- Introduction
- Review mandate
- Complaints mandate
- Organization Structure
- Delegation Order
- Highlights of the 2020-21 statistical report
- Training and awareness
- Privacy policies, guidelines, procedures and initiatives
- Complaints and investigations
- Monitoring processing time
- Material Privacy Breaches
- Privacy Impact Assessments
- Public Interest Disclosures
- Appendices
Date of Publishing:
Introduction
The National Security and Intelligence Review Agency (NSIRA) is pleased to submit to Parliament its annual report on the administration of the Privacy Act for the fiscal year commencing April 1, 2020, and ending March 31, 2021. This annual report is presented in accordance with section 72 of the Privacy Act, whose purpose is to protect the privacy of individuals with respect to the personal information held by a government institution and to provide a right of access to that information.
NSIRA is an independent and external review body that reports to Parliament on its operations under the National Security and Intelligence Review Agency Act (NSIRA Act). NSIRA reviews all Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also investigates public complaints regarding key national security agencies and activities.
Review mandate
NSIRA has a statutory mandate to review activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies. This includes, but is not limited to, the national security and intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, the Department of National Defence, Global Affairs Canada, and the federal Department of Justice.
To fulfil its mandate, NSIRA has unfettered access to classified information. This includes any and all information held by, or under the control of, departments and agencies, including information subject to legal privilege. NSIRA independently determines which information is relevant to the conduct of its reviews. The sole exception to NSIRA’s right to access information is when the information is considered a Cabinet confidence.
In carrying out reviews, NSIRA may make any findings and recommendations it considers appropriate. In accordance with the NSIRA Act, however, it will pay particular attention to whether government activities are lawful and comply with ministerial direction, and to whether the activities are reasonable and necessary.
Complaints mandate
Some of the activities under NSIRA’s complaints mandate are the complaints investigation functions inherited from the Security Intelligence Review Committee (SIRC). SIRC was responsible for hearing public complaints regarding the actions of CSIS. SIRC was also responsible for complaints related to the Government of Canada security clearance process, as well as specific matters and reports referred to under the Citizenship Act and the Canadian Human Rights Act.
In addition to these SIRC-related activities, NSIRA investigates complaints against CSE, as well as complaints against the RCMP that are referred by the Civilian Review and Complaints Commission (CRCC). The CRCC will continue to review all other activities of the RCMP.
Organization Structure
The responsibility for the administration of the Privacy Act is delegated to NSIRA’s Executive Director and further subdelegated to the Access to Information and Privacy (ATIP) Coordinator, as set out in the Privacy Act Designation Order in Appendix A.
The person holding the position or acting in the position of Executive Director has full delegation to exercise or perform any of the powers, duties and functions under the Privacy Act. The ATIP Coordinator operates under a restricted delegation.
The ATIP Coordinator works with the Executive Director’s Office, Legal Services and the Review Directorate to meet requirements of the ATIP program.
The ATIP Coordinator is a member of the Corporate Services Directorate and trained in ATIP legislation and review.
Delegation Order
Pursuant to subsection 73 of the Privacy Act, the Executive Director of NSIRA has the duty to exercise full authorities under the Privacy Act legislation and regulations.
The Executive Director also designated the person holding the position or acting in the position of the ATIP Coordinator with delegation of specific sections and subsections (see Appendix A).
Highlights of the 2020-21 statistical report
This report is an accounting of NSIRA’s activities related to the administration of the Privacy Act in the 2020–21 fiscal year. NSIRA’s 2020-21 statistical report on the Privacy Act, from which the data in this report is derived, is provided in Appendix B.
Privacy Act requests
NSIRA received four new requests under the Privacy Act during the reporting period. Of those requests, three were closed within 30 days and one was closed between 61 and 120 days, representing 75% closed within legislated timelines. The request that needed an extension required NSIRA to consult with another Government of Canada department.
The following table shows that 100% of requests under the Privacy Act, where records existed, were disclosed in part.
Consultation requests
NSIRA did not received any requests for consultation under the Privacy Act during the reporting period.
Pandemic impacts
In March 2020, NSIRA implemented exceptional workplace measures to curb the spread of COVID-19 and to protect federal employees and the public. These measures have limited NSIRA’s access to a secure office space, as well as access to the facilities and information of the departments and agencies it reviews, delaying the completion of one Privacy Act request.
Training and awareness
During the reporting period, one employee participated in a specialized training session concerning responsibilities relating to access to information and privacy. Guidance to employees and managers on access to information matters was provided on an ad hoc basis (e.g., in person, by email and through NSIRA’s electronic newsletter).
Privacy policies, guidelines, procedures and initiatives
During the reporting period, NSIRA did not implement any new institution-specific policies, guidelines, procedures or initiatives related to the Privacy Act requirements. However, management is committed to implementing a policy, procedures and guidelines to support NSIRA and its employees in meeting their Privacy obligations.
Complaints and investigations
Over the period covered by this report, the Privacy Commissioner of Canada did not receive any complaints against NSIRA under the Privacy Act, nor did the Privacy Commissioner undertake any audit or investigation of NSIRA.
Monitoring processing time
Request processing time is monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to a Privacy Act request appear to be at risk.
Material Privacy Breaches
In March 2021, NSIRA was the victim of a cyber attack on its public-facing network. The resulting network breach was reported to the Office of the Privacy Commissioner (OPC) and the Treasury Board Secretariat (TBS). Consistent with the Privacy Act, TBS requirements and advice from the OPC, the affected individuals were notified of the breach and how it could affect them.
Privacy Impact Assessments
Over the fiscal year, NSIRA continued to work toward completing a privacy impact assessment (PIA) of its activities. Due to COVID-19 restrictions, the PIA was not completed by March 31, 2021, as previously communicated. NSIRA has since hired a consultant to complete the PIA and begun to implement preliminary recommendations.
NSIRA also intends to conduct a PIA with respect to material revisions made to its complaints investigation service line.
Public Interest Disclosures
No disclosures were made under paragraph 8(2)(m) of the Privacy Act during this reporting period.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2020–21 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2019-04-01 – 2020-03-31
Section 1: Request Under the Privacy Act
1.1 Number of Requests
| Number of Requests | |
|---|---|
| Received during reporting period | 4 |
| Outstanding from previous reporting period | 0 |
| Total | 4 |
| Closed during reporting period | 0 |
| Carried over to next reporting period | 0 |
Section 2: Requests Closed During the Reporting Period
2.1 Disposition and completion time
| Disposition of Requests | Completion Time | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 1 | 0 | 1 | 0 | 0 | 0 | 2 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
| Request transferred | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Decline to act with the approval of the Information Commisioner | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 3 | 0 | 1 | 0 | 0 | 0 | 4 |
2.2 Exemption
| Section | Numbers of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 0 |
| 19(1)(b) | 0 |
| 19(1)(c) | 0 |
| 19(1)(d) | 0 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 0 |
| 21 | 1 |
| 22(1)(a)(i) | 0 |
| 22(1)(a)(ii) | 0 |
| 22(1)(a)(iii) | 0 |
| 22(1)(b) | 1 |
| 22(1)(c) | 0 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 0 |
| 22.4 | 0 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 1 |
| 26 | 1 |
| 27 | 1 |
| 27.1 | 0 |
| 28 | 0 |
2.3 Exclusions
| Section | Numbers of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
2.4 Format of information released
| Paper | Electronic | Other |
|---|---|---|
| 1 | 1 | 0 |
2.5 Complexity
3.5.1 Relevant pages processed and disclosed
| Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|
| 146 | 135 | 2 |
2.5.2 Relevant pages processed and disclosed by size of requests
| Disposition | Less Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 1 | 1 | 134 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 1 | 1 | 134 | 0 | 0 | 0 | 0 | 0 | 0 |
2.5.3 Other complexities
| Disposition | Consultation Required | Assessment of Fees | Legal Advice Sought | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1 | 0 | 0 | 0 | 1 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 0 | 0 | 0 | 1 |
2.6 Closed Requests
2.6.1 Number of requests closed within legislated timelines
| Requests closed within legislated timelines | |
|---|---|
| Number of requests closed within legislated timelines | 3 |
| Percentage of requests closed within legislated timelines (%) | 75 |
2.7 Deemed refusals
2.7.1 Reasons for not meeting legislated timelines
| Number of Requests Closed Past the Legislated Timelines | Principal Reason | |||
|---|---|---|---|---|
| Interference with Operations/Workload | External Consultation | Internal Consultation | Other | |
| 1 | 0 | 1 | 0 | 0 |
2.7.2 Requests closed beyond legislated timelines (including any extension taken)
| Number of Days Past Legislated Timelines | Number of Requests Past Legislated Timeline Where No Extension Was Taken | Number of Requests Past Legislated Timeline Where an Extension Was Taken | Total |
|---|---|---|---|
| 1 to 15 Days | 0 | 0 | 0 |
| 16 to 30 Days | 0 | 0 | 0 |
| 31 to 60 Days | 0 | 1 | 1 |
| 61 to 120 Days | 0 | 0 | 0 |
| 121 to 180 Days | 0 | 0 | 0 |
| 181 to 365 Days | 0 | 0 | 0 |
| More than 365 Days | 0 | 0 | 0 |
| Total | 0 | 1 | 1 |
2.8 Requests for translation
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Section 3: Disclosures Under Subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Section 4: Requests for Correction of Personal Information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 0 |
| Total | 0 |
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
| Disposition of Requests Where an Extension Was taken | 9(1)(a) Interference With Operations | 9(1)(b) Consultation | 9(1)(c) Third-Party Notice | |
|---|---|---|---|---|
| Section 69 | Other | |||
| All disclosed | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
5.2 Length of extensions
| Number of requests where an extension was taken | 15(a)(i) Interference with operations | 15(a)(iii) Consultations | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidence Section (Section 70) | External | Internal | ||
| 1 to 15 days | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 days | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
| 31 days or greater | 0 | |||||||
| Total | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
Section 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during reporting period | 0 | 0 | 0 | 0 |
| Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 |
| Closed during the reporting period | 0 | 0 | 0 | 0 |
| Carried over to next reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of Days Required to Complete Consultation Requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 Days | 16 to 30 Days | 31 to 60 Days | 61 to 120 Days | 121 to 180 Days | 181 to 365 Days | More Than 365 Days | Total | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
| Number of Days | Less Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of Days | Less Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More Than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Section 8: Complaints and investigations
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 |
Section 9: Privacy Impact Assessments (PIA) and Personal Information Banks (PIB)
9.1 Privacy Impact Assessments
| Number of PIA(s) completed |
|---|
| 0 |
9.2 Personal Information Banks
| Personal Information Banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 |
Section 10: Material Privacy Breaches
| Number of material privacy breaches reported to TBS | Number of material privacy breaches reported to OPC |
|---|---|
| 0 | 0 |
Section 11: Resources Related to the Privacy Act
11.1 Costs
| Expenditures | Amount |
|---|---|
| Salaries | $24,082 |
| Overtime | $0 |
| Goods and Services | $0 |
| Professional services contracts | $0 |
| Other | $0 |
| Total | $24,082 |
11.2 Human Resources
| Resources | Person Years Dedicated to Access to Information Activities |
|---|---|
| Full-time employees | 0.300 |
| Part-time and casual employees | 0.000 |
| Regional Staff | 0.000 |
| Consultants and agency personnel | 0.000 |
| Students | 0.000 |
| Total | 0.300 |
Note: Enter values to three decimal places.
