Foreign Affairs, Trade and Development Canada
Symbol of the Government of Canada

Foreign Affairs, Trade and Development Canada

international.gc.ca

Archived Document

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated since it was archived. Web pages that are archived on the Web are not subject to Government of Canada Web Standards; as per the Communications Policy of the Government of Canada, you can request alternate formats by contacting us.

Review of the Access to Information - Privacy Protection Function at Foreign Affairs and International Trade Canada

(March 2005)

(PDF Version, 131 KB) *

Table of Contents

Executive Summary

This review of the Access to Information and Privacy Protection function at Foreign Affairs Canada (FAC) and International Trade Canada (ITCan) was conducted under the aegis of the Evaluation Division, Office of the Inspector General, Foreign Affairs Canada (FAC) and International Trade Canada (ITCan). It was undertaken at the request of the Access to Information and Privacy Protection Division (DCP) at FAC and ITCan.

Objectives

The objectives of the study were:

  • to review the various processes inherent to the function;
  • to assess the strengths and weaknesses of the function as it currently exists at FAC and ITCan; and
  • if applicable, to propose improvements to the appropriate aspects of the function.

Context

The Access to Information Act (ATI) was enacted in 1983 to provide Canadians with the legal right to access information held in various forms by federal departments and agencies. The ATI Act and the accompanying regulations set out the legal requirements for processing access requests, which the head of each government department or agency is responsible for applying within his/her organization. The Privacy Act, also implemented in 1983, commits the government to privacy and the protection of personal information used in the course of providing programs and services to the public. The Privacy Impact Assessment Policy, implemented in 2002, is one of several tools designed to meet this challenge. Privacy Impact Assessments provide a framework to ensure that privacy is considered throughout the design or re-design of programs and services.

The head of each organization may delegate one or more officers or employees to exercise or perform any of the powers, duties or functions under the Acts. In FAC, the Deputy Minister has entrusted the administration of both Acts to the Director, Access to Information and Privacy Protection Division (ATIP Office). The Office also has the same responsibilities for International Trade Canada (ITCan).

In his annual report, the Information Commissioner includes report cards on departments and agencies. The sole criterion is the percentage of requests that have been dealt with within the thirty day target set by the Act. Over the past four years, DFAIT has progressed from grade F to grade B in 2002. In 2003, DFAIT had regressed to grade D.

In 2003-2004, DFAIT received 527 requests and 568 consultations under the Access to Information Act. In addition, the Department received 148 new Privacy requests during the same period.

From the point of view of the ATIP function, the FAC ATIP Office is responsible for the Passport Office. ATI and privacy requests concerning the Passport Office are dealt with by DCP in the same manner as those concerning other divisions within FAC and ITCan.

Top of page

Summary of Findings

Through its data collection and analysis, the study has come up with the following findings:

  • In order to meet the requirements set under the Acts, FAC and ITCan need to provide more attention (including training) and resources into the ATIP function. Otherwise, the departments could be put at risk of repeatedly failing to meet the standards set by the Acts in terms of responding to requests and of handling sensitive personal information or data.
  • The current status of information management at FAC and ITCan is problematic. Information is decentralized, fragmented and spread among divisions at headquarters and missions overseas.
  • The current way of approving packages for release in response to ATIP requests includes an extra step that may reduce the risk of errors but likely increases the workload of both OPIs and DCP.
  • On the processing side, DCP currently uses a manual/paper review and redaction process, relying heavily on the use of colour photocopying. This process could be improved with the use of existing technology presently in service in other departments.
  • The number of ATIP requests per DCP employee is much higher than what is found in most government departments. Beyond new technologies, improvement in terms of compliance with the requirements of the two Acts can only come with additional FTEs.
  • In order to handle the present ATIP workload with regard to the Passport Office, additional resources are necessary, either within DCP or at the Passport Office.

Conclusions and Recommendations

Organizational Culture
  1. One way to mitigate the risk of an overly secretive bureaucracy would be to provide more widespread training and information sessions for employees. This awareness training could include general information (possibly made available on line), and the application of the sections of the Acts that are likely to be required at each employee's level or area of work.

    Processes

  2. Branches that have frequent ATIP requests could be encouraged to reduce the workload on the ATIP Office by preparing the justification for any severances as they put together the initial package, particularly where requests are relatively straightforward.

    Screening Records

  3. Screening records prior to sending them to Library and Archives Canada is only done by a few departments, however, it is considered a best practice among ATIP programs within the Government of Canada. By virtue of the type of work involved and the potential risks encountered, it belongs properly within the ATIP Office at FAC. It should, however, be recognized officially as part of the overall ATIP function and, accordingly, provided with the proper permanent resources.

    Information Management

  4. The current ATIP program delivery process in FAC and ITCan is heavily dependent upon paper files which are not always readily accessible when needed. In addition, the rotational nature of a large portion of the Departments means that there is a lack of corporate memory relating to previous ATIP requests and to the content of the relevant files. While the rotational nature of a large part of both Departments will remain, it is possible to improve, in part through new technology, the management of the information contained in departmental divisions.

    Equipment and Technology

  5. Based on the specifications of the software and on the experience of other federal departments and agencies, the acquisition of ATIPImage Advanced and, subsequently, InfoBank, would make a significant contribution to the efficiency of the ATIP function in FAC and ITCan.

    Human Resources

  6. Beyond technological improvements, the ATIP Office could only improve the performance in terms of compliance with the required time lines with additional personnel. This is compounded by the additional need for more resources to provide an adequate amount of ATIP training, both within the ATIP Office and throughout the department. This increase in human resources should be accompanied by the provision of sufficient accommodation space to also take into account the need for a secure work environment and adequate file storage.

    Passport Office

  7. In view of the issues stemming from the current way of delivering the ATIP function at the Passport Office, the status quo is not a viable option. The choice between making improvements to the status quo (i.e. FAC delivering the function) and creating a new ATIP Coordinator position (and Office) at the Passport Office depends on broader decisions concerning the status of the Agency vis-à-vis FAC. Either one of these two options would go a long way in addressing current issues and risks but at some financial costs.

    The Management responses to the above recommendations can be found on page 20 of this report.

1. Introduction

Top of page

1.1 Objective and Scope of the Review

This review of the Access to Information and Privacy Protection function at Foreign Affairs and International Trade Canada (DFAIT) was conducted under the aegis of the Evaluation Division, Office of the Inspector General, Foreign Affairs and International Trade Canada (DFAIT). It was undertaken at the request of the Access to Information and Privacy Protection Division (DCP) at DFAIT.

The objectives of the study were:

  • to review the various processes inherent to the function;
  • to assess the strengths and weaknesses of the function as it currently exists at FAC and ITCan; and
  • if applicable, to propose improvements to the appropriate aspects of the function.

In addressing those objectives, the authors were to be mindful of the following issues:

  • The current way that FAC and ITCan respond to access requests under both the ATI and Privacy Acts, handle privacy impact assessments, and various requests for advice under both Acts and related Treasury Board policies as well as do the screening of departmental documents prior to transfer to the National Archives, including strengths and weaknesses.
  • The environment and challenges, both internal and external, in which the ATIP Office operates within the departments.
  • An identification of the risks inherent to the function.
  • The departmental cultural factors that have a bearing on ATIP responses.
  • The level of understanding, within the departments, of the linkages between access to information and the various facets of departmental accountability.
  • Whether internal departmental systems, record-keeping, and information management facilitate or hinder the process of responding to access requests.
  • The extent to which the departments have in place information management guidelines and the effect of those guidelines, if any, on processing access requests.
  • The extent of the real burden of the workload associated with ATIP requests, privacy impact assessments, and the responsibility placed upon the Office to screen departmental documentation prior to sending it to the National Archives, on the departments and whether resources, in the ATIP Office and throughout the departments are appropriate to handle that workload.
  • The level of knowledge (or ambiguity) in the departments about what constitutes an accessible record.
  • The degree of effectiveness and efficiency of current ATIP processes in the departments and, if needed, what improvements could be brought to them.
  • The degree to which the ATIP Office is efficient in delivering the access to information and privacy protection function, including resources and technology tools to support delivery.

1.2 Methodology

This review relied mainly on two types of data gathering methods: documentation review and interviews with a range of stakeholders.

The study team reviewed the background information, reports and statistics provided by the ATIP Office and information available on-line on various federal departments' and agencies' web sites. In all, some 20 interviews were conducted with ATIP Office management and staff, various FAC and ITCan bureaux, and ATIP coordinators in other departments.

The information and data gathered through those two means were analyzed with a view to reaching conclusions about the current situation of the ATIP function within the two departments, including the Passport Office. The following sections of this report present the context, findings, conclusions and recommendations that flow from the analysis of the aggregated data.

Top of page

2. Background and Departmental Context

2.1 Background

This review examined the administration of the Access to Information Act and the Privacy Act in Foreign Affairs Canada (FAC) and International Trade Canada (ITCan), formerly jointly known as the Department of Foreign Affairs and International Trade (DFAIT).

The Access to Information Act (ATI) was enacted in 1983 to provide Canadians with the legal right to access information held in various forms by federal departments and agencies. The Act also created the Office of the Information Commissioner. The Commissioner is essentially an Ombudsman appointed by Parliament to monitor the administration of the Act and to investigate citizen complaints related to access to information. The ATI Act and the accompanying regulations are administered by the President of the Treasury Board. They set out the legal requirements for processing access requests, which the head of each government department or agency is responsible for applying within his/her organization. This must be done within the framework of the government-wide policy framework, which is necessary to ensure effective and consistent application of the legislation.

The Privacy Act, also implemented in 1983, commits the government to privacy and the protection of personal information used in the course of providing programs and services to the public. The Act imposes obligations on some 150 government departments and agencies to respect the privacy rights of Canadians by placing limits on the collection, use and disclosure of personal information. The Act also gives Canadians the right to access and correct personal information about them held by these federal government organizations. Oversight of the Act rests with the Privacy Commissioner of Canada who is also authorized to receive and investigate complaints.

There are a number of privacy risks associated with advances in technology. They include transact ion monitoring, data mining, common directory services, data matching, the use of common personal identifiers and the risks of identity theft and unintended disclosures of personal information. The ultimate challenge is to assist Canadians in understanding how the government handles their personal information and to trust it to do so responsibly. The Privacy Impact Assessment Policy, implemented in 2002, is one of several tools designed to meet this challenge. Privacy Impact Assessments provide a framework to ensure that privacy is considered throughout the design or re-design of programs and services. The assessments identify the extent to which proposals comply with all appropriate statutes. The end result of the Privacy Impact Assessment is assurance that all privacy issues have been identified and resolved or mitigated.

The head of each organization may delegate one or more officers or employees to exercise or perform any of the powers, duties or functions under the Act. Treasury Board policy also specifies that each department must designate an official known as the Access to Information and Privacy Coordinator, and that this official be no more than two reporting levels removed from the Deputy Head. The Access to Information and Privacy Coordinator is responsible on behalf of the Minister and the Deputy Minister for ensuring compliance with the Acts, Regulations, and policies.

In FAC, the Deputy Minister has entrusted the administration of both Acts to the Director, Access to Information and Privacy Protection Division (ATIP Office). The Office also has the same responsibilities for International Trade Canada (ITCan).

2.2 Departmental Context

Due to the international role of FAC and ITCan, the Departments face special challenges in the administration of the ATIP legislation. The interests of other states and international organizations as well as Canada's bilateral relations would be seriously affected were sensitive information released inappropriately. Similarly, FAC and ITCan hold data and information provided, usually in confidence, by provincial governments in Canada, by other federal departments and by the Canadian business sector.

DCP (ATIP Office) also faces certain challenges that may not affect other federal departments, including:

  • the need, in certain cases, to obtain documents held at diplomatic missions overseas in order to respond to requests
  • the high volume of cases requiring consultation with third parties and other governments and international organizations or multilateral bodies
  • the complexity and sensitivity of requests received
  • the increase in parallel litigation (e.g. in certain consular cases).

Furthermore, given the nature of the Departments' work, employees must often deal rapidly with urgent international crises. Thus, the Department must regularly balance the competing priorities of response to an urgent situation on the one hand with requests for access to information on the other.

Other federal government institutions are instructed to solicit the assistance of FAC in determining the extent to which documents were obtained in confidence or the extent to which disclosure of information would be injurious to the conduct of Canada's international affairs. The ATIP Office is responsible for consultations with foreign governments and international organizations, which are normally undertaken through Canadian posts abroad or, at times, through foreign missions resident in Canada. These consultations can be lengthy and complex. Their volume equals the amount of formal access requests received and requires comparable resources and processing effort.

Over the past 5 years, both the number of access to information requests and requests for personal information have continued to increase rapidly, as have the number of consultation requests from other departments and foreign governments. It is anticipated that interest in information held by FAC and ITCan will continue to grow as public awareness also increases.

Implementation of Treasury Board's policy on Privacy Impact Assessments, which came into effect on May 1, 2002, has already begun to have a significant impact on many parts of the Departments, including the Passport Office, and on the ATIP Office. It is likely that this impact will continue.

While both the Information and Privacy Commissioners prepare annual reports which are tabled in Parliament and made public, the Information Commissioner's report includes "report cards" on government organizations' performance in their responses to access requests under the ATI Act. The Commissioner essentially looks at compliance with the thirty day standard for responses as established by the Act and the attending regulations. Based on the Commissioner's yardstick, FAC and ITCan have not been faring well in terms of compliance. In his most recent Annual Report to Parliament, the Information Commissioner gave DFAIT a "D" rating for its "below standard compliance" with the ATI Act's deadlines in fiscal year 2003/2004. In his reply to the Commissioner's report card, the Deputy Minister undertook to have an independent study conducted of the Department's delivery and performance under the Act.

Since 1999, DFAIT (and its successor departments) and the ATIP function have been the subject of scrutiny by the Office of the Information Commissioner. The OIC has since been reporting annually on DFAIT and the access requests in a deemed-refusal situation. Over the past 4 years, DFAIT has progressed from grade F to grade B in 2002. In 2003, DFAIT had regressed to grade D, due to staff changes and shortages, and a number of complex requests.

Top of page

3. Description of the ATIP Function

3.1 Purpose and Objectives

The purpose of the ATIP function at FAC and ITCan is to fulfill the requirements of the applicable laws and government policies. In particular, the ATIP Office provides a service to Canadians on behalf of FAC and ITCan, in both Official Languages, by responding to requests for information under the Access to Information Act and the Privacy Act.

ATIP Office (DCP) employees work with requesters to ensure that they understand how best to obtain records which are held by FAC and ITCan and how the Acts are implemented. In addition, DCP employees ensure that a description of the personal information and program records that are held within the Departments are available in the TBS publication InfoSource which is updated annually. Moreover, DCP must provide annual reports to TBS on the administration of both Acts in FAC and ITCan.

DCP also reviews Privacy Impact Assessments (PIAs) and offers advice on ATIP issues to public servants and to Canadians and residents of Canada. The ATIP Office is also responsible for screening departmental records prior to transfer to the National Archives.

3.2 Governance and Structure

The Director of the Access to Information and Privacy Protection Division (the ATIP Office of FAC and ITCan) has been delegated full authority to exercise the powers of the Access to Information Act and the Privacy Act. The ATIP Director reports to the Director General of the Executive Services Bureau. In addition to the ATIP Director, the Deputy Minister of Foreign Affairs, the Deputy Minister for International Trade, and the Director General of the Executive Services Bureau are also designated with full powers, and all Heads of Mission are designated to act under Section 8(2) of the Privacy Act.

In addition to the Director, the ATIP Office has a complement of one Deputy Director, Team Leaders, analysts and support staff, all of whom are dedicated to access, privacy and directly related issues on a full-time basis.

3.3 Resources

In September 2003, the ATIP Office was comprised of 11 FTEs. Since that time, one position has been created from the Operational funds and one FTE (a CR-4 position) was transferred from the Deputy Minister's Office (USS). At the present time, the ATIP Office is comprised of 14 positions and 13 FTEs, including the Director and the Deputy Director. One position (administrative support) is vacant. In addition to the 13 FTEs, there are two ATIP consultants and one consultant responsible for the screening of documents prior to sending them to Library and Archives Canada. The latter is a part-time job.

The Director oversees the whole operations of the ATIP Office, with particular attention to the Access to Information matters. The Deputy Director handles all operational matters and concentrates particularly on Privacy matters. There are two team leaders, six analysts dealing with ATIP matters, one office administrator and two administrative support personnel (one other position is vacant).

The Director has identified the immediate need for eight additional FTEs. This would include four positions to "support the ATIP processing of case files" as well as one Policy Analyst to "support the Privacy function, training and policy issues". In addition, the needs have been identified by the ATIP Office for one screening specialist and two systems support FTE to support the new ATIPImage software which the Office expects in the near future.

Top of page

3.4 Main Activities

The main activities of the ATIP Office are as follows:

  • Responding to requests under both the ATI and Privacy Acts.
  • Providing advice on access and privacy matters as well as coordinating and reviewing Privacy Impact Assessments.
  • Developing, co-ordinating and implementing effective policies, guidelines and procedures to manage the Departments' compliance with both Acts.
  • Monitoring departmental compliance with both Acts, accompanying regulations and relevant procedures and policies; all requests submitted to the Departments within Canada or at Canadian missions abroad are replied to by the ATIP Office in Ottawa.
  • Promoting awareness of both Acts through briefings and guidance to departmental units on compliance with the legislation.
  • Responding to requests for release of personal information to federal investigative agencies under Section 8(2)(e) of the Privacy Act.
  • Consulting with foreign governments, on behalf of other government departments, through Canadian posts abroad or resident foreign missions in Canada.
  • Handling requests by foreign governments regarding the declassification and disclosure of Canadian documents.
  • Undertaking of appropriate notification or consultation with third parties before considering disclosure of any commercial information.
  • Screening departmental records prior to transfer to the National Archives.

3.5 Processes

3.5.1 Access to Information and Privacy Requests

This section describes the most frequently used steps in the process of responding to access to information and privacy requests. In practice, many requests involve additional process steps which vary from one request to another.

New requests under the Access to Information Act or Privacy Act received at the ATIP Office are first registered. Then, the Office tries to identify what information is requested, whether the Departments have that information and, if so, where it is located. After those steps, the Office contacts the Office of Primary Interest (OPI) which has the documents requested and asks that division or bureau to prepare a package.

The ATIP Office works closely with the OPI in order to determine what can or cannot be released. After discussions, both sides reach an understanding. DCP approves a "Proposed Release Package" which it sends to the OPI for final approval. In many instances, more than one OPI is involved. There are also possible consultations with missions abroad, with other departments or with organizations outside of government.

This process is iterative, involves several different sectors inside and outside of the Departments and can be protracted. In order to respect the requirements under the Acts, the whole process has to be completed within thirty days, unless an extension has been granted.

3.5.2 Privacy Impact Assessments

Institutions are responsible for demonstrating that their collection, use and disclosure of personal information respect the Privacy Act and fair information handling principles throughout the initiation, analysis, design, development, implementation and post-implementation review phases of their program and service delivery activities. Institutions are also responsible for communicating to Canadians the reasons why their personal information is being collected and how it will be used and disclosed. This is being done by preparing Privacy Notice Statements. In addition, institutions are responsible for updating the Treasury Board Secretariat's InfoSource publications which is the directory of government information holdings.

Privacy Impact Assessments (PIA) provide a framework to ensure that privacy is considered throughout the design or re-design of programs or services. The conduct of Privacy Impact Assessments is a shared management responsibility. The ATIP Office, in the name of the Deputy Minister, is accountable for determining if a PIA is required and then to review its content and completion for transmission to the Privacy Commissioner of Canada.

While relatively few PIAs have been conducted within DFAIT, FAC and ITCan since the Policy's inception in May 2002, several PIAs are currently underway. PIAs are processed for the Deputy Minister's approval by the Deputy Director of the ATIP Office. The ATIP Office is responsible for access to information and privacy issues concerning the Passport Office and, in this regard, the ATIP Office has participated in the development of PIAs for the Facial Recognition project and the Birth Certificate Verification project with the British Columbia Vital Statistics Agency (including the Sharing Agreement with that agency).

3.5.3 Screening Records

Another aspect of the work currently undertaken by the ATIP Office is the screening of departmental records prior to sending them to Library and Archives Canada (LAC). The process involves analyzing records to identify which ones should be reviewed by FAC or ITCan before being released to LAC, and making recommendations on records that are so identified and that are the subject of a request to LAC under Access to Information. To accomplish those tasks, FAC has hired under contract a former ambassador.

FAC is one of a handful of departments that undertake this type of review, along with Transport Canada, Fisheries and Oceans and the RCMP. The records review prior to sending them to LAC is considered a best practice within Records Management and ATIP programs of the Government of Canada that recoups the cost involved many times over by:

  1. Reducing the cost to review the large volume of records that would have to be reviewed in response to ATI requests of FAC and ITCan records at LAC to that related to only those records that are "flagged";
  2. Reducing the number of ATI requests by making more information available to Canadians without using an ATI request; and
  3. Mitigating the risk of releasing information that may be damaging to Canada's interests (for example, Canada's negotiating position in trade talks).
3.5.4 Historical Section - Informal Access Program

This program provides an avenue for academics and serious researchers who seek access to records held by FAC in order to carry out their work. The Communications Bureau (BCD) is responsible for this program. With the assistance of departmental divisions, access to records held by the Department is expedited outside the formal framework of the Access to Information Act while ensuring that sensitive information remains protected. Advice on disclosure on the part of the ATIP Office is mainly provided by the one consultant responsible for the screening of documents prior to sending them to Library and Archives Canada.

3.5.5 Internal Requests for Advice

The ATIP Office also acts as a resource for FAC and ITCan divisions and offers advice and guidance on the provisions of the ATIP legislation and related TBS policies. Those requests for advice deal with departmental issues relating to a range of matters from surveys, questionnaires, memoranda of understanding, information sharing arrangements, records management, data bases, contracts, privacy caveats and human resources issues. The number of those types of requests has more than doubled in 2004-2005 compared to the previous fiscal year.

Top of page

3.6 Workload

In 2003-2004, DFAIT received 527 requests and 568 consultations under the Access to Information Act. In addition, the Department received 148 new Privacy requests during the same period. The table below shows the volume of those requests and consultations received by DFAIT (and subsequently FAC and ITCan) since 1998-1999.

DFAIT - ATIP Requests and Consultations and Internal Requests for Advice, 1998-1999 to 2003-2004
 98/9999/0000/0101/0202/0303/04
FAC/ITCan
04/05
FAC/ITCan
ATI Requests386561437496529490/37226/41*
ATI Consultations263332421526540562/6313/55*
Privacy Requests6176118109120148/0126/1*
Privacy Consultations1079271933/025/0*
Investigative Bodies125102177138174246149/0*
Internal Consultations-----50/6110/5*
Complaints568697485561/125/4*
Number of pages processed1,6 M**123K153K165K153K169K50K*

* First nine months of 2004-2005

** Volume increase due to an ATI request on softwood lumber

While the numbers are showing an upward trend, especially for consultations and privacy requests, they do not provide a complete story of the evolution of the workload for the ATIP Office. In recent years, a few consular cases have given rise to requests under the Access to Information Act that have put a very heavy burden not only on the ATIP Office but also on other divisions in the Department.

4. Findings

4.1 Rationale and ATIP Foundations

The Access to Information Act and the Privacy Act impose on federal departments and agencies a number of obligations concerning the access to information on the part of Canadian citizens and the protection of personal information. In FAC and ITCan, the responsibility to implement both acts has been devolved by the Deputy Ministers to the Access to Information and Privacy (ATIP) Office.

The delivery of the ATI and Privacy functions is mandatory and compliance with regulations and policies is of high importance for Canadians, Parliamentarians and the Departments. Given that the Departments cannot control the inputs nor reduce the quality of the outputs or the deadlines, the only way to deliver these functions well is to embed their requirements into the organization's culture and to ensure that those entrusted with the delivery have the tools and resources to operate efficiently. The importance of the ATIP function makes it one of the intrinsic priorities of FAC and ITCan.

Top of page

4.2 Effectiveness

In the case of the ATIP programs at FAC and ITCan, measuring effectiveness has to be done using proxies. One indicator of effectiveness or success of the Access to Information function is the annual Report Card result handed out every year by the Information Commissioner. By all accounts, this is a simple yet effective indicator whose only measure relates to the percentage of access to information requests that have not been answered in the 30 day period allowed under the Act. After moving up from a F in 2000-01 to a D in 2001-02 and a B in 2002-03, DFAIT fell back to a D in 2003-04. That led the Deputy Minister, in his response to the Information Commissioner's Report Card, to state that this level of performance was unacceptable and that measures would be taken to improve the department's rating.

There are a number of factors that have a bearing on the effectiveness of the ATIP function, especially on the handling of the access to information requests, in FAC and ITCan. While not detracting from the need to improve the performance in the eyes of the Information Commissioner, they provide a partial explanation for the Departments' performance and possible indications of where improvements might be sought.

With regard to privacy protection, there have been relatively few Privacy Impact Assessments (PIAs) conducted within FAC and ITCan (and previously in DFAIT). Several are presently underway but facing delays by DCP. DFAIT, via the Passport Office, processed one of the most sensitive PIAs within the Government of Canada, one that dealt with the proposal to incorporate facial recognition technology based upon Canadian passport photographs.

The small number of PIAs being conducted in the departments appears to be related to a lack of resources dedicated to that aspect of the program. There are also delays in providing advice in various privacy matters. There are also no resources to update InfoSource and a serious lack of compliance with TBS InfoSource requirements.

Unless more attention and resources are put into this, the departments could be put at risk of mishandling sensitive personal information or data and of repetitively running afoul of the Access to Information Act and Privacy Act obligations imposed by TBS.

4.2.1 Consultations with Foreign Governments

Due to the international role of FAC and ITCan, the Departments face special challenges in the administration of the ATIP legislation as a possible result of the impact of the release of information provided in confidence by provincial governments, Canadian businesses and international organizations. Undertaking consultations in Canada is relatively straightforward. However, consultations with foreign governments can be much more complex for two reasons: few foreign governments require the same level of transparency as the ATI Act imposes and among those that have similar laws, those laws often reflect significantly different interests. Moreover, foreign governments are under no obligation to comply with the deadlines imposed by the ATI Act. The consequence is that those consultations consume a large amount of time and resources. As those consultation requests originating from other federal departments and agencies are increasing, this kind of pressure on ATIP Office's resources will also keep increasing. Dealing with those consultations already consumes almost half of the Office's resources.

4.2.2 Information Management

The current status of information management at FAC and ITCan is problematic. Information is decentralized, fragmented and spread over branches at headquarters and missions overseas. Also, that information is held mostly in paper format. It can cause OPIs and DCP to spend a significant amount of time looking for requested records. In addition, the current situation does not enable the Departments to demonstrate that they are providing all or most of the requested records.

The problem is caused in part by a combination of factors. The Departments operate mostly in a hard copy environment, with paper documents put in files. At the same time, because of the fact that many of the officers in OPIs are rotational, there is a lack of corporate memory at the division level, making retrieval of information even more difficult.

Good information management is essential to the efficient and effective delivery of the ATIP programs in any department. FAC and ITCan, like many other government institutions, are facing significant challenges implementing their Electronic Records and Document Management Solution. This major project, called InfoBank, and which is set to roll out, will give a major boost to the ability of OPIs to find requested information quickly and will significantly reduce the amount of information that is lost using the current systems. However, based upon the experience at other departments, InfoBank will also cause OPIs and DCP to spend more time reviewing a larger volume of records. On the positive side, InfoBank will have the capacity to maintain a severed copy of a record for future reuse by the OPI without needing to access the DCP records.

While the rotational nature of a good portion of the Departments is a given, information management would be improved through the deployment of some new technologies and systems, as discussed in the section 4.3.2 on "equipment and technology".

4.2.3 Organizational Culture

Delivering the ATIP programs is inherently frustrating to managers in the public service due to their lack of control and wide fluctuation in the amount of work involved in responding to ATIP requests against fixed deadlines. Managers expressed their exasperation with some requests that they perceive offer relatively little of value in relation to the large amount of work required to provide the response to the requester (for example, one request was for all documents with the word 'beef' in them).

The level of awareness and knowledge by employees of FAC and ITCan of the ATIP programs is similar to that found in other departments. In fact, there are generally two levels: a good level of understanding on the part of those employees who respond to a high volume of requests and a limited understanding by those who process relatively few requests. The frustrations felt by each of these groups at FAC and ITCan are quite different. Those with relatively few requests were satisfied with the level of support they receive from DCP while those who have to deal frequently with requests are more critical. This latter group expressed a desire for DCP staff to clarify requests, which would allow them to focus their efforts on relatively higher value work.

Another cultural aspect is, as described by the Information Commissioner, the tendency for public servants to be secretive. Based upon interviews with employees of the Departments, this characterization is more likely the result of their efforts to mitigate the risks involved with releasing information under the ATIP programs. Those risks are weighed against the risk of being perceived as secretive. This is particularly applicable at FAC, where employees are trained to consider the larger considerations of their actions, including the signals made by their actions. The other aspect of FAC culture that contributes to this perception is the reported tendency for employees to classify documents higher than necessary.

One way to mitigate the risk of an overly secretive bureaucracy would be to provide more widespread training and information sessions for employees. This awareness training could include general information (possibly made available on line), and the application of the sections of the Acts that are likely to be required at each employee's level or area of work.

4.2.4 Screening of Records

As stated before, the screening of records prior to sending them to Library and Archives Canada is a best practice within the federal government. Currently, this function within the ATIP Office is handled by a former ambassador hired on contract. While this arrangement appears to be working well, it remains that this function has the status of an "add-on" to what are considered the main functions of the Office.

By virtue of the type of work involved and the potential risks encountered, this function belongs properly within the ATIP Office at FAC. It needs, however, to be recognized officially as part of the overall ATIP function and, accordingly, provided with the proper permanent resources.

Top of page

4.3 Efficiency

A number of factors have an effect on the efficiency of delivery of the ATIP programs at FAC and ITCan. They include process, equipment and technology, and human resources.

4.3.1 Processes

The steps in the process to respond to a typical ATIP request were described in a previous section of this report. However, the description does not include the large number of other process steps that are not frequently encountered. By and large, the process steps are similar to those of other departments and agencies, with the following notable differences:

  • The ATIP Office goes back to the OPI for final approval of the proposed release package. This extra step is not a common practice; and
  • The amount of effort dedicated to consultations is significantly greater for DCP, due to the fact that consultations are with other governments.

The final OPI approval process involves the OPI collecting and forwarding all the records that may be covered by an ATI or Privacy request to DCP, where an ATIP analyst prepares a proposed release package. The proposed release package is returned to the OPI for their approval regarding its release.

This process was instituted to improve the speed of preparing relevant records to ATI requests. This additional step reportedly accomplished this objective and also reduced the risk of errors. However, it did not alleviate the workload either on OPIs nor on the DCP employees; indeed, this initiative likely increased their workload.

The more common practice in other departments is to expect each OPI to prepare the justification for not releasing any record or part of a record in accordance with the ATI Act or the Privacy Act at the time that relevant records are provided to DCP.

Branches that have frequent ATIP requests could be encouraged to reduce the workload on the ATIP Office by preparing the justification for any severances as they put together the initial package, particularly where requests are relatively straightforward.

4.3.2 Equipment and Technology

The technology used by the ATIP Office for registration and tracking is ATIPFlow. This is the standard registration and tracking tool for ATIP coordinators in the Government of Canada and it is considered a good product.

On the processing side, currently, DCP uses a manual/paper review and redaction process. The process of responding to requests relies heavily on the use of colour photocopying. One current problem is that the office has to rely on an old machine which is prone to breaking down and for which replacement parts are not readily available, thereby causing significant delays.

ATIPImage, if purchased by DCP, would allow ATIP officers to electronically highlight in different colours what is being severed and why, what are the OPI's recommendations, the ATI officer's agreed severances and those upon which the OPI and ATIP Office disagree. ATIPImage would process all the text that needs to be scanned. The Advanced version of ATIPImage includes some additional desirable functionality, such as improved security features. Our understanding is that the ATIP Office is presently making a business case for the purchase of ATIPImage Advanced. Such a system would improve the process in that there would be a lot less document management and much more electronic records management which would save time, photocopying and filing space. It should also improve morale in the ATIP Office by increasing the office's efficiency and effectiveness. (Other departments have found that ATIPImage improved their effectiveness by 10 to 15 percent).

Another real technology improvement for the processing of ATIP requests in the Departments would come from the introduction of InfoBank. Our understanding is that this software is due to be introduced in the Departments in the next few months. That technology holds the promise of significantly improving the efficiency of the OPIs and of DCP staff through the ability to quickly find and track all documents relevant to a particular ATIP request. One additional expected outcome from that technology is that the level of assurance that all the information was found would be significantly increased.

Based on the specifications of the software and on the experience of other federal departments and agencies, the acquisition of ATIPImage Advanced and, subsequently, InfoBank, would make a significant contribution to the efficiency of the ATIP function in FAC and ITCan.

4.3.3 Human Resources

Over the last year, staffing in the ATIP Office amounted to 11 full-time equivalents, plus the Director and the Deputy Director. In December 2003, the government announced the separation of the former Department of Foreign Affairs and International Trade (DFAIT) into Foreign Affairs Canada (FAC) and International Trade Canada (ITCan). However, the ATIP Office continues, for the moment, to process requests for both FAC and ITCan until such time as ITCan can fully accommodate and integrate this function within its operations.

FAC received 490 new access to information requests in 2003-2004. When added to the 213 requests carried forward from the previous fiscal year, this means that FAC was responsible for the processing of 713 requests during 2003-2004. The Department completed the processing of 575 requests, leaving 128 to be carried over to the next fiscal year, a significant improvement over the previous year. In addition, the Department received 562 consultation requests from other departments and other governments during 2003-2004. For its part, ITCan received 37 Access to Information requests in 2003-2004, 6 ATI consultations and no Privacy request.

According to the Treasury Board cost study in 2000, the annual increase in the number of ATI requests is 8% and the cost increase to process them is 7%. Those are the best indicators of future demand and cost increases for large departments such as FAC. In addition, the Treasury Board report forecasts that the number of privacy requests would increase by an average of 10% annually. The complexity of the requests is reportedly increasing, thereby increasing the time needed to process them. However, this factor is not easily quantifiable.

It is worth noting as well that TBS has not assessed the demand resulting from the introduction of the PIA policy in 2002. Moreover, TBS has not provided any increase in financial support to implement that policy requirement.

Based on the last three complete fiscal years, the average number of access to information requests received per ATIP employee at FAC is close to 50, well above most comparable departments. This has a bearing on the Department's capacity to comply with the time lines imposed by the Access to Information Act and as reflected in the Information Commissioner's Report Card.

As mentioned in a previous section of this report, the introduction in FAC of new technologies is likely to improve performance. However, as also noted above, that improvement has its limits and would not suffice to push the Department beyond the threshold of compliance, as measured by the Information Commissioner.

Beyond technological improvements, the ATIP Office could only improve its performance in terms of compliance with the required time lines with additional personnel. This is compounded by the additional need for more resources to provide an adequate amount of ATIP training, both within the ATIP Office and throughout the departments This increase in human resources should also be accompanied by the provision of sufficient space to also take into account the need for a secure work environment and adequate file storage.

Top of page

4.4 Lessons Learned

The Commissioner's grading system is simple for the general public to understand and it is based upon the deadlines set out in the ATI Act. While some people interviewed noted the drawbacks of that system (for example, it does not take into account the complexity of the requests received) and expressed their opinion that the Treasury Board should report on the departments' performance instead of the Information Commissioner, the grading system is unlikely to change significantly in the short or medium term. Consequently, FAC and ITCan must continue to expect that their performance will be measured in terms of the Commissioner's annual grading system, with the accompanying public attention that it commands.

Another lesson learned from other departments, notably Health Canada and Fisheries and Oceans, is that the number of ATI requests can be reduced by providing more information on the Departmental web sites. All departments do provide more information by proactively disclosing contract information, travel information and reclassifications, but FAC and ITCan could improve in this area by posting documents of significant interest, as measured by the number of similar requests, which is issue-specific.

5. Passport Office

5.1 Current Situation

The Passport Office is a Special Operating Agency (SOA) whose Chief Executive Officer reports to the Deputy Minister at FAC. The Passport Office is responsible for the issuing, revoking, withholding, recovery and use of Canadian passports. It is responsible for one or the largest personal information banks of the federal government, containing personal information about fifteen million Canadians. In addition, it provides guidance to missions issuing passports abroad and supervises all matters relating to Canadian travel documents. Although the Passport Office is a Special Operating Agency, the head of the institution as defined under the Acts is the Minister of Foreign Affairs.

From the point of view of the ATIP function, the FAC ATIP Office is responsible for the Passport Office, although, because of the latter's very specific responsibilities and physical separation from FAC, its relations with the ATIP Office are different from those of other OPIs. The focus on passports is reflected in the Agency's organizational culture which is probably closer to a small manufacturer than FAC's culture.

During fiscal year 2003-2004, with regard to the Passport Office, DCP responded to 23 ATI requests and 12 consultations under the Act. In addition, DCP received a number of privacy requests as well as 246 requests from investigative bodies. The other major effort during the past year was conducting Privacy Impact Assessments (PIAs) of the major crown projects at the Passport Office, which involved addressing a number of significant privacy risks (eg. facial recognition technology).

ATI and privacy requests concerning the Passport Office are dealt with by DCP in the same manner as those concerning other divisions within FAC and ITCan.

In his annual report, the Passport Office Ombudsman, in his role as the ATIP contact, identified several concerns about ATIP matters. Those issues include a lack of expertise in the Passport Office on the ATI and privacy issues, the lack of sufficient resources in DCP with the depth of experience in Passport Office's environment and requirements and the physical separation between the Agency and FAC.

In the course of an interview with the Ombudsman at the Passport Office, the following issues and risks were raised:

  • Some managers do not perceive ATIP as part of their role and have stated that they do not have the resources to undertake this work;
  • Documents are not screened prior to being sent to Library and Archives Canada;
  • The costs incurred due to the lack of support from DCP were significant over the past year;
  • The ATI contact does not have access to the information in ATIP Flow and therefore keeps a spreadsheet of the progress of requests.

Many of the same concerns are common to most OPIs within FAC and ITCan.

Top of page

5.2 Options

Faced with the issues described above, three possible options are proposed for the ATIP function at the Passport Office:

  • Maintain the status quo;
  • Make improvements to the status quo; and
  • Create a new ATIP Coordinator position and patriate the function at the Passport Office.

The advantages and disadvantages of each option are described below.

The status quo is effective, judging by the fact that the Passport Office regularly meets its deadlines for providing relevant records to DCP and that the quality of the suggested exclusions and exemptions is acceptable. In addition, the cost to provide the service is the lowest of the three options since it does not involve any additional capital or operational costs. However, this option does not address the issues and risks reported above and there is a continuing risk posed by the lack of awareness and capability to comply with the Acts.

The option of 'status quo plus' could involve a variety of measures, such as increased training to Passport Office employees about the two Acts, providing an additional resource under DCP (possibly paid for by the Passport Office), and/or installing ATIP Console on the ATIP contact's computer to enable that individual to keep track of requests and their status.

Advantages of this option would include improving program delivery, reducing the risk of undue release of information, improving tracking of requests. Among the disadvantages would be extra costs for both additional training and hiring of a new resource without really addressing the issue of physical and cultural separation between the Agency and FAC.

The option of creating a new ATIP Coordinator position at the Passport Office would provide an excellent level of awareness in and service to the Passport Office but add significantly to the Agency's costs related to the ATIP function.

In view of the issues stemming from the current way of DCP delivering the ATIP function for the Passport Office, the status quo is not a viable option. The choice between making improvements to the status quo and creating a new ATIP Coordinator position (and Office) at the Passport Office depends on broader decisions concerning the status of the Agency vis-à-vis FAC. Either one of these two options would go a long way in addressing current issues and risks but at some financial costs.

6. Elements of Risk

There are a number of risks of various types inherent to the ATIP function at FAC and ITCan. Following is a list of such potential risks:

  • The risk of not complying with the requirements of the Acts and thereby providing an inferior level of service to Canadians, which often results in complaints being filed with the Information and Privacy Commissioners of Canada and at times Federal Court action.
  • The risk of not assessing in a timely manner the privacy implications of new projects.
  • The risk of receiving repeated negative Report Cards from the Information Commissioner and of being declared non-compliant with the Access to Information Act, with all the negative publicity that this entails.
  • Another kind of risk is that of releasing, in response to an ATIP request, sensitive information which should have been excluded (e.g., consular, political and national security matters). This could happen by mistake when the ATIP Office staff is overworked.
  • The risk that overworked ATIP Office staff will become sick or seek employment somewhere else.
  • The risk that there will not be adequate succession planning with regard to the screening function (for documents being transferred to LAC).

Top of page

7. Conclusions and Recommendations

The following conclusions and recommendations flow directly from the findings reported and described above.

Organizational Culture
  1. One way to mitigate the risk of an overly secretive bureaucracy would be to provide more widespread training and information sessions for employees. This awareness training could include general information (possibly made available on line), and the application of the sections of the Acts that are likely to be required at each employee's level or area of work.

    Management Response

    Access to information and Privacy Protection Division (DCP) will develop a permanent and structured ATIP Awareness Program for departmental employees, in both official languages. The development and delivery of this Awareness Program will take place in fiscal year 2005/2006 with full implementation in fiscal year 2006/2007.

    Starting in 2005/2006, the Deputy Minister will reinforce, at senior management level, the department's obligation to meet ATIP legislative requirements and confirm a departmental commitment to maintain and build on substantial compliance. This reinforcement will be done on yearly basis.

    Processes

  2. Branches that have frequent ATIP requests could be encouraged to reduce the workload on the ATIP Office by preparing the justification for any severances as they put together the initial package, particularly where requests are relatively straightforward.

    Management Response

    DCP will discontinue the current practice of first gathering the relevant records from the Divisions, then going back to them a second time to seek their confirmation of the proposed exemptions. The Division will adopt a new process to obtain relevant records from the Divisions along with their comments on the perceived sensitivities of disclosing these particular records, thus eliminating a return visit to staff/subject experts. This new process will be implemented in fiscal year 2005/2006, and the monitoring of results will take place by the end of the fiscal year 2005/2006.

    Screening Records

  3. Screening records prior to sending them to Library and Archives Canada is only done by a few departments, however, it is considered a best practice among ATIP programs within the Government of Canada. By virtue of the type of work involved and the potential risks encountered, it belongs properly within the ATIP Office at FAC. It should, however, be recognized officially as part of the overall ATIP function and, accordingly, provided with the proper permanent resources.

    Management Response

    A Business Plan was developed outlining the rational for incremental Resources. Once approved the additional incremental FTEs will help build a permanent and sustained screening capacity within the DCP. A detailed three (3) year action plan will be developed in consultation with Chief Information Officer (SXD) and the Historical Section (BCPH) of the Outreach Programs and E-Communications Division (BCP) in fiscal year 2006/2007. Results will be monitored at the end of each fiscal year.

    Information Management

  4. The current ATIP program delivery process in FAC and ITCan is heavily dependent upon paper files which are not always readily accessible when needed. In addition, the rotational nature of a large portion of the Departments means that there is a lack of corporate memory relating to previous ATIP requests and to the content of the relevant files. While the rotational nature of a large part of both Departments will remain, it is possible to improve, in part through new technology, the management of the information contained in departmental divisions.

    Management Response

    DCP will participate in Information Management Strategies such as the implementation of InfoBank by Integrated Information Management Services (SXKI). The Division will also negotiate a service level agreement with Chief Information Officer (SXD). This will be done within fiscal year 2005/2006.

    Equipment and Technology

  5. Based on the specifications of the software and on the experience of other federal departments and agencies, the acquisition of ATIPImage Advanced and, subsequently, InfoBank, would make a significant contribution to the efficiency of the ATIP function in FAC and ITCan.

    Management Response

    DCP will implement the ATIP Image software application, which DCP purchased. The software will be fully operational by the end of fiscal year 2005/2006.

    Human Resources

  6. Beyond technological improvements, the ATIP Office could only improve the performance in terms of compliance with the required time lines with additional personnel. This is compounded by the additional need for more resources to provide an adequate amount of ATIP training, both within the ATIP Office and throughout the department. This increase in human resources should be accompanied by the provision of sufficient accommodation space to also take into account the need for a secure work environment and adequate file storage.

    Management Response

    Senior Management approved 15 additional resources and the DCP Organizational Plan. DCP will develop Human Resource and Staffing Plan in order to staff 10 new FTEs in fiscal year 2005/2006 and 5 FTEs in fiscal year 2006/2007.

    DCP will move to larger and more suitable accommodations within headquarters. In fiscal year 2005/2006, it will locate part of its staff in temporary additional accommodations, with the intention to move all of its staff to one common work area within headquarters in fiscal year 2006/2007.

    DCP will develop and implement a structured Staff Training Program for existing and new employees of the division by the Fall 2005.

    Passport Office

  7. In view of the issues stemming from the current way of delivering the ATIP function at the Passport Office, the status quo is not a viable option. The choice between making improvements to the status quo (i.e. FAC delivering the function) and creating a new ATIP Coordinator position (and Office) at the Passport Office depends on broader decisions concerning the status of the Agency vis-à-vis FAC. Either one of these two options would go a long way in addressing current issues and risks but at some financial costs.

    Management Response

    DCP will develop a proposal in collaboration with Passport Canada on options for the administration of all requirements under both the Access to Information Act and the Privacy Act.

    This will be done in fiscal year 2005/2006.

Office of the Inspector General

* If you require a plug-in or a third-party software to view this file, please visit the alternative formats section of our help page.

Footer

Date Modified:
2012-10-16