Annual Report to Parliament on the Administration of the Privacy Act - 2024-2025
Table of Contents
- Introduction
- Organizational Structure
- Delegation Order
- Performance 2024-2025
- Training and Awareness
- Policies, Guidelines, and Procedures
- Initiatives and Projects to Improve Privacy
- Summary of Key Issues and Actions Taken on Complaints
- Material Privacy Breaches
- Privacy Impact Assessments
- Public Interest Disclosures
- Monitoring Compliance
- Annex A: Designation Order
Introduction
We are pleased to table the Annual Report to Parliament on the administration of the Privacy Act (the Act) for fiscal year 2024-2025, as required under section 72 of the Act. Global Affairs Canada is not reporting on behalf of wholly owned subsidiaries or non-operational institutions.
Note: The Department is referred to in this report as Global Affairs Canada (GAC). Its legal name, however, remains the Department of Foreign Affairs, Trade and Development, as set out in the Department of Foreign Affairs, Trade and Development Act.
Purpose of the Privacy Act
The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.
Mandate of the Institution
Global Affairs Canada, under the leadership of the Minister of Foreign Affairs, the Minister of International Trade, the Minister responsible for Canada-US trade, Intergovernmental Affairs and One Canadian Economy, and the Secretary of State (International Development), is responsible for advancing Canada’s international relations, including:
- developing and implementing foreign policy;
- fostering the development of international law, international trade and commerce;
- providing international humanitarian, development, and peace and security assistance;
- providing consular services for Canadians; and
- overseeing the Government of Canada’s global network of missions abroad.
Global Affairs Canada’s mandate is derived from the Department of Foreign Affairs, Trade and Development Act.
Operating Context
From the movement of people and goods around the world, to regional conflicts and changes caused by climate change, the world is more connected and interconnected than ever. Events within and beyond our borders influence Canadians’ peace, security and prosperity.
The world is seeing challenges and threats to peace and security, rules-based trade and equitable access to resources and assistance. Aggressive actions by both state and non-state actors mean that Canada must continue to work with allies and partners to address these challenges and threats. Canada is not immune to the economic threats posed by uneven supply chains, shifting alliances and deteriorating trade relations among nations.
As a result, Canada’s international activities must foster security and prosperity for Canadians through a full suite of policies and programs that promote peace and security, strengthen rules-based trade and contribute to humanitarian and development assistance.
Global Affairs Canada is the department responsible for managing Canada’s diplomatic and consular relations, international trade and development efforts around the world. In a continuously changing and unpredictable international setting, protecting Canadians remains Global Affairs Canada’s top priority.
Organizational Structure
The Access to Information and Privacy Protection Division (the ATIP Division) is responsible for the administration of the Access to Information Act (ATIA) and the Privacy Act (PA), including the processing of requests and consultations. The director of the ATIP Division reports to the Director General, who also serves as the Corporate Secretary, and who, in turn, reports to the Associate Assistant Deputy Minister, Strategy, Policy and Public Affairs.
In 2024-2025, the ATIP Division had 64 Full-Time Equivalent positions to fulfill the Department’s obligations under both the Access to Information Act and the Privacy Act. During the fiscal year, the ATIP Division filled, on average, 62 of those 64 positions and relied on up to seven ATIP consultants.
The ATIP Division is led by a director, who manages the teams that administer the Access to Information and Privacy Acts:
The Operational Unit is managed by four deputy directors who head one or two processing teams. There are seven team leaders who supervise processing teams. Two senior advisors, 22 analysts and five consultants are distributed throughout these teams. The Operational Unit is responsible for the processing and review of access, privacy and consultation requests. It also includes a team with dedicated resources to address complaints; the team, processes legacy complaints and works closely to resolve them with the Office of the Information Commissioner (OIC) and the Office of the Privacy Commissioner (OPC).
- The Privacy Policy Team is managed by a deputy director and includes a team leader, five analysts and a consultant who deal directly with privacy breaches, departmental complaints, privacy impact assessments and requests for privacy advice.
- The Policy and Governance Team is managed by a deputy director and includes a senior ATIP policy and governance advisor who coordinates process modernization, procedural updates and departmental training.
- The Business Practices and Systems Unit is managed by a deputy director and includes a manager of business practices and systems, an ATIP systems analyst, three system administrator and four ATIP clerks who process incoming and outgoing ATIP correspondence, imaging services, technical support and other administrative tasks.
- The Corporate Affairs Unit is managed by a deputy director and includes an administrative assistant and a consultant. This group is responsible for the oversight of the division’s human resources, budget management and general administration.
All employees are working within a hybrid model, with telework from home and in-office presence at headquarters (125 Sussex Drive). Global Affairs Canada did not have any regional ATIP staff during the fiscal year 2024-2025.
During the fiscal year 2024-2025, Global Affairs Canada did not have any service agreements pursuant to section 73.1 of the Privacy Act.
Delegation Order
As part of GAC’s transformation implementation plan, the Access to Information and Privacy Division revised its delegation instrument under the Privacy Act. The previous delegation order, signed in July 2017, no longer aligned with GAC’s new structure and operational needs. The updated delegation order is designed to enhance efficiency in processing Privacy Act requests by enabling a broader range of decision-makers such as Team Leaders and Senior Advisors.
The revised delegation instrument now authorizes Senior Advisors and Team Leaders within the ATIP Division to make a wider range of decisions and approve additional tasks. By empowering experienced supervisors and managers to exercise delegated authority, the Division aims to reduce bottlenecks and improve response times on ATIA requests.
In January 2025, pursuant to subsection 73(1) of the Privacy Act, the Minister delegated full authority to the Deputy Ministers, Associate Deputy Minister of Foreign Affairs, Assistant Deputy Minister and Associate Assistant Deputy Minister of Strategy, Policy and Public Affairs, the Director General of the Corporate Secretariat, the Director of the Access to Information and Privacy Division, the Deputy Directors of the Access to Information and Privacy Division and Team Leaders within the ATIP program. In addition, Senior Advisors were granted authority to issue time extension under the Act.
A copy of Global Affairs Canada’s signed Designation Order is provided in Annex A.
Performance 2024-2025
Number of Requests
In 2024-2025, the Department received 327 new requests under the Privacy Act, a decrease of 9% compared to the 2023-2024 fiscal year. At the beginning of the 2024-2025 fiscal year, a total of 78 requests were outstanding from the previous reporting periods; 54 requests were outstanding from the 2023-2024 fiscal year, and 24 requests were outstanding from more than one reporting period.
During the same reporting period, 329 requests were completed; a 4% decrease compared to the 2023-2024 fiscal year.
Text version
Privacy Requests
| 2020-2021 | 2021-2022 | 2022-2023 | 2023-2024 | 2024-2025 | |
|---|---|---|---|---|---|
| Received | 82 | 109 | 118 | 361 | 327 |
| Completed | 74 | 110 | 124 | 344 | 329 |
Active Requests Carried Over to the Next Reporting Period
At the end of reporting period, 29% of Global Affairs Canada’s requests that were carried over the next reporting period (2025-2026) were on time. The carry-over of active files at the end of fiscal year 2024-2025 was 76.
| 2018-2019 | 2019-2020 | 2020-2021 | 2021-2022 | 2022-2023 | 2023-2024 | 2024-2025 | Total | |
|---|---|---|---|---|---|---|---|---|
| On time | 0 | 0 | 0 | 0 | 0 | 0 | 22 | 22 |
| Late | 2 | 4 | 2 | 3 | 3 | 11 | 29 | 54 |
| Total | 2 | 4 | 2 | 3 | 3 | 11 | 51 | 76 |
Compliance Rate
The compliance rate is defined as the percentage of privacy requests that the Department responded within the deadline required under the Act. In 2024-2025, the departmental compliance rate for Global Affairs Canada was 71%. This means that 29% of privacy requests received a response beyond the deadline. The compliance rate for the reporting period decreased by 11% compared to the previous reporting period.
Text version
Compliance Rate
| 2020-2021 | 2021-2022 | 2022-2023 | 2023-2024 | 2024-2025 | |
|---|---|---|---|---|---|
| Percentage | 11% | 45% | 52% | 83% | 71% |
Extensions
During the reporting period, the Department took extensions on 22 out of the 329 requests it closed. The reasons for extension include 12 extensions taken under paragraph 15(a)(i) for interference with operations and 10 extensions under paragraph 15(a)(ii) for required consultation.
Completion Time
During the reporting period, the Department closed 158 closed in 15 days or less (48%), 60 requests closed within 16-30 days (18%), 41 requests closed within 31-60 days (12%), 26 requests closed within 61-120 days (8%), 12 requests closed within 121-180 days (4%), 18 requests closed within 181-365 days (6%), and 14 requests took over 365 days to complete (4%).
Text version
Completion Time
| 2023-2024 | 2024-2025 | |
|---|---|---|
| 1-15 day(s) | 258 | 158 |
| 16-30 days | 19 | 60 |
| 31-60 days | 16 | 41 |
| 61-120 days | 28 | 26 |
| 121-180 days | 10 | 12 |
| 181-365 days | 6 | 18 |
| 365+ days | 7 | 14 |
Disposition of Completed Requests
Of the 329 privacy requests closed during the 2024-2025 fiscal year, 32 were all disclosed (10%), 88 were disclosed in part (27%), 1 was all exempted (<1%), 21 had no records in existence (6%), and 187 were abandoned (57%).
Text version
Completion Time
| 2023-2024 | 2024-2025 | |
|---|---|---|
| All disclosed | 10 | 32 |
| Disclosed in part | 54 | 88 |
| All exempted | 1 | 1 |
| All excluded | 1 | 0 |
| No records exist | 14 | 21 |
| Request abandoned | 264 | 187 |
| Total | 344 | 329 |
Consultations from Other Institutions
Given its mandate and various responsibilities at the international level, the Department plays a key role under the Act on behalf of other institutions of the Government of Canada. Specifically, the Department consulted foreign governments on behalf of other federal government institutions when the latter needed to determine whether they could release records that originated abroad.
During the reporting period, the Department received three new consultations from other government institutions and had one consultation outstanding from the previous reporting period. Global Affairs Canada was able to complete 3 consultations requests during the fiscal year having reviewed 9 pages.
Of the three consultation requests closed this fiscal year, one request was closed within 0-15 days (33%) and two requests within 61-120 days (66%).
| Number of Days Taken | Number of Requests Closed | Percentage |
|---|---|---|
| 0-15 days | 1 | 33% |
| 16-30 days | 0 | 0% |
| 31-60 days | 0 | 0% |
| 61-120 days | 2 | 66% |
| 121-180 days | 0 | 0% |
| 181-365 days | 0 | 0% |
| More than 365 days | 0 | 0% |
Staffing
In 2024-2025, the ATIP Division had approximately 13.61 Person Years dedicated to privacy activities (personal information requests and privacy policy). This is consistent with the staffing level of the previous reporting period.
Text version
Person Years Dedicated to Privacy Activities
| 2020-2021 | 2021-2022 | 2022-2023 | 2023-2024 | 2024-2025 | |
|---|---|---|---|---|---|
| Total | 11.63 | 11.45 | 11.67 | 11.56 | 13.61 |
Training and Awareness
The ATIP Division continued to develop tools, guidance and training for ATIP analysts, ATIP liaison officers and subject matter experts across Global Affairs Canada.
Again, during the reporting period, the ATIP Division benefited from its Professional Development Program (PDP), which allows the Department to train and promote its ATIP analysts from junior (PM-01) to senior (PM-05) levels.
This long-standing program continues to be highly successful in addressing recruitment, retention, and succession planning issues. Most of the employees working in the ATIP Division are already part of the PDP and are eligible for promotion to the next level once they meet the required objectives. The PDP aims to build a more robust ATIP capacity within Global Affairs Canada by “growing its own”, thereby addressing the shortage of analysts and team leaders across the federal ATIP community.
During the reporting fiscal year, three employees from the Access to Information and Privacy Division at Global Affairs Canada participated in specialized training offered by the Association des professionels en accès à l’information et en protection de la vie privée (AAPI). Delivered over two weeks, the program consisted of four courses spanning six days, for a total of 42 instructional hours. The training provided in-depth knowledge of the Access to Information Act and the Privacy Act. Upon successful completion, participants were awarded a joint certificate from the Université de Montréal and the AAPI, attesting to the high quality and rigor of the training.
Additionally, the ATIP Division provided the following training modules to GAC employees:
- ATIP for liaison officers
- ATIP for reviewing officers
Due to GAC’s rotational employee structure, ATIP training sessions were made available upon request and attendance varied from one-on-one training to group training with up to 104 participants. During the fiscal year, a total of 67 training sessions were delivered to 1060 Global Affairs Canada employees. Of these, 65 presentations were delivered virtually using MS Teams and 2 training sessions were delivered in person.
The Privacy Policy Team maintains an updated spreadsheet, documenting all privacy training sessions conducted within the organization throughout the fiscal year, ensuring an accurate reflection of specific topics discussed and keeping track of employees’ increasing privacy awareness.
Over the reporting period, the Privacy Policy Unit contributed to a range of departmental training initiatives, with a continued focus on integrating privacy best practices into mandatory programs and operationally relevant learning series.
As part of the Global Security Reporting Program’s (GSRP) mandatory pre-posting training cycle for 2025, the Unit delivered targeted privacy training designed to prepare participants for the unique privacy considerations associated with international security reporting. This training emphasized the importance of protecting sensitive personal and operational information, aligning with applicable legislation and departmental policies. Delivered through interactive modules, the sessions used anonymized case studies to foster participant engagement while preserving confidentiality. These sessions supported the GSRP’s objective of strengthening the integrity and security of Canada’s global reporting network.
In collaboration with the Consular Training Unit, the Privacy Policy Unit also contributed to the 2024–2025 Consular Theme of the Month series. The new cycle launched in October 2024, building on the success of the previous year’s initiative. The Unit developed and delivered 4 sessions tailored to equip 205 consular staff with the knowledge and tools to manage personal information in accordance with legal and policy obligations with a focus on the practical application of confidentiality principles in consular operations, including the handling of sensitive information during service delivery abroad.
Together, these efforts reflect the Unit’s ongoing commitment to strengthening privacy awareness across operational contexts, reinforcing the Department’s broader mandate to protect personal information and uphold information security standards.
Policies, Guidelines, and Procedures
Privacy Tools and Initiatives
As part of its ongoing commitment to enhancing departmental privacy management practices, the Privacy Policy Unit launched a new Privacy Breach Assessment and Containment Tool to support employees, agents, and contractors in the timely identification, reporting, and mitigation of potential privacy breaches.
This tool is a critical addition to GAC’s broader privacy infrastructure and aligns with the implementation of the Privacy Management Framework, which has served as a foundational guide for privacy governance since its launch in November 2022. The tool offers step-by-step guidance for conducting preliminary assessments and immediate containment actions following the suspected or confirmed breach of personal information—whether in Canada, at missions abroad, or through third-party service providers.
All GAC personnel are reminded of their responsibilities under the Privacy Act, the TBS Directive on Privacy Practices, and departmental policies to safeguard personal information. This includes recognizing what constitutes a privacy breach—whether accidental or intentional—and understanding when such incidents must be reported. The tool ensures that breaches are assessed holistically, with a focus on the potential for significant harm to affected individuals. It also outlines roles and responsibilities in accordance with the Privacy Breach Management Toolkit and provides links to related policy instruments.
Initiatives and Projects to Improve Privacy
Integration of ATIP in Executive Performance Management Program (PMP)
In response to recent recommendations from the Office of the Information Commissioner to strengthen Canada’s access to information regime, GAC has taken concrete steps to enhance accountability and performance in this area. For the 2024-2025 fiscal year, GAC designated the “timeliness and completion of access to information and privacy request” as a corporate priority for its executives.
This priority was formally integrated into the Executive Performance Management Program (PMP) for 2024-2025.
ATIP Engagement at GAC’s Executive Committee and Corporate Management Meeting
In the 2024-2025 fiscal year, the Director General and Corporate Secretary of Global Affairs Canada, responsible for the administration of the Privacy Act, along with the Director of the Access to Information and Privacy Division, participated in key senior-level corporate governance meetings. They attended GAC’s Executive Committee in April 2024 and at GAC’s Corporate Management Meeting in November 2024.
At both meetings, the Director General and Corporate Secretary, and the Director underscored the critical importance of timely responses to ATIP requests and the need to reduce the backlog of outstanding taskings. They also shared best practices and strategies to support improved performance and compliance across the department.
New Software Solution for Processing Requests
The current case management software used to process requests is becoming obsolete and will no longer be supported by the vendor in the coming years. GAC is using this opportunity to replace the legacy software and leverage new technology to increase efficiencies in our service delivery and to better handle the large volume of ATIP requests. Deployment of the new solution is anticipated for fiscal year 2025-2026.
Human Resources and Talent Development
The hybrid work model continued to support staff retention in the ATIP Division during the 2024-2025 fiscal year. Like other government institutions, Global Affairs Canada faced ongoing challenges in recruiting skilled analysts, particularly at the senior level.
Despite these challenges, the ATIP Division achieved notable recruitment success, appointing 13 new employees – 10 of whom are new to the department. The Division also leveraged its Professional Development Program to support internal career growth, resulting in the promotion of seven existing staff members.
These efforts have contributed significantly to the ATIP Division’s operational success over the past year.
Summary of Key Issues and Actions Taken on Complaints
Complaints Received and Completed
During fiscal year 2024-2025, 28 complaints were made to the Office of the Privacy Commissioner of Canada regarding privacy requests to the Department. The reasons for the complaints are as follows:
| Reason for Complaint | Number of Complaints |
|---|---|
| Collection | 3 |
| Delay | 10 |
| Miscellaneous | 8 |
| Refusal – Exemptions | 6 |
| Refusal – General | 1 |
Over the course of the reporting period, 16 complaints against the Department were closed. The findings on closed complaints were as follows:
| Complaint Findings | Number of Complaints |
|---|---|
| Discontinued | 2 |
| Well-founded | 7 |
| Ceased to Investigate | 5 |
| Not well-founded | 2 |
All closed complaints regarding access to personal information were resolved by responding to or providing additional information to the requesters. The ATIP Division ensured continuous and consistent follow-ups on outstanding taskings, utilizing escalation procedures to fully respond to requesters and close complaints.
The ATIP Division continues to operate a team dedicated to managing complaints from the Office of the Privacy Commissioner (OPC). This team serves as the primary point of contact between Global Affairs Canada and the OPC, working closely and collaboratively to strengthen relationships and improve Global Affairs Canada’s ATIP program performance.
Management of Personal Information
No complaints received in 2024-2025.
Active Complaints Carried Over to the Next Reporting Period
| 2015 - 2016 | 2016 - 2017 | 2017 - 2018 | 2018 - 2019 | 2019 - 2020 | 2020 - 2021 | 2021 - 2022 | 2022 - 2023 | 2023 - 2024 | 2024 - 2025 | Total | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Active | 1 | 0 | 2 | 7 | 2 | 2 | 6 | 4 | 10 | 16 | 50 |
Material Privacy Breaches
During fiscal year 2024-2025, 6 material privacy breaches were reported to the Department. At the end of the fiscal year, 6 material privacy breach notifications were reported to the Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).
Material Breaches Reported to OPC and TBS 2024-2025
1. PBR-2024-00005 - The Consulate General of Canada, Shanghai (SHNGI)
Description
Disclosure of personal information, wrong recipient received the Passports (4), Canadian Birth Certificate, Canadian citizenship Certificate
Summary of Action
- May 17, 2024: The Assistant Trade Commissioner at SHNGI completed 9 of the 10 passport packages for delivery. When the courier arrived, an error occurred in the Shùnfēng app: the tracking numbers were not correctly linked to the packages. As a result, the delivery person could not match the packages with their records.
- May 17 – May 20, 2024: Due to the tracking error, four newly issued blue regular passports belonging to Canadian citizens were delivered to the wrong recipients. Client A received Client B’s passport, and vice versa. Similarly, Client C received Client D’s passport, and vice versa.
- May 20, 2024: The mission in Shanghai advised the Passport Foreign Operations (PFO) of a potential privacy breach involving the mis-delivery of personal documentation. The Consular Assistant contacted all affected clients, requesting that the incorrect passport packages be returned to SHNGI. On the same day, the parents of Client C and Client D informed SHNGI that they had connected via WeChat and exchanged the passports directly.
- May 21, 2024: The Consular Assistant formally notified PFO of the mailing error involving Client C and Client D. That day, Client A’s mother returned Client B’s passport package in person to SHNGI.
- May 22, 2024: SHNGI received Client A’s passport package via courier from Client B’s mother.
- May 23, 2024: PFO Operations instructed SHNGI to issue gratis replacements for all four affected passports.
- May 24, 2024: Deputy Management and Consular Officer in SHNGI responded to PFO Operations, inquiring whether replacements could be waived for clients who preferred to keep their current passports due to travel plans or personal convenience.
- May 27, 2024: Client A’s mother requested a gratis replacement. The other clients indicated they did not wish to replace their passports.
2. PBR-2025-00008 - The Consulate General of Canada, Hong Kong (HKONG)
Description
Credit card information disclosed with the third party (1): The third party who received the information was collaborative in disclosing the mistake and erasing the data from their records.
Summary of Action
- July 8, 2024: A passport applicant sent an email with the subject line “Re: RECEIPT - PPT DROP-IN 2024-07-08” to HKONG Consular mailbox. Later, the applicant reported that there appeared to be someone else’s personal information included at the very bottom of the email.
- July 15, 2024: The Consular Coordinator contacted the applicant via the HKONG Consular mailbox to request payment for passport fees, as the previously provided American Express card had failed. The email included a link for online payment and a portable document format (PDF) credit card authorization form.
- July 16, 2024: The applicant responded by embedding Visa and MasterCard details directly into the body of the email, including card numbers, expiry dates and security codes. The coordinator confirmed receipt of payment and proceeded with the application. However, later that same day, the coordinator mistakenly forwarded the applicant’s email—containing sensitive credit card information—to another client via the HKONG Consular mailbox.
- July 17, 2024: The unintended recipient alerted the consulate to the data breach, noting the presence of another individual's credit card information at the bottom of the email. Upon reviewing the mailbox, the Senior Consular Officer confirmed that the exposed data included one Visa card and one MasterCard, along with their full card numbers, expiry dates and security codes.
3. PBR-2025-00016 - The Embassy of Canada to Mexico, Mexico City (MXICO)
Description
Robbery of the FedEx truck transporting 12 Canadian passports in Mexico.
Summary of Action
- September 17, 2024: Mennonite agent informed the Embassy that FedEx reported an attempted robbery involving a passport shipment.
- September 19, 2024: A notification was sent to all 12 affected individuals.
- September 23, 2024: FedEx and Envipaq confirmed the truck carrying 12 Canadian passports to Cuauhtémoc, Chihuahua, was stolen. The package had shown as “Running late” for 10 days. The mission reported the theft and notified PFO and the Passport Security bureau (PPSD) of a potential privacy breach.
- October 8, 2024: The Access to Information and Privacy Division at Global Affairs Canada (RCP) was informed of the breach involving the stolen passports.
4. PBR-2024-00018 - The Embassy of Canada to the Philippines (MANIL)
Description
The agent inadvertently attached a rejected citizenship letter intended for a different client.
Summary of Action
- October 1, 2025: The agent inadvertently attached a rejected citizenship letter intended for a different client. He attempted to recall the message, but no word yet whether it was a success. The attachment included the applicant’s full name, the date the applicant’s father was granted citizenship, the file number, and the reason for ineligibility for Canadian citizenship.
5. PBR-2024-00019 - The Embassy of Canada in Israel (TAVIV)
Description
The passport was lost during delivery from the mission. Israel Post left the package at the front door without obtaining a signature. Upon arrival, the applicant found the envelope opened and its contents spilled. One minor was affected.
Summary of Action
- August 27, 2024: The envelope containing the birth certificate and Canadian passports was mailed to the client from TAVIV.
- September 18, 2024: The envelope was received torn open. Following September 18, 2024, the OPI waited for the parent to submit Form #203 and a statement of events to report the loss to Passport Protection.
- October 1, 2024: An email was sent to Passport Protection. The OPI received a response the following day, advising them to write to PFO.
- October 2 - 6, 2024: October 2 was a holiday in Israel, and the office was closed on October 3rd, 4th, 5th, and 6th.
- October 7, 2024: The email to PFO was sent.
- October 8, 2024: RCP received the email from PFO related to this breach.
- October 21, 2024: the passport was received. The father picked it up on October 31, 2024.
6. PBR-2024-00021 - The Consulate General of Canada, Monterrey (MNTRY)
Description
The personal information disclosed involved a sensitive situation in which X reported her allegedly abusive husband, Y; the receptionist forwarded X’s email to the Consular Officer and later disclosed her name during a phone call with Y. Two individuals were affected.
Summary of Action
- February 14, 2025: The receptionist forwarded an email from X, a Canadian citizen, to the Consular Officer. The email contained personal information about X and details regarding her situation.
- March 3, 2025: Y, the husband of X, called the Consulate. During the call, the receptionist asked Y, "Is X your wife?" and then transferred the call to the Consular Officer. In the conversation with the Consular Officer, Y questioned how the Consulate knew his wife's name and inquired about the assistance being provided to her.
- March 27, 2025: A notification was sent to the affected individuals by the mission in Mexico.
Privacy Impact Assessments
None.
Public Interest Disclosures
Subsection 8(2) of the Privacy Act provides that “personal information under the control of a government institution may be disclosed” without consent under certain specific circumstances.
During the 2024-2025 fiscal year, the Department made a total of 78 disclosures pursuant to paragraph 8(2)(m) of the Privacy Act. In 2 cases, the Department determined that the public interest in disclosing personal information clearly outweighed any invasion of privacy that could result. All other disclosures were determined to clearly benefit the individual to whom the information related.
Disclosures pursuant to subparagraph 8(2)(m)(i):
- 2 disclosures were made in the interest of public
Disclosures pursuant to subparagraph 8(2)(m)(ii):
- 8 disclosures were made to notify the relevant authorities of an individual’s detainment and arrest abroad.
- 2 disclosures were made to a family member as subject was distressed or missing abroad.
- 5 disclosures were made to a family member for next of kin notification.
- 12 disclosure was related to advising local authorities, or agencies regarding a child welfare
- 10 disclosures were related to advising authorities regarding a possible kidnapping.
- 7 disclosures were made to the local authorities to conduct a wellness check, and
- 32 disclosures were made to either the family, friend, doctor, or legal counsel of an individual requiring medical
In all instances notification to the Privacy Commissioner occurred after disclosure.
Monitoring Compliance
Ongoing Reporting
The ATIP Division prepares and distributes a weekly statistics report to the ATIP Division’s management team that tracks the number of requests that were received and closed, as well as any emerging trends and performance statistics. The report also allows for comparison of workload and completion rates in relation to the previous year to identify changes in ATIP processing.
Additionally, an active tasking report is generated and posted to the intranet weekly to identify all current active taskings within the Department. This report is available for all offices of primary interest (OPIs) to view and lists all open taskings by branch, highlighting late files.
During fiscal year 2024-2025, the Director General and Corporate Secretary continued to send the ATIP Twice Monthly Performance Report to deputy ministers, assistant deputy ministers and directors general, outlining the number of active taskings and compliance within each of the branches/special bureaus. The intent of this procedure is to call attention to the backlog of active taskings to senior management, thereby increasing compliance.
In addition to the Twice-Monthly ATIP Report, ATIP Quarterly Reports are produced in July, October, January and April, and are shared with the same senior officials. These reports provide an overview of the performance of branches and special bureaus in meeting their obligations under the Access to Information Act and Privacy Act, with a particular focus on the completion of taskings and overall compliance rates. The purpose of the Quarterly Reports is to highlight and acknowledge the ATIP-related work accomplished across the department and to promote continued accountability through close monitoring of compliance trends throughout the fiscal year.
Privacy Protection in Contracting
In reviewing contracts, the Privacy Policy Team provides privacy clauses that are written to call out privacy protections and regulatory requirements within the statement of work and then mapped to service-level agreements to ensure there are no questions concerning data privacy responsibilities, breach response, incident response, media press releases on breaches, and other considerations, as if the vendor were part of the organization.
As per the information sharing agreements, the Privacy Policy group ensure privacy protection assisted by the TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information.
Annex A: Designation Order
Text version
Privacy Act Delegation Order
The Minister of Foreign Affairs, pursuant to section 73(1) of the Privacy Act, hereby designates the persons holding the following positions to exercise the powers, duties and functions of the Minister: all three Deputy Ministers and Associate Deputy Ministers, the Associate Assistant Deputy Minister of Stragety, Policy and Public Affairs, the Director General of the Coroporate Secretatriat, as well Director, Deputy Directors and Team Leaders of the Access to Information and Privacy Protection division. In addition, Senior Officials for Hostage Affairs, Emergency Management, Legal and Consular Affairs, as well as Heads of Mission can apply Paragraph 8(2)(m), and Senior Advisors can apply section 15.
- Date modified:
