Administration of the Privacy Act Annual Report
April 1, 2021 to March 31, 2022


This report is prepared in accordance with section 72 of the Privacy Act and is tabled in Parliament by the Minister of Health in accordance with the aforementioned section. It describes how the Canadian Institutes of Health Research (CIHR) fulfilled its responsibilities under the Act during the fiscal year beginning April 1, 2021 and ending March 31, 2022.

The Privacy Act provides citizens with the legislated right to access personal information held by the government, subject to certain limitations and specific exemptions, and protection of that information against unauthorized use and disclosure

CIHR was created in 2000 under the authority of the CIHR Act as the Government of Canada's health research investment agency. The mandate of CIHR as stated in the Act is:

To excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health care system.

CIHR is the largest funder of health research in Canada. Composed of 13 "virtual" institutes and three business portfolios, CIHR provides leadership and support to over 13,000 world-class researchers and trainees from all pillars of health research and from all regions of Canada.

Organizational Structure

CIHR is led by a President and a Governing Council comprised of up to 18 members appointed by Order-in-Council. The Governing Council sets the overall strategic direction and goals. It establishes, maintains and terminates Health Research Institutes and determines the mandate of each. As outlined in the legislation, the Governing Council is responsible for developing its strategic direction and goals; evaluating its performance, approving its budget; establishing a peer review process for research proposals submitted to CIHR; approving funding for research; approving other expenditures to carry out its objective; establishing policies; and dealing with any other matter that the Governing Council considers related to the affairs of CIHR.

The Access to Information and Privacy (ATIP) Office, part of the CIHR's Strategic Policy Division, administers the provisions of the Access to Information Act and the Privacy Act for CIHR and is accountable to the President of CIHR. The ATIP Compliance Office, which is comprised of 1 Senior ATIP Coordinator, 1 Senior ATIP Analyst and 1 Junior ATIP Officer, is responsible for the following activities:

CIHR was not party to any service agreements under section 73.1 of the Privacy Act during the 2021-2022 reporting period.

Delegation of Authority

The President of CIHR, as designated Head of CIHR under the Access to Information Act, exercises powers entrusted to the position by the Act, such as exemptions and exclusions.

In accordance with his authority under Section 73, the President has designated the Executive Vice-President; the Associate Vice-President, Government and External Relations; the Director General, Strategic Policy; the Senior Access to Information and Privacy (ATIP) Coordinator, the Senior ATIP Analyst and the Junior ATIP Officer to exercise his powers, duties or functions under the Act (See Appendix A - Delegation Order).

Highlights of the Statistical Report 2021-2022

a. Formal Requests

CIHR collects and manages a great deal of personal information to adjudicate thousands of research grant and scholarship proposals, making merit-based awards based on peer review.

During the April 1, 2021 to March 31, 2022 reporting period, CIHR received eight requests under the Privacy Act. Three requests were disclosed in part, four requests resulted in no records and one request was abandoned by the requestor. (See Appendix B - Statistical Report). The number of requests received over the past five years has fluctuated between zero and sixteen, this year represents an overall average number of privacy requests managed by CIHR.

b. Informal Requests

In 2021-2022, CIHR responded to more than 40 informal requests, all of which were received internally by CIHR employees. CIHR did not receive any informal requests from external sources.

Over the past five years, there has been a consistent increase in the volume of internal informal requests that have been made. Comparatively, in 2020-2021 and 2019-2020, over 30 informal requests were made, and CIHR addressed over 25 requests in 2018-2019 and 20 in 2017-2018. All of the informal requests received during the 2021-2022 reporting year came from business units related to the review of corporate documents and interpretation of the Privacy Act, primarily related to program and service delivery. These requests are not reflected in the statistical report in Appendix B.

c. Requests for Correction of Personal Information

During the 2021-2022 reporting period, CIHR did not receive any requests for correction of personal information.

d. Consultations

During the 2021-2022 reporting period, the CIHR Access to Information and Privacy Office did not receive any consultation requests from external sources.

CIHR managers and staff sought and obtained advice from the ATIP Coordinator on a regular basis for matters where there were privacy considerations in their programs or activities. In 2021-2022, CIHR contributed to the review and development of many new privacy notices. This work was done in response to the outcome of a privacy impact assessment conducted on the collection and use of Equity, Diversity and Inclusion data throughout funding opportunities. In depth and ongoing reviews of corporate practices were conducted with significant support and input from the Access to Information and Privacy Office.

e. Costs

During 2021–2022, the Access to Information and Privacy Office incurred $105,897 in salary costs to administer the Privacy Act. Owing to the difficulty of tracking all of the operational costs related to the administration of the Act, the costs and human resource statistics are conservative estimates. Almost all costs are attributable to salary, and include fractions of the salaries of the directors, managers and employees who participated in work related to the Act.

Training Activites

During the 2021-2022 fiscal year, Access to Information and Privacy (ATIP) related training was provided on request to staff at all levels through eight customized sessions. While most of these information sessions focused on privacy, there were nevertheless key concepts related to access to information and information management that were covered as well. These sessions were presented with a goal to enhance the knowledge, skills and perspectives of all employees, concerning Access to Information and Privacy. Remote work impacted the way training could be offered and its frequency. The ATIP Office continues to develop educational tools and deliver training sessions to CIHR staff.

Policies, Guidelines and Procedures

During the 2021-2022 reporting period, the CIHR implemented and revised several existing protocols and new policies concerning the collection, use and disclosure of personal information. Of particular note, new policies were developed to support the vaccination attestation process as well as office entry tracking and other activities impacted by COVID-19. In addition, a new Privacy Breach Protocol was created in consultation with multiple business units to direct employees in response to suspected privacy incidents.

Complaints and Investigations

CIHR received no privacy complaints during the reporting period.

Monitoring Process

The ATIP Office monitors the time to process requests and administer the Access to Information Act and the Privacy Act through weekly verbal status reports and a weekly written status report is provided to the Health Minister’s Office for their information. Any issues of significant interest are discussed with the President and Communications department on an as needed basis.

Material Privacy Breaches

No material privacy breaches occurred during the reporting period.

Privacy Impact Assessments

In 2021-2022, CIHR completed one Privacy Impact Assessment (PIA) on Equity and Diversity Self-identification (EDI). The CIHR EDI project aims to implement a system-driven solution to collect self-identification data from various stakeholder groups through the Self Identification Questionnaire and facilitate the use of EDI Data to make decisions for administrative purposes. The scope of this PIA was to review and assess the privacy protection practices and identify potential risks related to the personal information collected, used, managed, disclosed and retained by CIHR while operating the EDI data collection, use and disclosure. The PIA addressed three phases of EDI Self-ID data collection phases: Phase-1 from applicants, – Phase-2 from peer reviewers and Phase-3 from governance & advisory members.

Public Interest Disclosures

CIHR did not make any public interest disclosures under Subsections 8(2) and 8(5) of the Privacy Act during the reporting period.

Date modified: