Access to Information and Privacy

2021-22 Annual Report on the Privacy Act

April 1, 2021 — March 31, 2022

On this page

1. Introduction
2. About NSERC
3. Organizational Structure
4. Interpretation of Statistical Report
5. Services and Related Activities
6. Complaints and Audits
7. Appendices
• Appendix A - 2021-2022 Delegation Order
• Appendix B - 2021-2022 Statistical Report on the Privacy Act
• Appendix C - 2021-2022 Supplemental Statistical Report on the Access to Information Act and the Privacy Act

---

1. Introduction

The Privacy Act (Revised Statutes of Canada, Chapter P-21, 1985) was proclaimed on July 1, 1983.

The Privacy Act provides Canadian citizens and permanent residents with the right of access to, and correction of, personal information about themselves that is under the control of a government institution. The Act also provides the legal framework for the collection, retention, use, disclosure, disposition, and accuracy of personal information in the administration of programs and activities by government institutions subject to the Act.

Section 72 of the Privacy Act requires that the head of every government institution prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year. This report represents an overview of the activities of the Natural Sciences and Engineering Research Council of Canada (NSERC) for the reporting period of April 1, 2021, to March 31, 2022.

2. About NSERC

2.1 Mandate

NSERC is a departmental corporation of the Government of Canada created in 1978 as a federal agency. It is defined as a "separate employer" by the Public Service Staff Relations Act. NSERC is funded directly by Parliament and reports to it through the Minister of Innovation, Science and Industry.

NSERC promotes and assists research in the natural sciences and engineering, other than the health sciences. NSERC is the primary federal agency investing in post-secondary research and training in these disciplines.

NSERC's Council is composed of a President and up to 18 other members selected through Governor in Council appointment to set the strategy and high-level policies for NSERC, and to review and evaluate performance. Funding decisions are made by the President, or their designate, based on recommendations made by peer review committees.

2.2 Responsibilities

Through grants, fellowships, and scholarships, NSERC promotes and supports research and research training in the natural sciences and engineering to develop talent, generate discoveries, and support innovation in pursuit of economic and social outcomes for Canadians. NSERC works with universities, colleges, businesses and not-for-profits to remove barriers, develop opportunities and attract new expertise to make Canada's research community thrive.

3. Organizational Structure

3.1 The Organizational Structure

The Access to Information and Privacy (ATIP) Office resides in NSERC's Governance, Risk & Compliance (GRC) Division under the Strategic, Corporate and Public Affairs (SCPA) Directorate.

During the reporting period, a full-time ATIP Coordinator reported to the Executive Director, Governance, Risk and Compliance, and was assisted by an ATIP Analyst, starting in January 2022, and by two ATIP & Secretariat Officers for half of the reporting period (September 2021 to March 2022). Two ATIP consultants also supported ATIP operations (1 full-time position and 1 temporary part-time position).

3.2 The ATIP Office

The ATIP Office coordinates responses to requests submitted to NSERC under the Privacy Act. It also provides interpretation, advice, and recommendations to NSERC staff on the implications of the Privacy Act on their activities, and delivers training, education, and awareness sessions to staff. In 2021-22, ATIP staff provided privacy advice and guidance to NSERC staff on a wide range of programs and activities. ATIP Office activities also include:

• Processing and managing Privacy complaints.
• Providing advice and guidance to staff and senior management on privacy issues and ensure PMF is implemented.
• Preparing weekly ATIP reports for NSERC senior management, annual statistical and supplemental reports for the Treasury Board of Canada Secretariat (TBS), and an Annual Report to Parliament.
• Updating information on NSERC's website regarding privacy issues.
• Documenting and resolving privacy breaches.
• Coordinating updates to the Info Source publication.
• Providing feedback to Justice Canada on the modernization of the Privacy Act; and,
• Participating in forums for the ATIP community, such as the TBS ATIP Community meetings and working groups.

3.3 Delegation Order

Under section 3 of the Privacy Act, the President of NSERC is designated as the head of the government institution for purposes of the administration of the said act.

Pursuant to section 73 of the Privacy Act, deputy heads may delegate any of their powers, duties, or functions under the Privacy Act by signing an order authorizing one or more officers or employees of the institution, who are at the appropriate level, to exercise or perform said powers, duties or functions. This Delegation of Authority can be found in Appendix A.

4. Interpretation of Statistical Report

NSERC's 2021-2022 statistical report on the Privacy Act is provided in Appendix B.

Institutions were asked to report on how the COVID-19 pandemic affected their capacity to receive requests and process records. The 2021-22 Supplemental Statistical Report on the Access to Information Act and Privacy Act is in Appendix C.

4.1 Requests under the Privacy Act

In 2021-22, NSERC received two new privacy requests. Twenty-three (23) requests were carried forward from the previous reporting period (five from 2018-19, one from 2019-20 and 17 from 2020-21). Thirteen (13) of these requests were closed during the 2021-22 reporting period. A total of 12 requests remains outstanding.

Of the outstanding requests, five were received in 2018-19, one in 2019-20, four in 2020-21, and two in 2021-22. The two outstanding requests from 2021-22 are still within legislated timelines. The 10 other outstanding requests are not within legislated timelines. The number of new privacy requests received by NSERC in 2021-22 was significantly lower than the 22 new requests received in the preceding reporting period (2020-21).

In total, NSERC processed 5074 pages of which 1251 were disclosed in the 2021-22 reporting period. NSERC processed more requests than the 2020-21 reporting period (seven requests in 2020-21 and 13 requests in 2021-22). Also, the number of pages processed was significantly higher this reporting period than in the previous year (In 2020-21 NSERC processed 464 pages of which 268 were disclosed).

Figure 1: Number of privacy requests carried over, received, and closed from 2017 to 2022

Figure 2: Number of pages processed and pages disclosed from 2017 to 2022

4.2 Disposition of Requests Completed

Of the 13 privacy requests NSERC completed, six were fully disclosed, five were disclosed in part, and in two cases, no records existed.

4.3 Exemptions Invoked

For the privacy requests where the information was disclosed in part, NSERC invoked five exemptions under section 26 (personal information about another individual), one exemption under section 27 (Protected information – solicitors, advocates and notaries).

4.4 Extension of Time Limits

For the 13 privacy requests completed, 13 thirty-day extensions of time limits were taken past the initial 30 days. NSERC invoked 13 exemptions under 15(a)(i) meeting the original time limit would unreasonably interfere with the operations of the government institutions. (One request = Large volume of pages, 12 requests = Large volume of requests).

4.5 Completion Time

Of the 13 privacy requests completed; zero requests (0%) were completed within the legislated timeframe. The 13 requests were extended for an additional 30 days. The 13 requests were completed outside legislated timelines. All 13 requests were extended and completed within either 121-180 days (one request) or 181-365 days (12 requests).

4.6 Consultations

Consistent with 2020-21, no privacy consultations from other government institutions were received in 2021-22.

4.7 Impact of COVID-19

From April 1, 2021, to March 31, 2022, NSERC experienced operational challenges brought about by the COVID-19 pandemic. NSERC's access to information and privacy team continued to work from home during the full fiscal year. Early in the pandemic, NSERC's access to information and privacy team members did not have remote access to specialized access to information request processing software, and other resources available in the head office. The situation was resolved in 2021-22 but the backlog resulting from that disruption remained.

Even when full access to specialized ATIP software was available, the challenges of remote work added to the complexity of processing files, which impacted service delivery.

Remote work also led to an inability to process paper documents and secret documents. As of November 2021, the mailroom was able to receive protected records in paper format. In March 2022, NSERC launched a new extranet platform to provide requestors with their records securely and efficiently, rather than releasing large volume of records in a series of emails with password-protected PDF documents.

5. Services and Related Activities

Throughout the year, the ATIP Office provides advice and assists Agency staff by reviewing various documents such as answers to Parliamentary Questions, Privacy Protocols, Memoranda of Understanding, audits, evaluations, and security reports. The ATIP Office provided training on an as needed basis on the provisions of the Privacy Act and its impact on NSERC programs and initiatives. The ATIP Office distributed a weekly status report to senior management at NSERC pertaining to all Privacy requests.

5.1 Info Source, Publicly Accessible Information, and Inquiry Points

Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. It provides individuals and employees of the government (current and former) with relevant information to access personal information about them held by government institutions subject to the Privacy Act and to exercise their rights under the Privacy Act.

NSERC's funding policies, program descriptions, organizational structure and contact information can be found on its website. In accordance with the federal government's policy on proactive disclosure, evaluation and audit reports are also posted on NSERC's website. NSERC website's ATIP page provides background information on the Access to Information Act, and useful information about services provided.

NSERC also proactively discloses information on the federal government's Open Government website, such as: ATIP monthly summaries, information on awarded grants, contracts as well as travel, hospitality, and conference expenses.

5.2 Informal Practices and Proactive Disclosure

NSERC encourages informal practices of providing information requested outside the ATIP process, provided that the information released is clearly only that of the requester.

In addition, NSERC proactively discloses peer review feedback to grant and award applicants. In 2021-22, NSERC proactively disclosed 13,706 redacted reports and reference letters from volunteer external reviewers for all programs that collect external reports, which represents 5,739 grant and award applications. These reports provide a preliminary peer reviewed evaluation of the proposal from an impartial subject-matter expert, recommendations about the applicant based on previous collaborations or supervision, and feedback to applicants on the assessment of their proposals in relation to the program criteria. They are redacted in the spirit of the Privacy Act by program staff who has received training by the ATIP staff.

5.3 Policies, Guidelines, Procedures and Initiatives

Personal information collected and used by federal institutions is governed by the Privacy Act and related regulations, as well as a suite of policy from TBS. NSERC must comply with several policies, directives and guidelines, and the NSERC President is accountable. This compliance framework is complex and often very demanding for small agencies. It is also evolving and being updated to reflect the reality of current day privacy concerns in our digital world.

In response to TBS Policy on Privacy Protection requiring that government institutions have a privacy protocol in place to establish rules and guidelines for employees who use personal information, NSERC and SSHRC agreed to develop a joint Privacy Management Framework (PMF) and a Privacy Protocol as part of their larger commitment to developing a stronger culture of privacy protection and compliance. Privacy protocols are especially important for NSERC to implement due to the increased collection of self-identification information. The PMF and Privacy Protocol were finalized in 2021-22 and approved by senior management in Spring 2022.

Our institution has not received authority for any new collection(s) or new consistent use(s) of Social Insurance Numbers during the 2021-2022 reporting period.

5.4 Training

The ATIP Office continued its formal training and development activities in 2021-22. All staff requiring direct access to Equity, Diversity and Inclusion (EDI) data were required to undertake training on handling sensitive personal information. A total of 94 NSERC employees participated in nine EDI data training sessions either organized at NSERC or jointly with the Social Sciences and Humanities Research Council (SSHRC). Redaction training was also delivered to approximately 20 NSERC staff.

5.5 Expenditures

In this year's reporting period, the total salary, goods, and professional services cost for the Privacy program was $215,542. This figure represents an increase of over 18.2% compared to $182,356 in 2020-21 and is higher than the $109,649 in costs for 2019-20. This cost does not include the processing of the proactive disclosures to applicants described in 5.2, above.

5.6 Material Privacy breaches

NSERC had no material privacy breaches in 2021-22.

5.7 Privacy Impact Assessments

For the current reporting period, NSERC did not complete any privacy impact assessments.

5.8 Public Interest Disclosures

Paragraph 8(2)(m) of the Privacy Act concerns cases where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where disclosure would clearly benefit the individual to whom the information relates.

During this reporting period, NSERC did not disclose any information under this section of the Act.

5.9 Corrections

Paragraph 12(2)(a) of the Privacy Act gives individuals a right to request a correction of personal information about them held by the federal government.

Three requests for corrections were carried over from 2018-19, five from 2019-20 and three from 2020-21. These requests were all from the same individual and they all remain outstanding. No new requests for correction of personal information were received during the reporting period.

5.10 Challenges

In 2021-22, NSERC started the year with a carry-over of 23 files from previous fiscal years. This situation, in addition to two new Privacy requests to process, put pressure on NSERC's limited ATIP resources in the first half of the year. This required the ATIP team to establish operational priorities and to claim appropriate extensions of time. NSERC remained committed to assist requestors in refining their request, but 12 files were carried forward into the 2022-23 fiscal year which is transferring the backlog issue into the cycle.

The Privacy human resources utilized for this reporting period were estimated at 2.205 FTE, which is 46.5% more than 1.505 FTE reported for the 2020-21 fiscal year. Of this 2.205 FTE, 1.455 came from full-time employees, 0.07 from consultants and agency personnel, 0.68 from part-time/casual employees and students.

NSERC is facing continued difficulties in staffing ATIP positions but was able to staff two ATIP & Secretariat Officer positions and one ATIP Analyst position on a permanent basis. NSERC has made a commitment to build its internal ATIP team and expertise in order to increase stability and improve service delivery.

6. Complaints and Audits

6.1 Complaints

Requesters have the right to register a complaint with the Office of the Privacy Commissioner (OPC) regarding the processing of a request.

NSERC carried over one privacy complaint from the 2020-21 fiscal year. This privacy complaint was closed in the 2021-22 fiscal year. NSERC received four new privacy complaints in the 2021-22 fiscal year. These four privacy complaints were closed in the 2021-22 fiscal year. No privacy complaints were carried over into the 2022-23 fiscal year.

6.2 Audits, Compliance and Appeals

No privacy audits nor monitoring were conducted during the reporting period. There were no applications or appeals to the Federal Court or Federal Court of Appeal under the Privacy Act during the year.

---

7. Appendices

• Appendix A - Delegation Order
• Appendix B - 2021-22 Statistical Report on the Privacy Act
• Appendix C - 2021-22 Supplemental Statistical Report on the Access to Information Act and the Privacy Act