Annual Report to Parliament on the Administration of the Privacy Act 2024-2025

Introduction

Purpose of the Privacy Act

The Privacy Act came into force on July 1, 1983. Its purpose is to protect the privacy of individuals by imposing obligations on government institutions subject to the Act. These obligations limit the collection, retention, use, disclosure and disposal of personal information held by these government institutions. It also gives individuals the right of access to their own personal information, with limited and specific exemptions, and the rights to request the correction of that information. Individuals who are not satisfied with an institution's handling of their personal information or any matter related to a formal request made under the PA are entitled to complain to the Privacy Commissioner of Canada.

Tabling of this Report

This report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the Minister of Public Safety. The report describes how Public Safety Canada (Public Safety) administered and fulfilled its obligations under the Act between April 1, 2024, and March 31, 2025.

Mandate of Public Safety

Public Safety was created in 2003 to ensure coordination across all federal departments and agencies responsible for national security and the safety of Canadians. Our mandate is to keep Canadians safe from a range of risks such as natural disasters, crime and terrorism. Our mission is to build a safe and resilient Canada. Our vision is to, through outstanding leadership, achieve a safe and secure Canada and strong and resilient communities.

Legislation governing the department sets out three essential roles:

1. Support the Minister's responsibility for all matters related to public safety and emergency management not assigned to another federal organization
2. Exercise leadership at the national level for national security and emergency preparedness; and
3. Support the Minister's responsibility for the coordination of entities within the Public Safety Portfolio

The Department's three core responsibilities are: national security, community safety and emergency management.

Non-Operational Subsidiaries and Non-Operational Institutions

This report is not intended to fulfil reporting requirements for any non-operational subsidiaries or any non-operational institutions.

Organizational Structure

Public Safety

During the 2024-2025 fiscal year, the department was organized into seven branches: Emergency Management and Programs, Crime Prevention, Portfolio Affairs and Communications, National and Cyber Security, Corporate Management, Firearms Compensation Program, and the Indigenous Affairs Secretariat. The department also has a Chief Audit and Evaluation Executive and is supported by the Legal Services Unit.

Five Regional Offices represent the Atlantic, Quebec and Nunavut, Ontario, Prairies and Northwest Territories, and British Columbia and Yukon. These offices are the primary point of contact for the department at the regional level. Our regional offices provide support to departmental policy, program and operational areas across the organization, delivering core programs at the regional level, providing regional input and perspective, and supporting the coordination of federal responses to emergency events. Their networks of partnerships with provincial and territorial officials, other federal departments and agencies, and diverse communities and stakeholders, are essential to the Department's work.

The Public Safety Portfolio: Partner Agencies and Review Bodies

The Canada Border Services Agency (CBSA) manages the nation's borders by enforcing Canadian laws governing trade and travel, as well as international agreements and conventions. CBSA facilitates legitimate cross-border traffic and supports economic development while stopping people and goods that pose a potential threat to Canada.

The Canadian Security Intelligence Service (CSIS) investigates and reports on activities that may pose a threat to the security of Canada. CSIS also provides security assessments, on request, to all federal departments and agencies.

The Correctional Service of Canada (CSC) helps protect society by encouraging offenders to become law-abiding citizens while exercising reasonable, safe, secure and humane control. CSC is responsible for managing offenders sentenced to two years or more in federal correctional institutions and under community supervision.

The Parole Board of Canada (PBC) is an independent body that grants, denies or revokes parole for inmates in federal prisons and provincial inmates in provinces without their own parole board. The PBC helps protect society by facilitating the timely reintegration of offenders into society as law-abiding citizens.

The Royal Canadian Mounted Police (RCMP) is Canada's national police service and is the police of jurisdiction for all provinces and territories except Ontario and Quebec. The RCMP works at the community, provincial, territorial and federal levels to prevent crime; enforce the law; investigate offences; keep Canadians, and their interests, safe and secure; and assist Canadians in emergency situations/incidents. The RCMP also offers expertise at the international level by providing specialized training for police officers; conducting international policing activities, including peacekeeping; and sharing intelligence with trusted partners to support investigations, as well as disrupt and dismantle criminal operations.

The Civilian Review and Complaints Commission for the Royal Canadian Mounted Police (CRCC) investigates complaints from the public about the conduct of members of the RCMP in an open, independent and objective manner. The Commission also holds public hearings and conducts research and policy development to improve the public complaints process.

The Office of the Correctional Investigator (OCI) conducts independent, thorough and timely investigations about issues related to the Correctional Service of Canada. The OCI may initiate an investigation based on a complaint from (or on behalf of) an offender, as the result of a ministerial request, or on its own initiative.

The RCMP External Review Committee (ERC) is an independent agency that promotes fair and equitable labour relations within the RCMP. The Committee conducts an independent review of appeals in disciplinary, discharge and demotion matters, as well as certain kinds of grievances.

The Access to Information and Privacy (ATIP) Office

The department's Access to Information and Privacy (ATIP) Office is responsible for the coordination and implementation of policies, guidelines, and procedures to ensure departmental compliance with the Access to Information Act as well as the Privacy Act. In keeping with the department's role to support the Minister in the coordination of entities within the Public Safety Portfolio, it also plays a leadership role with respect to ensuring alignment of approach with the ATIP Offices of other Public Safety Portfolio organizations, where appropriate.

The ATIP Office is housed within the department's Portfolio Affairs and Communications Branch, and is headed by the Director of ATIP and Executive Services, who is also responsible for Ministerial Correspondence and Secretariat Services. It is divided into two teams, the ATIP Operations Unit and the Privacy Policy and Governance Unit (PPGU), each of which is headed by a Manager who reports to the Director of ATIP and Executive Services. In 2024-2025, the ATIP Office consisted of 15.7 full-time employees and had no regional ATIP staff or consultants.

Public Safety was not a party to any service agreements to provide services to other organizations under section 73.1 of the Privacy Act during the fiscal year.

Delegation Order

The following Delegation Order was in effect at the end of the reporting period.

The Minister of Public Safety, pursuant to section 73(1) of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister as the head of the Department of Public Safety and Emergency Preparedness, under the provisions of the Privacy Act and related regulations set out in the schedule opposite each position. This designation replaces all previous delegation orders.

Dated, at the City of Ottawa, this 11 day of June, 2025.

The Honourable Gary Anandasangaree, P.C., M.P.
Minister of Public Safety

Performance 2024-2025

The following sections provide an overview of specific key data points on Public Safety's processing of Privacy Act requests during the reporting period, as required by Treasury Board Secretariat. The full statistical report can be found in Annex A, and the Supplemental Statistical Report can be found in Annex B.

Volume of Requests

Over the past two fiscal years, the department has seen an increase in the number and size of requests received under both the Access to Information Act and the Privacy Act in comparison with previous years. This increase has placed pressure on the ATIP Office and the department.

During the 2024-2025 fiscal year, the ATIP Office received 101 formal requests under the Privacy Act and completed 84. These numbers were significantly higher than the previous year (by 110% and 68% respectively). The ATIP Office processed 8,139 pages, a 69% increase in comparison to the previous year.

Response within Legislated Timelines

The percentage of formal requests that were closed within the legislated timelines was 76%, a slight decrease (3%) compared to the previous year. This number was linked to the high overall volume of requests under both Acts and the resulting increase in overall workload being handled by the ATIP Office, and is comparable to compliance rates for other similar size organizations.

Active Requests as of March 31, 2025

At the end of the fiscal year, Public Safety had a total of 21 active requests that were carried over to the next reporting period. Of these, 7 were within the legislated timelines, while 14 were beyond the legislated timelines. These numbers were comparable to those reported by other similar size organizations.

Completion Times

The following table provides a breakdown of completion times for the 84 formal requests that were completed during the fiscal year. The distribution of completion times was comparable to previous years.

Reasons for Extensions

For the requests completed in 2024-25, a total of 25 extensions were taken during the fiscal year. All extensions were taken due to interference with operations.

Response Disposition

The following table shows the disposition of requests completed in 2024-25. This breakdown was consistent with previous years.

Consultations

During the year, the department received two consultations from other organizations, compared to one consultation received the previous year. One consultation was completed within 16 to 30 days, while the other was carried over to the new reporting period within negotiated timelines.

Active Complaints as of March 31, 2025

At the end of the fiscal year, Public Safety did not have any active complaints with the Office of the Privacy Commissioner (OPC). During the year, the ATIP Office worked closely with the OPC to establish timelines for the resolution of complaints and to ensure all complaints were addressed within the timelines established by the OPC. No concerns were identified by the OPC during the fiscal year with respect to the timely processing of complaint files by the department.

Training and Awareness

Public Safety remains committed to promoting awareness and providing ongoing training opportunities to all employees. During the year, the ATIP Office continued its outreach to the department to reinforce knowledge and understanding of the legislation and ATIP processes among policy and program areas. The ATIP Office provided 16 training and information sessions on the Access to Information Act and Privacy Act. A variety of subjects were presented, including strategies for retrieving records and applying exemptions, as well as requirements for proactive publication. A total of 238 people attended these sessions.

The PPGU also provides outreach and awareness concerning the department's privacy obligations, through department-wide communication modes such as InfoBulletin and by participating on various internal working groups and other fora. The PPGU frequently meets with employees to provide guidance on privacy and reviews new and existing programs and activities to support compliance with the provisions of the Privacy Act.

Policies, Guidelines, and Procedures

During the year, Public Safety's ATIP Office worked closely with external and internal partners to ensure continuous alignment with policies, guidelines, and procedures issued by Treasury Board Secretariat (TBS) and the Privy Council Office and to support security of information in both the remote and hybrid work environment. The ATIP Office also worked closely with areas of the department facing high volumes of requests and implemented special procedures on a case by case basis to mitigating workload pressures and to support compliance with legislated timelines to the extent possible.

In 2024-2025, the PPGU updated the department's suite of internal privacy policies and procedures to align with the new privacy policy and directive issued by TBS. New and existing programs, surveys, and other activities that involve the collection of personal information are required to complete a Privacy Checklist in order to document any personal information that may be collected, used, or disclosed, along with the level of risk and any mitigation measures in place related to that information. The PPGU works with program areas to ensure that standard or department-specific Personal Information Banks (PIBs) are in place for all personal information and that Privacy Protocols or Privacy Impact Assessments (PIAs) are completed in situations where a new collection, use, or disclosure of personal information will occur, or where significant changes are made to an existing collection, use, or disclosure. The PPGU also provides privacy review and analysis for Treasury Board Submissions.

During the year, the PPGU also updated its process for documenting and responding to privacy breaches to align with the updated TBS policy suite. PPGU also participated in interdepartmental risk-assessment exercises for data and cybersecurity breaches, and updated its procedures to ensure compliance with government-wide policies and to support a coordinated interdepartmental response.

Initiatives and Projects to Improve Privacy

During the year, the ATIP Office continued to provide dedicated support on high visibility files within Public Safety and the Portfolio that required a coordinated approach to the handling of ATIP requests, including the implementation of the Assault-Style Firearms Compensation Program, as well as files related to foreign interference, national security operations, border security, policing, and international affairs. The ATIP Office also continued to provide support in reviewing documents in response to Parliamentary Committee motions for document production. The ATIP Office also continued efforts towards modernizing the current request processing software, working closely with partners including Treasury Board Secretariat, Public Services and Procurement Canada, and Shared Services Canada to set up contracts for software licensing and server hosting. These efforts are scheduled to continue through 2025-2026 and are intended to streamline the ATIP process and support alignment with other government departments going forward.

During the year, the PPGU team continued to connect with a range of new internal clients, in order to increase opportunities to provide independent advice to Public Safety programs to support the safeguarding of personal information. The PPGU is also a member of the department's 3rd Party Solutions Approval Team (3PSAT), which reviews applications for new software and digital tools proposed for use by the department, and provides advice and guidance to ensure that privacy by design principles are taken into account during the approval of new digital solutions.

During the reporting period, the PPGU initiated efforts to build an inventory of programs and activities within the department that involve the collection, use, disclosure, retention, and disposal of personal information. This inventory will allow Public Safety to proactively identify areas requiring ongoing attention (such as increased protection and risk mitigation measures) to ensure that personal information remains protected in compliance with the department's legislative obligations under the Privacy Act.

Summary of Key Issues and Actions Taken on Complaints

As in previous years, Public Safety received a comparatively low volume of complaints on requests made under the Privacy Act. During the year, the OPC received five new complaints against the department and concluded five investigations on Public Safety files. Of these, none were deemed to be well-founded. The ATIP Office continued to maintain a constructive relationship with the OPC, meeting periodically with the OPC both at the Manager and the Director level to ensure ongoing alignment of approach, identify priority files for attention, and address any areas of concern as they arose. No specific issues were noted by the OPC during the year.

Material Privacy Breaches

Public Safety experienced one material privacy breach in 2024-2025 which involved sensitive personal information being sent to the incorrect individual. The PPGU took immediate measures to respond to the breach and implement containment and mitigation measures, in collaboration with TBS and the OPC and in line with departmental procedures and TBS policy requirements.

Privacy Impact Assessments

Two PIAs were completed during the reporting period. The first PIA was undertaken in preparation for a study on the prevalence of sexual coercion and violence in federal custody. The second PIA was undertaken in preparation for the launch of Phase 1 of the Assault-Style Firearms Compensation Program. Summaries for these PIAs have been made publicly accessible on Public Safety's website. Several other PIAs pertaining to departmental programs and initiatives were in progress during the year.

Public Interest Disclosures Pursuant to Paragraph 8(2)(m) of the Privacy Act

Paragraph 8(2)(m) of the Privacy Act provides the head of the institution with the authority to disclose personal information where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where the disclosure would clearly benefit the individual to whom the information relates. No disclosures pursuant to paragraph 8(2)(m) of the Privacy Act were made by Public Safety during the fiscal year.

Monitoring Compliance

Public Safety maintains four recurring ATIP reports to inform senior management of the program during the fiscal year. These reports track a range of information including the list of new formal Privacy Act requests received by the department each week, deadlines assigned for retrieval, and the list of upcoming requests scheduled for release, as well as quarterly reporting on retrieval response times for Public Safety branches. Reports are shared weekly with Assistant Deputy Ministers (ADMs) and other senior officials and are discussed with senior management as required. In addition, ATIP performance is monitored at the ADM level through performance agreements and evaluations to ensure ATIP remains a priority within the department.

Compliance with the provisions of the Access to Information Act and the Privacy Act is also an explicit requirement enshrined within all contracts, information sharing agreements, and information sharing arrangements issued by the department. The ATIP Office also reviews contracts and information sharing agreements as required and provides advice and guidance with respect to privacy protections.

Annex A: Statistical Report on the Privacy Act

Reporting period: April 1st, 2024 to March 31, 2025

Section 1: Requests Under the Privacy Act

Section 2: Informal Requests

Section 3: Requests Closed During the Reporting Period

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper, e-record and dataset formats

• Number of Pages Processed: 8,139
• Number of Pages Disclosed: 3,910
• Number of Requests: 40

3.5.3 Relevant minutes processed and disclosed for audio formats

• Number of Minutes Processed: 0
• Number of Minutes Disclosed: 0
• Number of Requests: 0

3.5.5 Relevant minutes processed and disclosed for video formats

• Number of Minutes Processed: 0
• Number of Minutes Disclosed: 0
• Number of Requests: 0

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

• Number of requests closed within legislated timelines: 64
• Percentage of requests closed within legislated timelines (%): 76.19047619

3.7 Deemed refusals

Section 4: Disclosure Under Subsections 8(2) and 8(5)

• Paragraph 8(2)(e): 0
• Paragraph 8(2)(m): 0
• Subsection 8(5): 0
• Total: 0

Section 5: Requests for Correction of Personal Information and Notations

Section 6: Reasons for Extensions

Section 7: Consultations Received from Other Institutions and Organizations

Section 8: Completion Time of Consultations on Cabinet Confidences

Section 9: Complaints and Investigations Notices Received

• Section 31: 5
• Section 33: 5
• Section 35: 1
• Court action: 1
• Total: 12

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

• Number of PIAs completed: 2
• Number of PIAs modified: 0

Section 11: Privacy Breaches

11.1 Material privacy breaches reported

• Number of material privacy breaches reported to TBS: 1
• Number of material privacy breaches reported to OPC: 1

11.2 Non-material privacy breaches reported

Number of non-material privacy breaches: 8

Section 12: Resources Related to the Privacy Act

Annex B: Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Reporting period: April 1st, 2024 to March 31, 2025

Section 1: Requests Carried Over and Active Complaints Under the Access to Information Act

Section 2: Requests Carried Over and Active Complaints Under the Privacy Act

Section 3: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2024-25? No

Section 4: Universal Access under the Privacy Act

How many requests were received from foreign nationals outside of Canada in 2024-25? 3

Date modified:

2025-11-05