Annual report to Parliament on the administration of the Privacy Act, April 1, 2024 to March 31, 2025

On this page

1. Introduction

The Department of Agriculture and Agri-Food Canada (AAFC) presents to Parliament its Annual Report on the Administration of the Privacy Act for fiscal year April 1, 2024, to March 31, 2025. This report is prepared and tabled in accordance with section 72 of the Privacy Act and section 20 of the Service Fees Act.

In accordance with the Treasury Board of Canada Secretariat (TBS) requirements, this report provides an overview of the activities of AAFC in administering its responsibilities under the Privacy Act.

AAFC’s Access to Information and Privacy (ATIP) Office is responsible for the administration of the Access to Information Act and Privacy Act, and related matters within the department. The Department is committed to openness and transparency, making every reasonable effort to assist Canadians to access records held within AAFC — while protecting privacy, security and confidentiality.

AAFC did not have any non-operational (“paper”) subsidiaries during this reporting period.

1.1 About Agriculture and Agri-Food Canada

AAFC supports the Canadian agriculture and agri-food sector through initiatives that promote innovation and competitiveness. The Department provides information, research and technology, policies, and programs to help Canada’s agriculture, agri-food, and agri-based product sectors compete in markets at home and abroad, manage risk, and embrace innovation.

The activities of the department extend from the farmer to the consumer, from the farm to global markets, through all phases of sustainably producing, processing, and marketing of agriculture and agri-food products.

For more information, please see What we do.

1.2 Purpose of the Privacy Act

The Privacy Act protects the privacy of individuals with respect to their personal information. This Act governs the federal government’s collection, retention, use and disclosure of that information. It also provides individuals with a right to access and request a correction of their personal information.

2. Organizational structure

2.1 Governance

Administration of the ATIA and the Privacy Act (collectively referred to as “the Acts”) is the primary responsibility of AAFC’s ATIP Office, which is part of the department’s Public Affairs Branch (PAB). The ATIP Office processes all requests for information and coordinates all activities related to the Acts, along with associated regulations, directives, and guidelines.

The ATIP Office consists of 2 units — the Operations Unit and the Privacy Compliance Unit (PCU). The Operations Unit works closely with AAFC officials to process ATIP requests; while the PCU supports and advises AAFC officials on privacy‑policy related matters, such as compliance measures, privacy evaluations and PIAs, and general inquiries regarding the collection and use of personal information.

2.2 Privacy Compliance Unit — mandate and organizational structure

The ATIP Office’s PCU provides expert advisory services on privacy policy and protection across all departmental activities. It also supports various Grants and Contributions and Business Risk Management programs aimed at bolstering Canada’s agricultural sector, including producers and processors. Specifically, the PCU advises on the collection, use, and disclosure of personal information critical to the operation of these programs, while offering practical recommendations and strategies to mitigate potential privacy risks. Key responsibilities include:

• Conducting privacy analyses and providing advice through tools such as AAFC’s Privacy Evaluation tool, PIAs, and Privacy Protocols;
• Developing and maintaining privacy policies, procedures, and best practices;
• Delivering privacy training and awareness initiatives to departmental staff;
• Assessing, managing, and reporting privacy breaches;
• Coordinating the department’s annual update of Info Source; and
• Preparing departmental reports to fulfill the Annual Report to Parliament requirements under the Privacy Act.

The ATIP Operations Unit is responsible for the management, monitoring, and processing of various request types, including access to information, privacy requests, consultation requests, informal requests, and proactive disclosure. The unit manages and oversees the monitoring and measurement of departmental performance related to access to information in accordance with legislative timeframes and responds to access to information and privacy complaint investigations.

The AAFC ATIP Office is comprised of a variety of positions that help to support the mandate and operations of both units within the Office. When fully staffed, these include:

• Director (1)
• Manager, Access to Information and Privacy Operations (1)
• Manager, Privacy Compliance (1)
• Senior ATIP Analyst (2)
• ATIP Analyst (3)
• Junior ATIP Analyst (2)
• Senior Privacy Analyst (2)
• Administrative Support (1)
• Contractor supporting ATIP Operations full-time (1)
• Contractor supporting Privacy Policy part-time (1)
• Student (2)

The cost of administering the ATIP Office (for privacy matters as recorded in the Statistical Reports) during the reporting period was $538,916 which included 5.96 full-time employees, and 0.153 students (or $388,090 in salaries and $128,637 for professional services).

AAFC does not currently have a service agreement under Section 73.1 of the Privacy Act, however, privacy advisory services were provided informally to the Dairy Innovation and Investment Fund program, which is administered by the Canadian Dairy Commission on behalf of AAFC.

3. Delegation of authority

Section 73 of the Privacy Act provides for the Minister of AAFC to delegate the powers, duties and functions designated by the Acts.

The delegation of authority for the administration of the Privacy Act includes the PAB Assistant Deputy Minister, the Director General, Communications Services, and the Director of ATIP and Translation Services, who have full delegated authority to approve exemptions in accordance with the delegation of authority instrument approved by the Minister in September 2025. Certain functions are also delegated to the ATIP Office Managers and Team Leaders to enhance efficiency in processing requests.

The delegation of authority instrument for the administration of the Privacy Act is appended hereto at Annexes A and B.

4. Performance

4.1 Overview

In this reporting period, the ATIP Office continued working on priorities addressing 3 different components — Our People, Our Work and Our Relationships. Over the past fiscal year, these components have included staffing to meet resource needs, continued investment and progression of candidates in the ATIP Analyst Development Program, and continued work preparing for the transition to a new case management system.

This fiscal year also saw the launch of the ATIP Office’s SharePoint Online site, which was developed to bring Access to Information and Privacy Compliance resources and policy suites directly to internal clients.

In parallel, AAFC’s PCU adapted to the updated TBS Directive on Privacy Practices, which necessitated a comprehensive internal review of departmental programs. Programs previously identified only by Classes of Records (CoRs) were reassessed to determine if Personal Information Banks (PIBs) were required under the new directive criteria. Where applicable, the PCU facilitated the development of PIBs through PIAs or Privacy Protocols, employing newly implemented PIA and PIB templates.

This process involved extensive coordination and consultation across branches to ensure accurate compliance with the updated policy requirements. The PCU’s efforts in this regard reflect its commitment to maintaining rigorous privacy standards and supporting AAFC’s compliance with evolving privacy regulations.

4.2 Privacy compliance

As AAFC’s PCU has matured, it has continued to focus efforts on streamlining evaluation processes, updating privacy policies, and expanding its network across the department to foster more collaboration.

In doing so, the number of collaborative working relationships continues to expand; notably, between AAFC Security, Information Services, Human Resources, the Office of the Chief Data Officer, AAFC’s Centre of Excellence for Grants and Contributions programming, M365 Governance Committee and the Office of Values and Ethics.

During this time, the PCU has worked with several clients to ensure a “privacy-by-design” approach to new and existing activities, including updates to AAFC’s Values and Ethics attestations forms, the development of AAFC’s Guidance Document: Acceptable Artificial Intelligence Use In The Contact Centre, supported by an Artificial Intelligence (AI) Ethics Committee, and the application of AAFC’s Generic Privacy Impact Assessment for Grants and Contributions programming to the first programs to fall under its provisions.

In addition to policy development, the PCU processed 122 files during 2024-2025. It provided departmental staff with advice on digital solutions, handling personal information, privacy risk assessments, and protocols for various activities. There was a small decrease in files compared to the 124 last year, however 62 files (48%) were requests for privacy guidance. This is nearly double the number from last year, suggesting increased visibility of the PCU within the department.

The PCU reported a significant decrease in privacy breaches at AAFC this fiscal year, with only 7 breaches compared to 32 in the previous year — a 78% reduction. Among these reported events, 3 were classified as non-material breaches, 3 were privacy incidents where no actual breach of personal information occurred, and 1 was unrelated to privacy. This decline reflects the positive impact of ongoing awareness campaigns and training initiatives aimed at improving the management and protection of personal information within the department. In addition, the reduction in reported breaches is partly due to program areas gaining a clearer understanding of what constitutes a privacy breach. Previously, incidents involving corporate (versus personal) information not covered by the Privacy Act were mistakenly reported as privacy breaches. This improved clarity has led to more accurate reporting and enhanced privacy practices across AAFC.

Departmental context for 2024-2025

Fiscal year 2024-2025, saw AAFC continuing to create conditions for long-term profitability, sustainability, and adaptability of the Canadian agriculture and agri-food sector. This included responding to evolving stakeholder needs and working in close collaboration with key partners. The Department supported various government priorities, including economic growth, climate resiliency and supporting diversity, as well as advancing priorities in the Sustainable Canadian Agricultural Partnership (Sustainable CAP) policy framework (2023 to 2028).

During this fiscal year, AAFC also deepened its commitment to inclusivity through the continued application of Gender-Based Analysis Plus (GBA Plus). AAFC worked to ensure that policies, programs, and services reflected the needs of Canadians of all genders and backgrounds, supporting a more equitable and representative agriculture and agri-food sector.

4.3 Privacy Act performance and statistics for 2024-2025

This section provides an overview of key data on the department’s performance of ATIP Operations as it relates to privacy requests for the year.

Caseload and carry forward

• In 2024-2025, AAFC received a total of 22 privacy requests.
• Of the 25 active requests (including 3 outstanding from a previous period), 20 were closed during the reporting period for a compliance rate of 95%.
• 60% of formal requests were disclosed in part and 10% were all disclosed.
• 5 requests were carried over to the next fiscal year, all within the legislated timelines.

Privacy requests received and completed

Pages processed and disclosed

Processing time for requests

• 11 requests (or 55%) were completed within 30 days
• 8 requests (or 40%) were completed within 60 days.
• 1 request (or 5%) was completed between 61 and 120 days.
• 1 request was closed 1 to 15 days past its legislated timeline, without an extension taken.

Extensions

The Privacy Act allows extensions beyond the 30-day statutory time frame for specific reasons, such interference with operations, volume of records, or required consultations with other government departments. For the 2024-2025 reporting period, 7 extensions were taken, all were required due to a large volume of records. All 7 requests required time extensions of up to 30 days.

Consultations completed from other institutions

AAFC must also respond to consultations pursuant to the Privacy Act from other government institutions to provide those institutions with recommendations regarding the release of information of interest to AAFC. No requests for consultation were received during the reporting period.

Disposition of completed requests

Of the 20 privacy requests completed in 2024–2025, 12 were disclosed in part, 2 were fully disclosed and 6 were abandoned by the requester.

Exemptions or exclusions invoked

The appended statistical report provides details regarding the types of exemptions or exclusions applied to information for completed requests.

• For 5 consecutive years, the most common exemption used by AAFC during the reporting period has been section 26 (personal information about individuals other than the requester).
• No exclusions were invoked during the reporting period.

Complaints

The Privacy Act provides a system of review to help ensure that federal institutions comply with their obligations. Under this review system, an individual may file a complaint with the Privacy Commissioner of Canada, whose Office (OPC) will investigate the matter on behalf of the complainant. These investigations relate to matters such as improper collection, use, or disclosure of personal information, refusals of access, and delays in responding to requests. After carrying out the complaint investigation, the Privacy Commissioner issues findings on the matter and determines whether the institution handled the personal information appropriately and whether any further action is required. The Commissioner may also make recommendations to an institution to address issues identified during the investigation.

The Privacy Commissioner provided written notice of 1 new complaint under section 31. This complaint was closed as not well founded during the fiscal year.

Translations

No translations were required to respond to requests in 2024–2025.

Format of information released

All responsive records were provided to requesters as digital copies using E-post.

5. ATIP training and awareness

5.1 Departmental privacy training

The ATIP Office continues to invest in its people and is focused on enhancing departmental privacy awareness by offering a range of ATIP-related training courses. These offerings ensure that staff and management understand their roles and responsibilities with respect to the Acts and related policies, including closely linked subjects such as information management.

Training

During fiscal year 2024-2025, the PCU delivered 5 virtual privacy training sessions to various groups within AAFC. These sessions focused on privacy breach awareness, prevention and management, as well as the roles and responsibilities related to the collection and use of personal information. A highlight was a new joint training session co-led by the PCU and Security Awareness teams, designed to deepen participants’ understanding of fundamental principles and requirements for safeguarding AAFC’s information resources and personal data.

In total, 362 employees participated in these virtual sessions. Building on progress made last fiscal year, the ATIP Office is currently developing on-demand, self-paced training modules through the AgriCampus platform. While these modules are being finalized, the office continues to utilize the platform to schedule instructor-led training sessions, ensuring ongoing learning opportunities for staff.

ATIP Analyst Development Program

The ATIP Office continued to support the development of its employees through the ATIP Analyst Recruitment and Development Program, aimed at providing opportunities within AAFC ATIP and retaining talent and expertise within the department. The goal of the program is to have a capable workforce that can grow within the AAFC ATIP Office. Entry-level participants receive training in both ATIP operations and privacy policy and can become eligible for promotion as qualifications and experience are gained over a set period of time.

5.2 Awareness

Data Privacy Week

In 2025, Canada, along with many countries worldwide, observed Data Privacy Week from January 27 to 31. AAFC marked the occasion by featuring related events in its internal publication, news@work, to raise awareness about privacy rights and emphasize the importance of safeguarding personal information. The PCU promoted available privacy management courses and directed employees to its SharePoint Online site, providing valuable resources to support AAFC staff in protecting personal data.

Employee engagement

An AAFC employee engagement plan was designed and began implementation in 2022–2023 and continued into this reporting period. It consists of 3 areas  — updating and implementing the AAFC Employee Training Program, launching an Awareness Campaign and strengthening the network of various AAFC groups, for example offices of primary interest, Legal, Information Management, etc. The ATIP Office was successful in the implementation of its Awareness Campaign and strengthened networks across the department.

6. Privacy policies, guidelines and procedures

6.1 Privacy policy

The PCU continues to review and update AAFC’s suite of privacy policies as needed. To support employees in understanding their responsibilities related to the collection, use, and protection of personal information, the PCU has developed a comprehensive set of policy tools.

This year, the PCU has focused on leveraging its internal SharePoint Online site to enhance communications and provide employees with easy access to important resources that emphasize the significance of privacy in their daily work.

In addition, the PCU has updated its departmental policies on Privacy Impact Assessments and the Privacy Management Framework to ensure alignment with the TBS 2024 revisions to the Directive on Privacy Practices.

These tools play a crucial role in equipping AAFC employees with the knowledge and resources necessary to effectively uphold their privacy responsibilities.

6.2 Guidelines and procedures

As part of this initiative, the PCU implemented several key tools aligned with the TBS 2024 update to the Directive on Privacy Practices. These include the newly developed mandatory TBS Privacy Checklist, as well as the required PIA and PIB submission templates. Alongside well-established internal evaluation tools already in use, these resources have been employed to assess numerous programs and activities across AAFC.

By engaging AAFC program officials early in the design phase, these resources help capture critical information during the initial development of new programs and activities. This early-stage engagement supports informed decisions about the need for a PIA or Protocol and guides the integration of privacy-by-design principles to ensure robust privacy outcomes.

7. Initiatives and projects to improve privacy

Innovation and client service

AAFC is committed to being a leader in innovative and effective technology, continuously enhancing its service to clients and stakeholders. A key focus for the PCU has been improving the client experience by strengthening collaboration with multiple branches, including the Centre of Excellence for Grants and Contributions, Security Services, Values and Ethics, and the Chief Data Office. Through regular meetings and ongoing communication, these partnerships have cultivated a heightened awareness of privacy throughout the department, resulting in solutions that both increase operational efficiency and ensure full compliance with the Privacy Act and TBS Directives.

A significant initiative this fiscal year, involving stakeholders from across the department, was the comprehensive overhaul and update of AAFC’s Info Source chapter. Managed by the PCU, Info Source is a vital resource that outlines AAFC’s programs, activities, and associated information holdings. The PCU worked closely to coordinate the update, providing guidance and support to branch experts to ensure PIBs and CoRs were accurately revised and fully reflective of current program descriptions. This collaborative approach is a clear example of the PCU’s commitment to enhanced client service, fostering stronger partnerships and facilitating more effective compliance across the department.

8. Summary of key issues and actions taken on complaints

AAFC ATIP worked closely with the OPC to resolve a complaint.

One delay complaint was received and closed as not well founded during the fiscal year. No court actions in relation to AAFC’s obligations under the Privacy Act were carried out during the reporting period.

No requests were received from individuals seeking a correction or notation to their personal information pursuant to subsection 12(2) of the Privacy Act.

9. Material privacy breaches

There were no material privacy breaches reported by AAFC during fiscal year 2024-2025.

Seven (7) non-material privacy breaches were reported during this fiscal year.

10. Privacy Impact Assessments

AAFC completed 2 Privacy Impact Assessments during the 2024-2025 fiscal year and conducted 7 Privacy Protocols to ensure AAFC’s compliance with the new TBS Directive on Privacy Practices.

Generic grants and contribution programming

This PIA was developed to assess a series of new and existing funding programs that fall under the umbrella of Grants and Contributions programming offered by AAFC.

All AAFC programs that fall under grants and contributions programming follow a nearly identical workflow where an agriculture producer or processor applies for funding, AAFC receives and assesses the application, and subsequently provides the producer or processor with repayable funds (including loans), non-repayable contributions, grants, a combination of all three, or declines the application.

This PIA was developed to create a new PIB, called the Grants and Contributions programming PIB. This new PIB will replace existing program PIBs and will be used for new funding initiatives that fall under grants and contributions.

Security Incident Management Program

The Security Incident Management Program (SIMP) is designed to effectively manage security incidents impacting departmental assets, employees, authorized users, stakeholders, and clients. All employees and managers share the responsibility of promptly reporting security incidents to AAFC’s Departmental Security and Intelligence Services (DSIS).

SIMP’s primary objective is to respond to incidents in accordance with the TBS Policy on Government Security and related directives. Security incidents may be reported by employees or identified through monitoring activities conducted by DSIS or partner organizations.

Upon reporting, each incident is logged into a dedicated case management system and may be subject to a fact-finding process. Where necessary, an administrative investigation is initiated, employing various collection methods, including IT-based evidence gathering techniques.

In addition, DSIS investigates wrongdoing under the Public Servants Disclosure Protection Act, ensuring confidentiality for individuals who come forward with disclosures applicable under the Act.

11. Public interest disclosures

During 2024-2025, there were no disclosures made under section 8(2)(m) of the Privacy Act and, therefore, no section 8(5) written notifications made to the OPC.

12. Monitoring compliance

The PCU utilizes an automated case management system to track and manage all requests for guidance and advice concerning the handling and use of personal information within the department.

As part of its responsibility to monitor and address risks identified during PIAs, the PCU developed a SharePoint Online site dedicated to Management Response Action Plans (MRAP). This internal platform is used to document and track recommendations for mitigating risks identified through completed privacy evaluations. For each assessment, tables are prepared to record all identified risks, assign accountability for their resolution, and review overdue actions to ensure timely completion.

Beyond PIAs, the PCU is routinely consulted whenever personal information may be collected or handled. For instance, AAFC employs an online questionnaire that employees complete when requesting services for public opinion surveys. If potential collection of personal information is indicated, the PCU is automatically notified and engaged. Similarly, the PCU is automatically involved by AAFC Security whenever a client requests access to procure or use a new digital solution. The PCU receives detailed reports on such initiatives, reviews them for privacy implications, and provides recommendations as needed.

Standard requests for policy advice regarding the interpretation of the Privacy Act and Treasury Board submissions are regularly reviewed by the PCU. These are typically approved at the program manager level and by the PCU manager. More complex, high-profile, or sensitive initiatives and privacy breaches undergo review and approval by the Director of Access to Information and Privacy — who serves as AAFC’s section 10 delegate — and, where necessary, by the Director General or Assistant Deputy Minister of the relevant program.

13. Conclusion

Fiscal year 2024-2025 brought numerous engagement opportunities for AAFC’s ATIP Office and PCU. Client engagement, enhanced collaboration, and innovative, streamlined processes have been central priorities for both teams. The ATIP Office has worked closely with senior officials and program officers to ensure compliance across all business streams.

AAFC remains committed to upholding the spirit and intent of the ATIA and Privacy Act, fostering government accountability and transparency to support an open, democratic society and facilitate informed public debate on the activities of federal institutions — while protecting personal information. Consistent with this commitment, all privacy requests were responded to within established timelines.

In addition to these ongoing priorities, the PCU and AAFC are actively advancing their understanding and use of AI — its applications, implications, and associated privacy risks. Recognizing the transformative potential of AI, the PCU is focused on safely and appropriately integrating AI and automation technologies into daily operations, programs, and activities. This includes assessing AI-related privacy concerns, establishing guidelines to mitigate risks, and promoting privacy-by-design principles to ensure responsible AI adoption throughout the department.

Looking ahead, the AAFC ATIP Office will continue to streamline processes, implement digital strategies, and support the department in responding to calls to action from the Information Commissioner, the Office of the Privacy Commissioner, and the President of the Treasury Board. These efforts will reinforce AAFC’s commitment to legislative requirements, openness, and the protection of personal information, including emerging challenges and opportunities presented by AI.

Annex A

Privacy Act Designation Order, Agriculture and Agri-Food Canada

The Minister of Agriculture and Agri-Food Canada, pursuant to Section 73 of the Privacy Act, hereby designates the persons of the department holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers and perform the duties and functions of the Minister as the head of a government institution under the sections of the Act set out in the schedule opposite each position. This Designation Order supersedes all previous Designation Orders.

Annex B

Delegation of authority instrument for the administration of the Privacy Act

The Minister of Agriculture and Agri-Food, pursuant to section 95(1) of the Access to Information Act and Section 73(1) of the Privacy Act, hereby designates the persons holding the positions set out in the schedule hereto, or the persons occupying on an acting basis those positions, to exercise the powers, duties and functions of the Minister as the head of Agriculture and Agri-Food, under the provisions of the Act and related regulations set out in the schedule opposite each position. This designation replaces all previous delegation orders.

Delegation of authority instrument