Annual Report on the Privacy Act 2019–2020

Annual Report on the Privacy Act 2019–2020 [PDF 4580 KB]

ISSN 2563-3104

Copyright/Permission to Reproduce

About the Canada Energy Regulator

The Canada Energy Regulator is the country’s new federal energy regulator established in the summer of 2019. It regulates pipelines, energy development and trade in the public interest with safety as its primary concern. The Minister of Natural Resources is responsible for this organization.

The Canada Energy Regulator (CER) was established by Parliament to regulate, among other things, the construction, operation and abandonment of pipelines that cross provincial or international borders; international power lines and designated interprovincial power lines; imports of natural gas and exports of crude oil, natural gas liquids, natural gas, refined petroleum products, and electricity; and oil and gas exploration and production activities in certain areas. The CER is also charged with providing timely, accurate and objective information and advice on energy matters.

For more information about the CER please visit our website.

The Privacy Act

The Privacy Act (the Act) gives individuals the right of access to information about themselves held by the federal government, with certain specific and limited exceptions. The Act protects an individual’s privacy by setting out provisions related to the collection, retention, use and disclosure of personal information.

In accordance with section 72 of the Act, the head of every federal institution is required to submit an Annual Report to Parliament on the administration of the Act following the close of each fiscal year. The Annual Reports are then tabled in Parliament pursuant to section 72 of the Act. This report describes how the Canada Energy Regulator fulfilled its privacy responsibilities during the fiscal year 2019–2020.

Tabling of the annual report

This annual report is prepared and is tabled in Parliament in accordance with section 72 of the Act.

1. Statistical Report and Interpretation

I. Requests received under Privacy Act

In 2019–2020, the CER received three requests under the Act. This is a similar number of requests received in the previous reporting period, increasing by only one.

• 
  Source and Description:

  Source:
  CER – Annual Report on the Privacy Act 2019–2020

  Description:
  This graph shows the number of requests received during reporting periods from 2014–15 to 2019–2020. The CER received two requests under the Act, a notable decrease as the CER received nine requests in the previous reporting period.

II. Costs

During 2019–2020, the CER Access to Information and Privacy (ATIP) Office incurred $22,750 in salary costs and $0 in goods and services costs to administer the Act.

With the similar number of requests from the previous year, the costs associated with privacy requests has remained stable.

During the COVID-19 pandemic work continued from home with minimal disruption and a slight increase in processing time.

See annex A for further statistical information.

2. Practices and procedures

I. CER Structure

Privacy requests at the CER are processed by the ATIP Office, which reports to the Vice President (VP), Data and Information Management, as the ATIP Coordinator.

Privacy requests are now received primarily through two channels; through the mail or the ATIP Online Request Service (AORS), which was established in late 2018. Requests received through the mail are logged into the CER’s records management system by the Information Management department and then forwarded to the ATIP Office.

The CER was among the first departments to onboard to the AORS. Two of the three privacy requests submitted in 2019–2020 were received via this new service.

As of the end of 2019–2020, the CER has 5 full-time employees, who allocate a portion of their time to activities related to the Act. This includes one Senior ATIP Officer, two ATIP Officers, an Administrative Assistant and a Director.

II. CER ATIP Training

Training was a significant area of focus for the CER’s ATIP Office this year.

In addition to promoting privacy awareness through in-person meetings, and online training, the ATIP Office also delivered a number of well-received internal presentations on ATIP as part of its training program.

During 2019–2020, the CER continued to require that all CER staff and contractors successfully pass the Access to Information and Privacy Fundamentals – I015 course offered by the Canadian School of Public Service (CSPS).

Training on the Access to Information Act and the Privacy Act was also offered by the ATIP Office which delivers both specialized training to respond to the needs of officers and clients, and general training to raise employees’ awareness of their responsibilities under these Acts. In this regard, the CER reviewed its ATIP training materials (i.e. tasking email, PowerPoint presentation, ATIP Tip Sheets, etc.) towards improving its training and communications with leadership and staff.

The ATIP Office anticipates that increased awareness of the Act amongst employees will improve their ability to collect records, help them better identify information for potential redaction, and enable them to better support the ATIP Office’s processing of requests. The ultimate goal being release packages that are responsive to requesters.

Training also focused heavily on employees’ obligations under the Privacy Act with respect to protection of personal information. This was a considerable focus area for the ATIP Office this year, in light of an uptick in privacy breaches. In this regard, the CER also reviewed its internal privacy breach procedures and practices to ensure staff are aware of their obligations in the event of a privacy breach. The CER has adopted TBS’ privacy breach management procedures, and utilizes the available suite of tools to assist in managing breaches.

For 2019–20, the ATIP Office is planning additional activities to raise awareness around ATIP and best practices, all towards improving the CER’s processing of requests. These activities will build on the previous “ATIP Tip of the Week” campaign, which started in 2016–17, where each week a new ATIP tip was posted on the screensavers of all CER staff. New screensaver tips have been developed and will be rolled out later this year. The CER looks forward to reporting on these activities in next year’s report.

The CER’s ATIP Officers received training by attending conferences/webinars offered by the Treasury Board‘s Information and Privacy Policy Department, as well as attending the Canadian Access and Privacy Association yearly conference held in Ottawa in November 2019. The ATIP Office also participated in this year’s Right to Know week.

III. CER Policies

Documentation and training materials on the
CER ATIP program are being updated and will be made available through the corporate intranet, along with links to other materials, such as the Acts, Treasury Board Secretariat policies and guidance documents, and a range of information management and guidance tools.

The CER adopted Treasury Board’s privacy breach management guidelines and is actively exploring opportunities to further integrate this approach into the processes. Other potential policy and process improvements are actively being explored that will support the ATIP Office in carrying out its mandate, and it is anticipated that several policies will be finalized over the next fiscal year. This includes drafting a not-as-yet approved policy on email management, as well as add-ons to the breach management policy.

The CER continued to examine its ATIP procedures this year. This was an effort to enable continuous improvement and to identify opportunities for efficiencies in processing access to information and privacy requests.

3. Delegation of authority

The Governor in Council has designated the NEB Chair and CEO with the authority to exercise the powers, duties and functions of the Act. The Chair and CEO had historically delegated this authority. With the change to the CER Act the delegated authority is now the CER CEO.

The ATIP Office is under the VP, Data and Information Management and authority has been permanently delegated.

This year, the Chair and CEO took steps to increase operational efficiency, improve the CER’s ability to respond to ATIP requests in a timely manner, and minimize disruption to the exercising of this authority. Under the current set of orders, there are three individuals that have been delegated full authority under the Act, instead of the previous one. They are: the VP, Data and Information Management (primary ATIP Coordinator), and the VP, Projects and Director, Access to Information and Privacy (alternate ATIP Coordinators). From an operational standpoint, granting this authority to three individuals ensures that files can be reviewed and signed-off without undue delay.

See annex B for a copy of the delegation orders.

4. Complaints and appeals to the Federal Court

During 2019–20, there were two complaints registered with the Office of the Privacy Commissioner. As always, the CER will continue to work closely with the Office of the Privacy Commissioner to resolve complaints in a timely and efficient manner.

No appeals were made to the Federal Court of Canada during 2019–20.

5. Privacy Impact Assessments

During the 2019–20 reporting period, no privacy impact assessments were completed.

The CER posts summaries of completed privacy impact assessments on its external website and forwards copies of completed assessment reports to the Office of the Privacy Commissioner.

6. Disclosure under paragraphs 8(2)(e) or (m) of the Privacy Act

The CER did not disclose any personal information under paragraphs 8(2)(e) or (m) of the Privacy Act.

7. Privacy breaches

There were eight privacy incidents reported to the ATIP Office during 2019–20. This is up from seven incidents in the prior year. These instances included five incidents where emails containing personal information (i.e. leave information, performance rating, and personal email) were either sent to the wrong address, were not received by the intended recipients, or were disclosed without proper authorization. One incident involved the temporary loss of a briefcase containing an emergency contact lists for CER employees with personal phone numbers. The briefcase was reported missing and returned. The final two incidents involved inappropriately secured documents in RDIMS.

In all instances, the ATIP Office applied the Treasury Board’s breach management procedures and worked with the relevant Office of Primary Interest and ATIP Coordinator to identify and implement administrative measures to mitigate the potential for future incidents (e.g. two-person verification of email addresses, ensuring emails sent to multiple recipients use the bcc line). Overall, these incidents have helped the CER improve its handling and classification of personal information, as well as its information management practices.

The CER’s ATIP Office has also made considerable effort to raise the level of awareness on our obligations to protect personal information. This heightened awareness is a likely contributor to the increased reporting. While we have room to improve, the CER is taking this as a considerable opportunity to further strengthen our collection, handling, storage, and transmission procedures around personal information. To this end, the ATIP Office is actively exploring ways to integrate Corporate Security requirements and information management practices towards a more comprehensive suite of training, training materials, and information products. The CER’s objective is to both minimize unauthorized disclosures and continually improve in our management of privacy breaches when they occur.

8. Compliance

The CER achieved a compliance rating of 0% for completed privacy requests closed within the legislated timeframe in 2019–20.

There were over 7500 documents to be reviewed in response to the three privacy requests received in 2019–20. This represented a 750% increase in volume over the 1079 pages processed in the previous fiscal year.

With regards to the timeliness of processing privacy requests, the ATIP Office regularly communicates progress updates to the ATIP Coordinator through the ATIP Director. The ATIP Director receives weekly updates from the ATIP Office regarding the status of all active requests, and has access to a central tracker that is updated on a regular basis to establish action items or flag upcoming due dates.

Annex A – Statistical Information

Name of institution: Canada Energy Regulator

Reporting period: 2019-04-01 to 2020-03-31

Section 1: Requests Under the Privacy Act

Section 2: Requests Closed During the Reporting Period

2.1 Disposition and completion time

2.2 Exemptions

2.3 Exclusions

2.4 Format of information released

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

2.5.2 Relevant pages processed and disclosed by size of requests

2.5.3 Other complexities

2.6 Closed requests

2.6.1 Number of requests closed within legislated timelines

2.7 Deemed refusals

2.7.1 Reasons for not meeting legislated timelines

2.7.2 Requests closed beyond legislated timelines (including any extension taken)

2.8 Requests for translation

Section 3: Disclosures Under Subsections 8(2) and 8(5)

Section 4: Requests for Correction of Personal Information and Notations

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests

5.2 Length of extensions

Section 6: Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other Government of Canada institutions and other organizations

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

6.3 Recommendations and completion time for consultations received from other organizations

Section 7: Completion Time of Consultations on Cabinet Confidences

7.1 Requests with Legal Services

7.2 Requests with Privy Council Office

Section 8: Complaints and Investigations Notices Received

Section 9: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIB)

9.1 Privacy Impact Assessments

9.2 Personal Information Banks

Section 10: Material Privacy Breaches

Section 11: Resources Related to the Privacy Act

11.1 Costs

11.2 Human Resources

Note: Enter values to two decimal places.

2019–2020 Supplemental Statistical Report – Requests affected by COVID-19 measures

In addition to completing the forms for the Statistical Reports on the ATIA and Privacy Act for 2019–20, institutions are asked to complete this Supplemental Report to help identify the impact of COVID-19 measures on institutional performance for 2019–20 and going forward. The data requirements are set out in the tables below.

Supplemental Statistical Report on the Privacy Act

The following table reports the total number of formal requests received during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 4 – Requests Received

The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 5 – Requests Closed

The following table reports the total number of requests carried over during two periods; 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31.

Table 6 – Requests Carried Over

Annex B – Delegation Orders

Delegation of Authority pursuant to the Access to Information Act and the Privacy Act

I, the Chair and CEO of the National Energy Board, pursuant to section 73 of the Access to Information Act^{Note 1} and section 73 of the Privacy Act^{Note 2}, hereby designate the persons holding the positions set out in the Delegation of Authority Schedule attached hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Chair and CEO of the National Energy Board under the provisions of the Acts and related regulations set out in the schedule opposite each position. This designation supersedes all previous delegation orders.

Dated at the City of Calgary, in the Province of Alberta, this 17^th day of December 2018.

______________________________
Peter Watson
Chair and CEO

Delegation of Authority Schedule

Delegation of Authority pursuant to the Access to Information Act and the Privacy Act

I, the Chair and CEO of the National Energy Board, pursuant to section 73 of the Access to Information Act^{Note 3} and section 73 of the Privacy Act^{Note 4}, hereby designate the persons holding the positions set out in the Delegation of Authority Schedule attached hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Chair and CEO of the National Energy Board under the provisions of the Acts and related regulations set out in the schedule opposite each position. This designation supersedes all previous delegation orders.

Dated at the City of Calgary, in the Province of Alberta, this 28^th day of August 2019.

______________________________
Peter Watson
Chair and CEO

Delegation of Authority Schedule

Date modified:

2023-11-27