This Annual Report to Parliament is for the 2007–2008 fiscal year, as required under subsections 72(1) and 72(2) of the Privacy Act.
On behalf of the Government of Canada, the Department of Foreign Affairs and International Trade is Canada’s face and voice to the world, working to advance Canada’s political and economic interests in the international community as well as to apply Canadian experience to help address global issues.
The three leading areas of focus for the Department in 2007–2008 were Canada’s mission in Afghanistan, and greater engagement in the Americas as well as in emerging markets, with a particular emphasis on China and India. The Department manages Canada’s political, economic and cultural relations with other nations on a bilateral basis as well as through the international organizations to which Canada belongs. These include the World Trade Organization, the United Nations, the G8, the Commonwealth, La Francophonie, the Organization of American States, the Organisation for Economic Co–operation and Development (OECD) and the North Atlantic Treaty Organization (NATO).
The Department provides an assertive foreign policy that pursues Canadian interests, projects Canadian values and culture worldwide, and protects Canada’s security. It supplies business (trade and investment), passport and other services to Canadians travelling, working or doing business abroad. And it supports the international activities of federal, provincial and territorial partners at Canada’s missions around the world.
In 2007–2008, the Department had 11,965 Full–time Equivalents and its workforce is made up of three groups. First, Canada–based rotational staff, mainly Foreign Service officers, administrative support employees and information technology specialists, relocate regularly between headquarters and Canada’s missions abroad. Second, non–rotational staff work primarily at headquarters. Third, locally engaged staff work at missions abroad.
Under Section 73 of the Act, the Minister’s authority is delegated to enable the Department to meet its legislated requirements as well as exercise its powers. Responsibility for all sections of the Act has been delegated to the Deputy Ministers, the Corporate Secretary (previously the Director General of Executive Services), to the Director of the Access to Information and Privacy Protection Division as well as to Heads of Mission but only as it relates to disclosure under section 8(2)(m) of the Privacy Act (public interest or will benefit the subject individual). (See Annex A)
Passport Canada, as a special operating agency, was at the time of preparing this report exploring the possibility of having its own full ATIP delegation authority in order to administer all Access to Information Act and Privacy Act matters as they relate to the management and delivery of passport services.
The Access to Information and Privacy Protection Division (”ATIP Office”) is responsible for the administration of the Privacy Act including the processing of requests and consultations. The Director of the ATIP Office reports to the Corporate Secretary, who in turn reports to both the Deputy Minister of Foreign Affairs and the Deputy Minister of International Trade.
Over the reporting period, the ATIP Office increased in size and restructured itself with the addition of twelve (12) new full–time equivalents in 2007–2008. The division now includes five teams of processing Analysts reporting to two Deputy Directors. The Deputy Directors and the Manager of Business Practices and Systems report to the Director.
Steps have been taken since 2004–2005 to strengthen the departmental capacity and compliance with the Access to Information Act and the Privacy Act as well as related TBS policies. Given its mandate and various responsibilities at the international level, DFAIT plays a key consultation role under both Acts on behalf of other government departments (OGDs).
There are an ever increasing number of ATIP requests facing DFAIT. The graph in Figure 2 represents DFAIT’s increase in ATIP requests since 1995/96 as well as the current and expected ATIP workload. The expected workload for 2008–09 is based on the increase that the Department has experienced in the first half of this fiscal year in comparison with the same period in previous years. The expected number of requests for 2009–10 is based on the average annual increase of 13.2% above the expected 2008–09 numbers.
Of importance to note as well as is that recent comparisons with other government departments such as the RCMP, DND, Justice and Industry Canada show that DFAIT’s ATIP requests continue to increase at a greater rate.
The assessment of the ATIP Office’s workload at the end of fiscal 2007–2008 as well as its projected volume of new ATIP requests for 2008/2009 clearly demonstrates that even with its existing complement of 42 full–time equivalents (FTEs), this will not be enough to address the current and projected workload. Thus, the Department will continue to struggle in its attempts to meet legislative and TBS policy obligations.
Other challenges include:
Improving compliance with the Access to Information Act and the Privacy Act is a departmental priority, especially in light of growing requests to the Department for information related to the Government’s key international priorities such as Afghanistan. As well, improved compliance and commitment to these legislative responsibilities has been identified as a Government of Canada priority, reflected in the following instruments:
Federal Accountability Act – commitment to openness, transparency and accountability of its program activities as it relates to the obligations under the Access to Information Act and the Privacy Act.
Management Accountability Framework (MAF). Effectiveness of Information Management Indicator (number 12) is: “Governance and management of information and records in a manner that supports the outcome of programs and services, operational needs and accountabilities, and the administration of the Privacy and Access to Information Acts.”
TBS policies on Access to Information and Privacy speak of the “quasi-constitutional” role played by ATIP and the importance of compliance to government accountability and the democratic process.
TBS Privacy Impact Assessment Policy was introduced in May 2002 and DFAIT must establish the required resources to ensure its compliance. In addition, as a result of TBS’ 2005 Management of Information Technology Security (MITS) requirements, DFAIT must ensure the security of information and information technology (IT) assets which includes the requirement to prepare Privacy Impact Assessments for most of its systems.
Services for Canadians comprise one of three strategic outcomes under the Department’s Program Activity Architecture (PAA). ATIP is one of the key services provided to the general public by the Department in Canada, and better service requires improved compliance with the relevant Acts. Furthermore, given the additional function of the departmental ATIP office of consulting foreign governments on the release of information originating with them, there is a major component of ATIP implementation that includes managing our international relationships and ensuring partners that their information is managed appropriately.
The following section explains in more detail the TBS statistical report as provided in Annex B.
Between April 1, 2007 and March 31, 2008, the Department received three hundred and fifteen (315) requests for information under the Privacy Act. In addition, thirty (30) requests were carried over from the previous fiscal year. During the reporting period, two hundred and seventy–four (274) requests were completed and seventy–one (71) remained active as of March 31, 2008.
The number of requests submitted to the Department has been increasing at an average annual rate of 18% since the 1995–1996 fiscal year. (See Figure 3) In 2007–2008, the number of Privacy Act requests received by DFAIT increased by 55.4%.
The distribution of completed requests is as follows:
|Disclosed in Part||74|
|Nothing Disclosed (Excluded)||0|
|Nothing Disclosed (Exempt)||0|
|Unable to Process||58|
|Abandoned by the Applicant||34|
The exemption most commonly used by the Department during the period was section 26 [Information about another individual]. It was invoked in seventy–three (73) requests.
When a request contains records that are of a greater interest to another institution, the Access to Information and Privacy Coordinator of that institution is consulted. Between April 1, 2007 and March 31, 2008, the Department received thirty–three (33) consultations under the Privacy Act from other federal government institutions.
The number of consultations received by the Department has been increasing at an average annual rate of 17.4% since the 1995–1996 fiscal year. In 2007–2008, the number of Privacy Act consultations received by DFAIT increased by 43.5
During the reporting period, 28 consultations were completed under the Privacy Act representing 1,235 pages.
In return, the Department consulted other government institutions the following number of times during the reporting period.
|Other Federal Governments||21|
|Privy Council Office (Cabinet Confidences)||0|
|Provincial Institutions or Municipalities||3|
|Foreign Governments or Institutions of States||5|
Subsection 8(1) of the Privacy Act states that “personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.”
Subsection 8(2) of the Privacy Act states that “personal information under the control of a government institution may be disclosed” under certain specific circumstances
Personal information may be disclosed “for any purpose in accordance with any Act of Parliament or any regulation made there under that authorizes its disclosure.”
Under this paragraph of the Privacy Act, three (3) requests were received and treated.
Personal information may be disclosed “to an investigative body […] for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation…”
Under this paragraph of the Privacy Act, two hundred and forty–nine (249) requests were received and treated.
Personal information may be disclosed “under an agreement or arrangement between the Government of Canada [...] and the government of a province [or territory] [...] for the purpose of administering or enforcing any law or carrying out a lawful investigation.”
Under this paragraph of the Privacy Act, two hundred and seven (207) requests were received and treated.
Personal information may be disclosed “to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem.”
The department did not disclose any personal information pursuant to this paragraph.
Personal information may be disclosed “for any purpose where, in the opinion of the head of the institution,
(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or
(ii) disclosure would clearly benefit the individual to whom the information relates.”
Under this paragraph of the Privacy Act, thirteen (13) requests were received and treated.
During the reporting period, eleven (11) complaints against the Department were filed with the Privacy Commissioner of Canada.
|Reason for Complaint|
|Refusal – Exemptions||1|
|Refusal – General||2|
|Discontinued||0||No Action Required||11|
|Not Well–Founded||6||Well Founded||4|
During this reporting period, no Federal Court activity affecting DFAIT was noted under the Privacy Act.
The Annual Report of the Office of the Privacy Commissioner (OPC) did not single out the Department of Foreign Affairs and International Trade nor was it highlighted in any special reports of the OPC.
However, during the report period, the OPC conducted an Audit of the Personal Information Management Practices of Passport Canada’s operations. The Final Report of the Audit is expected to be tabled before the end of calendar year 2008.
The Privacy Impact Assessment (PIA) Policy, which was introduced by TBS in May 2002, is a step–by–step evaluation of the flow of personal information held within a given program or service. This process enables the Department to determine whether new technologies, information systems, initiatives, and proposed programs or policies meet federal government privacy requirements.
In addition, as a result of TBS’ 2005 Management of Information Technology Security (MITS) requirements, DFAIT must ensure the security of information and information technology (IT) assets which includes the requirement to prepare Privacy Impact Assessments for most of its systems.
A Privacy Impact Assessment (PIA) is conducted when it is clear that the program or system will collect, use or disclose personal information, and/or if it will be performed by a contractor, and/or if there is data matching, and/or if the personal information will be shared with other government institutions, other jurisdictions, third parties, cross border, etc. A PIA outlines salient points about new or existing personal information handling activities, including hard copy format or through technology systems, by answering questions about the information that will be collected, who will be able to access the information, how the information and data will be maintained, what administrative controls will be in place, and how the decision to use the information was made.
A Preliminary Privacy Impact Assessment (PPIA) is normally conducted at the early stage of a project when it is unclear if the program or system will collect, use or disclose personal information, whether or not it is collected directly or indirectly, if the personal information will be shared or not with third parties, etc. Conducting a PPIA will often clarify if a full PIA is required.
During the reporting period, DFAIT initiated four (4) new PPIAs and two (2) new PIAs as well as submitted one (1) PPIA and six (6) PIAs to the Office of the Privacy Commissioner (OPC) for review. No PPIA/PIAs were published during the reporting period as the ATIP Office was revamping its departmental Internet website for a full update in November 2008. The following information pertains to PPIA and PIA activities in 2007–2008:
The Integrated Management System (IMS) is the departmental Enterprise Resource Planning system used for accounting, which includes posting pay summary transactions, controlling, budgeting, inventory management, procurement and asset accounting. All financial and material transactions are reflected in IMS.
Status: At the time of reporting, the PPIA was being prepared by the Corporate Financial Systems Unit.
Bill C–14 is an act to amend the Citizenship Act granting citizenship to persons adopted abroad by Canadian citizens. It came into force on December 23, 2007 and it will respond to new demands for Canadian passports following the changes.
Status: At the time of reporting, the PPIA was being prepared by Passport Canada.
Passport Canada has approached Public Works and Government Services Canada’s Industrial Security Sector to acquire their Online PSSS. This web application, which was created to assist in the collection of information for personnel security purposes, will replace the existing paper based information–gathering system. The collection of personal information itself will not change.
Status: During the reporting period, this PPIA was submitted to the DFAIT ATIP Office for review and was returned to Passport Canada with recommendations for revisions. At the time of reporting, Passport Canada was still working on revising the PPIA.
Infobank is an information management system. It is DFAIT’s version of a Records Documents Information Management System (RDIMS).
Status: During the reporting period, TBS provided DFAIT with a copy of its PPIA for RDIMS which was being modified by DFAIT to draft its own PPIA on Infobank.
The International Trade Missions Division is primarily responsible for the planning, coordination and execution of trade missions abroad led by the Prime Minister, the Minister of International Trade and/or senior departmental officials on behalf of Foreign Affairs and International Trade Canada.
Status: The PPIA was submitted to the OPC on August 14, 2007. The OPC provided some recommendations and a response to the OPC’s recommendations was being prepared during this reporting period.
The Consular Affairs Bureau provides information and assistance services to Canadians living and travelling abroad. When an individual requests services or assistance from Consular Affairs, a consular case is created. In order to better manage consular cases, COSMOS delivers a comprehensive set of tools designed to facilitate the management of consular cases, the issuance of emergency and standard passports for Canadians abroad, and the registration of Canadians abroad. Through the COSMOS system, missions are able to better assist Canadians while travelling abroad.
Status: The PIA was being prepared during the latter half of this reporting period.
