Annual report on the administration of the Privacy Act
April 1, 2015 to March 31, 2016

Introduction

The Social Sciences and Humanities Research Council (SSHRC) is a federal agency that promotes and supports research and research training in the social sciences and humanities.

SSHRC is pleased to provide its annual report on the administration of the Privacy Act, as required by section 72 of the Act. Annual Reports are tabled in Parliament in accordance with this same section of the Act.

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to that information.

Administration of the Privacy Act

At SSHRC, processing requests under the Privacy Act and providing advice and support on matters pertaining to the legislation is the responsibility of the manager, Access to Information and Privacy (ATIP) and Corporate Operations. The ATIP office is located within SSHRC’s Corporate Strategy and Performance Division and the manager, ATIP and Corporate Operations reports to its executive director. Both formal and complex informal requests are routed through the ATIP office, which holds records of all privacy requests received within the last two years. During the period covered by this report, the manager, ATIP and Corporate Operations spent, on average, one-and-a-half days per week administering the requests (formal and informal) and the various Treasury Board requirements related to the Privacy Act

As part of its duties under the Privacy Act, SSHRC ensures that written notices are provided to SSHRC applicants, external reviewers, referees, merit review committee members and observers advising them of their rights and responsibilities under the Act as well as how the information they access and/or supply is treated and protected in accordance with the legislation. These notices appear in program guides, in SSHRC’s online application and grants management systems, in the SSHRC Manual for Adjudication Committee Members, and in other pertinent material provided throughout the application and review process. Information pertaining to the protection and disclosure of personal information can also be found on SSHRC’s website, for both Grants and Fellowships and Scholarships.

In addition, merit review committee members, external reviewers and observers are advised of their responsibilities in relation to the Privacy Act and are required to sign a conflict of interest and confidentiality agreement to ensure that the material supplied and used throughout the review process is maintained in strict confidence at all times.

SSHRC’s president and senior management are kept informed of key decisions and developments in the administration and implementation of the Act, as appropriate. The ATIP Office provides a monthly report to the Executive Director of Corporate Strategy and Performance and to the Executive Vice-President, Corporate Affairs.  This monthly report enumerates current formal or informal requests under the Privacy Act, describes any privacy breaches and mitigation measures, and any complaints to the Office of the Privacy Commissioner.

When advice on the administration of the Act is required, it is sought from one or several of the following: the Treasury Board of Canada Secretariat, Department of Justice legal counsel, the Office of the Information Commissioner of Canada (OIC), SSHRC’s ATIP consultant and other federal government ATIP offices.

Privacy Act Delegation Order

A copy of SSHRC’s delegation order for the Privacy Act is attached. The order—with the exception of paragraphs 8(2)(e) and 8(2)(m), which are reserved for the president, executive vice-president, and executive director, Corporate Strategy and Performance—states that the persons holding the positions of executive vice-president; executive director, Corporate Strategy and Performance; and manager, ATIP and Corporate Operations, are designated to exercise or perform all of the powers, duties and functions of the head of a government institution under the Act insofar as they may be exercised or performed in relation to SSHRC.

Statistical Report for Fiscal Year 2015-2016

The statistical report for the period of April 1, 2015 to March 31, 2016 is appended.

Two formal requests were received during the reporting period. This is a lower number than 2014-2015, in which four formal requests were received. It is also slightly lower than the average of four formal requests per year over the last four fiscal years.

Formal Requests Received
2010-2011 2011-2012 2012-2013 2013-2014 2014-2015
Formal Requests 2 3 8 0 4

Of the requests closed during the reporting period, one request was processed in less than 15 days and in the other case, no records responsive to the request were located. The records relating to the one request were disclosed in part in electronic format.

Nine informal requests for access to personal information were received and processed by the ATIP office over the course of the fiscal year. SSHRC normally receives a higher number of informal requests compared to the number of formal requests. No consultations from other government institutions or organizations were received by SSHRC in the fiscal year.

Education and Training

Throughout the year, staff and management are reminded and encouraged to consult the ATIP office on any issues that might affect the implementation of the Act when and where appropriate.

The manager, ATIP and Corporate Operations delivered, during 2015-2016, one training session to approximately 15 staff members (the annual learning/training opportunity open to all SSHRC staff). The session covered the principles of privacy legislation, key concepts and definitions, SSHRC’s procedures for processing both formal and informal requests, and procedures for the collection, use, security, preservation and disposal of personal information under SSHRC’s custody and control. The ATIP office also jointly developed a “10 Things You Need to Know” learning session about privacy and security breaches with the Corporate Security Office. The presentation, given by the manager, ATIP and Corporate Operations and the Departmental Security Officer,  was attended by approximately 60 SSHRC staff.

SSHRC’S New or Revised Policies, Guidelines and Procedures Related to Privacy

SSHRC’s ATIP staff have worked with staff in Programs to develop text relating to protection of privacy and access to personal information in numerous memorandums of understanding, especially in relation to joint-funding initiatives.  This is resulting in a standardized text that outlines roles and responsibilities for both providing appropriate safeguards in place for personal information and addressing access to personal information requests.

SSHRC staff, in collaboration with the Natural Sciences and Engineering Research Council (NSERC), have also developed a privacy breach flowchart that effectively represents the steps and process for responding to a privacy breach. This flowchart support the Privacy/Security Breach Protocol that was approved in 2013.  This Protocol provides the agencies with a clear and established process for responding to privacy incidents and/or breaches.

SSHRC’s 2015 Info Source update was published in March 2016. In accordance with the Info Source Decentralized Publication Requirements, the chapter aligns with SSHRC’s 2015-2016 Program Alignment Architecture (PAA). Several substantive improvements to the chapter were made, based on SSHRC’s own review of the material.  Specifically, SSHRC updated its Personal Information Bank for Grants and Awards Management (SSHRC PPU 0055) to include personal information collected in SSHRC’s updated Achievement Reports and specific instances where SSHRC shares personal information with government organizations that are jointly funding SSHRC researchers. SSHRC is launching a two-year project to update its Info Source chapter and PIBs.  This project will ensure complete transparency in how SSHRC collects, uses and discloses personal information.

Complaints and Investigations

No complaints with respect to requests under the Privacy Act were filed with the Office of the Privacy Commissioner of Canada during the fiscal year 2015-2016. 

Monitoring Processing Times

The executive director, Corporate Strategy and Performance was regularly kept apprised (normally on a weekly basis) by the manager, ATIP and Corporate Operations of all matters and developments pertaining to requests, including processing time, consultations undertaken and any necessary extensions. The transition to the use of Access Pro software greatly facilitated the ATIP office’s ability to monitor the time to process and respond to requests.

Material Privacy Breaches

No material privacy breaches occurred during the reporting period.

Privacy Impact Assessments

In the 2015-2016 fiscal year, SSHRC and NSERC (the agencies)  formally completed the PIA of the Research Portal and Microsoft Dynamics CRM 1.0 platform for the management of grants and awards. The transition to the Research Portal and CRM technology platform is intended to modernize and replace existing technology and improve the agencies’ grant and award management systems.

The PIA was conducted to develop an informed assessment of the privacy risks associated with the use of the Research Portal and CRM and to provide recommendations to mitigate identified privacy risks to an acceptable level. An Action Plan was developed and approved to address the risks highlighted by this PIA. The PIA Action Plan recommended seven follow-up activities be undertaken, four of which have been completed and the remaining three (relating to employee training, document disposition, and revisions to a Memorandum of Understanding that allows Common Administrative Services to share information) are underway.

SSHRC also created a Privacy Impact Assessment section on its public website to publish a summary and highlights of the PIA.

Disclosures Under Subsection 8(2) of the Privacy Act

During the reporting period SSHRC made no disclosures pursuant to paragraph 8(2)(m) of the Act, which pertains to disclosures of personal information in instances where there is a public interest in the disclosure or where disclosure would benefit the individual involved.