Administration of the Privacy Act Annual Report
April 1, 2020 to March 31, 2021
Introduction
This report is prepared in accordance with section 72 of the Privacy Act and is tabled in Parliament by the Minister of Health in accordance with the aforementioned section. It describes how the Canadian Institutes of Health Research (CIHR) fulfilled its responsibilities under the Act during the fiscal year beginning April 1, 2020 and ending March 31, 2021.
The Privacy Act provides citizens with the legislated right to access personal information held by the government, subject to certain limitations and specific exemptions, and protection of that information against unauthorized use and disclosure
CIHR was created in 2000 under the authority of the CIHR Act as the Government of Canada’s health research investment agency. The mandate of CIHR as stated in the Act is:
To excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health care system.
CIHR is the largest funder of health research in Canada. Composed of 13 “virtual” Institutes and three business portfolios, CIHR provides leadership and support to over 13,000 world-class researchers and trainees from all pillars of health research and from all regions of Canada.
Organizational Structure
CIHR is led by a President and a Governing Council comprised of up to 18 members appointed by Order-in-Council. The Governing Council sets the overall strategic direction and goals. It establishes Health Research Institutes and determines the mandate of each. As outlined in the legislation, the Governing Council is responsible for developing its strategic direction and goals; evaluating its performance, approving its budget; establishing a peer review process for research proposals submitted to CIHR; approving funding for research; approving other expenditures to carry out its objective; establishing policies; and dealing with any other matter that the Governing Council considers related to the affairs of CIHR.
The Access to Information and Privacy (ATIP) Office, part of the CIHR’s Strategic Policy Division, administers the provisions of the Access to Information Act and the Privacy Act for the CIHR and is accountable to the President of CIHR. The ATIP Compliance Office, which is comprised of 1 Senior ATIP Coordinator, 1 Senior ATIP Analyst and 1 Junior ATIP Officer, is responsible for the following activities:
- managing all response to both formal and information requests made under both Acts;
- developing policies, guidelines and procedures with respect to fulfilling the Agency’s legislative requirements of both acts;
- promoting awareness of both acts, delivering training, and providing advice and guidance to ensure that employees and management understand their roles and responsibilities;
- monitoring compliance with both acts;
- completing Privacy Impact Assessments (PIAs);
- coordinating reporting on privacy breaches;
- preparing annual reports for tabling; and,
- updating the CIHR Info Source chapter annually.
CIHR was not party to any service agreements under section 73.1 of the Privacy Act during the 2020-2021 reporting period.
Delegation of Authority
The President of CIHR, as designated Head of CIHR under the Privacy Act, exercises powers entrusted to the position by the Act, such as exemptions and exclusions.
In accordance with his authority under Section 73, the President has designated the Executive Vice-President; the Associate Vice-President, Government and External Relations; the Director General, Strategic Policy; the Senior Access to Information and Privacy (ATIP) Coordinator, the Senior ATIP Analyst and the Junior ATIP Officer to exercise his powers, duties or functions under the Act (See Appendix A - Delegation Order).
Highlights of the Statistical Report 2020-2021
-
Formal Requests
During the April 1, 2020 to March 31, 2021 reporting period, CIHR received six requests under the Privacy Act. One request was disclosed in full, three requests were disclosed in part and two requests resulted in no records (See Appendix B - Statistical Report). While the number of requests received over the past five years has fluctuated between zero and sixteen, this year represents an overall average number of privacy requests received. Since 2015-2016, CIHR has received 33 formal requests.
While CIHR receives only a small number of formal requests under the Act, it is worth noting that privacy issues permeate its programs and operations. This is not surprising given that CIHR collects and manages a great deal of personal information to adjudicate thousands of research grant and scholarship proposals, making merit-based awards based on peer review.
-
Informal Requests
In 2020-2021, it is estimated that CIHR responded to more than thirty informal requests. This is equal to the estimate for 2019-2020 and slightly higher than the 25 addressed in 2018-2019, as well as the volume of informal requests since 2015-2016, which averaged twenty two informal requests per year. This increase in the number of informal, internal Privacy requests may be linked to a strengthened presence and awareness of ATIP within CIHR. All of the informal requests received during the 2020-2021 reporting year came from employees related to the review of documents and interpretation of the Privacy Act. The ATIP Office is routinely asked to review corporate and project specific documents related to privacy issues prior to their release. These requests are not reflected in the statistical report in Appendix B.
-
Requests for Correction of Personal Information
During the 2020-2021 reporting period, CIHR received no requests for correction of personal information.
-
Consultations
During the 2020-2021 reporting period, the CIHR Access to Information and Privacy Office did not receive any consultation requests from external sources.
CIHR managers and staff sought and obtained advice from the ATIP Coordinator on a regular basis for matters where there were privacy considerations in their programs or activities.
-
Costs
During 2020–2021, the Access to Information and Privacy Office incurred $48,000 in salary costs to administer the Privacy Act. Owing to the difficulty of tracking all of the operational costs related to the administration of the Act, the costs and person year usage statistics are conservative estimates. Almost all costs are attributable to salary, and include fractions of the salaries of the directors, managers and employees who participated in work related to the Act.
Training Activities
During the 2020-2021 fiscal year, Access to Information and Privacy (ATIP) related training was provided to staff at all levels in five individual sessions. While most of these information sessions focused on privacy, there were nevertheless key concepts related to access to information and information management that were covered as well. These sessions were presented with a goal to enhance the knowledge, skills and perspectives of all employees, concerning Access to Information and Privacy. Remote work requirements in response to the
Covid19 pandemic impacted the way training could be offered and its frequency. Information Management and Technology tools have been developed to increase the resources available to offer more training in the 2021-2022 fiscal year. The ATIP Office continues to develop educational tools and deliver training sessions to CIHR staff.
The ATIP Coordinator attended the ATIP Coordinator and Practitioner Community meetings hosted by the Treasury Board Secretariat throughout the fiscal year, and also participated in online professional communities on GC Connex. These communities provide valuable information on trends and best practices within the ATIP community, updates on recent complaints and court cases, and tools to help improve service standards within the field.
Policies, Guidelines and Procedures
While there were no significant revisions to current access to information policies, guidelines or procedures, the CIHR implemented some new access to information processes for Privacy Impact Assessments, including a privacy compliance evaluation and a preliminary assessment process during the 2020-2021 reporting period.
Complaints and Investigations
The CIHR received no privacy complaints during the reporting period.
Monitoring Process
The ATIP Office monitors the time to process requests and administer the Access to Information Act through weekly verbal status reports and a weekly written status report is provided to the Health Minister’s Office for their information. Any issues of significant interest are discussed with the President and Communications department on an as needed basis.
Material Privacy Breaches
No material privacy breaches occurred during the reporting period.
Privacy Impact Assessments
CIHR initiated the undertaking of one new Privacy Impact Assessments during the reporting period, however the work will be carried over to the 2021-2022 fiscal year.
Public Interest Disclosures
CIHR did not make any public interest disclosures under Subsections 8(2) and 8(5) of the Privacy Act during the reporting period.
- Date modified: