Administration of the Privacy Act Annual Report
April 1, 2024 to March 31, 2025
Introduction
This report is prepared in accordance with section 72 of the Privacy Act and is tabled in Parliament by the Minister of Health in accordance with the aforementioned section. It describes how the Canadian Institutes of Health Research (CIHR) fulfilled its responsibilities under the Act during the fiscal year beginning April 1, 2024 and ending March 31, 2025.
The Privacy Act provides citizens with the legislated right to access personal information held by the government, subject to certain limitations and specific exemptions, and protection of that information against unauthorized use and disclosure.
CIHR was created in 2000 under the authority of the CIHR Act as the Government of Canada’s health research investment agency. The mandate of CIHR as stated in the Act is:
To excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health care system.
CIHR is the largest funder of health research in Canada. Composed of 13 “virtual” institutes and three business portfolios, CIHR provides leadership and support to over 15,000 world-class researchers and trainees from all pillars of health research and from all regions of Canada.
Organizational Structure
CIHR is led by a President and a Governing Council comprised of up to 18 members appointed by Order-in-Council. The Governing Council sets the overall strategic direction and goals. It establishes Health Research Institutes and determines the mandate of each. As outlined in the legislation, the Governing Council is responsible for developing its strategic direction and goals; evaluating its performance; approving its budget; establishing a peer review process for research proposals submitted to CIHR; approving funding for research; approving other expenditures to carry out its objective; establishing policies; and dealing with any other matter that the Governing Council considers related to the affairs of CIHR.
The Access to Information and Privacy (ATIP) Office, part of the CIHR’s Strategic Policy Division, administers the provisions of the Access to Information Act and the Privacy Act for the CIHR and is accountable to the President of CIHR. The ATIP Compliance Office is comprised of one ATIP Manager, one Senior ATIP Analyst and one Junior ATIP Officer. The ATIP Office is responsible for the following activities:
- managing all responses to both formal and information requests made under both Acts;
- developing policies, guidelines and procedures with respect to fulfilling the Agency’s legislative requirements of both acts;
- promoting awareness of both acts, delivering training, and providing advice and guidance to ensure that employees and management understand their roles and responsibilities;
- monitoring compliance with both acts;
- participating in and contributing to the broader ATIP community of practice;
- preparing annual reports for tabling; and,
- updating the CIHR Info Source chapter annually.
CIHR was not party to any service agreements under section 73.1 of the Privacy Act during the 2024-2025 reporting period.
Delegation of Authority
The President of CIHR, as designated Head of CIHR under the Access to Information Act, exercises powers entrusted to the position by the Act, such as exemptions and exclusions.
In accordance with his authority under Section 73, the President has designated the Executive Vice-President; the Associate Vice-President, Government and External Relations; the Director General, Strategic Policy; the ATIP Manager; the Senior ATIP Analyst; and the Junior ATIP Officer to exercise his powers, duties or functions under the Act (see Appendix A - Delegation Order).
Performance 2024-2025
CIHR collects and manages a great deal of personal information to adjudicate thousands of research grant and scholarship proposals, making merit-based awards based on peer review.
a. Formal Requests
During the April 1, 2024 to March 31, 2025 reporting period, CIHR received 13 requests under the Privacy Act. One request was outstanding from the previous reporting period. Thirteen requests were closed during the fiscal year and 1 request was carried over to the next fiscal year. Of the 13 requests completed, 10 (77%) were completed within the first 30 days of reception and 3 requests were completed within 61 – 120 days. The three requests that were not closed within legislated timelines was due to workload and complexity of the records Three requests were disclosed in full, 5 requests were disclosed in part and 5 requests resulted in no records (see Appendix B - Statistical Report). A total of 7379 pages were processed and 1740 pages were released. The number of requests processed with pages released to requesters over the past five years has fluctuated between 2 and 11, and the volume of pages processed has fluctuated from 360 pages in 2020-2021 and 10562 in 2023-2024.
Table 1: Pages Processed
| 2020-2021 | 2021-2022 | 2022-2023 | 2023-2024 | 2024-2025 | |
|---|---|---|---|---|---|
| Requests Processed | 4 | 4 | 2 | 6 | 13 |
| Pages Processed | 360 | 4186 | 848 | 10562 | 7379 |
b. Informal Requests
In 2024-2025, CIHR responded to more than 60 informal requests, all of which were received internally by CIHR employees. CIHR did not receive any informal requests from external sources.
Over the past five years, there has been a consistent increase in the volume of internal informal requests that have been made. All of the informal requests received during the 2024-2025 reporting year came from business units related to the review of corporate documents and interpretation of the Privacy Act, primarily related to program and service delivery. These requests are not reflected in the statistical report in Appendix B.
c. Requests for Correction of Personal Information
During the 2024-2025 reporting period, CIHR did not receive any requests for correction of personal information.
d. Consultations
During the 2024-2025 reporting period, the CIHR Access to Information and Privacy Office received one consultation request from another Government institution. A total of 21 pages were reviewed. This consultation was closed within the reporting period.
CIHR managers and staff sought and obtained advice from the ATIP Coordinator on a regular basis for matters where there were privacy considerations in their programs or activities. In 2024-2025, CIHR contributed to the review and development of many new privacy notices. In-depth and ongoing reviews of corporate practices were conducted with significant support and input from the Access to Information and Privacy office.
e. Costs
During 2024–2025, the Access to Information and Privacy Office incurred $112,567 in salary costs to administer the Privacy Act. Owing to the difficulty of tracking all the operational costs related to the administration of the Act, the costs and human resource statistics are conservative estimates. Almost all costs are attributable to salary, and include fractions of the salaries of the directors, managers and employees who participated in work related to the Act.
Training Activities
During the 2024-2025 fiscal year, CIHR delivered on the training plan it developed during the previous reporting period. Specifically, over 500 employees attended one of the five “ATIP 101” sessions held during this fiscal year. Additionally, CIHR identified several business units which would benefit from training sessions focusing on their specific activities. Of note, tailored training sessions were delivered to members of Information Management/Information Technology, Secretariat on the Responsible Conduct of Research, Research Programs, and three of CIHR’s Institutes. The delivery of training helped to increase staff’s awareness of, and commitment to, fulfilling its obligations under the Privacy Act. Agency wide training will continue to be developed and delivered in the 2025-2026 fiscal year.
Policies, Guidelines and Procedures
While there were no significant revisions to current access to information policies, guidelines or procedures, CIHR dedicated time to reviewing efficiencies in the collection use and disclosure of personal information processes.
Initiatives and Projects to Improve Privacy
CIHR continues to develop its activities related to Privacy Act compliance, including the incorporation of privacy provisions within competition design, memorandums of understanding and the implementation of new programs such as the Tri-Agency Policy on Indigenous Citizenship and Membership Affirmation. CIHR continues to ensure that activities, including stakeholder engagement, outreach and recruitment, are compliant with privacy directive and policies and that any privacy risks are identified and mitigated.
Summary of Key Issues and Actions Taken on Complaints
CIHR did not receive and privacy complaints during the reporting period.
Material Privacy Breaches
No material privacy breaches occurred during the reporting period.
Privacy Impact Assessments
In 2024-2025, CIHR did not conduct any Privacy Impact Assessments (PIAs).
Public Interest Disclosures
CIHR did not make any public interest disclosures under Subsections 8(2) and 8(5) of the Privacy Act during the reporting period.
Monitoring Process
The ATIP Office monitors the trends and time to process requests and administer the Privacy Act. This includes providing performance reports on the status of files in progress in the ATIP office on a regular basis. Issues of significant interest are discussed with the Director General of Strategic Policy and the Associate Vice-President of Government and External Relations, and briefing is provided to the President and Communications department on an as needed basis.
- Date modified: