Access to Information and Privacy

2022-23 Annual Report on the Privacy Act

April 1, 2022 — March 31, 2023

On this page

1. Introduction

The Natural Sciences and Engineering Research Council of Canada (NSERC) is pleased to present to Parliament its annual report on the administration of the Privacy Act for 2022-23 (April 1, 2022, to March 31, 2023).

This report is prepared and tabled in accordance with section 72 of the Privacy Act which requires that the head of every federal institution prepare and submit an annual report to Parliament on the administration of the Act in the institution during the fiscal year.

1.1 Purpose of the Privacy Act

The purpose of the Privacy Act is to provide:

individuals with the right to access and correct personal information about themselves that is under the control of a government institution
the legal framework for the collection, retention, use, disclosure, disposition and accuracy of personal information in the administration of programs and activities by government institutions subject to the Act

For more information:

Access to Information and Privacy Coordinator

Natural Sciences and Engineering Research Council of Canada
125 Zaida Eddy Private, 2nd floor
Ottawa, ON K1R 0E3

Email: atip-aiprp@nserc-crsng.gc.ca

Telephone: 343-571-9689

1.2 Mandate of the Natural Sciences and Engineering Research Council

NSERC is a separate agency of the Government of Canada created in 1978. It is funded directly by Parliament and reports to it through the Minister of Innovation, Science and Industry.

The functions of NSERC, based on the authority and responsibility assigned to it under the Natural Sciences and Engineering Research Council Act (1976-1977, c.24), are to:

promote and assist research in the natural sciences and engineering, other than the health sciences; and
advise the Minister in respect of such matters relating to such research as the Minister may refer to the Council for its consideration.

NSERC’s Council is composed of a President and up to 18 other distinguished members selected from the private and public sectors. NSERC’s President is the Chief Executive Officer. The elected Vice-President is the Chair of the Council and of its Executive Committee. NSERC’s Council is advised on policy matters by various standing committees. Funding decisions are made by the President, or designate, on the basis of recommendations made by peer review committees.

1.3 Official core responsibility of NSERC

The Natural Sciences and Engineering Research Council of Canada (NSERC), through grants, fellowships and scholarships, promotes and supports research and research training in the natural sciences and engineering to develop talent, generate discoveries, and support innovation in pursuit of economic and social outcomes for Canadians.

2. Organizational Structure

The Access to Information and Privacy (ATIP) office resides in NSERC’s Governance, Risk & Compliance (GRC) Division under the Strategic, Corporate and Public Affairs (SCPA) Directorate.

The ATIP office is responsible for:

implementing and managing programs and services to Canadians relating to NSERC’s administration of the Access to Information Act and the Privacy Act
providing interpretation, advice and recommendations to NSERC employees as they fulfill their obligations under both Acts
delivering training to NSERC employees on both Acts to ensure compliance

The ATIP office is led by the ATIP Manager (who is also the ATIP Coordinator) who reports to the Executive Director, Governance, Risk and Compliance. The Manager is supported by an ATIP Analyst and two ATIP & Secretariat Officers. The ATIP office staff work together closely to process ATIP requests and to support NSERC employees on privacy-related matters. In total, four full-time employees at various levels administered the Access to Information Act and the Privacy Act in 2022–23.

This year’s focus was on developing capacity and building ATIP expertise within the ATIP office, eliminating the need for ATIP consultants. NSERC’s ATIP office addressed the backlog of access to information and privacy requests. Several were dated, large and complex requests requiring cross reference of files and external consultations.

NSERC was not party to any service agreements under section 73.1 of the Privacy Act during this reporting period.

3. Delegation Order

Pursuant to subsection 73(1) of the Privacy Act, the President of NSERC has delegated the powers, duties, and functions for the administration of the Privacy Act to the following NSERC officials:

Vice-President, Strategic, Corporate and Public Affairs
Executive Director, Governance, Risk and Compliance
Manager, ATIP & Governance

This Delegation of Authority was signed on August 15, 2022 and can be found in Appendix A.

4. Statistical Report

Statistical reports prepared by government institutions provide aggregate data on the application of the Access to Information Act and the Privacy Act. This information is made public annually in a statistical report that is included with the annual reports on access to information and privacy tabled in Parliament by each institution. NSERC's statistical report on the Privacy Act for 2022-23 is provided in Appendix B.

This year, institutions were required to report on the following additional criteria:

their capacity to receive requests and process records
open requests from previous reporting periods
open complaints from previous reporting periods
the impact of COVID-19-related measures on their ability to fulfill Access to Information Act and Privacy Act responsibilities, and any mitigation measures that were implemented
new authorities to collect or use Social Insurance Numbers and Universal Access

This information is included in the 2022-23 Supplemental Statistical Report on the Access to Information Act and Privacy Act and can be found in Appendix C.

5. Interpretation of the Statistical Report on the Privacy Act

This section provides an overview of key data on NSERC’s performance for the year, as reflected in the Statistical Report for 2022-23. (“Requests” here refers to formal requests under the Privacy Act.)

a) Material Privacy Breaches

In 2022-23, NSERC had no material privacy breaches therefore did not report any to the Office of the Privacy Commissioner (OPC) and to Treasury Board of Canada Secretariat (TBS, Privacy and Responsible Data Division) during the reporting period.

b) Privacy Impact Assessments

In 2022-23, NSERC did not submit any Privacy Impact Assessments (PIAs) to the OPC and to TBS’s Information Privacy Policy Division.

c) Public Interest Disclosures

Subsection 8(2) of the Privacy Act provides limited and specific circumstances under which institutions may disclose personal information without an individual’s consent. Such situations include when the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where disclosure would clearly benefit the individual to whom the information relates.

In 2022-23, NSERC did not make any disclosures pursuant to paragraphs 8(2)(e) or 8(2)(m) of the Act. As a result of no disclosures being made pursuant to paragraph 8(2)(m) of the Act, NSERC did not have any notifications to the OPC pursuant to subsection 8(5).

d) Correction of Personal Information

Paragraph 12(2)(a) of the Privacy Act gives individuals a right to request a correction of personal information about them held by the federal government.

Three requests for corrections were carried over from 2018-19, five from 2019-20 and three from 2020-21. In fiscal year 2022-23, the three requests from 2018-19 and the three requests from 2020-21 were closed. The five requests from 2019-20 remain outstanding. A new request for correction of personal information was received during the reporting period and that request also remains outstanding. This means that six requests for correction of personal information were carried over into fiscal year 2023-24.

e) Complaints

Requesters have the right to register a complaint with the OPC regarding the processing of a request.

No privacy complaints from the previous fiscal year were carried over into the 2022-23 fiscal year. NSERC did not receive or conclude any new privacy complaints in the 2022-23 fiscal year. No privacy complaints were carried over into fiscal year 2023-24.

f) Audits, Compliance and Appeals

No privacy audits nor monitoring were conducted during the reporting period. There were no applications or appeals to the Federal Court or Federal Court of Appeal under the Privacy Act during 2022-23.

5.1 Requests Received and Carried Forward

In 2022-23, NSERC received a total of four privacy requests, two more than the previous fiscal year (two in 2021-22).

Twelve (12) active privacy requests were carried forward into 2022-23 from the previous reporting period (five from 2018-19, one from 2019-20, four from 2020-21 and two from 2021-22). A total of one request received in 2022-23 remains outstanding and is still within legislated timeline.

5.2 Requests Completed

Fifteen (15) privacy requests were completed and closed during the 2022-23 reporting period. This is two more than the previous fiscal year (13 in 2021-22). In total, NSERC processed 2442 pages of which 952 were disclosed in the 2022-23 reporting period. The gap reflects duplicated, non-relevant and withheld records. While NSERC processed slightly more privacy requests than in the 2021-22 reporting period, the number of pages processed was significantly lower this reporting period than in the previous year (in 2021-22 NSERC processed 5074 pages of which 1251 were disclosed). Of the privacy requests completed in 2022-23, ten were disclosed in part; two no records existed; and three requests were abandoned.

The percentage of completed requests for which records were “all disclosed” is 0%, for which records were “disclosed in part” is 67% for which “no records existed” is 13% and for which the “requests were abandoned” is 20%.

Figure 1: Privacy requests received, carried over and closed, 2018-19 to 2022-23

Requests received	Carry-over from previous fiscal year	Requests completed
2018-19	19	0	9
2019-20	7	10	9
2020-21	22	8	7
2021-22	2	23	13
2022-23	4	12	15

Figure 2: Number of pages processed and pages disclosed, 2018-19 to 2022-23

	Disclosed	Processed
2018-19	86	92
2019-20	252	271
2020-21	268	464
2021-22	1251	5074
2022-23	952	24423

5.3 Exemptions

For the privacy requests where the information was disclosed in part, NSERC invoked the following exemptions:

section 19(1)(c), personal information obtained in confidence of a province (five applications)
section 26, personal information about another individual (nine applications)
section 27, solicitor-client privilege (one application)

5.4 Extensions

Reasons for extensions

The legislation sets timelines for responding to privacy requests and allows for extensions, up to a maximum of 30 calendar days, in any of the following cases:

when complying with the timeline would interfere with operations as a result of:
- a review being required to determine exemptions or exclusions
- a large volume of pages requiring review
- a large volume of requests
- the documents being difficult to obtain.
when a consultation is required

An extension of more than 30 calendar days would be allowed if additional time is necessary, in any of the following cases:

for translation purposes
for purposes of converting the personal information into an alternative format

In 2022-23, NSERC invoked extensions for 11 completed privacy requests or 73% of all requests completed.

Of the 11 requests that were extended, 10 (91%) were extended because complying with the original 30-day time limit would have unreasonably interfered with operations, in accordance with paragraph 15(a)(i) of the Act.

Of the 10 requests extended in accordance with paragraph 15(a)(i):

one involved a large number of pages
nine were a result of a large volume of requests

The remaining request was extended for the purpose of conducting internal consultations in accordance with paragraph 15(a)(ii).

No extensions were invoked in 2022-23 for the purposes of translating materials.

5.5 Completion Times

Of the 15 privacy requests completed; five requests were completed within the legislated timeframe. One of those five requests was extended by 30 calendar days. The 10 other requests were completed outside legislated timelines. These 10 requests were extended by 30 calendar days and completed more than 365 days after the legislated timelines.

Here is the breakdown of number of completed requests, broken down by completion times: three completed within 1 to 15 days, one completed within 16 to 30 days, one completed within 31 to 60 days, 10 completed within more than 365 days.

The percentage of requests closed within legislated timelines is 33% (5 out of 15 cases).

5.6 Consultations from other Government Institutions and Organizations

NSERC received one consultation request from another government institution in 2022-23. The completion time was within 16 to 30 days and two pages were processed. This volume of privacy consultation requests is consistent with previous years. There were no consultation requests from other government institutions received in 2021-22 that were carried forward to 2022-23.

5.7 Impact of COVID-19-related Measures

In response to the public health measures implemented to minimize the effects of the COVID-19 pandemic, NSERC primarily operated remotely since 2021-22. From April 1, 2022, to March 31, 2023, NSERC’s ATIP office was at full operational capacity.

6. Services and Related Activities

Throughout the year, the ATIP office provided advice and recommendations to NSERC employees by reviewing various documents such as answers to Parliamentary Questions, Privacy Protocols, Privacy Attestations, Memoranda of Understanding, audits, evaluations, and security reports. The ATIP office provided training on an as needed basis on the provisions of the Privacy Act and its implications on NSERC programs and initiatives. The ATIP office distributed a weekly status report on privacy requests to NSERC senior management.

6.1 Info Source, Publicly Accessible Information, and Inquiry Points

Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. It provides individuals and employees of the government (current and former) with relevant information to access personal information about them held by government institutions subject to the Privacy Act and to exercise their rights under the Privacy Act.

NSERC’s funding policies, program descriptions, organizational structure and contact information can be found on its website. In accordance with the federal government’s policy on proactive disclosure, evaluation and audit reports are also posted on NSERC’s website. The NSERC website’s ATIP page provides background information on the Privacy Act and useful information about services provided.

NSERC also proactively discloses information on the federal government’s Open Government website, such as: ATIP monthly summaries, information on awarded grants, contracts as well as travel, hospitality, and conference expenses.

6.2 Informal Practices and Proactive Disclosure

NSERC encourages informal practices of providing information requested outside the ATIP process, provided that the information released is clearly only that of the requester.

In addition, NSERC proactively discloses peer review feedback to grant and award applicants. In 2022-23, NSERC proactively disclosed 13,771 redacted reports and reference letters from volunteer external reviewers for all funding opportunities that collect external reports, which pertains to 5,992 grant and award applications. These reports provide an assessment of the research proposal from subject-matter experts, funding recommendations about the application, and feedback to applicants on their proposals in relation to the program criteria. They are redacted in the spirit of the Privacy Act by NSERC program staff who have received training by the ATIP office.

6.3 Policies, Guidelines, and Procedures

Personal information collected and used by federal institutions is governed by the Privacy Act and related regulations, as well as a suite of policy from TBS. NSERC must comply with all these policies, directives and guidelines, and the NSERC President is accountable for compliance. This compliance framework is complex and often very demanding for small agencies. It is also evolving and being updated to reflect the reality of current day privacy concerns in our digital world.

In response to TBS’ Policy on Privacy Protection requiring that government institutions have a privacy protocol in place to establish rules and guidelines for employees who use personal information, NSERC and the Social Sciences and Humanities Research Council of Canada (SSHRC) jointly developed a Privacy Management Framework (PMF) and a Privacy Protocol as part of their larger commitment to developing a stronger culture of privacy protection and compliance. Privacy protocols are especially important for NSERC to implement due to the increased collection of self-identification information. The PMF and Privacy Protocol were finalized in 2021-22 and implemented across NSERC and SSHRC in the fall of 2022.

NSERC has not received authority for any new collection(s) or new consistent use(s) of Social Insurance Numbers during the 2022-23 reporting period.

6.4 Training and Awareness

In 2022-23, the ATIP office continued to provide regular advice and guidance to NSERC employees while also expanding the outreach activities and formal training sessions offered to them. All NSERC staff requiring direct access to Equity, Diversity and Inclusion (EDI) data are required to complete training on handling sensitive personal information. A total of 75 NSERC employees participated in six (6) EDI Data and Privacy Protection training sessions this reporting period. Redaction training was also delivered to approximately 20 NSERC program employees. In addition to the regular support and training that the ATIP office provided to NSERC employees, new privacy training material related to “privacy requirements in our day-to-day operations” was implemented to address gaps in the handling of sensitive information in the existing Security Awareness training.

Employees are reminded to complete the mandatory privacy training throughout the year through various means, e.g., new employee onboarding, HR training calendar, employee performance review.

NSERC is following the lead of TBS in modernizing its ATIP practices, and in providing employees with the tools/resources to think about privacy protection at the outset of a project or initiative. TBS has recently published the Digital Privacy Playbook on Canada.ca which is also posted on NSERC’s ATIP intranet page.

In this year’s reporting period, the total salary, goods, and professional services cost for the Privacy program was $195,344. This figure represents a decrease of 9.37% compared to $215,542 in 2021-22 and is higher than the $182,356 costs for 2020-21. This cost does not include the processing of the proactive disclosures to applicants described in 6.2, above.

6.5 Challenges

In 2022-23, NSERC started the year with a carry-over of 12 files from previous fiscal years. Four new privacy requests were received during the reporting period. Sustained focus on closing older requests had an impact on the overall compliance rate in 2022-23. These efforts, however, have resulted in a significant reduction in the number of requests that have been carried forward, and in resolving the backlog. This required the ATIP office to establish operational priorities and to claim appropriate extensions of time.

NSERC remained committed to assist requesters in refining their request and was able to eliminate the backlog. One file which is within legislated timeline was carried forward into the 2023-24 fiscal year.

The Privacy human resources utilized for this reporting period were estimated at 2.100 FTE, which is 4.76% less than 2.205 FTE reported for the 2021-22 fiscal year.

NSERC’s ATIP & Governance Manager position, the one ATIP Analyst position and the two ATIP & Secretariat positions are filled on a permanent basis. These positions remained filled and uninterrupted throughout the current reporting period. NSERC has made a commitment to build its internal ATIP unit and expertise to increase stability and improve ATIP service delivery.

Since early 2023, NSERC has adjusted to a new hybrid work model.

Download the report