It is with great pleasure that I table before Parliament today the Departmental Performance Report of the Office of the Privacy Commissioner of Canada for the fiscal year ending March 31, 2007.
Being mandated with the responsibility to uphold and protect the privacy rights of Canadians is a sacred trust that should be handled with care. My Office strives to meet this task, but the tools we need to be an even more effective advocate for Canadians are currently out of our reach.
This year marks the 25th anniversary of the introduction of the Privacy Act, which regulates the way in which government departments and agencies handle personal information. Though more than two decades of technological and political change have come and gone, the protections within the Act have not changed. The Act no longer allows Canadians to demand accountability from the government over the way their personal information is handled. This state of affairs has been decried by successive privacy commissioners and stakeholders to no effect. This is unfortunate, as the government should lead by example. Last June, we tabled a proposal for Privacy Act reform before the House of Commons Standing Committee on Access to Information, Privacy and Ethics, but nothing has come of this yet.
As we close and begin a new fiscal year, we strongly urge Parliament to take the opportunity to affirm Canada as a leader in privacy protection rights, by tackling Privacy Act reform. My Office is eager to work with Parliament on this issue to put meaningful protections in place, for the good of our people and integrity of our institutions.
On another note, the Personal Information Protection and Electronic Documents Act (PIPEDA) was due for its mandatory review in 2006. This process is being undertaken by the House of Commons Standing Committee on Access to Information, Privacy and Ethics and we made two appearances to share our reflections on this law and its impact on the private sector. As the privacy protection standard for private-sector organizations regulated by the federal government, PIPEDA has proved to be sound legislation. However, the Act requires fine tuning in several areas to deal with issues such as data breach notification and transborder data flows. We look forward to the successful conclusion of this review.
Finally, the Office is energized as it prepares to host the privacy world in Montreal this September, at the 29th International Conference of Data Protection and Privacy Commissioners. We have spent much of the last year planning for this event and it promises to help foster worldwide policy collaboration and cooperation. Top privacy thinkers, data protection authorities and members of civil society from around the globe will join us to discuss and exchange ideas about upcoming privacy “dragons” and how we can work together to meet the challenge.
It is against this backdrop of activity that I present our report, which details the Office’s performance over the past fiscal year in meeting our data protection responsibilities and ensuring Canada continues to be a world leader in privacy rights.
Jennifer Stoddart
Privacy Commissioner of Canada
I submit for tabling in Parliament, the 2006–2007 Departmental Performance Report for the Office of the Privacy Commissioner of Canada.
This document has been prepared based on the reporting principles contained in the Guide for the Preparation of Part III of the 2006–2007 Estimates: Reports on Plans and Priorities and Departmental Performance Reports:
Jennifer Stoddart
Privacy Commissioner of Canada
The OPC’s Strategic Outcome and Program Activity Architecture (PAA) structure that were approved by Treasury Board Secretariat have remained stable in their substance; only minor wording revisions were made as part of an exercise to develop the OPC results and performance measurement framework during 2006-2007. Hence the structure of the PAA, the number of program activities, and corresponding allocation of funding have not been changed, nor has a submission to Treasury Board Secretariat for any formal modification been required. Nevertheless, and for purposes of clarity and transparency, we present in the table below the minor wording revisions that were made to the OPC PAA.
Wording of PAA in 2006-2007 RPP | Revised Wording of PAA in 2006-2007 DPR |
---|---|
Strategic Outcome: The privacy rights of Canadians are protected. | Strategic Outcome: The privacy rights of individuals are protected. |
Program Activity 1: Assess and investigate compliance with privacy obligations | Program Activity 1: Compliance activities |
Program Activity 2: Privacy issues: research and policy | Program Activity 2: Research and policy development |
Program Activity 3: Privacy education – promotion and protection of privacy | Program Activity 3: Public outreach |
Other Activities | Other Activities: Management excellence |
Link to the Government of Canada outcome areas: given that the OPC is independent from government, we do not link, or report, information from this Office to the Government of Canada outcomes.
The mandate of the OPC is to protect and promote the privacy rights of individuals.
The OPC is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.
The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate.
The Commissioner is an advocate for the privacy rights of Canadians and her powers include:
The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. In public sector matters, individuals may complain to the Commissioner about any matter specified in Section 29 of the Privacy Act. This Act applies to personal information held by Government of Canada institutions.
For matters relating to personal information in the private sector, the Commissioner may investigate all complaints under Section 11 of PIPEDA except in the provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta. Ontario now falls into this category with respect to personal health information held by health information custodians under its health sector privacy law. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. Also, PIPEDA applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.
We focus on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.
In brief, as a public advocate for the privacy rights of Canadians, the Commissioner carries out the following activities:
The following two tables present the total financial and human resources that the OPC has managed in 2006-2007.
Financial Resources (in thousands of dollars)
Planned Spending | Total Authorities | Actual Spending |
---|---|---|
$16,298 | $16,033 | $15,716 |
Human Resources
Planned | Actual | Difference |
---|---|---|
125 FTEs | 108 FTEs * | (17) FTEs |
* Full-Time Equivalent
In 2006-2007, the OPC focused its attention on key questions of national importance. We also addressed urgent issues as they arose in Parliament and in national dialogue. These issues included:
The OPC hosted jointly with University of Ottawa’s Law and Technology Group the “Internet Privacy Symposium” in February 2007. Leading experts on Internet privacy issues met in Ottawa to discuss new threats to online privacy, emerging trends and ways to better protect personal information in the future. The focus of the symposium was on research funded by the OPC through its Contributions Program. Topics discussed included: patient privacy and electronic health records; helping children understand Internet privacy issues; Internet privacy and the workplace; and, privacy issues and identity theft.
Under its Contributions Program, the OPC funded four research projects in 2006 that focused on new technologies. These projects dealt with: digital rights management technologies and consumer privacy; technology choices and privacy policy in health care; vehicle technology and consumer privacy; and, the secondary uses of health information and electronic medical records.
In November 2006, the OPC released a summary of its findings in a case involving the workplace use of Global Positioning Systems (GPS), which can track the location of a vehicle in real time. The OPC concluded that employers needed to carefully consider the privacy rights of their workers and limit the specific purposes for installing GPS into their vehicle fleets. Several workers complained that their employer, a telecommunications company, was using GPS to improperly collect their personal information, specifically their daily movements while on the job.
Finally, the Office published three information fact sheets on its web site dealing with new technologies and the challenges posed by these to privacy. These documents addressed digital rights management and technical protection measures, the risks of metadata and the ways in which personal information may be hijacked online.
The principal concern with interconnected (interoperable) information systems is that shared connections mean shared risks. The more interconnected systems become the less knowledge and control over the movement and use of personal information an individual system owner will have. To mitigate this risk, effective governance and control is required for the collective set of systems. This poses a major challenge for government and private sector organizations creating any such “systems of systems.” This is a particularly complex issue when systems connections and associated flows of information cross jurisdictional boundaries where different laws and standards may apply. The Office addressed this issue in some of its work.
During its review of certain privacy impact assessments for interconnected systems of the RCMP, the OPC raised concerns regarding the governance, control and accountability over the sharing of personal information for policing purposes at federal, provincial and municipal levels. As a result, a more comprehensive and overarching privacy impact assessment was undertaken by the RCMP for the National Integrated Inter-agency Information System (N-III).
While IT systems are not directly interconnected, personal information is shared by the Canada Border Services Agency (CBSA) with foreign jurisdictions. Effective control and accountability is required. As part of the audit of the CBSA, the OPC recommended that:
Another prime example of interconnected systems is the ongoing initiative to develop and implement electronic health record (EHR) solutions on a pan-Canadian basis. The OPC has taken a keen interest in the development of interoperable EHR systems across Canada and has helped advance the debate on these issues by funding a number of important research projects and contributing to stakeholder discussions and consultations on critical privacy issues associated with this initiative.
As mentioned above, in June 2006, the OPC published its audit of the personal information management practices of the Canada Border Services Agency with regards to transborder data flows. The report contains 19 recommendations or groups of recommendations for improvements on how the CBSA handles the international exchange of personal information. While the audit found that the CBSA has systems and procedures in place for managing and sharing personal information with other countries, significant opportunities exist to better manage privacy risks and achieve greater accountability, transparency and control over the transborder flow of data.
Also in June, the Office announced it was examining whether Canadians’ financial records were being improperly accessed by foreign authorities. This followed news reports and a letter sent by Privacy International to data protection authorities around the world – including Canada – alleging that authorities are obtaining access to Canadians’ information through SWIFT (the Society for Worldwide Interbank Financial Telecommunication), a European-based financial cooperative.
In April 2006, the Privacy Commissioner issued a statement congratulating the Government of Canada for its Federal Strategy to Address Concerns About the USA Patriot Act and Transborder Data Flows, which was officially launched at that time by the Treasury Board of Canada Secretariat. The Office also actively participated in the development process of that strategy.
During the fiscal year, the Office continued its work with two international bodies, the Organization for Economic Co-operation and Development (OECD) and Asia Pacific Economic Cooperation (APEC), to enhance the protection of personal information as it flows around the globe and to encourage cross-border enforcement cooperation.
Finally, in the matter of X. v. Accusearch Inc., dba ABIKA.com and Privacy Commissioner of Canada, the Federal Court of Canada rendered a decision clarifying our jurisdiction to investigate a complaint against an organization that operates outside of Canada to collect, use and disclose personal information about individuals in Canada for commercial profit. This decision confirmed the scope of our jurisdiction in matters involving cross-border flows of personal information.
In June 2006, the OPC presented to the Standing Senate Committee on Banking, Trade and Commerce a submission reviewing the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The Committee had been asked to undertake a review of the Act as per the legislation’s five-year review provisions. A little later in the year, the Office appeared before the same Senate Committee on the same issue, this time to provide its views on Bill C-25, An Act to amend the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. In both instances, the Office took the position that Canada’s anti-money laundering and anti-terrorist financing regime is novel and precedent setting because of the degree to which it requires private sector entities to collect information on behalf of the state. The OPC asked the Committee to consider carefully whether the proposals to expand Canada’s anti-money laundering and anti-terrorist financing regime as set out in Bill C-25 are necessary and proportionate.
In December 2006, the OPC acquired new oversight responsibilities under Bill C-25. The OPC is now required to regularly review compliance with the Privacy Act by the Financial Transactions and Reports Analysis Centre (FINTRAC). The Act mandates the Privacy Commissioner to review and report to Parliament on FINTRAC’s activities every two years. Accordingly, the OPC has already planned to conduct an audit of FINTRAC in 2007-2008. Providing the Commissioner with mandated review of FINTRAC’s activities is an important step because – as a result of Bill C-25 – the number of organizations required to monitor and to collect information about their clients and customers will increase, the amount of personal information being collected will expand, and more transactions will be subject to scrutiny and reporting.
The Personal Information and Electronic Documents Act
In July 2006, in preparation for the mandatory review of PIPEDA, the OPC issued a consultation paper which described several issues identified as warranting consideration during the review. The OPC invited input on the issues and possible amendments for consideration in the PIPEDA review. In response, the Office received 63 submissions that helped inform the OPC’s own thinking on the issues. Following this consultation, in November 2006 the Office tabled with the Standing Committee of the House of Commons on Access to Information, Privacy and Ethics (ETHI Committee) a background paper summarizing the views received and setting forth its preliminary views on how PIPEDA was functioning. This was followed up with an appearance before the Committee in February 2007, where the Commissioner presented a submission setting forth a more defined OPC position on the review of the Act. This submission noted that while the OPC believes PIPEDA is working reasonably well, deficiencies have come to light that were not anticipated when the Act was drafted several years ago.
The Privacy Act
In an October 2005 appearance by the Privacy Commissioner of Canada on the Annual Reports of her Office, the ETHI Committee extended an invitation to provide proposals for Privacy Act reform. In response, the Commissioner presented in June 2006 a discussion document on reforming the Act. It contained commentary on the factors driving the need for reform of the Privacy Act, as well as general proposals and recommendations for changes to the legislation. The Office also appeared before the Committee in June 2006 to present this discussion document, which contains many recommendations. The Privacy Act is a first generation privacy law that has not been substantially amended since its passage in 1982. The OPC believes that Canadians, elected and non-elected officials, as well as civil society groups representing broad-based societal interests should be engaged in a thoughtful, deliberate and informed discussion on reforming the Privacy Act.
Fiscal year 2006-2007 was Year 1 of the implementation plan for the OPC’s three-year business case (presented in 2005-2006 to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament). The OPC focused on organizational design, staffing and classification requirements during that first year as a result of newly approved resources for an almost 40 percent increase in personnel strength. However, the Office did not meet all of the objectives of the business case due to recruitment challenges, and as a result has not yet staffed all new positions.
The OPC regained its full staffing delegation authority in May 2006, which facilitated staffing efforts and demonstrated the continued improvements in our human resources management practices.
The OPC faced some accommodation challenges given the growth of the organization in 2006-2007. In order to address this challenge, the OPC worked closely with Public Works and Government Services Canada to acquire an additional 550 m² of space at its current location on Kent Street in Ottawa. This provided some relief but did not address long-term needs as the OPC will continue to grow over the next few years. The OPC has completed some initial work in preparing a business case for approval of a long-term accommodation plan. Work on this plan will continue in the next fiscal year in order to address ongoing needs on the accommodation front.
The OPC had identified six priorities for 2006-2007. The following table summarizes the priorities and expected results, provides high-level information on our actual performance, and includes a self-assessment of performance status using Treasury Board Secretariat’s ratings: successfully met, not met, or exceeded expectations.
More detailed information on actual performance is provided in Section II – Analysis by Program Activity.
Strategic Outcome: The privacy rights of individuals are protected.

| Priorities for 2006-2007 and Expected Results | Type | Actual performance | Performance Status |
|---|---|---|---|
| 1. Improve and expand service delivery: | Ongoing | | |
| | | | Partially Met |
| | | The PIA backlog did not diminish but has remained essentially unchanged over the fiscal year due to the loss of a key PIA review officer and delays in staffing the vacancy. | Not met |
| | | | Successfully met |
| | | | Successfully met |
| | | | Successfully met |
| 2. Respond to Parliament | Ongoing | | |
| | | | Successfully met |
| | | | Successfully met |
| 3. Participate in PIPEDA review and Privacy Act reform | Ongoing | | |
| | | | Successfully met |
| | | | Successfully met |
| 4. Plan and prepare for the 2007 International Data Protection and Privacy Commissioners Conference | New | | |
| | | | Successfully met |
| 5. Build organizational capacity: hire and integrate new staff, engage and train existing staff | New | | |
| | | | Not met |
| | | | Successfully met |
| | | | Successfully met |
| 6. Develop results-based systems and baselines | New | | |
| | | | Successfully met |
| | | | Successfully met |