Annual Report on the Administration of the Privacy Act
April 1, 2019 to March 31, 2020
Introduction
The Social Sciences and Humanities Research Council (SSHRC) is the federal agency that promotes and supports research and research training in the social sciences and humanities.
SSHRC is pleased to provide its annual report on the administration of the Privacy Act, as required by section 72 of the Act. Annual reports are tabled in Parliament in accordance with this same section of the Act.
The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to that information.
Administration of the Privacy Act
At SSHRC, the manager, Access to Information and Privacy (ATIP) and Corporate Operations, is responsible for processing requests under the Privacy Act and providing advice and support on matters pertaining to the legislation. The manager is supported by a policy analyst and a half-time ATIP officer. The ATIP office is located within SSHRC’s Corporate Strategy and Performance Division and the manager reports to its executive director. During the period covered by this report, the ATIP officer spent approximately half a day per week and the manager, ATIP and Corporate Operations and the policy analyst each spent approximately one and a half days per week processing requests and administering the various Treasury Board of Canada Secretariat (TBS) requirements related to the Act.
All formal requests and complex informal requests are handled by the ATIP office. Other SSHRC divisions may respond to informal requests for information, as appropriate. The ATIP office holds full records of all Privacy Act requests received within the last two years.
As part of its duties under the Privacy Act, SSHRC ensures that written notices are provided to SSHRC applicants, external reviewers, referees, merit review committee members and observers, advising them of their rights and responsibilities under the Act, as well as how the information they access and/or supply is treated and protected in accordance with the legislation. These notices appear in program guides, in SSHRC’s online application and grants management systems, in the SSHRC Manual for Adjudication Committee Members, and in other pertinent material provided throughout the application and review process. Information about the protection and disclosure of personal information for both grants and fellowships and scholarships can also be found on SSHRC’s website.
In 2019-20, SSHRC’s ATIP office continued to update its privacy management infrastructure and began consultations on its draft privacy management framework and privacy protocol.
In addition, merit review committee members, external reviewers and observers are advised of their responsibilities in relation to the Privacy Act and are required to sign a conflict of interest and confidentiality agreement to ensure that the material supplied and used throughout the review process is maintained in strict confidence at all times.
SSHRC’s president and senior management are kept informed of key decisions and developments in the administration and implementation of the Act, as appropriate. The ATIP office provides regular reports to the executive director, Corporate Strategy and Performance, who updates the executive vice-president, Corporate Affairs, who then briefs the president as needed.
When advice on the administration of the Act is required, it is sought from one or several of the following: the TBS, Department of Justice legal counsel, the Office of the Privacy Commissioner of Canada (OPC), SSHRC’s ATIP consultant and other federal government ATIP offices.
Privacy Act Delegation Order
The current delegation order was approved on March 1, 2015. The order states that the persons holding the following positions are designated to exercise or perform all of the powers, duties and functions of the head of a government institution under the Act insofar as they may be exercised or performed in relation to SSHRC:
- executive vice-president, Corporate Affairs
- executive director, Corporate Strategy and Performance
- manager, ATIP and Corporate Operations.
Exceptions are paragraphs 8(2)(e) and 8(2)(m), which are reserved for the president and the executive vice-president.
Statistical Report for Fiscal Year 2019-20
SSHRC received 10 formal requests during the reporting period, compared to 15 in the previous fiscal year.
SSHRC closed 10 requests during the reporting period. Two requests from 2019-20 were carried over to fiscal year 2020-21 to be closed in that fiscal year.
The ATIP office processed two informal requests for access to personal information over the course of the fiscal year. SSHRC now receives more formal requests than informal requests, a reversal of the previous trend.
Of the 10 requests closed during the reporting period, SSHRC processed four within 16 to 30 days, five were completed in 31 to 60 days, and one request was processed in 61 to 120 days. This year, no requests were closed within the first 30 days, but 90% were closed within their legislated deadlines, including extensions as allowed under the Act. Most requests related to students’ applications for scholarships and fellowships, which require consultations with referees’ institutions and therefore need a legal extension beyond the first 30 days.
Of the 10 requests closed, nine had responsive documents, all of which were disclosed in electronic format.
The statistics show that very few exemptions were applied in the 2019-20 fiscal year. Exempting provisions used multiple times within one request are reported only once per request. SSHRC employed section 26 in nine requests.
In one case, no records responsive to the request were located.
SSHRC received no consultations from other government institutions or organizations in the fiscal year.
Education and Training
Throughout the year, staff and management are reminded and encouraged to consult the ATIP office on any issues that might affect the implementation of the Act when and where appropriate.
During 2019-20, the manager, ATIP and Corporate Operations, provided training sessions to approximately 10 staff members. This session covers the principles of the privacy legislation, key concepts and definitions, SSHRC’s procedures for processing both formal and informal privacy requests, and employee responsibilities with respect to the Act. The session is part of SSHRC’s in-house training session to the Management Accreditation Roadmap.
SSHRC created and delivered formal training courses for staff members who require either direct access to or analyze sensitive personal information. The training responds to the SSHRC, Natural Sciences and Engineering Research Council (NSERC) and Canadian Institutes of Health Research (CIHR) joint initiative to collect equity, diversity and inclusion data for all applicants, co-applicants, collaborators and committee members. In total, the SSHRC ATIP team conducted sessions during which 42 SSHRC staff were trained. The initiative continues in the 2020-21 fiscal year, as required.
SSHRC’s New or Revised Policies, Guidelines and Procedures Related to Privacy
SSHRC’s ATIP staff have worked with staff in the Research Programs Directorate to develop and enhance text relating to privacy in many memorandums of understanding, especially in relation to joint-funding initiatives.
SSHRC began consultations on its draft privacy protocol and privacy management framework, which it plans to jointly implement with NSERC in the 2020-21 fiscal year.
SSHRC implemented changes to its privacy breach procedure to ensure faster closure of files and communication with affected parties. Breaches with a low- to medium-risk/impact are now reported to the executive director, Corporate Strategy and Performance, rather than to the executive vice-president, Corporate Affairs. The changes better align with the TBS ATIP Privacy Breach Management Tools and NSERC’s ATIP procedures, an important consideration given that the two agencies share a privacy breach protocol. SSHRC also implemented a service standard of 30 days for material and high-risk privacy breaches and 60 days for low- and medium-risk privacy breaches.
Complaints and Investigations
Four complaints were filed with the Office of the Privacy Commissioner of Canada (OPC) during 2019-20. One related to exemptions, while the other three were of a miscellaneous nature.
In 2019-20, SSHRC provided the OPC with representations for five complaints and received findings for three complaints: all three were not well founded. Two investigations were ongoing at the end of the fiscal year.
SSHRC experienced no court challenges related to privacy during the reporting period.
SSHRC experienced no audits relating the administration of ATIP legislation during the reporting period.
Monitoring Processing Times
The executive director, Corporate Strategy and Performance, was regularly kept apprised (normally on a weekly basis) by the Manager, ATIP and Corporate Operations, of all matters and developments pertaining to requests, including processing time, consultations undertaken and any necessary extensions.
Material Privacy Breaches
One material privacy breach was reported to the OPC and TBS and closed during the reporting period. The material privacy breach was due to a committee member’s breach of the Conflict of Interest and Confidentiality Policy of the Federal Research Funding Organizations. Due to the material privacy breach, SSHRC updated its privacy breach procedure to ensure it responds to all material privacy breaches within a 30-day timeline, as explained in the New or Revised Policies, Guidelines and Procedures Related to Privacy section above.
Privacy Impact Assessments
SSHRC launched two privacy impact assessments (PIAs) in the 2019-20 fiscal year, one for the Convergence application system and one for the New Frontiers in Research Fund.
Disclosures Under Subsection 8(2) of the Privacy Act
During the reporting period SSHRC made no disclosures pursuant to paragraph 8(2)(m) of the Act, which pertains to disclosures of personal information in instances where there is a public interest in the disclosure or where disclosure would benefit the individual involved.
- Date modified: