Treasury Board of Canada Secretariat

ARCHIVED - Offices of the Information and Privacy Commissioners of Canada



Section I: Overview

1.1   Message from the Privacy Commissioner of Canada

It is with great pleasure that I table before Parliament today the Departmental Performance Report of the Office of the Privacy Commissioner of Canada for the fiscal year ending March 31, 2007.

Being mandated with the responsibility to uphold and protect the privacy rights of Canadians is a sacred trust that should be handled with care. My Office strives to meet this task, but the tools we need to be an even more effective advocate for Canadians are currently out of our reach.

This year marks the 25th anniversary of the introduction of the Privacy Act, which regulates the way in which government departments and agencies handle personal information. Though more than two decades of technological and political change have come and gone, the protections within the Act have not changed. The Act no longer allows Canadians to demand accountability from the government over the way their personal information is handled. This state of affairs has been decried by successive privacy commissioners and stakeholders to no effect.  This is unfortunate, as the government should lead by example. Last June, we tabled a proposal for Privacy Act reform before the House of Commons Standing Committee on Access to Information, Privacy and Ethics, but nothing has come of this yet.

As we close and begin a new fiscal year, we strongly urge Parliament to take the opportunity to affirm Canada as a leader in privacy protection rights, by tackling Privacy Act reform. My Office is eager to work with Parliament on this issue to put meaningful protections in place, for the good of our people and integrity of our institutions.

On another note, the Personal Information Protection and Electronic Documents Act (PIPEDA) was due for its mandatory review in 2006. This process is being undertaken by the House of Commons Standing Committee on Access to Information, Privacy and Ethics and we made two appearances to share our reflections on this law and its impact on the private sector. As the privacy protection standard for private-sector organizations regulated by the federal government, PIPEDA has proved to be sound legislation. However, the Act requires fine tuning in several areas to deal with issues such as data breach notification and transborder data flows. We look forward to the successful conclusion of this review.

Finally, the Office is energized as it prepares to host the privacy world in Montreal this September, at the 29th International Conference of Data Protection and Privacy Commissioners. We have spent much of the last year planning for this event and it promises to help foster worldwide policy collaboration and cooperation. Top privacy thinkers, data protection authorities and members of civil society from around the globe will join us to discuss and exchange ideas about upcoming privacy “dragons” and how we can work together to meet the challenge.

It is against this backdrop of activity that I present our report, which details the Office’s performance over the past fiscal year in meeting our data protection responsibilities and ensuring Canada continues to be a world leader in privacy rights.


Jennifer Stoddart
Privacy Commissioner of Canada

1.2   Management Representation Statement

I submit for tabling in Parliament, the 2006–2007 Departmental Performance Report for the Office of the Privacy Commissioner of Canada.

This document has been prepared based on the reporting principles contained in the Guide for the Preparation of Part III of the 2006–2007 Estimates: Reports on Plans and Priorities and Departmental Performance Reports:

  • It adheres to the specific reporting requirements outlined in the Treasury Board Secretariat guidance;
  • It is based on the department’s Strategic Outcome and Program Activity Architecture that were approved by the Treasury Board;
  • It presents consistent, comprehensive, balanced and reliable information; 
  • It provides a basis of accountability for the results achieved with the resources and authorities entrusted to it; and
  • It reports finances based on approved numbers from the Estimates and the Public Accounts of Canada.


Jennifer Stoddart
Privacy Commissioner of Canada

1.3   Program Activity Architecture

The OPC’s Strategic Outcome and Program Activity Architecture (PAA) structure that were approved by Treasury Board Secretariat have remained stable in their substance; only minor wording revisions were made as part of an exercise to develop the OPC results and performance measurement framework during 2006-2007. Hence the structure of the PAA, the number of program activities, and corresponding allocation of funding have not been changed, nor has a submission to Treasury Board Secretariat for any formal modification been required. Nevertheless, and for purposes of clarity and transparency, we present in the table below the minor wording revisions that were made to the OPC PAA.


| Wording of PAA in 2006-2007 RPP | Revised Wording of PAA in 2006-2007 DPR |
|---|---|
| Strategic Outcome: The privacy rights of Canadians are protected. | Strategic Outcome: The privacy rights of individuals are protected. |
| Program Activity 1: Assess and investigate compliance with privacy obligations | Program Activity 1: Compliance activities |
| Program Activity 2: Privacy issues: research and policy | Program Activity 2: Research and policy development |
| Program Activity 3: Privacy education – promotion and protection of privacy | Program Activity 3: Public outreach |
| Other Activities | Other Activities: Management excellence |


Link to the Government of Canada outcome areas: given that the OPC is independent from government, we do not link, or report, information from this Office to the Government of Canada outcomes.

1.4   Raison d’Être

The mandate of the OPC is to protect and promote the privacy rights of individuals.

The OPC is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law. 

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate.

The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

  • Investigating complaints, conducting audits and pursuing court action under two federal laws;
  • Publicly reporting on the personal information-handling practices of public and private sector organizations;
  • Supporting, undertaking and publishing research into privacy issues; and
  • Promoting public awareness and understanding of privacy issues.

The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. In public sector matters, individuals may complain to the Commissioner about any matter specified in Section 29 of the Privacy Act. This Act applies to personal information held by Government of Canada institutions.

For matters relating to personal information in the private sector, the Commissioner may investigate all complaints under Section 11 of PIPEDA except in the provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta. Ontario now falls into this category with respect to personal health information held by health information custodians under its health sector privacy law. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. Also, PIPEDA applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.

We focus on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.

In brief, as a public advocate for the privacy rights of Canadians, the Commissioner carries out the following activities:

  • Investigates complaints and issues reports with recommendations to federal government institutions and private sector organizations to remedy situations, as appropriate;
  • Pursues legal action before Federal Courts where matters remain unresolved;
  • Assesses compliance with obligations contained in the Privacy Act and PIPEDA through the conduct of independent audit and review activities, and publicly reports on findings;
  • Advises on, and reviews, privacy impact assessments (PIAs) of new and existing government initiatives;
  • Provides legal and policy analyses and expertise to help guide Parliament’s review of evolving legislation to ensure respect for individuals’ right to privacy;
  • Responds to inquiries of Parliamentarians, individual Canadians and organizations seeking information and guidance and takes proactive steps to inform them of emerging privacy issues;
  • Promotes public awareness and compliance, and fosters understanding of privacy rights and obligations through: proactive engagement with federal government institutions, industry associations, legal community, academia, professional associations, and other stakeholders; prepares and disseminates public education materials, positions on evolving legislation, regulations and policies, guidance documents and research findings for use by the general public, federal government institutions and private sector organizations;
  • Provides legal opinions and litigates court cases to advance the interpretation and application of federal privacy laws;
  • Monitors trends in privacy practices, identifies systemic privacy issues that need to be addressed by federal government institutions and private sector organizations and promotes integration of best practices; and
  • Works with privacy stakeholders from other jurisdictions in Canada and on the international scene to address global privacy issues that result from ever-increasing transborder data flows.

1.5   Financial and Human Resources

The following two tables present the total financial and human resources that the OPC has managed in 2006-2007.

Financial Resources (in thousands of dollars)


| Planned Spending | Total Authorities | Actual Spending |
|---|---|---|
| $16,298 | $16,033 | $15,716 |

Human Resources


| Planned | Actual | Difference |
|---|---|---|
| 125 FTEs | 108 FTEs* | (17) FTEs |

* Full-Time Equivalent

1.6   Factors Affecting OPC Performance in 2006-2007

External Factors

In 2006-2007, the OPC focused its attention on key questions of national importance.  We also addressed urgent issues as they arose in Parliament and in national dialogue. These issues included:

New technologies

The OPC hosted jointly with University of Ottawa’s Law and Technology Group the “Internet Privacy Symposium” in February 2007. Leading experts on Internet privacy issues met in Ottawa to discuss new threats to online privacy, emerging trends and ways to better protect personal information in the future.  The focus of the symposium was on research funded by the OPC through its Contributions Program. Topics discussed included: patient privacy and electronic health records; helping children understand Internet privacy issues; Internet privacy and the workplace; and, privacy issues and identity theft.

Under its Contributions Program, the OPC funded four research projects in 2006 that focused on new technologies.  These projects dealt with: digital rights management technologies and consumer privacy; technology choices and privacy policy in health care; vehicle technology and consumer privacy; and, the secondary uses of health information and electronic medical records.

In November 2006, the OPC released a summary of its findings in a case involving the workplace use of Global Positioning Systems (GPS), which can track the location of a vehicle in real time. The OPC concluded that employers needed to carefully consider the privacy rights of their workers and limit the specific purposes for installing GPS into their vehicle fleets.  Several workers complained that their employer, a telecommunications company, was using GPS to improperly collect their personal information, specifically their daily movements while on the job.

Finally, the Office published three information fact sheets on its web site dealing with new technologies and the challenges posed by these to privacy.  These documents addressed digital rights management and technical protection measures, the risks of metadata and the ways in which personal information may be hijacked online.

Interconnected information systems

The principal concern with interconnected (interoperable) information systems is that shared connections mean shared risks. The more interconnected systems become the less knowledge and control over the movement and use of personal information an individual system owner will have. To mitigate this risk, effective governance and control is required for the collective set of systems. This poses a major challenge for government and private sector organizations creating any such “systems of systems.” This is a particularly complex issue when systems connections and associated flows of information cross jurisdictional boundaries where different laws and standards may apply. The Office addressed this issue in some of its work.

During its review of certain privacy impact assessments for interconnected systems of the RCMP, the OPC raised concerns regarding the governance, control and accountability over the sharing of personal information for policing purposes at federal, provincial and municipal levels. As a result, a more comprehensive and overarching privacy impact assessment was undertaken by the RCMP for the National Integrated Inter-agency Information System (N-III).

While IT systems are not directly interconnected, personal information is shared by the Canada Border Services Agency (CBSA) with foreign jurisdictions. Effective control and accountability is required. As part of the audit of the CBSA, the OPC recommended that:

  • The CBSA seek to update and strengthen its personal information sharing agreements with the United States, including the establishment of processes providing mutual assurance that shared personal information is accorded appropriate protections; 
  • A formal service level agreement be implemented between the United States and Canada to include mutually agreed security standards so that each party takes steps to ensure shared personal information is complete, current and accurate; and
  • The CBSA, in conjunction with the Treasury Board Secretariat, better inform Parliament and the public about the sharing of personal information with other countries.

Another prime example of interconnected systems is the ongoing initiative to develop and implement electronic health record (EHR) solutions on a pan-Canadian basis. The OPC has taken a keen interest in the development of interoperable EHR systems across Canada and has helped advance the debate on these issues by funding a number of important research projects and contributing to stakeholder discussions and consultations on critical privacy issues associated with this initiative.

Transborder data flows

As mentioned above, in June 2006, the OPC published its audit of the personal information management practices of the Canada Border Services Agency with regards to transborder data flows. The report contains 19 recommendations or groups of recommendations for improvements on how the CBSA handles the international exchange of personal information. While the audit found that the CBSA has systems and procedures in place for managing and sharing personal information with other countries, significant opportunities exist to better manage privacy risks and achieve greater accountability, transparency and control over the transborder flow of data.

Also in June, the Office announced it was examining whether Canadians’ financial records were being improperly accessed by foreign authorities. This followed news reports and a letter sent by Privacy International to data protection authorities around the world – including Canada – alleging that authorities are obtaining access to Canadians’ information through SWIFT (the Society for Worldwide Interbank Financial Telecommunication), a European-based financial cooperative.

In April 2006, the Privacy Commissioner issued a statement congratulating the Government of Canada for its Federal Strategy to Address Concerns About the USA Patriot Act and Transborder Data Flows, which was officially launched at that time by the Treasury Board of Canada Secretariat. The Office also actively participated in the development process of that strategy.

During the fiscal year, the Office continued its work with two international bodies, the Organization for Economic Co-operation and Development (OECD) and Asia Pacific Economic Cooperation (APEC), to enhance the protection of personal information as it flows around the globe and to encourage cross-border enforcement cooperation.

Finally, in the matter of X. v. Accusearch Inc., dba ABIKA.com and Privacy Commissioner of Canada, the Federal Court of Canada rendered a decision clarifying our jurisdiction to investigate a complaint against an organization that operates outside of Canada to collect, use and disclose personal information about individuals in Canada for commercial profit. This decision confirmed the scope of our jurisdiction in matters involving cross-border flows of personal information.

National security and law enforcement

In June 2006, the OPC presented to the Standing Senate Committee on Banking, Trade and Commerce a submission reviewing the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The Committee had been asked to undertake a review of the Act as per the legislation’s five-year review provisions. A little later in the year, the Office appeared before the same Senate Committee on the same issue, this time to provide its views on Bill C-25, An Act to amend the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. In both instances, the Office took the position that Canada’s anti-money laundering and anti-terrorist financing regime is novel and precedent setting because of the degree to which it requires private sector entities to collect information on behalf of the state. The OPC asked the Committee to consider carefully whether the proposals to expand Canada’s anti-money laundering and anti-terrorist financing regime as set out in Bill C-25 are necessary and proportionate.

In December 2006, the OPC acquired new oversight responsibilities under Bill C-25. The OPC is now required to regularly review compliance with the Privacy Act by the Financial Transactions and Reports Analysis Centre (FINTRAC). The Act mandates the Privacy Commissioner to review and report to Parliament on FINTRAC’s activities every two years. Accordingly, the OPC has already planned to conduct an audit of FINTRAC in 2007-2008. Providing the Commissioner with mandated review of FINTRAC’s activities is an important step because – as a result of Bill C-25 – the number of organizations required to monitor and to collect information about their clients and customers will increase, the amount of personal information being collected will expand, and more transactions will be subject to scrutiny and reporting.

Legislative review: Keeping the privacy rights of Canadians up-to-date

The Personal Information Protection and Electronic Documents Act

In July 2006, in preparation for the mandatory review of PIPEDA, the OPC issued a consultation paper which described several issues identified as warranting consideration during the review. The OPC invited input on the issues and possible amendments for consideration in the PIPEDA review. In response, the Office received 63 submissions that helped inform the OPC’s own thinking on the issues. Following this consultation, in November 2006 the Office tabled with the Standing Committee of the House of Commons on Access to Information, Privacy and Ethics (ETHI Committee) a background paper summarizing the views received and setting forth its preliminary views on how PIPEDA was functioning. This was followed up with an appearance before the Committee in February 2007, where the Commissioner presented a submission setting forth a more defined OPC position on the review of the Act. This submission noted that while the OPC believes PIPEDA is working reasonably well, deficiencies have come to light that were not anticipated when the Act was drafted several years ago.

The Privacy Act

In an October 2005 appearance by the Privacy Commissioner of Canada on the Annual Reports of her Office, the ETHI Committee extended an invitation to provide proposals for Privacy Act reform. In response, the Commissioner presented in June 2006 a discussion document on reforming the Act. It contained commentary on the factors driving the need for reform of the Privacy Act, as well as general proposals and recommendations for changes to the legislation. The Office also appeared before the Committee in June 2006 to present this discussion document, which contains many recommendations. The Privacy Act is a first generation privacy law that has not been substantially amended since its passage in 1982. The OPC believes that Canadians, elected and non-elected officials, as well as civil society groups representing broad-based societal interests should be engaged in a thoughtful, deliberate and informed discussion on reforming the Privacy Act.

Internal Factors

Fiscal year 2006-2007 was Year 1 of the implementation plan for the OPC’s three-year business case (presented in 2005-2006 to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament). The OPC focused on organizational design, staffing and classification requirements during that first year as a result of newly approved resources for an almost 40 percent increase in personnel strength. However, the Office did not meet all of the objectives of the business case due to recruitment challenges, and as a result has not yet staffed all new positions.

The OPC regained its full staffing delegation authority in May 2006, which facilitated staffing efforts and demonstrated the continued improvements in our human resources management practices.

The OPC faced some accommodation challenges given the growth of the organization in 2006-2007. In order to address this challenge, the OPC worked closely with Public Works and Government Services Canada to acquire an additional 550 m² of space at its current location on Kent Street in Ottawa. This provided some relief but did not address long-term needs as the OPC will continue to grow over the next few years. The OPC has completed some initial work in preparing a business case for approval of a long-term accommodation plan. Work on this plan will continue in the next fiscal year in order to address ongoing needs on the accommodation front.

1.7   Performance Status of OPC Priorities

The OPC had identified six priorities for 2006-2007. The following table summarizes the priorities and expected results, provides high-level information on our actual performance, and includes a self-assessment of performance status using Treasury Board Secretariat’s ratings: successfully met, not met, or exceeded expectations.

More detailed information on actual performance is provided in Section II – Analysis by Program Activity.


Strategic Outcome: The privacy rights of individuals are protected.

Priorities for 2006-2007 and Expected Results, with Type, Actual performance and Performance Status

1. Improve and expand service delivery
Type: Ongoing

  • Expected result: Reduced backlogs of complaints and PIA reviews
    Actual performance: The OPC improved its service delivery with increased efforts to reduce the backlog of complaints through the streamlining of processes, which resulted in a significant reduction of backlogs by 60% for PIPEDA complaints and 42% for Privacy Act complaints by the end of March 2007.
    Performance status: Partially Met
    Actual performance: The PIA backlog did not diminish but has remained essentially unchanged over the fiscal year due to the loss of a key PIA review officer and delays in staffing the vacancy.
    Performance status: Not met

  • Expected result: Increased Commissioner-initiated complaints and audits
    Actual performance: While the number of Commissioner-initiated complaints has increased by only one (from five to six) in 2006-2007, this worthwhile initiative allowed the Commissioner to exercise her powers to instigate in-depth reviews of federal government institutions and private sector organizations to assess whether they were in compliance with the requirements of the two Acts.
    Performance status: Successfully met
    Actual performance: Six new audits were initiated pursuant to the Privacy Act. Two audits in the private sector were initiated under PIPEDA. This represents an increase in audit activity compared with previous years.
    Performance status: Successfully met

  • Expected result: Engagement activities launched for key audiences, such as Parliament, business, federal government, the general public, academics and the legal community
    Actual performance: With the increased funding obtained through its 2005-2006 business case, the OPC has undertaken more extensive public awareness initiatives, namely by:
      • Commissioning its annual public opinion survey in March 2007 to revisit Canadians’ views on some of the emerging privacy issues;
      • Preparing daily press clipping packages and media analysis on key issues to support management decision-making;
      • Responding to some 450 requests from the media for information and interviews on key privacy issues;
      • Conducting research, generating public debates and working at raising awareness of a number of important national privacy issues with all stakeholder groups, and continuing to hold bi-monthly privacy lecture series;
      • Continuing to liaise with provincial and territorial counterparts; and
      • Developing a number of fact sheets, including a ‘Questions and Answers’ document on applications for court hearings.
    Performance status: Successfully met

2. Respond to Parliament
Type: Ongoing

  • Expected result: Key privacy issues identified and positions articulated
    Actual performance: The OPC made 11 appearances before Parliamentary committees on a variety of bills and issues. The Parliamentary liaison function was further reinforced; and the policy development and advice function reorganized to provide more focused advice to Parliament.
    Performance status: Successfully met

  • Expected result: Dialogue with provinces on issues of common interest
    Actual performance: OPC continued to work collaboratively with provincial privacy commissioners throughout the year (i.e., clarification of respective responsibilities, information sharing, learning events).
    Performance status: Successfully met

3. Participate in PIPEDA review and Privacy Act reform
Type: Ongoing

  • Expected result: PIPEDA review and Privacy Act reform framework documents available
    Actual performance: The Office published the two following documents:
      • PIPEDA review discussion document titled “Protecting Privacy in an Intrusive World” (July 18, 2006)
      • Privacy Act discussion document titled “Government Accountability for Personal Information: Reforming the Privacy Act” (June 5, 2006)
    Performance status: Successfully met

  • Expected result: OPC strategy developed for PIPEDA review and Privacy Act reform, and implementation under way
    Actual performance: OPC senior officials appeared before the Commons Standing Committee on Access to Information, Privacy and Ethics on the subject of the PIPEDA review on November 27, 2006. As well, the OPC strategy for PIPEDA review and Privacy Act reform was developed and implementation is under way. Finally, an OPC internal Privacy Act working group was created and its work has commenced, and activities of the OPC internal PIPEDA working group are ongoing.
    Performance status: Successfully met

4. Plan and prepare for the 2007 International Data Protection and Privacy Commissioners Conference
Type: New

  • Expected result: Plan for 2007 conference on track
    Actual performance: Conference preparations are on track:
      • Draft program developed
      • Potential speakers and panellists approached
      • External and internal resources retained to participate in conference preparation
      • Venue confirmed
    Performance status: Successfully met

5. Build organizational capacity: hire and integrate new staff, engage and train existing staff
Type: New

  • Expected result: Allocated resources fully utilized
    Actual performance: Seventy-nine percent (79%) of the positions required to deliver on the first year implementation of the OPC business case were created or reviewed in 2006-2007, with the remaining 21% of the positions to be addressed in 2007-2008. Scarcity of specialized personnel compounded with a lengthy staffing process affected OPC’s ability to staff all of its allocated FTE resources.
    Performance status: Not met

  • Expected result: New staff fully integrated
    Actual performance: Newly hired staff were fully integrated within their respective branches (i.e., orientation program, mentoring, hands-on training). Internal communications activities were also a focus of the OPC in 2006-2007, with the completion of an Intranet project aimed at improving content and design of the site to offer more support and information to employees for doing their work.
    Performance status: Successfully met

  • Expected result: Trained management and staff, sub-delegated managers
    Actual performance: All sub-delegated managers and the majority of the non-delegated managers received the required training.
    Performance status: Successfully met

6. Develop results-based systems and baselines
Type: New

  • Expected result: Draft performance management framework and baseline measures in place
    Actual performance: OPC developed and finalized a comprehensive OPC Results and Performance Measurement Framework, which Senior Management Committee approved in December 2006, along with a three-year implementation schedule starting in 2007-2008. The OPC has certain baseline measures in place already and others will be developed as part of the first-year implementation of the performance indicators.
    Performance status: Successfully met

  • Expected result: Records information easily and quickly retrievable
    Actual performance: Enhancements were made to the document repository (RDIMS) and business rules for effective information management were developed to help reduce information silos and ensure that information is easily accessible and retrievable. These enhancements are currently being tested in a pilot and will be rolled out to all OPC employees starting in June 2007.
    Performance status: Successfully met