Information & Ethics committee  Similar to the situation at CRA, at the CBSA, the delegation of instruments is set up in such a way as to limit it to certain individuals. I have full delegated authority and so do some of my managers. I'm very independent. I've been director of ATIP since 2010 and I have oversee

Information & Ethics committee  I would add that our agency records are always properly classified and properly designated. We have a departmental security officer who we follow regarding the strict security requirements on the safeguarding of the information. We have an IT infrastructure that keeps all of th

Information & Ethics committee  At CBSA we have policies that cover basically all possible legislative authorities for disclosure. We have a policy, for example, under section 107 of the Customs Act. We have a policy under the Privacy Act, section 8. We have a policy under SCISA. Granted, there might not be wri

Information & Ethics committee  At CBSA we do have a lot of privacy impact assessments under development. If I had to guesstimate, I would say we probably have 40 of them on the go right at the present time. We commonly do privacy impact assessments. We do an assessment of the need for privacy impact assessment

Information & Ethics committee  It's a good question. On a necessity test, I would say that the principle is already embedded in what we do every day. We don't collect information which we have no legal authority to collect. And we don't use it for a purpose for which we should not be using it. A necessity te

Information & Ethics committee  No, it would not. Granted, they're challenging and resource-intensive to put together, because they require a certain level of expertise, which you do not have normally in-house either within an ATIP office or within the agency or the program area. That is a challenge we need to

Information & Ethics committee  In regard to privacy impact assessments, we really appreciate the interactions we have with the Office of the Privacy Commissioner. We have regular dealings with them. We like to engage them early in the development of a privacy impact assessment to get their ideas and to see wh

Information & Ethics committee  I can go ahead. At CBSA, we have in place a robust privacy breach protocol, and it's aligned with Treasury Board standards. Any new requirements would be aligned with our breach protocol as well. All employees are trained to use the breach protocol, and there is a direct link

Information & Ethics committee  Yes. The most common complaint that we have today is delay. With the increase in requests that we have, trying to respond to some 11,000 privacy requests a year, the obvious complaint and the number one complaint is time delay. We're taking too much time to get back to the reques

Information & Ethics committee  We try to do that at the beginning, especially for policy development work. Early engagement is always the best, based on our experience. They have a lot of good ideas, information, and experience to share, so if you can start your deliberations with the Privacy Commissioner at t

Information & Ethics committee  In our opinion, yes, it would help reduce the burden. Having folks file requests by subject matter would stop what we commonly refer to in the ATIP community as “fishing expeditions”, whereby folks will ask for anything and everything without a subject, and sometimes without lim

Information & Ethics committee  We use the same system. It is commonly used in the federal government, because there are limitations out there as to who can produce an ATIP tracking system.

Information & Ethics committee  Most of the exemptions in legislation are discretionary. We go through the exercise of discretion. We have a look at what's being requested and when it's being requested. Has the plan been implemented? Are they just putting numbers back and forth? Is it a final decision? Then you

Information & Ethics committee  Yes, timing is everything with an ATIP request.

Information & Ethics committee  Generally speaking, how it works is that we get receipt of a request. They now come in at night with the online portals. Once we get a request, the front-end staff—in most ATIP shops you have an administrative staff—will log the request into the ATIP tracking system, which is the