2019-2020 Annual Report to Parliament on the administration of the Privacy Act

1. Introduction

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

This annual report was prepared and submitted in accordance with section 72 of the Privacy Act and covers the period from April 1, 2019 to March 31, 2020.

2. Mandate of the Office of the Superintendent of Financial Institutions (OSFI)

Under its legislation, OSFI's mandate is:

Fostering sound risk management and governance practices

OSFI advances a regulatory framework designed to control and manage risk.

Supervision and early intervention

OSFI supervises federally regulated financial institutions and pension plans to determine whether they are in sound financial condition and meeting regulatory and supervisory requirements.

OSFI promptly advises financial institutions and pension plans if there are material deficiencies, and takes corrective measures or requires that they be taken to expeditiously address the situation.

Environmental scanning linked to safety and soundness of financial institutions

OSFI monitors and evaluates system-wide or sectoral developments that may have a negative impact on the financial condition of federally regulated financial institutions.

Taking a balanced approach

OSFI acts to protect the rights and interests of depositors, policyholders, financial institution creditors and pension plan beneficiaries while having due regard for the need to allow financial institutions to compete effectively and take reasonable risks.

OSFI recognizes that management, boards of directors and pension plan administrators are ultimately responsible for risk decisions, that financial institutions can fail, and pension plans can experience financial difficulties resulting in the loss of benefits.

In fulfilling its mandate, OSFI supports the government's objective of contributing to public confidence in the Canadian financial system.

The Office of the Chief Actuary is an independent unit within OSFI that provides a range of actuarial valuation and advisory services to the Government of Canada. In conducting its work, the OCA plays a vital and independent role towards a financially sound and sustainable Canadian public retirement income system.

3. Strategic Outcomes

Primary to OSFI's mandate and central to its contribution to Canada's financial system are two strategic outcomes:

1. A safe and sound Canadian financial system
2. A financially sound and sustainable Canadian public retirement income system.

For the purposes of the Privacy Act, the head of OSFI is the Superintendent and the responsible minister is the Minister of Finance.

4. Administration of the Privacy Act

4.1 Access to Information and Privacy (ATIP) Unit

The Access to Information and Privacy (ATIP) Unit is part of the Enterprise Information Management (EIM) directorate within the Information Management/Information Technology (IM/IT) Division. The unit is responsible for administering the Act for the Office of the Superintendent of Financial Institutions. As such, the ATIP unit coordinates the timely processing of requests under the legislation, handles complaints lodged with the Privacy Commissioner, and responds to informal inquiries. The ATIP unit also provides advice and guidance to Office staff on matters involving the Act.

The Manager, Privacy and Access to Information reports to the Director, EIM and is supported by an ATIP Officer and a Junior ATIP Officer. In 2018-2019, due to the increased demand for privacy impact assessments and privacy protocols for the use of personal information for a non-administrative purpose, OSFI created and staffed the Manager, Privacy position. This position is dedicated to overseeing the administration of the Privacy Act, Regulations and related policies as well as providing input and support to IM/IT projects and to ensure EIM considerations (e.g. Privacy, Information lifecycle management) are suitably addressed. Staffing is currently underway to hire a Privacy Officer to support this role. The ATIP unit also relied upon the support of contract resources.

4.2 Institutional changes to the administration of the Privacy Act

No significant institutional changes to the administration of the Privacy Act to report during this reporting period.

4.3 Education and Training

Training efforts over the last year have been focused on continued privacy awareness building with staff in service areas supporting project delivery in Information Management/Information Technology, with Regulatory Data Governance, and within the Office's senior and operational governance committees. Training efforts also focused on ATIP awareness for all OSFI staff as part of an Information Management and ATIP awareness program. OSFI held four awareness sessions and a total of 50 employees attended.

4.4 Processing of Privacy Requests

All formal privacy requests are submitted to the Manager, Privacy and Access to Information, who reviews and assigns them to an ATIP Officer. The Officer requests the information from the appointed sectoral ATIP Liaison Officer(s) concerned. In gathering the material and subsequently reviewing it, the ATIP Office provides advice and direction to ensure that the provisions of the Act are respected.

Assembled material is reviewed by the ATIP Officer and the Manager, Privacy and Access to Information. The material and the recommendations pertaining to each request are then submitted to the program area for validation. Once agreed, the release package is submitted to the Assistant Superintendent, Corporate Services for review and approval.

Employees have the right to review their personal records at intervals specified in the various collective agreements. To exercise this right, an employee contacts the appropriate official in the Human Resources and Administration Division. The review of personal records is considered informal and no data on these requests is compiled. The employee, however, does have the option of submitting a formal request under the privacy legislation. Employees of the Human Resources and Administration Division are aware of the provisions of the Privacy Act as they relate to the use and disclosure of personal information.

​

4.5 Delegation of Authority

Delegation orders set out what powers, duties and functions for the administration of the Privacy Act have been delegated by the head of the institution and to whom. Administration of the Privacy Act at OSFI is the responsibility of the Superintendent. The authority to claim exemptions and to issue various statutory notices has been delegated to the Assistant Superintendent, Corporate Services. The authority to issue various statutory notices has also been delegated to the Director, Enterprise Information Management, the Manager, Privacy and Access to Information and the ATIP Coordinator.

4.6 Monitoring Compliance

The time taken to process personal information requests and requests for the correction of personal information is tracked in the ATIP tracking system. The ATIP caseload is reviewed monthly with the Director, EIM and the anticipated responses to privacy requests are ultimately reviewed and approved by the Assistant Superintendent, Corporate Services. Concerns are raised as appropriate throughout the lifecycle of the request and priority is given to fulfilling OSFI's statutory obligations.

4.7 Summary of significant changes to programs, operations, policies or procedures

In 2019-2020, an external consultant was engaged to perform a LEAN assessment of OSFI's ATIP processes. Several recommedations were subsequesntly made and are under consideration. The most significant of these recommendations was the establishment of the ATIP Liaison role. The ATIP Office has since developed and implemented the role of ATIP Liaison within each sector. The Liaisons facilitate the ATIP process by acting as subject matter experts (SME's) and as a single point of contact for their respective sectors.

OSFI's existing Information Management/Information Technology (IM/IT) polices and infrastructure allowed the organization to avoid any significant disruptions relating to the COVID-19 pandemic and have had little effect on OSFI's ability to fulfill its responsibilities under the Privacy Act. The planned review of current ATIP procedures and the selection/training of new ATIP Liaisons was accelerated to coincide with OSFI's work-from-anywhere posture. With the closure of OSFI's offices on March 13th, employees were no longer able to access paper files. Requests received by OSFI through the mail are retrieved by the Manager, Access to Information and Privacy on a weekly basis.

4.8 Reading room

In accordance with the Privacy Act, a public reading room is available in Ottawa. It is located at 255 Albert Street, on the 16^th floor. The reading room was not available to the public as of March 13^th 2020 due to necessary restrictions arising from the COVID-19 pandemic.

5. Interpretation of the Statistical Report

Part 1 – Requests under the Privacy Act

Due to the nature of OSFI's work regulating and supervising financial institutions and private pension plans under federal jurisdiction, much of the information in the Office's possession is third-party business information rather than personal information about individuals. The financial institutions and pension plans are OSFI's clients. As OSFI does not provide services directly to individuals, the volume of personal information collected by the Office is relatively small. This information is generally limited to employment records of current and previous OSFI employees and information about individual contract consultants at OSFI.

In 2019-2020, six new requests were received. Since the inception of the Privacy Act, July 1, 1983, OSFI has received 67 privacy requests.

Part 2 – Requests closed during the reporting period

The following table summarizes the actions taken with respect to the completed requests:

For the 6 requests received in 2019-2020:

• 2 were completed in less than 15 days;
• 1 was completed in 16 to 30 days; and
• 3 were completed in 31 to 60 days.

Exemptions

No exemptions were applied during the reporting period.

Exclusions

No exclusions were cited during the reporting period.

Format of information released

No information was released pursuant to a request under the Privacy Act during the reporting period.

Relevant pages processed and disclosed by size of requests

497 relevant pages were processed and 439 pages disclosed during the reporting period.

Other complexities

To complete the processing of the requests, 2 required consultations during this reporting period.

Deemed refusal

There were no deemed refusals during this reporting period.

Request for translation

No requests for translation were made during this reporting period.

Part 3 – Disclosures under Subsections 8(2) and 8(5)

No disclosures were made pursuant to subsections 8(2)(e), 8(2)(m) or 8(5) of the Privacy Act during this reporting period.

Part 4 – Request for correction of personal information and notations

No requests for correction of personal information and no notations were made during this reporting period.

Part 5 – Extensions

Additional 30 day extensions were required for 3 requests during this reporting period:

• 1 pursuant to s.15(a)(i) – Large volume of pages;
• 2 pursuant to s.15(a)(ii) – External consultations.

Part 6 – Consultations received from other government institutions and organizations

No consultations from other government institutions and organizations were received during the reporting period.

Part 7 – Completion time of consultations on Cabinet confidences

No consultations with respect to Cabinet confidences were required during the reporting period.

Part 8 – Resources related to the Privacy Act

The cost to administer the Act during this reporting period was $239,930.

6. Complaints and Investigations

OSFI did not receive any complaints pursuant to the Privacy Act during this reporting period.

7. Privacy Breaches

There were no material privacy breaches reported during the 2019-2020 fiscal year.

8. Appeals to the Federal Court of Canada

8.1 Major changes implemented as a result of concerns or issues raised by the Privacy Commissioner of Canada in her annual report to Parliament

The Privacy Commissioner of Canada did not raise any concerns or issues related to OSFI, therefore no major changes were implemented.

8.2 Major changes implemented as a result of concerns or issued raised by other agents of Parliament

No major changes were implemented by OSFI, as other agents of Parliament did not raise any concerns or issues.

8.3 Number of applications or appeals to the Federal Court or the Federal Court of Appeal during the fiscal year

There were no privacy related applications or appeals to the Federal Court or the Federal Court of Appeal during this fiscal year related to OSFI.

9. Completed Privacy Impacts Assessments

No privacy impact assessments (PIA) were completed in 2019-2020; however, OSFI did complete 4 privacy protocols for personal information being used for a non-administrative purpose.

APPENDIX A

Statistical Report on the Privacy Act

Name of institution: Office of the Superintendent of Financial Institutions

Reporting period: 2019-04-01 to 2020-03-31

Section 1: Requests Under the Privacy Act

1.1 Number of requests

Section 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

TBS/SCT 350-63

2.2 Exemptions

2.3 Exclusions

2.4 Format of information released

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

2.5.2 Relevant pages processed and disclosed by size of requests

2.5.3 Other complexities

2.6 Closed requests

2.6.1 Number of requests closed within legislated timelines

2.7 Deemed refusals

2.7.1 Reasons for not meeting legislated timelines

2.7.2 Requests closed beyond legislated timelines (including any extension taken)

2.8 Requests for translation

Section 3: Disclosures Under Subsections 8(2) and 8(5)

Section 4: Requests for Correction of Personal Information and Notations

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests

5.2 Length of extensions

Section 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

6.3 Recommendations and completion time for consultations received from other organizations

Section 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

7.2 Requests with Privy Council Office

Section 8: Complaints and Investigations Notices Received

Section 9: Privacy Impact Assessments (PIA) and Personal Information Banks (PIB)

9.1 Privacy Impact Assessments

9.2 Personal Information Banks

Section 10: Material Privacy Breaches

Section 11: Resources Related to the Privacy Act

11.1 Costs

11.2 Human Resources

Note: Enter values to two decimal places.

Supplemental Statistical Report on the Privacy Act

The following table reports the total number of formal requests received during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 4 – Requests Received

The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 5 – Requests Closed

The following table reports the total number of requests carried over during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 6 – Requests Carried Over

APPENDIX B

DESIGNATION / DÉLÉGATION

SCHEDULE 2

Designation Order - Privacy Act

Privacy Regulations