The Department has a computer network known as SIGNET D. This network is used primarily for unsecured information processing, storage, and management as well as unsecured messaging (up to Protected A). The network is nearly 15 years old and has gone through several revisions. SIGNET D is the network operating environment and related protocols which run on top of MITNET (DFAIT’s telecommunications network), thereby providing a single departmental infrastructure to support data and voice applications. Where SIGNET D is a higher–level network environment and provides operating connectivity for users, the MITNET provides the low–level network connectivity protocols and the physical infrastructure. It connects the LANs at Canada’s 160 missions in 111 countries, and directly serves more than 10,000 people, of whom more than 6,000 work outside Canada.
Status: A PIA for SIGNET D already existed, but was being updated to include MITNET. The PIA was received by the ATIP Office for review during this report period.
As a core member of Team Canada Inc., the Trade Commissioner Service of the Department provides “In Market Assistance” to experienced exporter and Canadian companies who have researched and targeted their markets. The Trade Commissioner Service’s role is to promote the economic interests of Canada abroad such as export market development, foreign direct investment in Canada, science and technology networking and international research and development collaboration.
Status: The PIA was submitted to the OPC on April 7, 2007. The OPC provided recommendations and a response was being prepared at the end of this reporting period. Since then the OPC concurred with all the recommendations for mitigating measures and the file was closed.
Following certain United Nations resolutions on combating terrorism, the International Civil Aviation Organization adopted new passport specifications that included a global blueprint for the integration of biometric identification information into passports and other machine–readable travel documents. These new specifications require the inclusion of an embedded chip and the storage on that chip of the passport–holder’s photo. In 2004, the Canadian government instituted its National Security Policy and presented an implementation plan to pursue initiatives reinforcing border security.
Status: This PIA was submitted to the OPC on March 19, 2008. DFAIT subsequently received the OPC’s recommendations and, at the time of drafting this report, a response was being prepared.
Dialogue is a web based application that will allow the Center of Learning for International Affairs and Management to produce customized online 360 and 180 degree feedback questionnaires and reports.
Status: This PIA was submitted to the OPC on August 14, 2007. The OPC provided recommendations and a response was being prepared during this reporting period.
DFAIT’s Export Controls Division is responsible for evaluating and approving applications for permits to export controlled and strategic goods and technology. It is also responsible for issuing export permits for controlled goods, tracking goods exported against authorized permits and supporting other import/export processes such as delivery verification. Export permit issuance and management process is designed to ensure that Canadian exports do not contribute to the production or use of nuclear, chemical or biological weapons. The EXCOL replaces the legacy paper–based permit system that has been in operation since 1988. EXCOL is an interactive and computerized application that allows clients to submit export applications and certificates on–line using Secure Channel.
Status: The PIA was submitted to the OPC on August 14, 2007. The OPC provided recommendations and a response was being prepared during this reporting period.
The Department’s secure computer network known as SIGNET–C4 is used primarily for secure text processing and secure messaging. It is nearly ten years old and is being replaced by a new system, SIGNET–C5. The new C5 system has essentially the same functionality to C4 but with up–to–date hardware and software.
Status: The PIA was submitted to the OPC on April 5, 2007. The OPC provided recommendations and a response was being prepared during this reporting period.
The Export Import Controls System is a mission critical system that enables licensed Canadian Customs Brokers to apply online for the necessary permits for the importation and exportation of certain goods to and from Canada.
Status: The PIA was submitted to the OPC on February 26, 2008. DFAIT subsequently received the OPC’s recommendations and, at the time of drafting this report, a response was being prepared.
During this reporting period, the ATIP Office did initiate discussions with the Protocol Office for the implementation of a new information sharing arrangement with the Province of Quebec as it relates to the Department’s Diplomatic Registry System. This arrangement may also involve data matching activities between the federal and provincial governments, that of which was being explored. A PIA will be developed in 2008–2009 to address all these privacy implications.
During 2007–2008, the ATIP Office ensured that all ATIP Analysts regardless of their years of experience received the necessary training and tools to do their job effectively. In addition, each Analyst in the ATIP Office now has a dedicated mentor/coach (a.k.a. Team Leader) whose primary responsibilities is to ensure that there is a continuous and positive learning environment for their proper development as ATIP specialists. Also, Individual Learning Plans were developed in consultation with each employee within the ATIP Office to ensure that all training and development needs have been addressed.
The ATIP Office also developed a Professional Development Program in order to “grow its own” ATIP Analysts from within DFAIT since the federal ATIP Community is starving for experienced ATIP Analysts. Such a program will also improve overall retention and succession planning.
While ATIP Awareness sessions have been given to departmental officials over the years, the ATIP Division initiated the implementation of a structured and departmental–wide ATIP awareness program to ensure that officials across the Department understand their roles and responsibilities vis–à–vis ATIP. The ATIP Office also initiated the development of an on–line ATIP tutorial for the departmental Intranet site. The ATIP Office has also been developing a more in–depth hands–on training program for ATIP Liaison Officers across the Department.
In 2007–2008, the ATIP Office initiated the implementation of a streamlined ATIP tasking process that was instituted across DFAIT in October 2008. This single gateway into the program areas will provide for a common ATIP tracking system to improve efficiencies and to measure performance.
During this reporting period, the ATIP Office did not institute any new internal policies as it relates to the Privacy Act.
The following are improvements that have been made over the last year or so as well as ongoing initiatives to improve the overall ATIP function at DFAIT:
Continued to build a more stable and robust capacity within the departmental ATIP Division with the addition of 12 new full–time equivalents in 2007–2008. Improved recruitment and retention of ATIP personnel to build towards a more sustainable ATIP function for the long–term, including the development of a Professional Development Program for succession planning purposes. The majority of the positions were staffed from competitive processes and deployments. In addition, staff morale and commitment to the Department have improved. DFAIT is also advocating government–wide solutions to staffing such as more centralized recruitment of ATIP specialists.
Reduced the workload per analyst ratio with the addition of new staff and the continued use of consultants to help with the backlog. A revised case management strategy was implemented to align available resources to address the backlog as well as the current and expected workload.
Built a more structured training capacity for ATIP divisional staff drawing on both in–house and external ATIP educational programs. The ATIP Office now has two Deputy Directors, a Manager of Business Practices and Systems as well as five Team Leaders whose primary responsibilities are to ensure that all necessary training, mentoring and coaching is provided to divisional staff and that all the necessary tools are made available. Also updating the divisional policy and procedures manuals.
Ensured that the Foreign Affairs and International Trade sides of DFAIT now have an identical ATIP process.
Started to build a permanent policy capacity within the ATIP Division in order to ensure that the necessary resources are available to meet various ATIP–related TBS requirements such as: the Privacy Impact Assessment Policy. There is a significant volume of Privacy Impact Assessments that are currently being prepared to meet both the PIA Policy as well as TBS’ Management of Information Technology and Security (MITS) requirements. Other reporting requirements, that require extensive work by a Policy team, include annual ATIP reports to Parliament, annual statistical reports to TBS, Report Cards to the Information Commissioner of Canada as well as continuous updates to the departmental ATIP websites (Intranet and Internet), all of which have a direct impact on MAF results.
Submitted to TBS in June 2008 an update to the annual publication InfoSource after almost 7 years of neglect due to lack of resources within the ATIP Division, which will no doubt improve compliance with Indicator #12 of the MAF. Given the extent of the work required due to years of neglect, TBS accepted that DFAIT start as a first phase in 2008 by aligning its InfoSource chapter with DFAIT’s current Program Activity Architecture as well as primary program holdings. The next phase of the update in 2009 will be an in–depth review of all its information holdings including all personal information banks.
Another long overdue project that saw fruition very recently is DFAIT’s Internet ATIP website which was completely revamped and updated. For example, as required by TBS’ Privacy Impact Assessment Policy, the website now includes summaries of Privacy Impact Assessments that were completed by DFAIT over the last six years since the Policy was in effect in May 2002.
Created a departmental IM/IT/ATIP Working Group to address various issues within DFAIT relating to information management and technology. For example, the ATIP Office’s inability to liaise with all DFAIT clientele in an efficient and effective manner on the secure network and thus an over–reliance on hardcopy versus obtaining records electronically.
Initiated the introduction of a streamlined ATIP tasking process across DFAIT with designated ATIP Liaison Officers for a single gateway into all the Bureaux and ADM Offices. This in turn provides a much–improved ATIP tracking system in order to measure performance and to gain ATIP efficiencies.
Introduced monthly ATIP performance reports to senior management, which in turn will improve overall departmental understanding and commitment to ATIP compliance.
Initiated the implementation of a structured and departmental–wide ATIP awareness program to ensure that officials across the Department understand their roles and responsibilities vis–à–vis ATIP. Preliminary steps have also been taken to develop an on–line ATIP tutorial for the departmental Intranet site.
The Corporate Secretariat has also planned to hire a consultant with expertise in business processes to further examine the ATIP function at DFAIT in order to provide recommendations for additional improvements to the overall ATIP program activity.
And finally, the ATIP Office will also develop another Business Case in the hope of securing additional funding to ensure that the required permanent resources are in place which would result in: