly assessed prior to disclosure.

While the CSIS request letter provides extensive rationale as to why the threat actor named in the request letter poses a threat to national security, the IRCC officials that authorized the disclosure did not have contemporaneous information on how these selectors, and, by extension the individuals linked to these selectors, are linked to the threat actor.

Nevertheless, IRCC disclosed significant personal details pertaining to several individuals. For example, the disclosure included a foreign state visa refusal, information about military service, a personal picture, and other documents that would have been provided as part of a visa application.

This disclosure included more information than what CSIS requested. Given that the identity of the individuals are unconfirmed, as CSIS’s request clearly stated that the purpose of this request was for identification, this suggests that IRCC risked disclosing more than the least amount of personal information necessary for CSIS to further its investigation.

While the legislative burden to ensure that the disclosure is authorized under SCIDA falls on the disclosing entity, in this case IRCC, it may be very complex fora disclosing entity to discharge its obligation under paragraphs 5(1)(a) and 5(1)(b)with these types of large data-sets requests, particularly when the requester provides very little rationale linking each selector or individual to the activity that undermines the security of Canada.

Annex C. Overview of SCIDA Disclosures in Prior Years

Disclosing Institution Designated Recipient Institutions under the SCIDA, Schedule 3
CBSAGACCNSCCRACSECSISDND/CAFFinance FINTRACGACHealthIRCCPHACPSRCMPTC TOTAL
2022
CBSA44
GAC3921253
IRCC5956115
RCMP11
TOTAL5995216173
2021
DND/CAF22
GAC244
IRCC687921149
TOTAL681222212195
2020
CBSA14
GAC251340
IRCC6061137159
RCMP113
TC22
Other¹⁰1
TOTAL6188136551215
2019
CBSA13
GAC2342
IRCC51713659
RCMP4138
TC12
TOTAL454111114

Annex D. Findings and Recommendations

Record Keeping Requirements – Section 9

Finding 1. NSIRA found that every institution that disclosed or received information pursuant to SCIDA in 2023 complied with their record keeping obligations under section 9, but some records were inaccurate or imprecise.

Contribution and Proportionality Tests – Subsection 5(1)

Finding 2. NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves under the contribution and proportionality tests in compliance with subsection 5(1) of the SCIDA.

Recommendation 1. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.

Finding 3. NSIRA found that IRCC did not, in one instance, independently consider whether its disclosure related to activities that fell under the SCIDA exception for advocacy, protest, or dissent. Instead, IRCC satisfied itself of the SCIDA’s contribution test based on assumptions about how CSIS assessed activities that undermine the security of Canada.

Recommendation 2. NSIRA recommends that IRCC amend their SCIDA policy to underscore that IRCC must independently assess whether the disclosure is authorized. This assessment should consider whether the activity amounts to one of the exceptions to the SCIDA’s definition of activities that undermine the security of Canada.

Finding 4. NSIRA found that, throughout the course of 2023, IRCC improved the rigour of its proportionality assessments regarding disclosure of passport information. However, NSIRA identified three instances where IRCC disclosed visa information without applying the same rigorous approach, which risked disclosing more personal information than reasonably necessary in the circumstances.

Recommendation 3. NSIRA recommends that IRCC apply an iterative approach to its proportionality assessments, with a view to disclosing only the minimum information reasonably necessary in the circumstances to enable the recipient institution to further their investigation.

Finding 5. NSIRA found that CSIS requests to IRCC used inconsistent terminology and were often unclear about the relationship between the subject of the request and its investigation. At times, this lack of clear communication hindered IRCC’s efforts to satisfy itself that the disclosure was authorised under the SCIDA.

Recommendation 4. NSIRA recommends that CSIS use consistent terminology, and be clear about the nature of the link that has been established between the subject of a request and its investigation, to assist IRCC in satisfying itself of the proportionality test.

Reliability and Accuracy Statement – Subsection 5(2)

Finding 6. NSIRA found that disclosing institutions provided information regarding the accuracy of the information and reliability of the manner in which it was obtained in relation to all disclosures. However, CBSA made one verbal disclosure that did not include an explicit statement on accuracy and reliability.

Recommendation 5. NSIRA recommends that institutions avoid making verbal disclosures whenever possible. When they must occur, verbal disclosures should explicitly convey the requisite information on accuracy and reliability.

Finding 7. NSIRA found that CBSA’s record of disclosure form contradicts the SCIDA by allowing officials to opt out of providing information regarding accuracy and reliability.

Recommendation 6. NSIRA recommends that CBSA harmonize its record of disclosure form with the SCIDA, to convey the mandatory nature of providing information on accuracy and reliability at the time of the disclosure.

Finding 8. NSIRA found that IRCC used templated language to describe the disclosure’s accuracy and reliability that was not always relevant or specific to the circumstances of the disclosure.

Recommendation 7. NSIRA recommends that IRCC tailor its statements on accuracy and reliability as to ensure that each disclosure’s statement is specific to the circumstances of the case.

Information Sharing Agreement – Subsection 4(c)

Finding 9. NSIRA found that disclosures between IRCC and CSE that occurred following the enactment of their new information sharing agreement were compliant with both the SCIDA and their information sharing agreement.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2022: Backgrounder

Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2022

Backgrounder

Backgrounder

ISSN: 2817-7525

This report presents findings and recommendations made in NSIRA’s annual review of disclosures of information under the Security of Canada Information Disclosure Act (SCIDA)It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on November 1st, 2023.

The SCIDA provides an explicit, stand-alone authority to disclose information between Government of Canada institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.

This report provides an overview of the SCIDA’s use in 2022. In doing so, it:

  • documents the volume and nature of information disclosures made under the SCIDA;
  • assesses compliance with the SCIDA; and
  • highlights patterns in the SCIDA’s use across Government of Canada institutions and over time.

The report contains six recommendations designed to increase standardization across the Government of Canada in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Annual Report on the Privacy Act 2023-24

Date of Publishing:

Introduction

The Privacy Act (PA) gives individuals the right of access to information about themselves that is under the control of a government institution, subject to certain specific and limited exemptions and exclusions. The PA also protects the privacy of individuals by giving them substantial control over the collection, use and disclosure of their personal information, and by preventing others from having access to that information. 

Section 72 of the PA requires the head of each government institution to prepare an annual report on the administration of the PA within the institution that is to be tabled in both Houses of Parliament. 

This report to Parliament, which is prepared and tabled pursuant to section 72 of the PA, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the PA during the period of April 1, 2023 to March 31, 2024 (the reporting period).  

If you require more information or wish to make a request under the PA or the Access to Information Act, please direct your inquiries to the following:

Access to Information and Privacy Office 
National Security and Intelligence Review Agency Secretariat 
P.O. Box 2430, Station “D” 
Ottawa, Ontario, K1P 5W5  
Email: ATIP@nsira-ossnr.gc.ca

Who We Are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.  

The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the PA and the Access to Information Act.

Mandate

The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.  

NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:  

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances; 
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act
  • reports made under section 19 of the Citizenship Act; and 
  • matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office – Organizational Structure

The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the PA and the Access to Information Act.  

For the reporting period, the Secretariat’s ATIP Office consisted of: 

  • 1 full-time Access to Information Consultant;  
  • 1 part-time Privacy Consultant;  
  • 1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and 
  • the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the ATIP office when required. 

The Secretariat’s ATIP Office is responsible for the following: 

  • monitoring compliance with ATIP legislation and relevant procedures and policies; 
  • processing requests under both the PA and the Access to Information Act;  
  • developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the PA and the Access to Information Act;  
  • maintaining Personal Information Banks and conducting privacy impact assessments; 
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and 
  • representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the PA and the Access to Information Act.  

During the reporting period, the Secretariat was a party to a service agreement under section 73.1 of the PA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the annual report in Parliament. The Secretariat was also a party to a service agreement under section 71.1 of the PA in which the Secretariat received ATIP Online services from TBS.  

To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.

Delegation Order

As the Head of the Secretariat, the Executive Director is responsible for the administration of the PA within the institution. Pursuant to section 73 of the PA, the Executive Director has delegated the ATIP Manager and ATIP Officer,  as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the PA. These positions have limited delegation of authority under the PA and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 9).

Performance 2023-2024

Performance in Processing Privacy Requests

In addition to 5 requests that were outstanding from the previous reporting periods, the Secretariat’s ATIP Office received 22 formal requests during the current reporting period, bringing the total number of formal request to 27. Of these, the Secretariat’s ATIP Office closed 25 requests and processed approximately 4843 pages during the reporting period. 2 requests were carried over to the following reporting period.

Statistical Reports for 2023-2024

The Secretariat’s 2023-2024 Statistical Report on the PA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.

Extensions and Completion Time of Closed Requests

During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 2 formal requests: 1 extension was completed within of 16 to 30 days, and 1 request was taken to seek an internal consultation. Both did not require extensions to consult with third parties. 

Of the requests completed during the reporting period: 

  • 1 request, or 4% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days; 
  • 1 request, or 4% of the requests completed, was disclosed in part. This request was completed within 121  to 180  days; 
  • 16 requests, or 64% of the requests completed, resulted in no records. 1 request was completed within 0 to 15 days, 6 requests were completed within 16 to 30 days, 6 requests were completed within 31 to 60 days, and 3 requests were completed within 61 to 120 days; 
  • 1 request, or 4% of the requests completed, was abandoned and completed; and 
  • 6 requests, or 24% of the requests completed, were neither confirmed nor denied. 

The Secretariat’s responses to many requests required an intensive review of complex records, including extensive internal and external consultations. During the reporting period, the Secretariat’s on-time response rate decreased to 56% from 58.3% in the 2022-2023 reporting period due to a significant increase in the number of pages processed for formal requests.

Consultations 

During the reporting period, no privacy consultations were received. 

Complaints and Investigations 

Subsection 29(1) of the PA describes how the Office of the Privacy Commissioner (OPC) receives and investigates complaints from individuals regarding the processing of requests under the PA. During the reporting period, the Secretariat’s ATIP Office received 16 complaints, 2 of which were related to Access requests. 

In addition, 1 privacy breach-related investigation initiated by the Privacy Commissioner in Fiscal Year 2020-2021 continued during the reporting period and remained active on March 31, 2024.

Training and Awareness

The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). New employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held. 

To ensure in-depth training is taken by employees of the NSIRA Secretariat who have functional or delegated responsibility for the administration of the PA and Privacy Regulations, the Senior Counsel, Internal Services participated in the 2023 Canadian Privacy Symposium offered by the International Association of Privacy Professionals. In addition, the ATIP Manager attended the 2023 Canadian Access and Privacy Association Conference as well as the 26th Annual Vancouver International Privacy & Security Summit.

Policies, Guidelines, and Procedures 

During the reporting period, the Secretariat implemented several initiatives to assist the Secretariat’s ATIP Office to operate more efficiently. For example, the Secretariat revised its Privacy Breach Plan and Procures Manual, revised its Privacy Protocol Template, and established a Privacy Risk Register. 

Initiatives and Projects to Improve Privacy 

During the reporting period, the Secretariat’s Information Technology division continued to develop an ATIP software tool for the Secretariat’s classified and unclassified systems.  

Summary of Key Issues and Actions Taken on Complaints 

The Secretariat meaningfully engaged with the OPC on all 16 active investigations during the reporting period and disclosed additional records in 1 of the 2 Access related complaints.   

Material Privacy Breaches 

During the reporting period, no material privacy breaches occurred.  

Privacy Impact Assessments 

During the reporting period, the Secretariat completed a Privacy Impact Assessment (PIA) of its investigations-related activities, which was shared with TBS and the OPC. In addition, the Secretariat made further revisions to its PIA on the creation of NSIRA in response to feedback received from TBS and continued to engage with TBS on PIB registration.  

Public Interest Disclosures 

During the reporting period, no public interest disclosures occurred. 

Monitoring Compliance 

Legislative deadlines for access requests were strictly monitored by using several Microsoft Lists trackers. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.  

For contracts issued during the reporting period, the Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.

Appendices

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2023–2024 Statistical Report on the Privacy Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2022-04-01 – 2023-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 22
Outstanding from previous reporting period 5
Outstanding from more than one reporting period 0
Total 27
Closed during reporting period 25
Carried over to next reporting period 2
Carried over within legislated timeline 2
Carried over beyond legislated timeline 0
1.2 Channels of requests
Source Number of Requests
Online 22
E-mail 0
Mail 0
In person 0
Phone 0
Fax 0
Total 22

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 1
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 1
Closed during reporting period 0
Carried over to next reporting period 1
2.2 Channels of informal requests
Source Number of Requests
Online 0
E-Mail 1
Mail 0
In person 0
Phone 0
Fax 0
Total 1
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
0 0 0 0 0 0 0 0
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
0 0 0 0 0 0 0 0 0 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 1 0 0 0 0 0 1
Disclosed in part 0 0 0 0 1 0 0 1
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 1 6 6 3 0 0 0 16
Request abandoned 1 0 0 0 0 0 0 1
Neither confirmed nor denied 0 4 1 0 1 0 0 6
Total 2 11 7 3 2 0 0 25
3.2 Exemptions
Section Numbers of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 0
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 1
27 1
27.1 0
28 0
3.3 Exclusions
Section Numbers of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
3.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 2 0 0 0 0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
4843 4843 9
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 1 0 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 1 4843 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 6 0 0 0 0 0 0 0 0 0
Total 8 0 0 0 0 0 1 4843 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation Required Assessment of Fees Legal Advice Sought Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 1 0 0 1
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 1 0 0 1
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 14
Percentage of requests closed within legislated timelines (%) 56
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
11 10 0 1 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 4 0 4
16 to 30 Days 2 0 2
31 to 60 Days 2 0 2
61 to 120 Days 1 1 2
121 to 180 Days 0 1 1
181 to 365 Days 0 0 0
More than 365 Days 0 0 0
Total 9 2 11
3.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
2 0 1 0 0 0 0 1 0
6.2 Length of extensions
Length of Extensions 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 1 0 0 0 0 1 0
31 days or greater               0
Total 0 1 0 0 0 0 1 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over within regotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
3 10 3 0 16

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)

10.1 Privacy Impact Assessments
Number of PIA(s) completed Number of PIAs modified
1 1
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 0 0 0 0
Central 0 0 0 0
Total 0 0 0 0

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS Number of material privacy breaches reported to OPC
0 0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
12.1 Allocated Costs
Expenditures Amount
Salaries $100,000
Overtime $0
Goods and Services $15,475
Professional services contracts $15,475
Other $0
Total $115,475
12.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 1.000
Part-time and casual employees 0.000
Regional Staff 0.000
Consultants and agency personnel 0.300
Students 0.500
Total 1.800

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Open Requests and Complaints Under the Access to Information Act

1.1 Enter the number of open requests that are outstanding from previous reporting periods.
  Number of weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution Number of Open Complaints
Received in 2023-24 0
Received in 2022-23 0
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-21 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-26 0
Received in 2014-15 or earlier 0

Section 2: Open Requests and Complaints Under the Privacy Act

2.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution Open Requests that are Within Legislated Timelines as of March 31, 2024 Open Requests that are Beyond Legislated Timelines as of March 31, 2024 Total
Received in 2023-24 2 0 2
Received in 2022-23 0 0 0
Received in 2021-22 0 0 0
Received in 2020-21 0 0 0
Received in 2019-21 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-26 0 0 0
Received in 2014-15 or earlier 0 0 0
Total 2 0 2
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution Number of Open Complaints
Received in 2023-24 0
Received in 2022-23 7
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-21 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-26 0
Received in 2014-15 or earlier 0
Total 7

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2023-24 No

Section 4: Universal Access under the Privacy Act

How many requests were received from foreign nationals outside of Canada in 2023-24 0

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified: