Annual Report to Parliament 2021-2022 on the Administration of the Privacy Act

On this page

• Introduction
• Organizational structure
  • RCMP
  • Access to Information and Privacy (ATIP) Branch
• Delegation Order
• Performance 2021-2022
  • Compliance
  • Requests received and closed
  • Completion time and extensions
  • Disposition of completed requests
  • Consultations with other institutions
  • Active outstanding requests from previous reporting periods
  • Active outstanding complaints from previous reporting periods
• Training and awareness
• Policies, guidelines, procedures and initiatives
  • ATIP Modernization
• Summary of key issues and actions taken on complaints or audits
  • Complaints and investigations
  • Court action
• Monitoring compliance
• Material privacy breaches
• Privacy Impact Assessments
• Public interest disclosures
• Appendix A - Delegation Order
• Appendix B – Statistical Report on the Privacy Act
• Appendix C - Supplemental Statistical Report on the Privacy Act

Introduction

The Royal Canadian Mounted Police (RCMP) depends on an informed public in order to maintain the trust and confidence of Canadians. In this regard, compliance with both the Access to Information Act (ATIA) and the Privacy Act (PA) is of critical importance. The purpose of the PA is to provide individuals with a right of access to personal information about themselves. The Act provides a right of access to information in accordance with the principles that government information should be available to the public and that necessary exceptions should be limited and specific. The RCMP takes these responsibilities seriously, and is committed to meeting the expectations of Canadians while protecting the integrity of the investigations undertaken on their behalf.

That said, the RCMP's Access to Information and Privacy (ATIP) program—which denotes both the dedicated ATIP personnel in the ATIP Branch in Ottawa as well as supporting personnel in divisions and business lines across the country—has faced numerous challenges over the past decade, which has hampered its ability to meet its obligations under both the ATIA and PA. As outlined in last year's annual report, the RCMP is taking concrete steps to improve its ATIP program and ultimately meet its obligations. Implementation on the RCMP's ambitious modernization effort, led by a comprehensive strategy, Access Granted: Restoring Trust in the RCMP's Access to Information and Privacy Program and supporting action plan is well underway.

This annual report outlines the first year of the implementation of the five-year strategy, and the RCMP is pleased to be able to report some significant improvements. We encourage all Canadians to monitor our progress through our public website.

While the RCMP has made significant strides over the past year, this reporting period was not without its challenges. The ongoing impact of the COVID-19 pandemic, as well as significant operational demands during the reporting period had negative impacts on the RCMP's compliance with the PA. Nevertheless, the RCMP ATIP Branch adapted to these challenges, and continues to examine new and innovative ways of working in order to meet the expectations of Canadians.

The RCMP is pleased to outline in this annual report details of the manner in which it discharged its responsibilities in relation to the Act during the reporting period. The report is prepared and tabled in Parliament in accordance with section 72(1) of the PA.

Organizational structure

Royal Canadian Mounted Police (RCMP)

For nearly 150 years, the RCMP has been Canada's national police service. As a federal, provincial, territorial and municipal policing body, the RCMP is unique in the world. The RCMP provides federal policing services to all Canadians and policing services under contract to the three territories, eight provinces, and more than 180 municipalities, including more than 750 detachments across Canadian communities, 600 Indigenous communities and three international airports.

The RCMP's mandate is multifaceted and includes preventing and investigating crime; maintaining peace and order; enforcing laws; contributing to national security; ensuring the safety of state officials, visiting dignitaries and foreign missions; and, providing vital operational support services to other police and law enforcement agencies within Canada and abroad.

The organization is subdivided into 16 divisions (ten provinces, three territories, National Division, Depot and National Headquarters in Ottawa), each of which is under the direction of a Commanding Officer or Director General. National Headquarters includes nine business lines and is structured as follows: Federal Policing; Contract and Indigenous Policing; Specialized Policing Services; Corporate Management and Comptrollership; Human Resources; Internal Audit and Evaluation; Legal Services; Professional Responsibility Sector; and, Strategic Policy and External Relations.

Access to Information and Privacy (ATIP) Branch

The RCMP established the ATIP Branch in 1983, as the central contact point for matters arising from both the ATIAand PA. The ATIP Branch falls within the RCMP's Strategic Policy and External Relations Directorate.

Traditionally, the Director of the ATIP Branch acts on behalf of the head of the institution as the Departmental ATIP Coordinator for the RCMP. The ATIP Coordinator ensures compliance with both the spirit and the intent of the ATIA and PA, as well as all associated regulations and guidelines. During this reporting period, the new Director General position of ATIP was also created, primarily tasked with leading the Program's broad modernization effort, as well as the new Privacy director to lead the Privacy Policy stream of the ATIP Branch.

Functionally, the ATIP Branch is divided into two areas:

Policy Team

This team monitors and develops internal policies, procedures and guidelines for the collection, retention, disposition, use and disclosure of all personal and non-personal information for RCMP-wide applications. These dedicated professionals provide policy advice and expertise to the RCMP on privacy-related issues, including supporting the drafting and development of Privacy Impact Assessments (PIAs). The team also offers support within the program to the ATIP analysts and the RCMP ATIP Coordinator, provides guidance to RCMP business lines and divisions across Canada with respect to sections 4 to 8 of the PA. In addition, the team reviews and creates internal policies that reflect Treasury Board Secretariat (TBS) policies and directives as well as expectations of the Office of the Privacy Commissioner (OPC) in order to meet its obligations in relation to the Info Source: Sources of Federal Government and Employee Information and PIAs within the RCMP.

Disclosure Team (Operations)

This team processes all formal requests under the ATIA and PA, including: working with requesters to discuss scope and clarity of their submissions; opening requests; and, tasking and receiving/importing records to and from Liaison Officers (LOs) within the RCMP's various business lines and divisions from across the country. The team also reviews records and provides disclosed pages to requesters, process informal access to information requests, review, and respond to complaints received through both the Offices of the Information Commissioner (OIC) and OPC.

It must be mentioned that significant efforts were undertaken during fiscal year 2021-22 to restructure and modernize the reporting structure of the Branch. While these changes were not implemented during the reporting period, they will be firmly in place next year. An overview of these efforts can be found in Section 6 of this report.

When tasking requests, the ATIP Branch works closely with LOs and record holders, known as Office of Primary Interest (OPIs). Some responsibilities of the LOs and OPIs include:

Liaison Officers (LOs)

LOs are responsible for forwarding all ATIP requests to the appropriate personnel (OPIs) within their business lines or divisions. Other responsibilities include: tracking submissions to ensure responsive records are sent by OPIs to the ATIP Branch; ensuring responses are on time; and documenting, and communicating internal RCMP ATIP processes to all who facilitate the processing of requests.

Office of Primary Interest (OPI)

As the record holders, some of the OPIs' responsibilities include: providing electronic copies of the responsive records; reviewing records for duplication; ensuring that the information falls within the scope of the request; notifying the ATIP Branch if records are voluminous; and, advising the Branch or LO if an extension is required.

Delegation Order

The Departmental ATIP Coordinator has full authority to administer the legislation. A copy of the signed Delegation Order is included in Appendix A. Of note, due to the approved reorganization of the Branch (see Section 6), this delegation order is being updated to reflect the new operational structure.

Performance

This section provides an overview of the RCMP's performance with respect to information requested under the PA for the 2021-2022 reporting year. The completed statistical report is found in Appendix B, and the supplemental statistical report is found in Appendix C.

The ATIP Branch also continued to work closely with its partners and stakeholders in finding solutions and reviewing processes to ensure that it responded to Canadians' requests in a satisfactory and timely manner.

Compliance

The ATIP Branch saw an increase in compliance for the number of requests closed within the legislated time frames under the PA. In the 2021-2022 fiscal year, compliance increased to 46.1% from 32.8% in the previous fiscal year. The increase is due, in part, to modifications in processes within the Branch, resulting in efficiencies and the utilization of contractors to complete files in order to address legislative compliance.

Requests received and closed

As noted in the Statistical Report in Appendix B, the RCMP received a total of 4,290 new requests under the PA in 2021-2022. In addition, there were 3,253 requests outstanding from the previous reporting periods for a total of 7,543 requests. Of these, 4,081 requests were completed and 3,462 carried over to the 2022-2023 fiscal year.

Generally, privacy requests cover a variety of topics, including information on police operational files, such as motor vehicle accidents, and employment files.

As demonstrated below, there has been an increase in the number of requests received compared to the previous reporting period. The number of requests received increased by less than 2% compared to the previous fiscal year and increased by 17% compared to the 2019-2020 fiscal year.

The graph also demonstrates that the number of requests closed this reporting period increased by 13% compared to the previous fiscal year, and was 10% lower than the 2019-2020 fiscal year.

Completion time and extensions

The ATIP Branch completed 1,153 (28%) requests in 30 days or less. During the reporting period, 733 (18%) requests were completed within 31-60 days, 326 (8%) were completed in 61-120 days, and 1,869 (46%) were completed in more than 120 days.

Of the requests that were closed, extensions between 16 to 30 days were sought on 3,275 files. This can be attributed, in part, to the number of requests with a large volume of pages, but more specifically to the ongoing challenges faced by the ATIP program that were exasperated by COVID-19.

Disposition of completed requests

Of the 4,081 requests completed in the 2021-2022 fiscal year, the dispositions of completed requests were as follows:

• 2,322 (56.9%) requests were disclosed in part;
• 974 (23.9%) requests were abandoned by requesters;
• 347 (8.5%) requests had no records located;
• 259 (6.3%) requests were fully disclosed;
• 171 (4.2%) requests had all material exempted;
• 8 (0.2%) requests were neither confirmed nor denied; and,
• 0 (0%) requests had all material excluded.

Consultations for other institutions

The number of consultations received and completed over the last three reporting periods has decreased significantly, which could possibly be a result of COVID-19 pandemic restrictions. During the current reporting period, the RCMP completed 86 consultations, totalling 3,077 pages reviewed. Of the 86 completed consultations, 56 were received from other Government of Canada institutions and 30 were received from other organizations.

Active outstanding requests from previous reporting periods

At the conclusion of the 2021-2022 fiscal year, a total of 3,462 requests were outstanding. Of those outstanding, 22% were carried over within legislated timelines, and 78% were carried over beyond legislated timelines. The fiscal years the carried over requests were received in are as follows:

• 2,567 (74.2%) received in 2021-2022;
• 500 (14.5%) received in 2020-2021;
• 219 (6.3%) received in 2019-2020;
• 145 (4.2%) received in 2018-2019;
• 15 (0.4%) received in 2017-2018;
• 8 (0.2%) received in 2016-2017; and,
• 8 (0.2%) received in 2015-2016 or earlier.

Active Outstanding Complaints from Previous Reporting Periods

At the conclusion of the reporting period, a total of 64 complaints were outstanding. The fiscal years the outstanding complaints were received in are as follows:

• 42 (65%) received in 2021-2022;
• 10 (16%) received in 2020-2021;
• 5 (8%) received in 2019-2020;
• 3 (5%) received in 2018-2019;
• 0 (0%) received in 2017-2018;
• 4 (6%) received in 2016-2017; and,
• 0 (0%) received in 2015-2016 or earlier.

Training and awareness

Continuous learning is a priority for the RCMP and the ATIP Branch is no exception. ATIP Branch staff are encouraged to seek out relevant courses and other learning opportunities as a means to enhance their knowledge and to improve their skills. For the 2021-2022 reporting year, the ATIP Branch held regular information sharing sessions where Branch staff discussed files and shared best practices. Informal briefings were also held to advise Branch staff of the implementation of new procedures to respond to the COVID-19 pandemic. As new technological tools were introduced to support remote collaboration during the pandemic, the RCMP was able to leverage these tools (particularly videoconferencing) to provide a number of training sessions to employees. In-house training and orientation was also provided to new ATIP Intake staff and virtual training was provided to ATIP LO's in several divisions and business lines across the country, including the Canadian Criminal Real Time Identification Services, Protective Policing, H Division (Nova Scotia) and J Division (New Brunswick).

During the reporting period, the ATIP Branch, in conjunction with the RCMP's Learning and Development Unit produced the Access to Information and Privacy Fundamentals online course available to all categories of RCMP employees. In addition to increasing their knowledge of the ATIA and the PA, this course also provides employees with a better understanding of their responsibilities when responding to information requests and best practices when managing personal information. While only live for a brief period of time within the reporting period, the course was taken by over 1,800 personnel, representing approximately 6% of the overall workforce.

Policies, guidelines, procedures and initiatives

ATIP Modernization

In November 2020, the Information Commissioner of Canada released the results of a systemic investigation of the RCMP's ATIP program, entitled Access at issue: The need for leadership. The report was highly critical of the RCMP's ATIP program and identified fifteen (15) recommendations for improvement. Subsequently, the Minister of Public Safety issued a Direction to the RCMP to action the recommendations of the OIC's review and submit a strategy outlining a way forward to be developed in consultation with the TBS. In response, the RCMP developed a comprehensive strategy entitled Access Granted: Restoring Trust in the RCMP's Access to Information Program, supported by a concrete action plan, outlining initiatives to modernize the program.

In developing the strategy, the RCMP recognized that it must not only have a robust capacity to respond to Canadians when they request access to information held by the RCMP, but also be able to provide strategic advice and guidance on privacy issues to ensure that program and policy development is done in full consideration of the various privacy impacts that could occur. It is for this reason that privacy is also a main focus of the RCMP's ATIP Modernization strategy. The RCMP is committed to implementing this strategy over the course of the next five years, to increase compliance rates and enhance public transparency. The RCMP has posted the strategy, and is providing quarterly updates, on the RCMP external website, and we encourage all Canadians to visit the site and monitor our progress https://www.rcmp-grc.gc.ca/en/access-information-and-privacy-programs-modernization-strategy.

Over the reporting period of this annual report, the RCMP has made significant progress in implementing the strategy. While more detail can be found on our external website, some key initiatives include:

• Restructure and reorganization of the ATIP Branch: The RCMP's modernization strategy recognizes that the RCMP's ATIP program has not been sufficiently resourced to provide the necessary attention on privacy in the digital age. As such, a critical element was to outline an organizational chart that provides the RCMP with the required capacity to support proactive and thoughtful analysis of privacy issues. As a result, the RCMP identified that a new privacy stream, with personnel dedicated to the review of privacy-related requests, the resolution of privacy complaints and breaches as well as a robust privacy policy capacity, was necessary for the organization's success. As such, the RCMP designed and began to implement a reorganization of the ATIP Branch. The new structure separates the Branch into three streams; Information (responsible for meeting the RCMP's obligations under the ATIA); Privacy Protection (responsible for meeting the RCMP's obligations under the PA); and Operational Support (responsible for providing critical support services for the entire Branch, such as intake, quality assurance, training and operational policy). Each stream is led by a dedicated director, with the Branch now reporting to a Director General. These changes are bringing new personnel into the Branch as well, with the ATIP Branch nearly doubling in size over the next five years. While these changes were authorized during the reporting period, and the RCMP was able to onboard the new Director of the Privacy, meaningful implementation did not commence until the 2022-23 fiscal year. The RCMP looks forward to providing more detail on this effort in our next annual report.
• New ways of working: The RCMP engaged PricewaterhouseCooper (PwC) to assist with its modernization efforts. Specifically, PwC performed a diagnostic review of the ATIP program, which included a Lean management approach to optimize the ATIP process for the program. Following the review, they rolled out the PERFORM training regime, which is designed to support culture and business process changes. Specifically, this training included the introduction to new skills and tools that were applied to day-to-day work. With the conclusion the training in December 2021, surveys issued to personnel indicated increases in employee expectations on effective management of workloads, employee motivation and open communications about wellbeing. To ensure that new business processes continue, sustainability plans were created for the Branch and are monitored monthly and updated quarterly.
• Focus on training: As part of broader modernization efforts, the RCMP ATIP Branch aggressively promoted the new training course to personnel, which directly resulted in the positive enrollment rate. Additional efforts are underway to develop new training and course offerings for ATIP Branch personnel and the broader organization that will be in place for the next reporting period. In fact, expanding training delivery forms a key part of the Branch's human resources strategy for ATIP modernization, succession planning, and employee retention. Further, the RCMP is examining the development of new training modules that focus specifically on privacy, including enhanced guidance on the development of PIAs.
• Sharing best practices: The RCMP is not the only organization modernizing their ATIP programs – change is underway across the Government of Canada. In order to ensure that the RCMP was benefiting from the lessons learned and work underway by its partners, and that partners were aware of work underway at the RCMP, an interdepartmental working group was established to exchange best practices and identify areas for collaboration.

The ATIP Branch continued to review its processes to improve operational effectiveness. During the reporting period of 2021-2022, the ATIP Branch accomplished the following:

• Reviewed employee work arrangements due to the COVID-19 pandemic restrictions and established new telework agreements as well as a reintegration protocol to allow more flexibility for its employees;
• Updated the Disclosure and Intake teams' standard operating procedures, which was part of the ATIP Branch's efforts to formalize its internal processes;
• Enhanced internal processes for facilitating the transfer of files within the RCMP, including the creation of national shared drives for classified information;
• Modified guidelines to address its on-time and backlog files, enabling processing efficiencies;
• Worked with business lines and divisional LOs to develop guidelines, standards and awareness communiques to further facilitate RCMP ATIP modernization; and,
• Continued to lead the interdepartmental working group for the development of business continuity plans specifically for ATIP programs, which led to greater information sharing among the participating departments.

Additionally, the ATIP Policy Unit completed the following:

• Completed a gaps analysis of the various operational and organizational policies related to ATIP, and developed a work plan to update them over the next five years;
• Updated Standard Operating procedures in the unit relating to Privacy Act 8(2) disclosures;
• Participated in quarterly meetings with the OPC's Government Advisory Directorate resulting in better communication concerning ongoing initiatives and consultations;
• Published new guidance on privacy breaches and privacy impact assessments to the Infoweb to raise awareness and enhance the RCMP's reporting of privacy breaches, supported by direct training on breaches to several departmental business lines;
• Participated in the established National Technologies Onboarding Program weekly core meetings to establish processes and address the RCMP's commitments related to the OPC's recommendations on the Clearview AI investigation;
• Participated in the Race-Based Data Collection Working Group;
• Actively engaged in the effort to procure and deploy Body Worn Cameras within the RCMP to ensure that privacy considerations were incorporated at the outset; and,
• Re-established the Exempt Bank Working Group.

The RCMP did not seek nor receive authority for any new collection or new consistent use of Social Insurance Numbers during the reporting period.

Summary of key issues and actions taken on complaints or audits

Complaints and investigations

During this reporting period, the RCMP continued to work collaboratively with the OPC to address complaints as efficiently as possible.

As part of this modernization strategy, a team of analysts dedicated to complaints was formed. Comprised of six employees, including consultants, the ATIP Branch's complaints team continued to enable the RCMP to respond more efficiently to complaints received through the OPC. This new unit not only ensured robust responses to complaints, but also worked proactively to identify and address issues before complaints were made.

Section 8 of the Statistical Report, found in Appendix B, provides data on the complaints received and closed. Specifically, for the 2021-2022 reporting period, the RCMP received and provided the following under the PA:

Section 31

The RCMP received 172 Section 31 notices, which represents 4.6% of all requests closed during the reporting period. The majority of the complaints received related to delays and deemed refusals, which can be attributed to the ongoing RCMP backlog and to the complex and/or voluminous nature of requests. Under this section, the OPC formally notifies the institution of their intent to investigate a complaint received.

Section 33

The RCMP received 11 Section 33 notices. Under this section, the OPC requests representations from both the complainant and the institution pursuant to an ongoing complaint investigation.

Section 35

The RCMP received 90 Section 35 notices. Under this section, the OPC issues a finding's report, which may include recommendations, for founded complaints upon the conclusion of the investigation.

Court action

Four court proceedings were actioned with respect to privacy requests processed within this current fiscal year, and three were discontinued during the reporting period.

Monitoring compliance

The ATIP Branch monitors compliance through weekly and monthly statistical reports, which include compliance rates, the number of files completed on time and those that are delayed, as well as complaints. Performance Dashboards to further identify trends and assist the ATIP Branch in strategically developing efficiencies were also created. The Branch's Management team reviews the weekly and monthly reports to manage workload and to determine any upcoming issues where processes could be improved. The reports are provided to the RCMP's Chief Strategic Policy and External Relations Officer (CSPERO), the Chief Administrative Officer (CAO) and the Commissioner in an effort to improve accountability.

The ATIP Branch is currently working to bolster its data reporting function by onboarding new technology and processes. This new technology will enable the ATIP Branch to be more strategic and transparent, by automatically capturing pertinent data to assist the ATIP Branch with its planning and public reporting as well as to identify areas where efficiencies may be found.

Material privacy breaches

As Canada's national police force, the RCMP is trusted to handle and protect the personal information of Canadians with professionalism and integrity. The RCMP places the utmost importance on this responsibility. To safeguard the personal information in its care, the RCMP has strict policies and procedures in place to prevent unauthorized access and disclosure across the organization. However, even with these rigorous procedures in place, privacy breaches still occur, often as a result of human error or failure to comply with RCMP policy. With every privacy breach, the RCMP takes steps to improve its processes to ensure that similar incidents do not occur again.

When a privacy breach is detected, the RCMP ATIP Branch follows the TBS guidelines to determine the privacy risks and reports all breaches, deemed material as per TBS guidelines, to the OPC and TBS.

During fiscal year 2021-2022, the RCMP reported a total of 13 material privacy breaches to the OPC and TBS. The following is a brief description of those breaches:

1. A third party company contracted by the RCMP's Canadian Firearms Program (CFP) for printing and mailing services was subject to a ransomware attack. This breach was discovered by the company's cyber security experts and was reported to the Canadian Centre for Cyber Security who determined that there was 60% chance that the data was not extracted. Affected individuals were notified of the incident via published notices on both the TBS website and the CFP website.
2. A retired RCMP member requested a copy of their medical file and discovered the file contained psychological reports and eye exam reports of two other employees. The employee returned the misfiled records to the RCMP. An RCMP employee then properly filed the documents, but failed to note the names of those impacted by the breach. As a result, the RCMP was unable to notify the affected parties. The unit is organizing privacy training for their employees and is exploring alternatives to paper records to avoid this type of incident from recurring.
3. A partially completed RCMP Security Form containing sensitive personal information related to twenty individuals was inadvertently copied to another individual. The unintended recipient deleted the message and the affected individuals, whose addresses were known, were notified. To prevent a recurrence, the employee involved completed supplementary security awareness training and the unit began using a new system that requires applicants to enter their information directly into an online portal instead of submitting and transmitting paper or scanned documents between applicants and unit personnel.
4. A certified criminal records check was mailed to the wrong recipient. The report was returned to the RCMP and the affected individual was notified. Employees of the unit were reminded to take extra care when processing these types of correspondence given their high level of sensitivity.
5. In an email sent to the family members of victims of the PS752 aviation disaster, an employee inadvertently copied, rather than blind copied, the distribution list. As such, the personal email addresses of the individuals were visible to all recipients. Recipients were asked to delete the original email and all affected parties were notified of the incident.
6. During a security screening course administered by the Canadian Police College (CPC), a video of recorded pre-employment polygraph was shown to participants to demonstrate the use of specific interviewing techniques. During the course, a participant recognized the individual in the video as an employee from their same agency. It was determined that CPC had not obtained the individual's consent to use their personal information for this purpose. When the breach was identified, course participants were asked to maintain confidentiality and not further discuss or disseminate the information shown, the video was removed from the course content and the affected individual was notified.
7. A supervisor sent an email to their manager seeking guidance concerning an employee's leave requirements but mistakenly included the employee's specific medical information/situation. Employees of the unit were reminded of their obligation to protect personal information and to not include specific references to employees and their medical information when seeking general guidance. The manager deleted the email and the affected individual was notified.
8. An RCMP Forensic Laboratory Service employee's work briefcase was stolen from their vehicle while at their personal residence. This briefcase contained hard copy files relating to five different investigations of serious offences. All five files contained personal information about identifiable individuals. The employee had authorization to take the files home as part of a remote work arrangement, however inadvertently left them in their vehicle overnight. Employees of the unit were reminded of the protocols in place to protect sensitive information and all affected individuals were notified.
9. A certified criminal records check was mailed to the wrong recipient. The recipient returned the record to the RCMP and the affected individual was notified. Employees of the unit were required to review the documented procedures and verify that the product and the envelope match prior to mail out.
10. A human resources employee sent a manager a screenshot of an employee's leave balance; however, the image inadvertently included another employee's medical note and sensitive correspondence. The recipient deleted the message and the affected individual was notified. The employee was instructed of the proper way to insert/share screenshots and reminded of their obligation to protect personal information.
11. Personal information related to an individual was inadvertently released to their landlord in an access to information release package. The recipient deleted the information and the affected individual was notified. The ATIP employee was reminded of their obligation to protect personal information.
12. Three criminal records checks were inadvertently mailed to the wrong recipients. The recipients returned to records to the RCMP and the affected individuals were notified. The unit conducted an investigation of their workflows to determine how these errors occurred and ways to mitigate similar breaches from occurring. As a result of this review, the unit has mandated hourly breaks for all employees and hired additional staff to ensure employees remain focused, take their time and have less volume to process overall. The unit is also exploring electronic means of transmitting records checks to clients which would eliminate the need to physically mail out correspondence.
13. An RCMP employee used the Police Records Information Management Environment (PRIME-BC) database to provide an individual's phone number and city to a relative. It was later discovered that individual is estranged from the relative and believes the relative may harm the individual. While the RCMP was unable to recover the information from the relative, they took operational steps to safeguard the individual. The employee who committed this breach was provided operational guidance and the incident was noted on their performance file.

Privacy Impact Assessments

During the reporting period, the RCMP completed one PIA for the Disability Case Management Solution as well as one PIA addendum to the existing Automated Licence Plate Recognition Program PIA. The PIA and the addendum were submitted to the OPC and TBS during the 2021‐2022 fiscal year.

Disability Case Management (DCM) Solution - Privacy Impact Assessment

The RCMP has procured a web-based DCM software solution specifically designed to support early intervention, proactive disability case management, return-to-work and workplace accommodation best practices and workflows. The implementation of this information technology solution will:

1. capture and protect members personal, injury/illness and medical information, as well as details regarding return-to-work plans and the duty to accommodate;
2. support effective coordination of case management activities among internal stakeholders to ensure the necessary supports for ill or injured members and facilitate successful and safe return to work;
3. minimize the administrative burden for approximately 100 disability management, occupational health and accommodation practitioners across the Force through built-in service standards, auto-generation of pre-defined disability case management tasks and working tools;
4. provide members with easy access to information pertinent to their case and facilitate the communication and submission of documents;
5. provide management with status information on employees that fall within their hierarchy; and,
6. provide management with on-demand reporting capability.

The DCM Solution allows for all information related to a disability management and accommodation case to be housed in one system, accessible as appropriate to the stakeholders involved. It will ensure both medical and non-medical documentation is complete and that RCMP management has real-time reporting on key metrics and trends in disability management. The DCM Solution will promote consistency in disability management across divisions; identify trends in workplace and health issues and gaps; enhance process efficiencies; and, will inform changes to the Occupational Health Management and Accommodation Program policies and strategies. In addition, it will allow management to monitor and evaluate disability management and accommodation efforts through management dashboards and the generation of pre-defined and custom reports.

Although a web-based DCM Solution may introduce certain challenges for the RCMP in the protection and handling of personal information, privacy remains central to the administration and service delivery of these Human Resource Programs.

The DCM Solution may present a moderate to high risk to the privacy of individuals. Although the inherent privacy impacts associated with the administration of the DCM Solution are likely more moderate than stated, the privacy risks attached to the collection and use of health information increases the program's overall risk rating.

In recognition of the inherent privacy risks associated with the performance and administration of the DCM Solution, the RCMP and/or its contractor are expected to implement important controls to manage and mitigate potential privacy issues.

Addendum to the Automated Licence Plate Recognition (ALPR) Program – British Columbia RCMP Border Integrity

The British Columbia RCMP Border Integrity Program will use utility pole mounted static ALPR cameras with a very narrow field of view (licence plates only). These cameras will be deployed at key points along the US/Canada International border to assist in the fight against illegal migration and cross border criminality. This initiative is separate and distinct from the BC ALPR Program currently in use by the BC Highway Patrol. Unlike BC Highway Patrol, the Border Integrity unit will not be running licence plates against Canadian Police Information Centre (CPIC) or the Insurance Corporation of British Columbia (ICBC) data sets instantaneously for hits.

The purpose of collecting the licence plate information is strictly for investigational purposes (i.e., cross border smuggling and criminality). As such, investigators would not know if the information captured had any evidentiary relevance unless a plate surfaced during the course of the investigation. This information would not likely be known immediately, so within seven (7) days investigators could then go back and review the data for that period. If no relevant information is captured, all data collected for that time frame would be automatically purged. Any relevant hit information would be retained for investigational purposes as per established retention periods.

A thorough review of the original PIA was conducted by the ATIP Branch. Recommendations were provided to the Program Manager to ensure that privacy risks were assessed and measures proposed to mitigate them.

In addition, during the fiscal year the RCMP ATIP Branch received 11 new PIAs, 48 new PIA questionnaires to determine the need for a PIA and responded to over 30 PIA‐related queries.

Public interest disclosures

During the 2021-2022 fiscal year, 51 disclosures were made pursuant to paragraph 8(2)(m) of the PA, which allows for disclosure when either the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or the disclosure would clearly benefit the individual to whom the information relates. The disclosures related to either the duty status of charged RCMP employees or the release of dangerous offenders into communities across Canada. In accordance with subsection 8(5) of the PA, the OPC was notified of all such disclosures in writing.

Appendix A - Delegation Order

Access to Information Act and Privacy Act Delegation Order

The Minister of Public Safety and Emergency Preparedness, pursuant to section 73 of the Access to Information Act and of the Privacy Act, hereby designates the persons holding the position set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers and functions of the Minister as the head of a government institution, that is, the Royal Canadian Mounted Police, under the section of the Act set out in the Schedule opposite each position. This designation replaces and nullifies all such designations previously signed and dated by the Minister.

Signed, at the City of Ottawa, this 4 day of December, 2015

The Honourable Ralph Goodale, P.C., M.P.
Minister of Public Safety and Emergency Preparedness

Appendix B – Statistical Report on the Privacy Act

Name of institution

Royal Canadian Mounted Police

Reporting period

April 1, 2021 to March 31, 2022

Section 1: Requests under the Privacy Act

Section 2: Informal requests

Section 3: Requests Closed During the Reporting Period

3.5 Complexity

3.6. Closed requests

3.7 Deemed refusals

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Section 5: Requests for Correction of Personal Information and Notations

Section 6: Extensions

Section 7: Consultations Received From Other Institutions and Organizations

Section 8: Completion time of consultations on Cabinet Confidences

Section 9: Complaints and investigations notices received

Section 10: Privacy Impact Assessments (PIA) and Personal Information Banks (PIB)

Section 11: Material privacy breaches

Section 12: Resources related to the Privacy Act

Note: Enter values to three decimal places.

Appendix C - Supplemental Statistical Report on the Privacy Act

Section 1: Capacity to Receive Requests

Section 2: Capacity to Process Records

Section 4: Open Requests and Complaints Under the Privacy Act

Section 5: Social Insurance Number (SIN)

Did your institution receive authority for a new collection or new consistent use of the SIN in 2021-2022?

No

Date modified:

2022-12-05