The Social Sciences and Humanities Research Council (SSHRC) is a federal agency that promotes and supports research and research training in the social sciences and humanities.
SSHRC is pleased to provide its annual report on the administration of the Privacy Act, as required by section 72 of the Act. Annual Reports are tabled in Parliament in accordance with this same section of the Act.
The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to that information.
Administration of the Privacy Act
At SSHRC, processing requests under the Privacy Act and providing advice and support on matters pertaining to the legislation is the responsibility of the manager, Access to Information and Privacy (ATIP) and Corporate Operations. The ATIP office is located within SSHRC’s Corporate Strategy and Performance Division and the manager, ATIP and Corporate Operations reports to its executive director. Both formal and complex informal requests are routed through the ATIP office, which holds records of all privacy requests received within the last two years. During the period covered by this report, the manager, ATIP and Corporate Operations spent, on average, one-and-a-half days per week administering the requests (formal and informal) and the various Treasury Board requirements related to the Privacy Act.
As part of its duties under the Privacy Act, SSHRC ensures that written notices are provided to SSHRC applicants, external reviewers, referees, merit review committee members and observers advising them of their rights and responsibilities under the Act as well as how the information they access and/or supply is treated and protected in accordance with the legislation. These notices appear in program guides, in SSHRC’s online application and grants management systems, and in other pertinent material provided throughout the application and review process. Information pertaining to the protection and disclosure of personal information can also be found on SSHRC’s website, for both Grants and Fellowships and Scholarships.
In addition, merit review committee members, external reviewers and observers are advised of their responsibilities in relation to the Privacy Act and are required to sign a conflict of interest and confidentiality agreement to ensure that the material supplied and used throughout the review process is maintained in strict confidence at all times.
When advice on the administration of the Act is required, it is sought from one or several of the following: the Treasury Board of Canada Secretariat, Department of Justice legal counsel, the Office of the Information Commissioner of Canada (OIC), SSHRC’s ATIP consultant and other federal government ATIP offices.
Privacy Act Delegation Order
A copy of SSHRC’s delegation order for the Privacy Act is attached. The order—with the exception of paragraphs 8(2)(e) and 8(2)(m), which are reserved for the president, executive vice-president, and executive director, Corporate Strategy and Performance—states that the persons holding the positions of executive vice-president; executive director, Corporate Strategy and Performance; and manager, ATIP and Corporate Operations, are designated to exercise or perform all of the powers, duties and functions of the head of a government institution under the Act insofar as they may be exercised or performed in relation to SSHRC.
Statistical Report for Fiscal Year 2014-2015
The statistical report for the period of April 1, 2014 to March 31, 2015 is appended.
Four formal requests were received during the reporting period. This is a higher number than 2013-2014, in which zero formal requests were received; somewhat of an anomaly for SSHRC. It is also slightly higher than the average of three formal requests per year over the last four fiscal years.
Formal Requests Received
Of the requests closed during the reporting period, three requests were processed in less than 15 days and one request was processed in 31 to 60 days. In one case, no records responsive to the request were located. The remaining three requests were disclosed in part in electronic format.
Nine informal requests for access to personal information were received and processed by the ATIP office over the course of the fiscal year. SSHRC normally receives a higher number of informal requests compared to the number of formal requests. No consultations from other government institutions or organizations were received by SSHRC in the fiscal year.
Education and Training
Throughout the year, staff and management are reminded and encouraged to consult the ATIP office on any issues that might affect the implementation of the Act when and where appropriate.
The manager, ATIP and Corporate Operations delivered, during 2014-2015, two training sessions to approximately 32 staff members. One session was provided to the Chairs Secretariat, a tri-agency group housed within SSHRC composed of SSHRC, Natural Sciences and Engineering Council (NSERC) and Canadian Institutes of Health Research (CIHR) employees. The other session was the annual training opportunity open to all SSHRC staff. The sessions covered the principles of privacy legislation, key concepts and definitions, SSHRC’s procedures for processing both formal and informal requests, and procedures for the collection, use, security, preservation and disposal of personal information under SSHRC’s custody and control.
SSHRC’S New or Revised Policies, Guidelines and Procedures Related to Privacy
SSHRC began using Access Pro software (a case management and redaction tool) as of April 1, 2014. This software was used to process all requests under the Privacy Act received in the fiscal year.
Over the course of the fiscal year, SSHRC initiated and completed a privacy protocol for its Achievement Reporting (AR) project. Generally, a privacy protocol guides best practices for the handling of personal information for non-administrative purposes (no decision making component). Unlike a privacy impact assessment (PIA), a privacy protocol does not include a scaled-risk assessment but examines the proposed privacy practices of a program or initiative against the 10 principles for privacy protection established by the Canadian Standards Association.
Prior to this effort, SSHRC had not yet developed a general privacy protocol to be leveraged for initiatives such as AR. The purpose of the AR privacy protocol is therefore to assess SSHRC’s personal information practices and the business processes involving a new set of data collection tools branded as Achievement Reports. These reports will facilitate an increased focus on the results and impacts of SSHRC funding. The AR Privacy Protocol outlines the commitment to adhere to the identified privacy protection principles and related strategies for the collection, use, disclosure, retention and disposal of personal information.
SSHRC’s 2014 Info Source update was published in January 2015. In accordance with the Info Source Decentralized Publication Requirements, the chapter aligns with SSHRC’s 2014-2015 Program Alignment Architecture (PAA). Several substantive improvements to the chapter were made, both in response to feedback from TBS on the 2013 publication and based on SSHRC’s own review of the material. Several SSHRC-specific classes of records were updated, one standard Personal Information Bank that had been deregistered was removed and the following sections were added: Manuals, Additional Information and Reading Room. SSHRC will update its Info Source chapter, as needed, in order to ensure continued harmonization with the agency’s PAA and to confirm the accuracy and clarity of information.
SSHRC also continues to use and be guided by the joint Natural Sciences and Engineering Research Council (NSERC) and SSHRC Privacy and Security Breach Protocol, in effect since 2013, which provides the agencies with a clear and established process for responding to privacy incidents and/or breaches.
Complaints and Investigations
No complaints with respect to requests under the Privacy Act were filed with the Office of the Privacy Commissioner of Canada during the fiscal year 2014-2015.
Monitoring Processing Times
The executive director, Corporate Strategy and Performance was regularly kept apprised (normally on a weekly basis) by the manager, ATIP and Corporate Operations of all matters and developments pertaining to requests, including processing time, consultations undertaken and any necessary extensions. The transition to the use of Access Pro software greatly facilitated the ATIP office’s ability to monitor the time to process and respond to requests.
Material Privacy Breaches
No material privacy breaches occurred during the reporting period.
Privacy Impact Assessments
In the 2014-2015 fiscal year, SSHRC and NSERC (the agencies) jointly coordinated a PIA of the Research Portal and Microsoft Dynamics CRM platform for the management of grants and awards. The transition to the Research Portal and CRM technology platform is intended to modernize and replace existing technology and improve the agencies’ grant and award management systems.
The PIA was conducted to develop an informed assessment of the privacy risks associated with the use of the Research Portal and CRM and to provide recommendations to mitigate identified privacy risks to an acceptable level. While the majority of the work for the PIA was carried out in 2014-2015, the PIA was not formally approved until April 2015. It will therefore be reported on fully in next year’s statistical and annual reports.
Disclosures Under Subsection 8(2) of the Privacy Act
During the reporting period SSHRC made no disclosures pursuant to paragraph 8(2)(m) of the Act, which pertains to disclosures of personal information in instances where there is a public interest in the disclosure or where disclosure would benefit the individual involved.