The Social Sciences and Humanities Research Council (SSHRC) is a federal agency that promotes and supports research and research training in the social sciences and humanities.
SSHRC is pleased to provide its annual report on the administration of the Privacy Act, as required by section 72 of the act. Annual reports are tabled in Parliament in accordance with this same section of the act.
The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to that information.
Administration of the Privacy Act
At SSHRC, processing requests under the Privacy Act and providing advice and support on matters pertaining to the legislation is the responsibility of the manager, Access to Information and Privacy (ATIP) and Corporate Operations. The ATIP office is located within SSHRC’s Corporate Strategy and Performance Division and the manager, ATIP and Corporate Operations, reports to its Executive Director. Both formal and complex informal requests are routed through the ATIP office, which holds records of all privacy requests received within the last two years. During the period covered by this report, the manager, ATIP and Corporate Operations spent, on average, one day per week administering the requests (formal and informal) and the various Treasury Board requirements related to the Privacy Act.
As part of its duties under the Privacy Act, SSHRC ensures that written notices are provided to SSHRC applicants, external reviewers, referees, merit review committee members and observers advising them of their rights and responsibilities under the act as well as how the information they access and/or supply is treated and protected in accordance with the legislation. These notices appear in program guides, in SSHRC’s online application and grants management systems, in the SSHRC Manual for Adjudication Committee Members, and in other pertinent material provided throughout the application and review process. Information pertaining to the protection and disclosure of personal information can also be found on SSHRC’s website, for both Grants and Fellowships and Scholarships.
In addition, merit review committee members, external reviewers and observers are advised of their responsibilities in relation to the Privacy Act and are required to sign a conflict of interest and confidentiality agreement to ensure that the material supplied and used throughout the review process is maintained in strict confidence at all times.
SSHRC’s president and senior management are kept informed of key decisions and developments in the administration and implementation of the act, as appropriate. The ATIP office provides a monthly report to the executive director, Corporate Strategy and Performance, and to the executive vice-president, Corporate Affairs. This monthly report enumerates current formal or informal requests under the Privacy Act, describes any privacy breaches and mitigation measures, and any complaints to the Office of the Privacy Commissioner.
When advice on the administration of the act is required, it is sought from one or several of the following: the Treasury Board of Canada Secretariat, Department of Justice legal counsel, the Office of the Privacy Commissioner (OPC), SSHRC’s ATIP consultant and other federal government ATIP offices.
Privacy Act Delegation Order
A copy of SSHRC’s delegation order for the Privacy Act is attached. The order—with the exception of paragraphs 8(2)(e) and 8(2)(m), which are reserved for the President, Executive Vice-president, and the Executive Director, Corporate Strategy and Performance—states that the persons holding the positions of Executive Vice-President; Executive Director, Corporate Strategy and Performance; and Manager, ATIP and Corporate Operations, are designated to exercise or perform all of the powers, duties and functions of the head of a government institution under the act, insofar as they may be exercised or performed in relation to SSHRC.
Statistical Report for Fiscal Year 2015-2016
The statistical report for the period of April 1, 2016 to March 31, 2017 is appended.
Two formal requests were received during the reporting period. This the same number as was received in 2015-2016. It is also slightly lower than the average of four formal requests per year over the last four fiscal years.
No requests were closed during the reporting period.
Four informal requests for access to personal information were received and processed by the ATIP office over the course of the fiscal year. SSHRC normally receives a higher number of informal requests compared to the number of formal requests. No consultations from other government institutions or organizations were received by SSHRC in the fiscal year.
Education and Training
Throughout the year, staff and management are reminded and encouraged to consult the ATIP office on any issues that might affect the implementation of the act when and where appropriate.
During 2016-17, the manager, ATIP and Corporate Operations delivered the standing annual training session open to all SSHRC staff. In addition, an extra open session was attended by approximately 10 staff. There was also a training session delivered to SSHRC’s management team with approximately 20 attendees. These sessions covered the principles of the privacy legislation, key concepts and definitions, SSHRC’s procedures for processing both formal and informal privacy requests, and employee responsibilities with respect to the act. SSHRC has added the in-house training session to the Management Accreditation Roadmap for 2017-18.
SSHRC’S New or Revised Policies, Guidelines and Procedures Related to Privacy
No new or revised access to information policies or guidelines were formally implemented during this past fiscal year. SSHRC’s ATIP staff have worked with staff in Research Programs to develop text relating to privacy in numerous memorandums of understanding, especially in relation to joint-funding initiatives.
SSHRC’s ATIP office, in collaboration with NSERC’s Corporate Secretariat, developed a set of best practices for the use of personal information in the testing and training of IT Platforms. These were circulated to senior management in both agencies to document the consistent use of personal information in ensuring that the ability of platforms (such as CRM) can support the agencies’ daily operations, but also to highlight the importance of safeguards for the use of personal information in staff training (such as using manufactured data when creating training resources that can be circulated broadly).
SSHRC is launching a two-year project to update its Info Source chapter and PIBs. This project will ensure complete transparency in how SSHRC collects, uses and discloses personal information.
Complaints and Investigations
One complaint with respect to the Privacy Act was filed with the Office of the Privacy Commissioner of Canada during the fiscal year 2015-2016. The complaint concerned the handling of personal information. SSHRC provided representations to the OPC concerning the complaint. The complaint investigation is ongoing.
Monitoring Processing Times
The executive director, Corporate Strategy and Performance, was regularly kept apprised (normally on a weekly basis) by the manager, ATIP and Corporate Operations of all matters and developments pertaining to requests, including processing time, consultations undertaken and any necessary extensions.
Material Privacy Breaches
No material privacy breaches occurred during the reporting period.
Privacy Impact Assessments
SSHRC did not complete any privacy impact assessments (PIAs) in the 2016-17 fiscal year.
Disclosures Under Subsection 8(2) of the Privacy Act
During the reporting period SSHRC made no disclosures pursuant to paragraph 8(2)(m) of the act, which pertains to disclosures of personal information in instances where there is a public interest in the disclosure or where disclosure would benefit the individual involved.