2021-2022 Annual Report to Parliament on the Administration of the Privacy Act

1. Introduction

The purpose of the Privacy Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

This annual report was prepared and submitted in accordance with section 72 of the Privacy Act and covers the period from April 1, 2021 to March 31, 2022.

2. Mandate of the Office of the Superintendent of Financial Institutions (OSFI)

Under its legislation, OSFI’s mandate is:

Fostering sound risk management and governance practices

OSFI advances a regulatory framework designed to control and manage risk.

Supervision and early intervention

OSFI supervises federally regulated financial institutions and pension plans to determine whether they are in sound financial condition and meeting regulatory and supervisory requirements.

OSFI promptly advises financial institutions and pension plans if there are material deficiencies and takes corrective measures or requires that they be taken to expeditiously address the situation.

Environmental scanning linked to safety and soundness of financial institutions

OSFI monitors and evaluates system-wide or sectoral developments that may have a negative impact on the financial condition of federally regulated financial institutions.

Taking a balanced approach

OSFI acts to protect the rights and interests of depositors, policyholders, financial institution creditors and pension plan beneficiaries while having due regard for the need to allow financial institutions to compete effectively and take reasonable risks.

OSFI recognizes that management, boards of directors and pension plan administrators are ultimately responsible for risk decisions, that financial institutions can fail, and pension plans can experience financial difficulties resulting in the loss of benefits.

In fulfilling its mandate, OSFI supports the government’s objective of contributing to public confidence in the Canadian financial system.

The Office of the Chief Actuary is an independent unit within OSFI that provides a range of actuarial valuation and advisory services to the Government of Canada. In conducting its work, the OCA plays a vital and independent role towards a financially sound and sustainable Canadian public retirement income system.

3. Strategic Outcomes

Primary to OSFI’s mandate and central to its contribution to Canada’s financial system are two strategic outcomes:

1. A safe and sound Canadian financial system
2. A financially sound and sustainable Canadian public retirement income system.

For the purposes of the Access to Information Act, the head of OSFI is the Superintendent and the responsible minister is the Minister of Finance.

4. Administration of the Access to Information Act

4.1 Access to Information and Privacy (ATIP) Unit

The Access to Information and Privacy (ATIP) Unit is part of the Central Office Directorate within the Office of the Chief Financial Officer Division, Corporate Services and Transformation. The unit is responsible for administering the Act for the Office of the Superintendent of Financial Institutions (OSFI). As such, the ATIP unit coordinates the timely processing of requests under the legislation, handles complaints lodged with the Information Commissioner, and responds to informal inquiries. The ATIP unit also provides advice and guidance to Office staff on matters involving the Act.

The Manager, Privacy and Access to Information reports to the Chief Financial Officer and is supported by a senior ATIP Officer, an ATIP Officer and a Junior ATIP Officer.  Both the ATIP Officer and the Junior ATIP Officer are considered regional staff. The ATIP unit also relies upon the support of contract and student resources.

The Manager, Privacy reports to the Chief Financial Officer. The Privacy team also relies upon the support of contract resources.

4.2 Institutional changes to the administration of the Access to Information Act

For the period of FY 2021-2022, the ATIP unit reported to the Director, Strategic Governance, ATIP and Privacy Offices.  OSFI also introduced the role of Chief Privacy Officer in the same period.  For the 2022-2023 fiscal year, the ATIP unit will report to the Chief Financial Officer.

4.3 Education and Training

Training efforts in 2021-2022 have been focused on ensuring OSFI staff understand their roles and responsibilities in the effective management and protection of OSFI’s information resources as an enabler in the delivery of the ATI program through a combination of presentations, information sessions and information bulletins. Training efforts focused on ATIP awareness for new OSFI staff as part of an Information Management and ATIP awareness program (4 sessions, 32 participants)

4.4 Processing of Privacy requests

All formal privacy requests are submitted to the Manager, Privacy and Access to Information, who reviews and assigns them to an ATIP Officer. The Officer requests the information from the appointed sectoral ATIP Liaison Officer(s) concerned. In gathering the material and subsequently reviewing it, the ATIP Office provides advice and direction to ensure that the provisions of the Act are respected.

Assembled material is reviewed by the ATIP Officer and the Manager, Privacy and Access to Information. The material and the recommendations pertaining to each request are then submitted to the program area for validation. Once agreed, the release package is submitted to the Assistant Superintendent, Corporate Services for review and approval.

Employees have the right to review their personal records at intervals specified in the various collective agreements. To exercise this right, an employee contacts the appropriate official in the Human Resources department. The review of personal records is considered informal and no data on these requests is compiled. The employee, however, does have the option of submitting a formal request under the privacy legislation. Employees of the Human Resources and Administration Division are aware of the provisions of the Privacy Act as they relate to the use and disclosure of personal information.

4.5 Delegation of authority

Administration of the Privacy Act at OSFI is ultimately the responsibility of the Superintendent; However, delegation orders set out which powers, duties and functions relating to the administration of the Privacy Act, have been delegated by the head of the institution, and to whom.  Effective May 21st, 2021, all powers, duties or functions are delegated to the Assistant Superintendent, Corporate Services, the Special Advisor, Corporate Services, the Director, Strategic Governance, Access to Information and Privacy Offices and the Manager, Access to Information & Privacy.  This will be updated to reflect the organizational changes which have recently taken place.

4.6 Monitoring compliance

The time taken to process requests made under the Privacy Act is tracked in the ATIP tracking system. Proposed final responses to privacy requests are ultimately reviewed and approved by the Assistant Superintendent / Chief Operating Officer. Concerns are raised as appropriate throughout the lifecycle of the request and priority is given to fulfilling OSFI’s statutory obligations.

4.7 Summary of significant changes to programs, operations, policies, or procedures

There were no significant changes to ATIP programs, operations policies, or procedures in 2021-2022. With the easing of certain COVID-related restrictions, employees are once again able to access physical files.  Requests received by OSFI through the mail are retrieved by the Manager, Access to Information and Privacy as needed. Another change of note is that effective April 1st, 2022, the ATIP team will report to the Office of the Chief Financial Officer, Corporate Services and Transformation division.  This organizational change will be addressed in greater detail in the 2022-2023 annual report.

4.8 Reading room

 In accordance with the Access to Information Act, a public reading room is available in Ottawa. It is located at 255 Albert Street, on the 16th floor. The reading room was not available to the public as of March 31st, 2022, due to necessary restrictions arising from the COVID-19 pandemic.

5. Interpretation of the Statistical Report

Part 1 – Requests under the Privacy Act

Due to the nature of OSFI’s work regulating and supervising financial institutions and private pension plans under federal jurisdiction, much of the information in the Office’s possession is third-party business information rather than personal information about individuals. The financial institutions and pension plans are OSFI’s clients. As OSFI does not provide services directly to individuals, the volume of personal information collected by the Office is relatively small. This information is generally limited to employment records of current and previous OSFI employees and information about individual contract consultants at OSFI.

In 2021-2022, four new requests were received. Since the inception of the Privacy Act, July 1, 1983, OSFI has received 75 privacy requests.

Part 2 – Requests closed during the reporting period

The following table summarizes the actions taken with respect to the completed requests:

2.1 Disposition and Completion Time

For the 4 requests received in 2021-2022:

• 100% were closed within legislated timelines;
• There were no requests carried over from the previous reporting period, nor were any carried over to the next reporting period;
• 3 were completed in 16 to 30 days; and,
• 1 was closed in 31 to 60 days.

2.2 Exemptions

Section 26 was applied to 3 privacy requests. Section 27 was applied to 1 request.

2.3 Exclusions

No exclusions were cited during the reporting period.

2.4 Format of Information Released

During the reporting period, 3 requests under the Privacy Act were released electronically.

2.5 Relevant Pages Processed and Disclosed

3860 relevant pages were processed, and 907 pages were disclosed during the reporting period. 75% of the requests received during the reporting period were disclosed in part and OSFI was unable to process the remaining request as the request was abandoned.

2.6 Other complexities

There were no other complexities required during the reporting period.

2.7 Deemed Refusal

There were no deemed refusals during this reporting period.

2.8 Requests for Translation

No translations were requested in 2021-2022.

Part 3 – Disclosures under Subsections 8(2) and 8(5)

No disclosures were made pursuant to subsections 8(2)(e), 8(2)(m) or 8(5) of the Privacy Act during this reporting period.

Part 4 – Requests for correction of personal information and notations

No requests for correction of personal information and no notations were made during this reporting period.

Part 5 - Extensions

Additional 30-day extensions were required for 1 request during this reporting period:

• 1 pursuant to s.15(a)(i) – Interference with operations (large volume of pages).

Part 6 - Consultations received from other government Institutions

No consultations from other government institutions and organizations were received during the reporting period.

Part 7 – Completion Time of Consultations on Cabinet Confidences

No consultations with respect to Cabinet confidences were required during the reporting period.

Part 8 – Resources Related to the Privacy Act

The cost to administer the Act during this reporting period was $179,515.

6. Complaints and Investigations

OSFI did not receive any complaints pursuant to the Privacy Act during this reporting period nor are there any active complaints from previous reporting periods.

7. Privacy Breaches

There were no material privacy breaches reported during the 2021-2022 fiscal year.

8. Appeals to the Federal Court of Canada

8.1 – Major changes implemented as a result of concerns or issues raised by the Privacy Commissioner of Canada in his annual report to Parliament

The Privacy Commissioner of Canada did not raise any concerns or issues related to OSFI, therefore no major changes were implemented.

8.2 – Major changes implemented as a result of concerns or issues raised by other agents of Parliament

No major changes were implemented by OSFI as other agents of Parliament did not raise any concerns or issues.

8.3 – Number of applications or appeals to the Federal Court of the Federal Court of Appeal during the fiscal year

There were no access to information related applications or appeals to the Federal Court or the Federal Court of Appeal during this fiscal year related to OSFI.

9. Completed Privacy Impact Assessments

OSFI completed a single Privacy Impact Assessment in 2021-2022.  In June 2021, OSFI deployed the Annual Confidential Report (ACR) Power Automate solution, which automates the ACR process between HR and OSFI employees.  It has yet to be published on OSFI’s website.

10. Authority for new collection of Social Insurance Numbers

OSFI did not receive authority or undertake any new collections or consistent use of Social Insurance Numbers during the reporting period.

Appendix A – Statistical Report on the Privacy Act

Statistical Report on the Privacy Act

Name of institution: Office of the Superintendent of Financial Institutions

Reporting period: 4/1/2021 to 3/31/2022

Section 1: Requests Under the Privacy Act

1.1 Number of requests received

1.2 Channels of requests

Section 2: Informal requests

2.1 Number of informal requests

2.2 Channels of informal requests

2.3 Completion time of informal requests

2.4 Pages released informally

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time

3.2 Exemptions

3.3 Exclusions

3.4 Format of information released

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for *paper* and *e-record* formats

3.5.2 Relevant pages processed by request disposition for *paper* and *e-record* formats by size of requests

3.5.3 Relevant minutes processed and disclosed for *audio* formats

3.5.4 Relevant minutes processed per request disposition for *audio* formats by size of requests

3.5.5 Relevant minutes processed and disclosed for *video* formats

3.5.6 Relevant minutes processed per request disposition for *video* formats by size of requests

3.5.7 Other complexities

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

3.7.2 Request closed beyond legislated timelines (including any extension taken)

3.8 Requests for translation

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for Correction of Personal Information and Notations

Section 6: Extensions

6.1 Reasons for extensions

6.2 Length of extensions

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services

8.2 Requests with Privy Council Office

Section 9: Complaints and Investigations Notices Received

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs)

10.1 Privacy Impact Assessments

10.2 Institution-specific and Central Personal Information Banks

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported

11.2 Non-Material Privacy Breaches

Number of non-material privacy breaches: 2

Section 12: Resources Related to the Privacy Act

12.1 Allocated Costs

12.2 Human Resources

Supplemental Statistical Report on the Access to Information Act and the Privacy Act

Name of institution: Office of the Superintendent of Financial Institutions

Reporting period: 2021-04-01 to 2022-03-31

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

Enter the number of weeks your institution was able to receive ATIP requests through the different channels.

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1 Enter the number of weeks your institution was able to process paper records in different classification levels.

2.2 Enter the number of weeks your institution was able to process electronic records in different classification levels.

Section 3: Open Requests and Complaints Under the Access to Information Act

3.1 Enter the number of open requests that are outstanding from previous reporting periods.

3.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods

Section 4: Open Requests and Complaints Under the Privacy Act

4.1 Enter the number of open requests that are outstanding from previous reporting periods.

Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Section 5: Social Insurance Number (SIN)

Did your institution receive authority for a new collection or new consistent use of the SIN in 2021-2022? : No

Appendix B – Designation Order: Privacy Act

Designation / Délégation

Privacy Act / Loi sur la protection des renseignements personnels

Jeremy Rudin
Superintendent of Financial Institutions/
Le surintendant des institutions financières