2023-2024 Annual Report to Parliament on the Administration of the Privacy Act

Royal Canadian Mounted Police (RCMP)

The RCMP continues to modernize on the heels of its 150th anniversary in May 2023. The RCMP's Strategic Plan, Vision150 and Beyond, represents an ambitious path to a modern, inclusive and trusted RCMP. This plan saw a renewed focus on technology, digital policing and improvements to organizational culture. As a federal, provincial, territorial and municipal policing body, the RCMP provides federal policing services to all Canadians and policing services under contract to the 3 territories, 8 provinces, and more than 150 communities delivered through more than 700 detachments across Canada, 600 Indigenous communities and 3 international airports.

The RCMP's mandate is multifaceted and includes: preventing and investigating crime; maintaining peace and order; enforcing laws; contributing to national security; ensuring the safety of state officials, visiting dignitaries and foreign missions; and, providing vital operational support services to other police and law enforcement agencies within Canada and abroad.

A Commissioner leads the RCMP and is supported by a Senior Executive Committee (SEC) made up of regular members, civilian members and public servants. The role of SEC is to develop, promote and communicate strategic priorities, strategic objectives, management strategies and performance management for the purpose of direction and accountability.

The organization is subdivided into 15 divisions (10 provinces, 3 territories, Depot Division and National Headquarters in Ottawa), each of which is under the direction of a Commanding Officer or Director General.

National Headquarters includes 10 business lines and is structured as follows: Federal Policing, Contract and Indigenous Policing, Specialized Policing Services, Corporate Management and Comptrollership, Human Resources, Internal Audit and Evaluation, Professional Responsibility Sector, Strategic Policy and External Relations, and Legal Services.

May 2023 brought about an internal re-organization which saw the ATIP Branch re-align itself under the Chief Information Officer responsible for the Information Management and Information Technology (IM/IT) Program. Even though this is not a common structure within government, it unites data, Information Management (IM) and Information Technology (IT) with ATIP enabling the modernization of the ATIP program. These benefits include a more high-profile role for the Branch in areas such as digital records management, open government, and the declassification of historical records.

Access to Information and Privacy (ATIP) Branch

The RCMP established the ATIP Branch in 1983, as the central point of contact for all matters arising from both the Access to Information Act (ATIA) and/or the Privacy Act (PA). For the majority of this reporting period, the ATIP Branch fell within the IM/IT Branch of Specialized Policing Services.

The Director General acts on behalf of the head of the institution as the Departmental Access to Information and Privacy Coordinator for the RCMP. The ATIP Coordinator ensures compliance with both the spirit and the intent of the ATIA and PA, as well as all associated regulations, policies and guidelines. The Director General position is also tasked with leading the program's broad modernization efforts.

Compliance

The ATIP Branch saw an increase in compliance for the number of requests closed within the legislated time frames under the PA. In the 2023-2024 fiscal year, compliance increased to 61% from 55% in the previous fiscal year. The increase is due, in part, to modifications in processes within the Branch, resulting in efficiencies, increased efforts in human resources (staffing, training, retention) and the utilization of contractors to complete complex late files in order to address legislative compliance.

Requests received and closed

As noted in the Statistical Report in Appendix B, the RCMP received a total of 7,808 new requests under the PA in 2023-2024. In addition, there were 4,988 requests outstanding from the previous reporting periods for a total of 12,796 requests. Of these, 6,822 requests were completed and 5,974 carried over to the 2024-2025 fiscal year.

Privacy requests cover the personal information of requesters in a variety of records and mediums (such as audio/video), including information on police operational files, such as motor vehicle collisions, and employment files.

As demonstrated in the graph below, there has been an increase in the number of requests received compared to the previous reporting period. The number of requests received increased by 64.6% compared to the previous fiscal year and increased by 82% compared to the 2021-2022 fiscal year. The increase in the number of PA requests received is directly related to the education efforts of the Branch. Guidance has been added to the TBS portal guiding more requesters to the PA to request their own personal information. This has benefits to requesters as the PA requests can be made free of charge, have an expanded right of access, and grants requesters the right to correction, none of which exists under the ATIA. The increase here is matched to a decrease in requests made under the ATIA.

The graph also demonstrates that the number of requests closed this reporting period increased by 112% compared to the previous fiscal year. The outstanding result is a combination of several factors including the shifting of Privacy requests from the access to information (ATI) team to the PA team, a focus on quick hits, increased staffing, and several process improvements.

Completion time and extensions

The ATIP Branch completed 2,334 (34%) requests in 30 days or less. During the reporting period, 1,869 (27%) requests were completed within 31 to 60 days, 558 (8%) were completed in 61 to 120 days, and 2,091 (30%) were completed in more than 121 days.

Section 15 of the PA allows institutions to extend the statutory time limits to respond to a request beyond 30 days.

For the requests closed during the 2023-2024 reporting period, the RCMP sought a total of 5,018 extensions under section 15(a)(i), which pertains to unreasonable interference with operations.

No extensions under section 15(a)(ii) were taken for consultations.

Disposition of completed requests

Of the 6,822 requests completed in the 2023-2024 fiscal year, the dispositions of completed requests were as follows:

• 3,238 (47%) requests were disclosed in part
• 1,970 (29%) requests were abandoned by requesters
• 701 (10%) requests had no records located
• 362 (5%) requests were fully disclosed
• 516 (7%) requests had all material exempted
• 35 (less than 1%) requests were neither confirmed nor denied
• 0 (0%) requests had all material excluded

Note: percentages have been rounded and do not add up to 100

Consultations for other institutions

During the current reporting period, the RCMP completed 105 consultations, totalling 12,156 pages reviewed. Of the 105 completed consultations, 53 were received from other Government of Canada institutions and 52 were received from other organizations. This is a marked increase from the previous reporting period, where RCMP reviewed only 62 requests and 6,234 pages. The RCMP continues to put an equal focus on consultations as a service to the ATIP community and in line with the expectations of the Privacy Commissioner.

Active outstanding requests from previous reporting periods

At the conclusion of the 2023-2024 fiscal year, a total of 5,974 requests were outstanding. Of those outstanding, 14% were carried over within legislated timelines, and 86% were carried over beyond legislated timelines. The fiscal years where the carried over requests were received in are as follows:

• 3,099 (52%) received in 2023-2024
• 1,490 (25%) received in 2022-2023
• 795 (13%) received in 2021-2022
• 405 (7%) received in 2020-2021
• 152 (3%) received in 2019-2020
• 24 (less than 1%) received in 2018-2019
• 4 (less than 1%) received in 2017-2018
• 3 (less than 1%) received in 2015-2016
• 1 (less than 1%) received in 2014-2015 or earlier

Note: percentages have been rounded and do not add to 100

Active outstanding complaints from previous reporting period

At the conclusion of the reporting period, a total of 128 complaints were outstanding. The fiscal years where the outstanding complaints were received in are as follows:

• 112 (88%) received in 2023-2024
• 11 (9%) received in 2022-2023
• 1 (less than 1%) received in 2021-2022
• 1 (less than 1%) received in 2020-20210
• 0 (0%) received in 2019-2020
• 3 (less than 1%) received in 2018-2019
• 0 (0%) received in 2017-2018 or earlier

Note: percentages have been rounded and do not add up to 100

Section 8 of the Privacy Act

In relation to legislative requirements for disclosure of personal information in accordance with Section 8 of the Privacy Act, the ATIP Privacy Policy Unit (PPU) reviewed 791 pages relating to paragraph 8(2)(f) disclosures, processed 22 paragraph 8(2)(e) disclosures, 20 paragraph 8(2)(m) disclosures and continued to provide advice and guidance on all other provisions of Section 8. Further, in addition to the work of the PPU highlighted in the specific sections below, the unit continued to support the organization by responding to 124 privacy policy related inquiries.

Policies, guidelines and procedures

Throughout this reporting period, the ATIP Branch continued to modernize and update internal policies and procedures to ensure alignment with current reporting standards. These changes will continue to be developed and instituted in the 2024-2025 reporting period.

During 2023-2024, the ATIP Branch accomplished the following:

• Enhanced internal processes for facilitating the transfer of files within the RCMP, including the creation of national shared drives for classified information
• Updated the ATI, Privacy and Operations teams’ standard operating procedures, which was part of the ATIP Branch’s efforts to formalize internal processes
• Modified guidelines to address its on-time and backlog files, enabling processing efficiencies
• Worked with business lines and divisional LOs to develop guidelines, standards and awareness communiques to further facilitate RCMP ATIP modernization, and continued with regular by-weekly meetings to resolve challenges as quickly as possible
• Continued to lead the interdepartmental working group for the development of business continuity plans specifically for ATIP programs, which led to greater information sharing among the participating departments
• Reviewed employee work arrangements and implemented a hybrid work model for its employees, allowing more flexibility in terms of work-life balance
• Weekly meetings held with ATIP Branch, RCMP Communications, and Parliamentary Affairs ensured the organization was able to properly brief the Commissioner and Minister’s offices should questions arise. These meetings also provided insight to the ATIP Branch of topics that generated media interest and would likely result in requests
• Successfully piloted the temporary hiring of employees from across the country who can work remotely, to support the divisions
• Onboarded remote employees as part of ATIP Branch modernization to increase the pool of ATIP experienced employees outside of the National Capital Region
• Development of new operational policies for unique types of materials. As an example, a new directive has been approved by ATIP Branch and the Human Source Unit on how to process requests containing source information

Our divisional LOs are also working to modernize and establish processes and workflows. Specifically, J Division (New Brunswick) is building their team and providing information sessions on ATIP to their employees. A total of 5 training sessions were given this past year, reaching over 150 employees. F Division (Saskatchewan) has also provided training to their employees on ATIP processes, privacy breaches, and informal information sharing. In consultation with the Privacy Policy Unit, F Division also completed a privacy impact assessment (PIA) related to interpersonal violence disclosure protocols. In E Division (British Columbia), the annual popular and well-attended Information Governance Days of Summer learning event was held, where training on all topics of Information Management (IM) is offered. During these two weeks, a training and information session on ATIP was presented to a division-wide audience. IM is a pivotal foundation for ATIP to be successful and efficient to meet legislative requirements as an organization. E Division continues to hold monthly calls throughout the year, increasing training and awareness for OPIs on ATIP obligations and to gain efficiency for the Division. As volumes of requests continue to increase steadily, E Division is working with limited resources to complete requests and respond to backlogs in a timely and fulsome manner under pressures of operations, legislative requirements, and organizational gaps in knowledge and awareness, while endeavoring to build resources to support a program from the division.

On top of an already busy workload, a significant effort was put forth by all LOs in the divisions and business lines to task a backlog of requests that had grown over the previous two reporting periods as a result of COVID-19 and office restrictions that were different in each jurisdiction and rapidly changing.

Additionally, the Privacy Policy Unit (PPU) completed the following:

• Continued work on the development of standard operating procedures, updated policies and its privacy framework, as well as efforts towards restructuring RCMP personal information banks.
• Completed a review of its policy and guidance documents on Privacy Impact Assessments (PIAs). The new guidance documents include a detailed PIA Handbook, a high-level PIA Guide, an updated interim PIA Template, and the implementation of a new Privacy Impact Assessment Questionnaire template that includes a short PPU assessment as well as identified risk mitigation strategies for the program to adopt.
• Developed internal Standard Operating Procedures (SOPs) on Privacy Impact Assessment Questionnaires (PIAQs) in accordance with Treasury Board guidance and directives on privacy.
• Updated internal SOPs relating to privacy breaches and complaints received in relation to Section 4-8 of the Privacy Act. In addition, to ensure the organization is provided with timely and useful advice, the PPU developed an internal SOP for responding to inquiries.

ATIP modernization

In November 2020, the Information Commissioner of Canada released the results of a systemic investigation of the RCMP’s ATIP program, entitled Access at issue: The need for leadership. The report was highly critical of the RCMP’s ATIP program and identified 15 recommendations for improvement. Subsequently, the Minister of Public Safety issued a Direction to the RCMP to action the recommendations of the OIC’s review and submit a strategy outlining a way forward to be developed in consultation with the TBS. In response, the RCMP developed a strategy entitled Access Granted: Restoring Trust in the RCMP’s Access to Information Program, supported by an action plan, outlining initiatives to modernize the program.

The RCMP began implementation of the strategy in the 2021-2022 reporting period and is committed to seeing it through over the course of the next several years. The objective is to increase compliance rates and enhance public transparency. The RCMP posted the strategy, and is providing regular updates on the RCMP external website, and we encourage all Canadians to visit the site and monitor our progress at https://www.rcmp-grc.gc.ca/en/access-information-and-privacy-programs-modernization-strategy.

Over the reporting period, the RCMP continued to make progress in implementing the strategy. While more details can be found on our external website, some key initiatives include:

Pillar 1: Our people

• The Professional Development Program approved in the previous reporting period is up and running. Employees have been matched with mentors and are working diligently towards their first promotions. This program is helping to facilitate the recruitment, training and retention of highly skilled analysts to properly support the RCMP.
• Training remains at the core of the Branch. This is fundamental to employee growth and capability growing for the future of the Branch. Collectively, Branch employees participated in more than 200 courses (ATIP specific training, change management, project management, and more) along with training for negotiation and other soft skills (Discovery Insights Communications, Civility and Respect, Renewed Core Values) These efforts are contributing to the RCMP becoming a leader within the ATIP community.
• In an internal survey, 73% of ATIP employees felt they were well recognized for their work effort. Significant effort has been put into employee recognition at all levels through both formal and informal processes.
• The ATIP Branch has grown its relationship with Live Work Play, an organization that provides direct support and services to individuals with intellectual disabilities, autistic persons, and individuals with a dual diagnosis to live, work and play as valued citizens. The Branch currently had 3 employees working with the support of Live Work Play.
• The ATIP Branch was able to gain additional support from the IM/IT program through the use of students recruited from the Federal Student Work Experience Program. Totaling 1.639 full-time equivalents, these students worked on a part time basis while on school breaks. This gave some much needed assistance within the Ops Stream while exposing the students to a career in the federal public service. The Branch will continue to develop these relationships in the hopes of recruiting new analysts upon completion of their schooling.
• Official Languages is at the forefront of learning within the Branch. In line with the TBS Directive on Official Languages for People Management, 33 employees were enrolled in language training activities ranging from group learning to full time training over the reporting period.
• Training is not limited to external courses. Employees who attend conferences and external training are tapped to share their new-found knowledge with their colleagues. In this reporting period, this has included seminars from the Canadian Bar Association Conference, the International Association of Privacy Professionals annual Privacy Symposium, and the Canadian Access and Privacy Association’s annual conference.
• A new ‘lunch and learn’ series was launched, ATIP Branch’s Slice of Learning, in this reporting period. Designed to tap into the wealth of knowledge within the Branch, this monthly series of presentations focusses on all manner of topics related to ATIP. Some topics explored so far include how to prepare an affidavit in response to a complaint, the new TBS Directive on the Disclosure of Historical documents, and the court settlement with the LGBT Purge Fund to disclose records related to the treatment of 2SLGBTQIA+ employees in the government of Canada between the 1950s and 1990s.

Pillar 2: Our tools

• The adoption of body worn camera (BWC) by the RCMP has the potential to change the nature of ATIP and information management for the organization in general. Testing continues on the cameras and storage solutions but ATIP Branch has adopted new software, CaseGuard and AVS4You, to allow for the review and redaction of the increasing amount of audio and video materials received as part of requests.
• The archaic Access Pro Case Management software used by many ATIP offices across government was updated and support is now being received from both the vendor and RCMP IT. Procurement continues at the Central Agency level for new software for the community but this process continues to face issues which further delays the desperately needed updates.
• The ATIP Branch has developed two Robotic Process Automation tools, bots, to assist in reducing the administrative burden placed on each analyst to complete a request. These two bots, currently in the testing phase, can identify duplicate documents (estimated to reduce analyst workload by 10%) and to automate the data entry portion of the request. It is anticipated that both bots will be put into production in the next reporting period.

Pillar 3: Our procedures

• As the Branch continues to grow, we continue to re-examine our processes and procedures. Ops efficiency meetings were implemented on a monthly basis with all 3 streams contributing to discussions of how to streamline processes for the benefit of all.
• The Operations stream established quarterly/weekly request processing key performance indicators. The team now has an information flow process that functions as an early warning system that provides key information to help managers identify and plan (for example, staff, overtime, students) should the processing of requests compliance fluctuate – catching any issues before a problem grows and becomes unmanageable.
• The Operations Stream established a robust Triage process which closed or transferred 2,136 requests (22% of requests) independently (no need for disclosure's team review). This year, triage reached out to the requester on 1,772 requests for clarification.
• The drafting of standard operating procedures (SOPs) became a priority in this reporting period. Many procedures were informal and being shared by word of mouth. To facilitate training and ensure consistency, SOPs have been drafted to address motor vehicle collision files, statements, on-going investigations, and applicant files to name a few.
• The ATIP Branch continued to work on the skills developed in the previous reporting period. Agile management practices, including huddles and stand-up meetings, fostered flexibility, collaboration and rapid response to evolving needs.

Additional efforts include:

• As part of the RCMP’s response to major events, the ATIP Branch assigned key analysts who work directly with the record holders to retrieve relevant records. This provided a consistent and quick response due to their complete and unique knowledge of the records.
• The ATIP Branch was involved in the implementation of the Mass Casualty Commission’s recommendations following the events in Portapique, Nova Scotia. Advice and guidance were given to ensure the RCMP’s response was more open and transparent from the onset.
• The ATIP Branch regularly works with the RCMP’s Audit and Evaluation unit to conduct reviews with an ATIP like lens of all audits/reports prior to their publication
• Following a Ministerial Directive, the ATIP Branch continues to support the RCMP’s Management Advisory Board by conducting informal reviews prior to the publication of their recommendations which supports internal reform while remaining transparent with the public
• The ATIP Branch is working alongside internal stakeholders in order to respond to the document requests as part of the Public Inquiry into Foreign Interference. This highly sensitive topic requires careful scrutiny to ensure any potential disclosure meets the requirements of the Inquiry but does not harm any on-going investigations.
• The RCMP remains the co-lead of an Interdepartmental Leadership Working Group that exchanges best practices and identify areas for collaboration. Some of the topics discussed this year included complaints, privacy practices, software updates, professional development program, improved streamlining practices and backlog strategies.

These successes were not without their challenges. The ATIP environment has evolved significantly, and until the recent modernization efforts, the RCMP program has lagged behind. Over time, common issues emerged in the case management software used to manage requests, leading each user to develop their own workarounds. This unsustainable method, coupled with the decision to forgo maintenance support from the vendor, prompted the RCMP to renew maintenance contracts. The updates required 18 months of IT efforts to implement and were meant to resolve existing issues. However, the update completed in July 2023 resulted in several new and significant errors, notably the loss of automatically generated letter and email templates. The loss of these templates caused significant additional work per week to manually modify them for each recipient, slowing request processing times and increasing the risk of privacy breaches. Issues with the aging case management software persist despite the update. To meet legislated obligations, the RCMP must dedicate funds and efforts to procure a new request processing software solution before the software’s end of life. This update is currently stalled due to procurement issues at the Central Agency level.

In the previous reporting period, the RCMP joined the TBS ATIP Online Management Tool portal. This portal was designed to allow requesters to submit their requests under both the ATIA and the PA online, directly to the institution, upload any required supporting documentation, and even receive their release packages online. In practice, for the RCMP, this portal has slowed the processing time for each request received and added many additional manual steps that must be taken. The portal as first launched was cumbersome, and could not be customized to the RCMP’s needs. The ATIP Branch has been working closely with TBS to try to improve the portal as approximately 80% of requests received via the portal require manual clarification by ATIP Branch employees, drastically adding to the time required to process each request. It is estimated that these additional steps are costing the RCMP ATIP Branch upwards of $100,000 a year. That said, it is hoped that working in tandem with TBS, a more customized portal will address these inefficiencies and be resolved in reporting period 2024-2025.

During fiscal year 2023-2024 the PPU continued to strengthen its relationship and its role within the National Technology Onboarding Program (NTOP). As part of this relationship building, both units worked together to develop a RASCI Matrix (Responsible, Accountable, Supportive, Consulted, Informed), which clarifies and defines roles and responsibilities when working with RCMP offices of primary interest. Each NTOP assessment includes the completion of a Privacy Impact Assessment Questionnaire (PIAQ), where PPU provides clients with recommendations to ensure compliance with the Privacy Act when onboarding new technology.

In addition to NTOP, the PPU strengthened its relationship with other key internal stakeholders, such as the IM/IT section, GBA Plus Centre of Expertise and the MOU Policy Centre. The PPU now meets regularly with these partners to share information and expertise, and to ensure there are no gaps relating to privacy for the organization.

As part of the RCMP Vison150 and the ATIP Office's own modernization efforts, there is an extensive privacy and security awareness training strategy under development; including but not limited to:

• Development and sharing of breach and PIA management tools
• Executive leadership deck has been created and is now in circulation
• Increase of privacy resources in the Privacy Policy Unit from 3 to 11 since January 2022 with a planned increase to a total of 14 resources to support the RCMP and all things privacy policy related. Dedicated Client engagement and outreach team, as well as a Privacy compliance team; all with an effort to increase privacy compliance, education, awareness and support to the RCMP.

Establishment of Interdepartmental Privacy Policy Management Working Group

Given that many departments and agencies face similar challenges concerning privacy policy at the management and working level, in the summer of 2023, the RCMP’s Privacy Policy Unit established an interdepartmental working group to share and leverage efforts by partners from a policy, procedural, structural and operational perspective. The goal of this working group is to provide structure for discussions/consultation with interdepartmental partners, with a key focus on departments with similar mandates or those with significant privacy programs, to ensure effective interdepartmental collaboration and sharing of lessons learned.

Complaints and investigations

During this reporting period, the RCMP continued to work collaboratively with the OPC to address com­plaints made under sections 4 through 8 of the Privacy Act related to the RCMP’s collection, correction, retention, use, disclosure and disposition of personal information. Some of the key highlights of those complaints are below:

Section 9 – Statistical report

As part of the modernization strategy, a team of disclosure analysts dedicated specifically to review and respond to complaints received through the Office of the Privacy Commissioner (OPC) was created to enable the RCMP to respond more efficiently to complaints. Section 9 of the Statistical Report, found in Appendix B, provides data on the complaints received and closed. Specifically, for the 2023-2024 reporting period, the RCMP received and provided the following under the PA:

• Section 31 – the RCMP received 226 - Section 31 notices, which represents 3% of all requests closed during the reporting period. The majority of the complaints received related to delays and deemed refusals, which can be attributed to the substantial increase of requests received over the reporting period; the ongoing RCMP backlog and to the complex and/or voluminous nature of requests. Under this section, the OPC formally notifies the institution of their intent to investigate a complaint received.
• Section 33 – the RCMP received 312 - Section 33 notices. Under this section, the OPC requests representations from both the complainant and the institution pursuant to an ongoing complaint investigation.
• Section 35 – the RCMP received 119 - Section 35 notices. Under this section, the OPC issues a finding report, which may include recommendations, for founded complaints upon the conclusion of the investigation.

Court action

There were 4 court proceedings actioned with respect to privacy requests processed within fiscal year 2023-2024 and none were discontinued/concluded nor dismissed in this reporting period.

Material privacy breach summaries

1. An employee of the RCMP used the Police Reporting and Occurrence System database to make an unauthorized check on a member of the public. Personal information about two members of the public was inappropriately reviewed and shared with an individual. The two individuals that were affected have been notified by the RCMP following the breach, and the information has not been further disclosed. Since the incident, Departmental Security conducted a review of the employee's security clearance and additional training has been mandated to prevent a reoccurrence.
2. A notebook containing sensitive operational and personal information was lost by an RCMP member and found by a known criminal who distributed photos of the entries. The RCMP has been unable to recover the notebook at this time and, due to the information contained in the notebook, safety plans have been established for affected individuals. To prevent a reoccurrence of this event training on the proper information handling policies has been implemented.
3. An RCMP member's name was mistakenly released in an information package relating to their suspension which was provided to the media. The RCMP's Access to Information Director personally contacted the requester verbally and in writing to ensure the information stays private and provided a new information package to the requester. The affected individual was notified and steps were taken to prevent any further dissemination of the leaked information. To ensure this does not happen again, the RCMP has instituted a policy of reviewing all records twice prior to public release.
4. A report to the Crown contained the unredacted identity of a member of the public and details from a record that was subject to a suspension order. The mistake was promptly discovered and destroyed by the Ministry and the affected individual was notified about the error. There was no further disclosure of information and additional resources have been allocated to the detachment responsible to help prevent a reoccurring instance in future reports.
5. An employee of the RCMP used the Police Reporting and Occurrence System database to make several unauthorized checks on multiple individuals. The employee's security clearance has since been suspended and is under review, they no longer have access to any IT equipment, databases, and their access to the physical RCMP premises has been removed. An investigation into the affected files is underway and affected individuals will be notified. No personal or sensitive information was shared outside the RCMP. To prevent a reoccurrence, an email, titled “Misuse of RCMP Databases is a serious breach of the code of conduct”, was sent out across the entire organization and a Security Awareness course is now mandatory for all RCMP employees.
6. A photograph that incorrectly identified two individuals as suspects in a criminal case was shared to media outlets and published on the RCMP Crime Stoppers website. Upon notification of the error, the photo was taken down immediately and the affected individuals were notified. Any future photographs of this nature will require a judicial authorization to protect against this error in the future.
7. A member's disability management accommodations were inappropriately accessed by and shared amongst their coworkers. The RCMP is working with both the IT department and the individuals involved to ensure the information is not further disseminated and to prevent unnecessary access to the information in the future. The individual responsible for accessing and sharing the information is presently undergoing a conduct review.
8. The RCMP was made aware of and began investigating a breach of the BGRS (formerly Brookfield Global Relocation Services) and Sirva Canada LP, affiliated companies that are contracted by the Government of Canada to provide relocation services for employees. Information from these services has since been found on the dark web, potentially affecting an estimated 17,300 current and former RCMP employees. The BGRS system has since been taken offline to limit access and cyber security measures have been implemented across both systems. The RCMP's Departmental Security Section has established a task force to determine next steps and protect and support affected employees.
9. The RCMP found that screenshots of a multi-organizational crime brief were leaked online. It remains unclear how widely the photographs were disclosed but management of the breach has been carried out by both the RCMP and municipal police in the affected region, and the website that published the photographs has since taken them down. Individuals identified in the breach were promptly notified and a new security policy, alongside researching and testing software applications and program add-ons to harden and protect the bulletin dissemination process.
10. A Commissionaire guard contracted with the RCMP was found taking cellphone videos of CCTV footage of female detainees. The guard's contract has since been suspended, his security clearance has been revoked, and a Criminal Code investigation is ongoing. The affected individuals have been notified and referred to victim services. The RCMP is working with the Commissionaire’s team to ensure the integrity of the securing screening process and a coordinator has been assigned to the cell block to ensure professional and ethical standards are maintained at all times.
11. A retired member of the RCMP misused personal information, which was obtained during their time as an investigator, to berate a member of the public working in a local government office. While operational information is held on systems that have the multiple safeguards in place, since the retired member chose to inappropriately disclose information that they had personally obtained during employment with the RCMP, there was no way to prevent the incident. The RCMP's Departmental Security and Professional Responsibility Units are working to address and mitigate any residual privacy risks, alongside working to prevent future risk of post-employment breaches of personal information.
12. A package containing the personnel file of a regular member within the RCMP was lost during the shipping process. Unfortunately, the missing documents have been deemed permanently lost as all efforts to recover the file have failed. To prevent harm from materializing as a result of the loss, additional resources and guidance has been offered to the member affected by this matter to prevent any incidents from the loss and to help protect their information. To prevent a reoccurrence, new methods of file transfer that do not require the use of unprotected or untracked mail have been recommended.
13. An incident at the Depot Division occurred involved cadets having unauthorized access to sensitive personal information about each other on folders in a shared drive. The incident affected 142 individuals and involved the unauthorized sharing of their personal employment information regarding the reasons noted for termination, reinsertion or resignation of their fellow members, alongside medical or family information. The drive has since been removed from shared access and departmental security was informed of the incident to help manage the situation. The division is continuing to update their operating procedures and exploring new methods of data storage to prevent a reoccurrence.
14. In Alberta, a member of the RCMP had their home broken into and an RCMP hard drive stolen from the premises. The drive contained material related to RCMP investigations alongside personal documents. Despite RCMP efforts the drive has not been recovered, however the investigation is ongoing and internal reviews are being conducted to determine the exact risk posed to affected individuals as a result of this incident.

Covert Access and Intercept Team Program

As internet and telecommunication technologies have evolved, tools and techniques used by police have likewise advanced, which led to the establishment of the RCMP's Covert Access and Intercept Team in late 2016. The Covert Access and Intercept Team's mandate is to implement lawful technological techniques to evidence collection that respects the law for search and seizure of digital evidence. In accordance with the RCMP Act and the Criminal Code, the program allows for the covert search and seizure of data from technological devices, under judicial authorization, when serious criminal activity is being investigated. The tools and techniques used may vary greatly and are dictated by the hardware, software, and network configurations of the targeted computer systems, tablets, or smartphones. This class of tools is generally referred to as On Device Investigative Tools. Based on the privacy impact assessment, given the strong safeguards put in place by the RCMP, the risk of a breach is believed to be minimal. Given the sensitivity of the information and the possibility of serious injury should a breach occur, the Covert Access and Intercept Team rigorously follows the RCMP and Government of Canada policies for Protected B information to ensure safe data management practices. Additional information is included in the Executive Summary published here: https://www.rcmp-grc.gc.ca/en/covert-access-and-intercept-team-privacy-impact-assessment

Canadian Firearms Program Safety Course Portal

As part of its modernization strategy, this year the Canadian Firearms Program shifted their paper-based Safety Course Report system to an online cloud-based service. The RCMP completed a privacy impact assessment on the initiative, the second in a series of privacy impact assessments developed as the Canadian Firearms Program modernize its service delivery. The assessment found that the new service, which collects the same personal information of firearm permit holders as in the paper-based system and in accordance with the Firearms Act, to have moderate risk levels. Throughout the privacy impact assessment, the RCMP identified and assessed risks pertaining to the collection and sharing of personal information through the portal. Following the implementation of the privacy impact assessment’s recommendations, it is expected that the initiative will have a low level of risk. Additional information is included in the Executive Summary published here: https://www.rcmp-grc.gc.ca/en/mycfp-safety-course-report-portal

Interpersonal Violence Disclosure Protocol (Clare’s Law) Act

The RCMP completed a core privacy impact assessment on Clare’s Law, often known officially as a Domestic Violence Disclosure Scheme. Such a disclosure regime was first introduced in England and Wales, and was named in memory of Clare Wood who was killed in 2009 by her former domestic partner who had a record of violence against women that she was unaware of. In Canada, several provinces have adopted Clare’s Law which authorizes a police service to disclose risk-related information to a current or former intimate partner where such information could assist the current or former partner in making informed decisions about their safety and the relationship. The law requires the development of a protocol to guide police services through the disclosure process. Due to the type of information that is shared, the RCMP completed a privacy impact assessment on the commonalities of the law that will exist across provincial and territorial jurisdictions. The assessment found that the initiative has moderate risk levels, however, the risk level of privacy breach is expected to be low given the strong mitigating measures outlined in the legislation, the protocol and the divisional policies and procedures. The RCMP F Division (Saskatchewan) was the first division to complete a divisional appendix to the core privacy impact assessment. The appendix assessed the risks related to their participation in the Clare’s Law regime. Additional information is included in the Executive Summary published here: https://www.rcmp-grc.gc.ca/en/interpersonal-violence-disclosure-protocol-clares-law-act

Federal Policing

Federal Policing is a core responsibility of the RCMP that is carried out in every province and territory in Canada, as well as internationally. The RCMP's Federal Policing mandate includes: investigating drugs and organized crime, economic crime, and terrorist criminal activity, securing Canada’s borders and ensuring the safety of major events, state officials, dignitaries and foreign missions.

In support of Federal Policing’s core activities, the RCMP’s Privacy Policy Unit reviewed and provided guidance on 14 questionnaires to determine the need for a PIA and 22 memoranda of understanding involving personal information during the report period.

Contract and Indigenous Policing

The RCMP provides policing services under contract to all provinces and territories of Canada, except Ontario and Quebec, this is called contract policing. Policing agreements cover 75% of the geography of Canada, including much of rural Canada, all of the Canadian North (outside Ontario and Quebec), and many towns and large urban areas in contract provinces. Contract policing is how most RCMP members acquire the hands on policing and investigative skills that will serve them throughout their careers.

In support of C&IP’s core activities, the RCMP’s Privacy Policy Unit reviewed and provided guidance on 2 questionnaires to determine the need for a PIA and 5 memoranda of understanding involving personal information during the reporting period.

Specialized Policing Services

Specialized Policing Services (SPS) provides critical front-line operational support services in areas such as forensic analyses, firearms, criminal records, advanced police technology, combatting child sexual exploitation and locating missing persons. SPS is responsible for the stewardship and delivery of National Police Services. Our services are available to the RCMP, partners across the Canadian law enforcement and criminal justice communities, and to select foreign organizations.

In support of SPS’ core activities, the RCMP’s Privacy Policy Unit reviewed and provided guidance on 25 questionnaires to determine the need for a PIA and 16 memoranda of understanding involving personal information during the reporting period.

Internal Services

The primary role of Internal Services is to provide essential support to strategic priorities that ultimately facilitate the efficient operation of the RCMP. This includes managing resources, ensuring compliance with internal policies, and supporting overall business objectives and mandates.

In support of Internal Services core activities, the RCMP’s Privacy Policy Unit reviewed and provided guidance on 10 questionnaires to determine the need for a PIA during the reporting period.

In addition, the Privacy Policy Unit engaged in two consultation sessions with the Office of the Privacy Commissioner. The first consultation session was regarding the Body Worn Camera national roll out. The RCMP updated the OPC on the field test phase, a step of the procurement process, and related privacy mitigation measures. The RCMP also briefed the OPC on a cybercrime prevention campaign.

Finally, the RCMP also met with the OPC on the use of two investigative tools, used in the context of the human trafficking investigations (Traffic Jam) and child exploitation investigations (Griffeye). Traffic Jam offers a suite of analytical tools developed by Marinus Analytics to help law enforcement agencies to identify potential victims of human trafficking and to find missing persons. It collects open source information from a number of adult services websites that have been identified by Marinus Analytics as being hotspots for potential exploitation. It also has facial recognition functionality, which is currently disabled, until further assessments are conducted. The RCMP is currently conducting a privacy impact assessment on its use of Traffic Jam.

Griffeye is a tool used to effectively analyze, categorize and process high volumes of data. With the advent of mass digital storage and the availability of high-speed internet, the production, transmission and collection of videos and images are near instant and often result in a single child exploitation investigation containing on average in excess of 2 to 3 million media items to be reviewed (numerous computers, cellphones, tablets and other common devices with large storage and connectivity can be found in everyone's residences). Without Griffeye, the analysis of digital media by investigators to identify child exploitation material would take much longer. Griffeye includes a face matching function, which is a form of facial recognition, that involves comparing the faces of individuals within the same collection or repository of lawfully obtained evidence for the purpose of grouping or categorizing images potentially depicting the same face(s).

The Privacy Policy Unit continues to meet with the Office of the Privacy Commissioner to provide updates on key files on a regular basis.

Section 1: Requests under the Privacy Act

Section 2: Informal requests

Section 3: Requests closed during the reporting period

Section 4: Disclosures under Subsections 8(2) and 8(5)

Section 5: Requests for correction of personal information and notations

Section 6: Extensions

Section 7: Consultations received from other institutions and organizations

Section 8: Completion time of consultations on Cabinet Confidences

Section 9: Complaints and investigations notices received

Section 10: Privacy impact assessments and personal information banks

Section 11: Privacy breaches

Section 12: Resources related to the Privacy Act

Section 1: Open requests and complaints under the Access to Information Act

Section 2: Open requests and complaints under the Privacy Act

Section 3: Social insurance number

Section 4: Universal access under the Privacy Act