2024-2025 Annual Report on the Administration of the Privacy Act

I - Introduction

The purpose of the Privacy Act, (“the Act”), is to strengthen Canada’s laws that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

This Annual Report on the Canadian Air Transport Security Authority’s (CATSA) administration of the Act has been prepared in accordance with section 72(1) of the Act and is hereby submitted for tabling in Parliament under Section 72(2) of the Act.

This is report serves as CATSA’s 22nd Annual Report on Privacy Act and coincides with its establishment twenty-one years ago. CATSA remains focused on its mandate of civil aviation security screening of the traveling public with the greatest degree of security while providing the best possible screening service for passengers and their baggage.

Previous such reports are available under the “Reports and Summaries” heading of the “Privacy” page on the CATSA website and the Open Government portal.

During 2024-2025, CATSA has no non-operational subsidiaries during this reporting period.

The Canadian Air Transport Security Authority - Mandate

Established as an agent Crown Corporation on April 1, 2002, CATSA‘s mandate is to protect the public by securing critical elements of the air transportation system as assigned by the Government of Canada.

Fully funded by parliamentary appropriations, CATSA is accountable to Parliament through the Minister of Transport. CATSA is governed by a Board of Directors. Operations are directed by a senior management team. CATSA currently contracts security screening to third-party contractors.

CATSA delivers on its mandate of securing Canada’s air transportation system by conducting the following activities across 89 of Canada’s designated airports:

  1. Pre-Board Screening (PBS) - The screening of passengers and their belongings prior to their entry into the secure area of an air terminal building;
  2. Hold Baggage Screening (HBS) - The screening of passengers checked (or hold) baggage to prevent the boarding of prohibited items;
  3. Non-Passenger Screening (NPS) - The random screening of non-passengers accessing restricted areas; and
  4. Restricted Area Identity Card (RAIC) - The program that uses iris and fingerprint biometric identifiers to allow non-passenger access to the restricted areas of airports.

Under an agreement concluded with Transport Canada in 2010, CATSA has the authorization to conduct screening of cargo at smaller airports if there is capacity to do so. Each of these activities is carried out effectively, efficiently, consistently, and in the public interest, as required by the CATSA Act.

II- Organizational Structure

The Manager of IM, Privacy and ATIP, who is also the organization’s Access to Information and Privacy (ATIP) Coordinator, is responsible for processing requests received under the Act, and privacy policy and compliance. A Senior ATIP Advisor supports the ATIP Coordinator in processing requests under the Act, and a Privacy Advisor supports the privacy policy and compliance functions. The Senior Advisor, Corporate Security and Business Continuity – EP provides support for disclosures of personal information under Paragraph 8 of the Act.

ATIP & Privacy organizational chart
Org Chart Details
  • President and CEO 
    • Vice-President, Corporate Services and Corporate Secretary
      • General Manager, Corporate Security, Facilities, IM, Privacy and ATIP
        • Manager, IM, Privacy and ATIP
          • Senior ATIP
          • Privacy Advisor

The ATIP Coordinator reports directly to the General Manager, Corporate Security, Facilities, and Information Management. The Vice-President, Corporate Services and Corporate Secretary serves as CATSA’s Chief Privacy Officer (CPO) and reports directly to the President and Chief Executive Officer.

CATSA’s Privacy Office responsibilities regarding the Act are as follows:

  • receive and process all requests in accordance with the Act;
  • assist requesters in formulating their requests when required;
  • gather all pertinent records from the program areas and ensure that the search for information is rigorous and complete;
  • receive and process all disclosure requests in accordance with the Act;
  • conduct the initial record review and provide recommendations to the program areas;
  • conduct all internal and external consultations;
  • consolidate recommendations and apply all discretionary and mandatory exemptions under the Act;
  • assist the Office of the Privacy Commissioner (OPC) in all privacy-related matters including complaints against CATSA;
  • prepare annual reports on the administration of the Act;
  • coordinate the annual Info Source update;
  • work with representatives throughout the organization to complete Privacy Impact Assessments for any new or substantially modified activity, program that collects or uses personal information;
  • provide ongoing advice and guidance to senior management and staff on matters related to privacy and privacy tools;
  • promote privacy of personal information awareness by providing training sessions to ensure that all staff are aware of the obligations imposed by legislation;
  • respond to consultations received from external organizations;
  • develop and maintain privacy policies and guidelines;
  • stay current on, and promulgate within CATSA, any changes to administrative requirements for the Act from the Treasury Board of Canada Secretariat, or guidance prepared by the Office of the Privacy Commissioner; and
  • participate in ATIP community activities and ATIP community meetings.

During the 2024-2025 fiscal year, CATSA was not party to any service agreements under section 73.1 of the Privacy Act.

Access to Information and Privacy Communities Development Office (APCDO) Membership

Since 2022, TBS established the Access to Information and Privacy Communities Development Office (APCDO). CATSA joined the membership to continue to develop our visibility as a smaller ATIP office. APCDO was established to provide ongoing support to ATIP offices for the recruitment activities and retention of ATIP professionals.

CATSA membership has benefited from the valuable guidance on the development and training of practitioners, which in turn strengthens the ATIP community. The APCDO has hosted various workshops, InfoBlitz and Deep Dive sessions, that give timely information about ongoing issues and guidance on how to effectively manage the Access to Information Program.

III - Delegation Of Signing Authority

In accordance with section 73(1) of the Act, a delegation order, signed by CATSA’s President and Chief Executive Officer (CEO), designates the person holding the position of ATIP Coordinator to exercise and perform the privacy duties on behalf of the organization.

The signed and dated delegation order is attached to this report as Annex A.

IV - Performance 2024-2025

Privacy Act Requests Received and Completed

For the fiscal year of 2024-2025, CATSA received twenty-two (22) new Privacy Act requests, which is seven (7) requests less than the twenty-nine(29) requests received in the previous fiscal year. This represents a 27% decrease in requests. There were four (4) requests carried over from 2023-2024. In total, CATSA was responsible for twenty-six (26) requests in 2024-2025.

During the 2024-2025 of the twenty-six (26) requests completed, CATSA processed 67 pages of records and 774 minutes of video footage.

Chart I: Annual Formal Requests Received

Annual Formal Requests Received Chart by years

Number of requests received by fiscal year
Chart I details
Number of Requests Received by Fiscal Year
Fiscal Year Number of requests received
2024-2025 22
2023-2024 29
2022-2023 4
2021-2022 9
2020-2021 9

Chart II: Average Number of Pages Processed 

Average Number of Pages Processed chart by years

Average Number of Pages Processed chart by years
Chart II details
Average Number of Pages Processed by Year
Source Number of pages processed
2024-2025 67
2023-2024 244
2022-2023 153
2021-2022 530
2020-2021 77

Multi-Year Trend

During this fiscal year, the number of Privacy Act requests submitted to CATSA has remained steady with a slight increase in the number of requests for the viewing of CCTV footage. This trend demonstrates that there are fewer paper records requests being received. While the number of requests has been steady, the challenge of processing CCTV footage requests remains a challenge due to the complexity of these disclosures.

Completion Time

During fiscal year 2024-2025 of the twenty-four (24) Act requests completed:

  • 20 requests (83%) completed within 30 days or less; and
  • 4 Completed in 31 to 60 days.

All requests disclosed were delivered electronically and there eleven (11) requests for video format.

This result demonstrates CATSA continues to be committed to completing its requests in a timely manner and in compliance with the Privacy Act. Many of our Privacy Act requests are no longer for paper/electronic records, but more specifically for the viewing of checkpoint footage.

Active Requests

At the end of this reporting period, CATSA had two (2) active ongoing requests, both from the 2024-2025 reporting period and within the legislative timelines.

Complaints

During this fiscal reporting period, CATSA has no ongoing complaints, nor did they receive any new complaints.

Disposition of Completed Privacy Act Requests

The twenty-four (24) completed requests consisted of :

  • 7 requests were disclosed in part;
  • 1 request was all disclosed;
  • 9 requests no records existed; and
  • 7 requests were abandoned.

Of the abandoned requests, the requester did not return to clarify their original requests, which were vague and contained wording such as “all records that CATSA has on requester name”.

Exemptions Invoked

Where privacy exemptions were invoked, these reasons were cited:

Reason Exemption Number of Cases
Law Enforcement and investigations S.22 3
Personal information S.26 3
Legal advice S.27 3

Extensions

For the twenty-four (24) requests completed in 2024-2025, two (2) extensions of an additional period between 16 to 30 days were taken due to the requests interference with operations/workload, while one (1) was classified as other, as the requester asked to delay their viewing of the footage for a period of a few months.

Complexity

The CATSA has received more requests to view footage this fiscal year. These requests continue to require additional work as they have a higher complexity than request for electronic records. The significant increase in the number of minutes to process these requests clearly demonstrates the fact that there are occasionally multiple viewpoints to choose from adds yet another level of complexity to these types of requests. It necessitates choosing the optimal angles, which subsequently requires additional labour to complete.

Consultations

There were no consultations from other government departments completed during this reporting period. There were also no consultations pending from the end of the previous reporting period.

The full Statistical Report on the Administration of the Act is attached as Annex B.

V - Training and Awareness

The ATIP Coordinator has maintained the designation of Certified Information Privacy Professional - Canada (CIPP/C) and will continue to seek out professional development opportunities such as attendance at conferences and peer communication to provide the most up to date privacy training. The Privacy Advisor continues to seek out development opportunities through conferences, research and attending privacy related working groups. They are actively pursing the designation of Certified Information Privacy Processional – Canada (CIPP/C).

CATSA continues to provide staff with privacy training to its employees using awareness tips and privacy themed blog posts on its intranet throughout the year. The Privacy team aims to bring awareness to privacy issues by developing and posting educational materials posted on its intranet as part of Privacy Awareness Week, held during the early part of May 2024.

During 2024-2025, CATSA privacy e-module training mandatory continues to provide at the start of employment. At the end of the fiscal year, 93% of all CATSA employees had complied and completed the training.

CATSA offers additional privacy training during a virtual orientation session for new employees - where 72 CATSA employees attended.

VI - Policies, Guidelines, and Procedures

The Privacy Office has undertaken a review of our Privacy Program in order to improve our internal processes and procedures. We have identified key areas such as updating our Privacy Basics e-module and creating more detailed guidance on Privacy deliverables based on updated tools, such as the Privacy Checklist, a Privacy Protocol and the Privacy Impact Assessment template, as ways to ensure that CATSA continues to apply appropriate privacy protections.

VII - Initiatives and Projects to Improve Privacy

CATSA is a strong advocate of collaboration, both internally within the organization as well as within the Privacy Community.

CATSA’s Privacy Program -The Privacy Office regularly engages with internal groups to provide advice, guidance and best practices on improving privacy protections, and getting a better understand of how the impact that our programs/activities have on our organization’s objectives.

Privacy Community – The Privacy Office also has regular consultations with other Crown Corporation privacy offices as well as with the Treasury Board Secretariat through quarterly ATIP community meetings. These discussions provide an opportunity to discuss areas of concerns for smaller Privacy Offices and to touch on areas that may not affect core-government institutions.

Regulatory Community – the Privacy Office actively seeks out guidance from regulators such as the Government Advisory Directorate of the Office of the Privacy Commissioner. Their offices provide informal, proactive advice and guidance on programs and activities where there are clearly privacy impacts. Their guidance has assisted CATSA in the drafting of PIAs and retention periods.

CATSA’s AI Committee - With the recent focus on Artificial Intelligence (AI), CATSA has formed an AI Committee responsible for the creation of the procedures required to uphold the conduct, objectives, ethical impact, and output requirements contained in CATSA’s AI Policy. As a member of the Committee, the Privacy Advisor provides recommendations on privacy regulations and ensuring compliance with those regulations in the development and deployment of AI systems and technologies that deal with personal information.

VIII - Summary of Key Issues and Actions Taken on Complaints

During 2024-2025, there were no complaints received or concluded during the reporting period. There were no ongoing complaints from the previous period.

Although non formal complaints have been received, the Privacy Office continues to be readily available to provide guidance on privacy concerns that are outside of the scope of an access request.

IX - Material Privacy Breaches

For 2024-2025 fiscal year, there were no material privacy breaches reported to the Office of the Privacy Commissioner and to the Treasury Board of Canada Secretariat (Privacy and Responsible Data Division) during the reporting period.

X - Privacy Impact Assessments

Privacy Impact Assessments (PIAs) are a tool used to ensure that the protection of personal information is considered throughout the design or re-design of a program or activity. PIAs identify the extent to which proposals comply with all appropriate statutes and legislation. They assist managers and decision-makers to avoid or mitigate privacy risks and promote only fully informed policy, program and activity design choices.

For the 2024-2025 fiscal year, CATSA submitted one PIA for the pilot project of Retensa. This PIA documented CATSA’s use of provider Retensa, for conducting exit interview with departing employees utilizing an online survey platform. The questions have been customized to CATSA’s workforces, ensuring the data collected/analyzed can support future strategy plans and retention efforts.

XI - Public Interest Disclosures

For 2024-2025 fiscal year, there were no disclosures made under paragraph 8(2)(m) of the Privacy Act during the reporting period.

XII - Monitoring Compliance

The ATIP Coordinator meets with Privacy Advisor weekly to discuss and develop strategies that ensure the appropriate privacy protections are in place in contracts and information sharing agreements.

Reports on the CATSA’s Privacy Program are submitted to senior management semi-annually, with a briefing in June and again in January to the Chief Privacy Officer.

Annexes

Annex A: Delegation Order – Privacy Act

Annex B: Statistical Report on the Administration of the Privacy Act

Annex C: Supplemental Statistical Report on Access to Information Act and the Privacy Act

Date modified: