ARCHIVED - RPP 2006-2007
Offices of the Information and Privacy Commissioners

• Previous Page
• Table of Contents
•  

This page has been archived.

---

Jennifer Stoddart Privacy Commissioner of Canada

The Honourable Vic Toews Minister of Justice and Attorney General of Canada

---

Section I:

Section II:

Section III:

Section I

Privacy Commissioner of Canada's Message

I am pleased to present this 2006-2007 Report on Plans and Priorities, which sets out the strategic directions, priorities, expected results and spending estimates for the Office of the Privacy Commissioner of Canada for the coming fiscal year.

Privacy is important, and Parliament has signalled its relevance and importance with the enactment of privacy laws and with the creation of this Office. Privacy is a right seen by many as fundamental, as the bedrock to many other civic, political, social and economic rights, including the right to autonomy, dignity and integrity of the person.

Increasingly, there are pressing and complex issues putting Canadians' informational privacy at risk — the willingness of government to share more and more information in the name of national security, personal data flowing across the borders, the pervasive use of technologies such as global positioning systems and radio frequency identification devices (RFIDs), and the potential of publicly available personal information being used for invasive or malevolent purposes.

In the last few years, it has been difficult for this Office to fully deliver on its multi-faceted mandate to fully promote and protect the privacy rights of Canadians. We do not have permanent funding to carry out our mandated activities under the Personal Information Protection and Electronic Documents Act (PIPEDA), as PIPEDA funding was granted initially for only three years and then renewed annually. With the coming into force of PIPEDA, which began in 2001 and reached full implementation in 2004, we understand that it was important to take stock before making long-term commitments. But PIPEDA has now been in full force for two years and the pressures are increasing. Furthermore, this Office has not had the adequate funding to deliver on our obligations under the Privacy Act.

This past year, our Office was pleased to take part in an innovative and entirely new process for seeking funding approval for the operations of Officers of Parliament. We embraced the opportunity to engage Parliament in a constructive dialogue about our funding needs. But before doing so, we certainly did our homework. Our Vision and Institutional Service Plan and our Business Case for Permanent Funding provided a comprehensive framework for protecting the privacy rights of Canadians and residents, and for serving Parliament in meeting its needs for privacy expertise as it considers legislation. The Service Plan and Business Case are the Office's blueprint for a stronger and more effective institutional role.

This Report on Plans and Priorities outlines the strategic directions, priorities, anticipated results and spending estimates within the context of this new Vision for our Office and for the federal privacy protection regime. A new Office, which will emerge in 2006-2007, will be one:

• that can undertake a meaningful number of audits and reviews to encourage greater compliance and proactively assist in the development of a robust privacy management framework in the public and private sectors;
• that can conduct legal and policy analyses of bills and legislation in support of the Parliamentary legislative role;
• that can make more proactive, extensive and effective use of the enforcement tools entrusted to us by Parliament, including Commissioner-initiated complaints, court action and public interest disclosure;
• that can carry out research, both internally and externally, into emerging privacy issues and trends, to help citizens and policy makers understand current privacy challenges resulting from globalization and technology;
• that can engage in significant public education to better inform individuals of their rights, and organizations of their obligations, as well as strategies to address privacy risks and vulnerabilities;
• whose streamlined investigation process can tackle the growing backlog of privacy complaints and ensure timely response to complaints from individuals; and, finally,
• is an organization that can truly sustain the institutional renewal efforts that have been put into place to ensure that it never again finds itself in the situation of 2003.

This is all very good data protection news for our Office, for Canadians, and for the organizations covered by federal privacy laws, both in the public and private sectors. The year 2006-2007 promises to be exciting and full of challenges. This Office is now poised to meet these challenges, to work toward fully implementing the mandate that was entrusted to us by Parliament, and to ultimately better protect the privacy rights of Canadians.

In closing, the OPC has recently expanded the membership of its External Advisory Committee to include a wider spectrum of Canadian society's interest in privacy protection. The Committee reviewed the strategic directions of the OPC and offered invaluable advice and insights to help our institution move forward with the implementation of our Vision and Institutional Service Plan. We are indebted to many distinguished members of the Committee for their observations and their support of our work. We look forward to continue receiving their advice on a range of privacy issues on which they are knowledgeable.

Jennifer Stoddart
Privacy Commissioner of Canada

Management Representation Statement

I submit for tabling in Parliament, the 2006-2007 Report on Plans and Priorities ( RPP ) for
the Office of the Privacy Commissioner of Canada.

This document has been prepared based on the reporting principles contained in Guide for the Preparation of Part  III of the 2006-2007 Estimates: Reports on Plans and Priorities and Departmental Performance Reports.

It adheres to the specific reporting requirements outlined in the TBS guidance:

• It is based on the department's approved Program Activity Architecture structure as reflected in its Management, Resources and Results Structure (MRRS);
• It presents consistent, comprehensive, balanced and accurate information;
• It provides a basis of accountability for the results achieved with the resources and authorities entrusted to it; and
• It reports finances based on approved planned spending numbers from the Treasury Board Secretariat in the RPP.

Jennifer Stoddart
Privacy Commissioner of Canada

Section II

Raison D'Être

The mandate of the Office of the Privacy Commissioner (OPC) is to oversee the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act, and within that context to promote privacy.

Our mission is to protect and promote the privacy rights of individuals in Canada, as they are set down in data protection law and the Canadian Charter of Rights and Freedoms. The oversight powers are those of an ombudsman, which allows us to play a fundamental role in providing advice and guidance, and brokering consensus and optimal compliance with the spirit of the law. This vision is based on existing powers as found in the Privacy Act (sections 29 to 68 and section 70.1) and PIPEDA (sections 11 to 25).

As ombudsman and public advocate for the privacy rights of Canadians, the Commissioner carries out the following activities:

• investigates complaints
• promotes awareness and understanding of privacy issues
• conducts audits
• participates in court actions
• publishes information about personal information handling practices in the public and private sectors
• advises on privacy impact assessments (PIAs) of new government initiatives
• reports to Parliament annually and on special issues
• comments on legislative initiatives
• conducts research into privacy issues

We interpret this mandate broadly and expansively, as an ombudsman should. The powers (sections 23 and 24) under PIPEDA give us a further role to coordinate with provinces with substantially similar legislation.

As an Officer of Parliament responsible for the application of two federal privacy statutes respecting the protection of personal information in Canada and as an ombudsman, the OPC defines its service framework along four mutually reinforcing roles (see graphic below):

• Parliament (MPs/Senators): Proactively supporting Parliament's needs
• Economy (Commercial Activities): Proactively promoting and enabling compliance
• Society (Individuals): Effectively processing complaints and increasing public literacy in privacy
• Government (Federal Departments/Agencies): Supporting the federal government's efforts to improve the privacy management framework

Firstly, the OPC serves the Parliament of Canada by providing expert advice on privacy issues raised by bills, legislation and regulations. In 2005, the OPC appeared before parliamentary committees a total of 16 times to comment on a broad range of bills and policy issues including amendments to the Statistics Act dealing with the release of census information, the review of the Anti-terrorism Act and consumer issues in the financial services sector. The OPC also serves Parliament by enforcing two federal privacy statutes. Thus, the OPC is both an implementation vehicle for Parliament and a tool to achieve accountability and transparency for the privacy management practices of the federal agencies and departments and private sector organizations engaged in commercial activities in Canada. From that perspective, the OPC can be seen as an institution serving democratic governance in Canada. Parliamentarians need to have access to current, clear information and advice on the impact that emerging technologies and enhanced security initiatives have on privacy rights. While the requirement for such information may relate to legislation, it might also relate to policy debates in Parliament, to constituency issues, or to the scrutiny of government operations in committees. Parliamentarians need the assurance that the information they require to make decisions and to do their jobs can be provided to them in a timely and unbiased fashion.

Secondly, the OPC helps Canadians, residents, visitors to Canada, and clients of organizations in Canada by investigating their complaints about the personal information management practices of the federal government and of the private sector. The OPC also helps the people of Canada by fostering better awareness and understanding of privacy issues and responding to their inquiries about the Privacy Act and PIPEDA. The OPC thus functions as a public institution serving to protect the fundamental privacy rights of individuals. We are a key institution to help preserve the trust of citizens and non citizens alike in the Canadian government and the private sector. Individuals need to have confidence in organizations that collect, use and share personal information that relates to them, and oversight is necessary to ensure trust. In an era of globalization, heightened security concerns and increasing transborder data flows, exercising oversight and building trust have become more important, and more challenging, than ever. With increasing amounts of personal information flowing across borders we have opened dialogues with other national agencies with similar mandates about working together to foster compliance and assist individuals who wish to pursue redress.

Thirdly, the OPC helps private sector organizations engaged in commercial activities meet their obligations under PIPEDA by providing guidance and promoting best practices. We do this by investigating complaints from clients, customers and employees, by publishing summaries of our complaint findings to help organizations understand their obligations, and by providing advice about the privacy implications of new products, services and technologies. The OPC plays a vital role in maintaining a viable commercial sector in Canada that adheres to the highest standards in the protection of personal information. This is necessary to meet growing expectations and rising standards in data protection both domestically and globally, as more and more countries adopt data protection statutes. Growing threats from trans-national criminal activity, notably spam, identity theft and data breaches, are driving the demand for more precise guidance, regulation, and oversight. From that perspective, the OPC can be seen as an institution serving a sustainable and competitive economy.

Fourthly, the OPC assists the federal government by helping departments and agencies covered by the Privacy Act implement the elements of a privacy management framework to comply with the provisions of the Act. Through our investigations, audit, review and privacy impact assessment functions, we try to provide advice that will prevent mistakes and subsequent breaches and complaints. Through policy analysis, research, and participation in interdepartmental committees, we contribute the privacy perspective at the design phase in policy development. The OPC serves as an instrument to achieve an effective and accountable public administration at the federal level. Complementary roles are performed by provincial and territorial commissioners, and through our collaboration with them, we try to ensure a harmonious approach to common policy challenges. The OPC also serves the cause of ethical government, because compliance with the Privacy Act is an integral part of the federal public service Code of Values and Ethics adopted by the government of Canada in June 2003, and which has since become a condition of employment for all federal public service employees. The Privacy Act has served Canada well for almost 25 years, but our values and privacy expectations have evolved. The OPC believes that the Privacy Act needs to be updated to reflect this new environment. Privacy Act reform will be a major priority for OPC in 2006-2007.

These four service roles define the OPC as a public institution dedicated to the protection of what many see as a fundamental human right, to accountable government, and to fostering a competitive marketplace through fair and equitable business practices. The Office of the Privacy Commissioner is unique in relation to other Officers of Parliament in that as an oversight agency it has responsibility for the private sector through PIPEDA, which applies to organizations engaged in commercial activities in Canada, as well as the public sector through the Privacy Act.

Overview of Resources and Priorities

Financial Resources (planned)

2006-2007	2007-2008	2008-2009
$16,298,000	$18,320,000	$17,833,000

Human Resources (planned)

2006-2007	2007-2008	2008-2009
125	143	139

The planned increase in financial and human resources from 2006-2007 to 2007-2008 is due to the phasing in of the resource levels. The resource levels peak in 2007-2008 due to the one-time costs associated with equipping new employees. The resource levels for 2008-2009 represent the forecast requirements for future years.

The planned spending numbers for 2006-07 through 2008-09 do not include spending that will be required for the implementation of the upcoming Federal Accountability Act (FedAA).  The OPC is in the process of developing a business case and implementation plan with respect to aspects of the FedAA which will impact the OPC; namely, the creation of an office to handle access to information and privacy requests, and an increased number of privacy investigators to handle new organizations who will now be subject to the Privacy Act upon passage of the FedAA. The exact funding and resource requirements will not be known until the OPC has concluded its internal analysis based on the final wording of the legislation and the coming into force dates.

Agency Program Priorities for 2006-2007

Given the broad scope of the OPC mandate, the number of issues that could be addressed at any given time is quite extensive. For 2006-2007, the OPC will focus its attention on a few key questions of national importance, understanding that we will also address urgent issues as they arise in Parliament and in national dialogue. The OPC plans to make these issues the main focus of research, communications, policy analysis and development.

New technologies	New data-gathering technologies, such as global positioning systems, radio frequency identification (RFID) and black boxes in vehicles, are being introduced on the market at an unprecedented rate. These technologies pose significant risks to privacy by making it easier to carry out illicit surveillance and privacy invasion. Additional research and communications are required to ensure that individuals' understanding and awareness of these risks keep pace with the technological progress.
Interconnected information systems	Electronic information records, including the most sensitive information such as financial, health and employment records held by the private and public sectors, pose challenges to the protection of personal information because information stored electronically is easier to analyze, manipulate and share. As the ability to create linkages between different records increases, so does the risk that information collected for a specific purpose will be used inappropriately or find its way into the wrong hands. Sound policy decisions are required to ensure effective privacy management frameworks govern networked information systems and their interconnections and that the risks to privacy are appropriately managed.
Trans-border data flows	The advances in communication networks, notably the Internet, have facilitated 24/7 processing of personal information around the globe. Borders have become irrelevant to data flows as business and governments seek more efficient and seamless data processing. Access to information about Canadians can be gained from anywhere in the world, thus raising a wide range of risks from the nuisance of spam to financial consequences of identity theft. The OPC must respond to these challenges through applied research, better collaboration with other jurisdictions and joint enforcement actions.
National security and law enforcement	There are many national security and law enforcement initiatives on the government's agenda. This Office is responsible for analyzing their implications for privacy, exercising oversight over such activities as well as creating greater public awareness of the effects of large scale surveillance on the rights of privacy and civic trust in public institutions. The OPC will examine the privacy implications of the DNA Identification Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Lawful Access legislative proposals as well as other bills, policies, measures (such as national identity cards, e-passports, etc.) and systems in support of national security and law enforcement objectives.
Legislative Review: Keeping the privacy rights of Canadians up to date	In the context of the statutory review of PIPEDA, planned for 2006-2007, the OPC intends to bring forward a set of proposals to strengthen and clarify the privacy rights afforded under the Act. The Privacy Act, however, is a first generation privacy law which has not been substantially amended since its inception in 1983. The law has not kept up with technological change and therefore the privacy management framework that determines the Canadian government's information practices does not meet the standard set in the private sector. The OPC will continue to advocate for a fundamental overhaul of the Privacy Act. Canadian privacy laws need to be periodically reviewed to ensure that they remain effective in protecting the right of privacy in the midst of new economy and e-government initiatives.

Agency Management Priorities for 2006-2007

	Type	Short-Term Outcomes
Strategic Outcome: Privacy rights of Canadians are protected
1. Improve and expand service delivery	Ongoing	Improved service levels — timeliness, responsiveness, initiative Reduced backlogs of complaints and PIA reviews Increased commissioner-initiated complaints and audits Increased participation in court applications Management of Information Technology Security Standard compliance achieved Business continuity plan in place Engagement activities launched for key audiences, such as Parliament, business, federal government, the general public, academics and the legal community
2. Respond to Parliament	Ongoing	Positive engagement with Parliament Key privacy issues identified and positions articulated Dialogue with provinces on issues of common interest
3. Participate in PIPEDA review and Privacy Act reform	Ongoing	PIPEDA review and Privacy Act reform framework documents available OPC strategy developed for PIPEDA review and Privacy Act reform, and implementation under way
4. Plan and prepare for the 2007 International Data Protection and Privacy Commissioners Conference	New	Plan for 2007 conference on track
5. Build organizational capacity: hire and integrate new staff, engage and train existing staff	New	Allocated resources fully utilized New staff fully integrated Trained management & staff, sub-delegated managers Regional offices planning completed
6. Develop results-based systems and baselines	New	Draft performance management framework and baseline measures in place Records information easily and quickly retrievable

Operating Environment

This section describes the operating environment of the OPC in three parts. The first part describes the major program delivery mechanisms; the second and third parts describe important internal and external factors affecting program delivery.

Major Program Delivery Mechanisms

Investigations and Inquiries

The OPC seeks to promote fair information management practices by both public and private sector organizations in Canada in accordance with two federal privacy laws — the Privacy Act, which was enacted in 1983, and PIPEDA, which began coming into effect in 2001 and which came into full force in 2004. The principal means of doing this is through complaint investigations, which are conducted by the OPC's Investigations and Inquiries Branch. The Branch investigates complaints from individuals alleging that their personal information has been collected, used or disclosed inappropriately.

In conducting this work, Investigations and Inquiries is supported by activities of other branches, such as the Legal Services and Research and Policy branches. The Legal Services Branch helps with the interpretation of the two Acts and is involved in litigation concerning the interpretation and application of these Acts and in cases relating to the jurisdiction and powers of the Commissioner. The Research and Policy Branch works with the Investigations and Inquiries Branch in establishing the Office's position on policy matters and provides investigators with research material to assist with the development of needed expertise in such areas as newly emerging technologies, which are the subject of an increasing number of complaints to the Office.

The Investigations and Inquiries Branch also responds to inquiries from members of the general public, government institutions, private sector organizations, and the legal community, who contact the Office on a wide variety of privacy-related issues.

Audits and Reviews

To safeguard Canadians' right to privacy, the OPC's Audit and Review Branch conducts compliance reviews under Section 37 of the Privacy Act. These reviews assess systems and practices for managing personal information from collection to disposal by federal departments and agencies. These reviews are carried out with reference to sections 4 to 8 of the Privacy Act and government policies and standards. This work is intended to encourage the growth of fair information practices by government institutions. The OPC also has the mandate, under Section 18 of PIPEDA, to conduct audits of the personal information management practices in the Canadian private sector.

Privacy Impact Assessments

The Government of Canada's Policy on Privacy Impact Assessments (PIA) has added to the responsibilities of the OPC. Our role, as defined in the Policy, is to assess the extent to which a department's PIA has succeeded in identifying privacy risks associated with a project or initiative and to comment on the appropriateness of the measures proposed to mitigate identified risks. The OPC views PIAs as an integral part of the federal government privacy management framework.

Support to Parliament

The Commissioner acts as Parliament's advisor on privacy issues, bringing to the attention of Parliament issues that have an impact on the privacy rights of Canadians. We do this by tabling annual reports to Parliament, by appearing before Committees of the House of Commons and the Senate to comment and advise on the privacy implications of proposed legislation and government initiatives and by identifying and analyzing issues that we believe should be brought to Parliament's attention.

The Office also assists Parliament to become better informed about privacy, acting as a resource or centre of expertise on privacy issues. This includes responding to a significant number of inquiries and letters from Senators and Members of Parliament.

Public Education and Communications

The Privacy Commissioner is specifically mandated under PIPEDA to conduct public education activities to ensure that the business community in Canada is complying with its obligations, as well as to make individuals aware of their rights.

Contributions Program

The Contributions Program supports the development of a national privacy research capacity in the voluntary, academic and not-for-profit sectors to generate and transfer knowledge on the privacy impact of emerging technologies, and the personal information management practices of the private and public sectors.

Internal Factors Affecting Program Delivery

The OPC is confident that in 2005-2006 we "turned a corner" in terms of dealing with the legacy of issues and challenges of the past few years. All of our staff continue to demonstrate an unwavering commitment to protecting and enhancing the privacy rights of Canadians, and there is new momentum in the organization as a result of changes implemented in recent years.

This new momentum offers for the Office both an opportunity and a challenge. The opportunity is to acquire new staff and to realign the organization so that all aspects of the OPC mandate are effectively and efficiently supported and resourced. The challenge is to successfully pilot the organization through the significant change that this will represent, so that all OPC resources are aligned, integrated, and effectively contributing to achieve our mandate and mission.

External Factors Affecting Privacy and the Office

The climate in which the OPC operates is a complex one, characterized by conflicting goals and trends. Canadians overwhelmingly, even in the face of threats to their security, believe that privacy is their right, and that it must be protected. They also want security, law enforcement, convenience, and value for money in the marketplace and in government services. This cluster of needs has some inherent conflict. The data protection law we administer to meet the privacy need is still very new in societal terms. It takes a while to seep into the culture, and until it does, there is an ongoing job of teaching, correcting and enforcement.

To some extent, that desire for and belief in privacy is ahead of reality, as our Office deals with a population that has not learned enough about the matter to take steps to protect themselves. Public education is essential if we are to live in a community with respect for basic rights. Meanwhile, society rushes forward with the implementation of new technologies that erode privacy and produce new ways to gather data, making that job of public education more difficult each day. Who understands the black box that is in their new car, reporting on geo-positioning and speed? Who understands what data their cellular operator has about their calls? When Canadians say to pollsters that they support or don't support a national identity card or a biometric passport, who understands what that means and what databanks and registration platforms, what security measures and physical readers might be entailed in the process?

Neither the population subject to these new surveillance systems, nor the organizations or government departments implementing them, are finding it easy to keep up with the pace of change. They all struggle to understand the impact of new initiatives and technologies, and systems integrators both in the public and private sectors need help to try to ensure they respect the requirements of data protection law. It is the OPC 's responsibility, mandated through law and policy, to assist them.

None of these technical issues had presented themselves when the Privacy Act was drafted in 1982, because there were no personal computers, no Internet, no cell phones, no geo-positioning systems, let alone biometrics and RFID chips or nanotechnology. Our Office has pointed out on many occasions that the Privacy Act is long overdue for an update, because it was crafted in the era of reel to reel computer tapes and paper files in filing cabinets, when trans-border data flow almost entirely was achieved through shipping goods, tapes or paper, not digital bits.

Nevertheless, even with the old car we are driving to transport the privacy rights of Canadians into the 21st century, we believe we can refocus our activities to achieve more, and to reflect what Parliament asked of us when it passed PIPEDA in 2000. PIPEDA contains a broader suite of powers than the Privacy Act, including public education, a broader basis for litigation, the right to take our own cases to the Federal Court, and the power of the Court to award damages. We are trying to respond to the growing demands of Canadians and of Parliament to be the counterbalance on the teeter-totter of public safety and national security versus the rights of the individual to a private life, and we must fully utilize the toolkit Parliament has provided in this recent legislation, not cling to old ways.

OPC Plans and Priorities for 2006-2007

Detailed Description

The OPC is confident that an increase in resources will enable it to increase its capacity to:

1. carry out audits and reviews to encourage greater compliance of the federal public sector and commercial activities with federal privacy laws;
2. conduct legal and policy analyses of bills and legislation in support of Parliament's interest for privacy protection;
3. carry out research, both internally and externally, in emerging privacy issues and trends (technology, etc);
4. engage in significant public education to better inform individuals about contemporary privacy challenges;
5. streamline the investigation process and tackle the growing backlog of privacy complaints from individuals; and
6. sustain its institutional renewal efforts by offering greater professional development opportunities, improving management practices and making optimal use of information technology.

As a result, 2006-2007 will be a pivotal year for the OPC, the year in which we build a foundation for this capacity increase and renewal, by focusing on the following strategic priorities:

2006-2007 Strategic Priorities	Type
1. Improve and expand service delivery	Ongoing
2. Respond to Parliament	Ongoing
3. Participate in PIPEDA review and Privacy Act reform	Ongoing
4. Plan and prepare for the 2007 International Data Protection and Privacy Commissioners Conference	New
5. Build organizational capacity; hire and integrate new staff, engage and train existing staff	New
6. Develop results-based systems and baselines	New

1. Improve and expand service delivery

This priority crosses all program activities and organizational boundaries, with a particular focus on the following:

1. Reduce the backlog of complaints and PIA reviews
   This is an essential step in increasing the trust of Canadians in the OPC and our ability to protect privacy rights of Canadians. Prompt and effective treatment of these files also provides a key opportunity for education and knowledge transfer. In addition to hiring new resources, activities planned to reduce the backlog include:
   • Increasing automation and use of technology
   • Reviewing and changing business processes to increase efficiency
2. Increase commissioner-initiated complaints and audits
   This is an essential component of our strategy to transform our basic role from being a complaints-driven, responsive organization to one that is proactive, with a holistic and multifaceted approach to privacy protection. The OPC will select specific issues to move forward through intentional action to raise awareness and enforce compliance.
3. Launch engagement and education activities for key audiences
   These key audiences may include Parliament, business, federal government, the general public, academics and the legal community. A comprehensive plan has been developed for public education and communications activities. In addition, all branches of the organization will be expected to integrate information-sharing and education into their communications with external groups.

2. Respond to Parliament

As stated above, the OPC is committed to providing Parliamentarians with accurate and timely information on privacy issues, whether the request relates to legislation, to policy debates in caucus or in Parliament, to constituency issues, or to the scrutiny of government operations in Committees. In addition to responding promptly to requests from Parliament, the OPC plans to:

1. Identify key privacy issues and clearly articulate positions on these issues; this work will support advice to Parliament as well as public education and awareness efforts.
2. Engage provinces/territories in dialogue on issues of common interest; the purpose of this work is to help build Canadian expertise in the protection of personal information and to help ensure that all elements of the system work together for the protection of privacy rights.

3. Participate in PIPEDA review and Privacy Act reform

PIPEDA includes a provision for a parliamentary review every five years after its coming into force. Since the Act came into effect in 2001, a review by a committee of the House of Commons, or of both Houses of Parliament, is expected in 2006. The OPC will prepare for this review by developing an adoption and implementation strategy, and by drafting framework documents that highlight the issues and lessons learned in this first implementation period.

Our Office has pointed out on many occasions that the Privacy Act is long overdue for an update. When it was drafted in 1982, there were no personal computers, no Internet, no cell phones, no geo-positioning boxes, let alone biometrics and RFID chips or nanotechnology, and there is a need to modernize the Act to take into account the proliferation of these new technologies. We remain ready to support Parliament in the review of the Privacy Act in the event that it chooses to proceed.

4. Plan and prepare for the 2007 International Data Protection and Privacy Commissioners Conference

In September 2007, Canada will be hosting the 29 th International Data Protection and Privacy Commissioners Conference, bringing together representatives from the world of business, public administration, science, the IT industry as well as governmental and non-governmental organizations to discuss leading-edge issues related to privacy and the protection of personal information. This will provide a unique opportunity to highlight and enhance Canada 's international role in promoting privacy standards. To succeed, s uch a major event requires careful planning and preparation, and these activities will require significant resources in 2006-2007. The planning effort is already under way, and responsibilities have been assigned within OPC to move forward on the event programme and logistics. The OPC intends to work in partnership with provincial and territorial commissioners to ensure that this conference is a success.

5. Build organizational capacity: hire and integrate new staff, engage and train existing staff

Much of our energy and effort will be directed to increasing our organizational capacity to approved levels. In order to achieve success, our plan includes two major components:

1. Hire and integrate new staff
   Although this appears simple, in the federal government context it is a lengthy and time-consuming process, all the more so when new organizational structures have to be put in place. Planned activities include:
   • Reviewing and revising the organizational structure, including the creation of regional offices
   • Creating and classifying new positions
   • Recruiting applicants
   • Screening and selecting new staff
   • Orienting and integrating new staff into the organization
2. Engage and train existing staff
   All of our energy cannot be directed to new staff. Success also depends on our ability to build the capacity of existing staff, who will play a critical role in keeping the organization on track by sharing their expertise and mentoring newcomers to quickly adapt and become productive. Planned activities include the identification and provision of training and development opportunities for staff, based on personal learning plans and organizational learning priorities.

6. Develop results-based systems and baselines

This priority is a cornerstone of our strategy to increase capacity and become a model of corporate excellence and innovation. To be able to report on progress, we must have the systems in place to measure our performance, and we must have a clear baseline of our current levels of performance. In 2006-2007, we will focus specifically on the following elements:

1. Finalize the OPC performance management framework and establish baseline measures.
2. Implement the use of records-management systems so that information is easily and quickly retrievable.

Section III

Analysis by Program Activity

This section provides information on the basis of the Office's program activity architecture (PAA). The PAA provides the structure for planning and reporting the Office's activities.

Our program has four operational activities aimed at achieving one strategic outcome on behalf of Canadians.

Strategic Outcome	Protection of the Privacy Rights of Canadians
Activities	1. Assess and investigate compliance with privacy obligations	2. Privacy issues: research and policy	3. Privacy education — promotion and protection of privacy

Program Activity 1: Assess and investigate compliance with privacy obligations

Planned Resources:

	2005-2006	2006-2007	2007-2008	2008-2009
Financial Resources - $000	7,696	10,154	11,115	10,681
Human Resources - FTEs	76	88	98	93

The planned increase in the level of resources from 2005-2006 to 2007-2008 is based on the phasing in of resource levels. The resource levels for 2006-2007 and 2007-2008 include the one-time costs of equipping new offices for employees and additional resources for those years to eliminate the backlogs in investigations and inquiries.

Activity Description

The OPC is responsible for investigating complaints and responding to inquiries received from individuals and organizations who contact the Office for advice and assistance on a wide range of privacy-related issues. The OPC also assesses how well organizations are complying with requirements set out in the two federal laws and provides recommendations on PIAs pursuant to the Treasury Board of Canada policy. This activity is supported by a legal team that provides specialized legal advice and litigation support.

Expected Results for 2006-2007

• Improved service levels — timeliness, responsiveness, initiative
• Reduced backlogs of complaints and PIA reviews
• Increased commissioner-initiated complaints and audits

Priorities for this Activity

The operations under this activity will contribute to the achievement of the following priority described in Section II.

Priorities	Type
Improve and expand service delivery	Ongoing

Performance Measurement and Reporting

We will report on our performance under this activity using indicators that measure workload and output such as:

• the number of inquiries, complaints and PIAs received, in process and closed
• the volume of court applications in which the OPC is actively involved
• the number of audits and reviews completed compared to plan / as received
• the percentage of complaints resolved to the satisfaction for both the complainant and the respondent using alternate dispute resolution methods
• the number of commissioner-initiated complaints and audits

We will also measure outcomes, for example the implementation of recommendations made as a result of investigations, reviews of PIAs, and audits and reviews.

Program Activity 2: Privacy issues: research and policy

Planned Resources:

	2005-2006	2006-2007	2007-2008	2008-2009
Financial Resources - $000	2,003	3,393	3,956	3,930
Human Resources - FTEs	14	19	23	23

Activity Description

The OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends, monitoring legislative and regulatory initiatives, providing analysis on key issues, and developing policy positions that advance the protection of privacy rights. An important part of the work done involves supporting the Commissioner and Assistant Commissioners in providing advice to Parliament on legislation and on government program and private sector initiatives that may impact on privacy.

Expected Results for 2006-2007

• Positive engagement with Parliament
• Involved in dialogue with provinces and territories on issues of common interest
• PIPEDA review and Privacy Act reform framework documents available
• OPC strategy developed for PIPEDA review and Privacy Act reform, and implementation under way
• Plan for 2007 International Data Protection and Privacy Commissioners Conference on track

Priorities for this Activity

The operations under this activity will contribute to the achievement of the following three priorities described in Section II.

Priorities	Type
Respond to Parliament	Ongoing
Participate in PIPEDA review and Privacy Act reform	Ongoing
Plan and prepare for the 2007 International Data Protection and Privacy Commissioners Conference	New

Performance Measurement and Reporting

The Office will report in the 2006-2007 Departmental Performance Report and/or in its annual reports on the outputs of this activity using indicators such as the appearances before parliamentary committees (number, purpose and result); the support provided to individual Parliamentarians (number of inquiries, meetings, requests for information, etc.); the major research and policy documents produced (number and issues addressed); and the status of PIPEDA review and Privacy Act reform processes. We will also report on key milestones achieved in the preparation of the 2007 International Data Protection and Privacy Commissioners Conference.

Program Activity 3: Privacy education — promotion and protection of privacy

Planned Resources:

	2005-2006	2006-2007	2007-2008	2008-2009
Financial Resources - $000	1,614	2,751	3,249	3,222
Human Resources - FTEs	10	18	22	22

Activity Description

The OPC plans and implements a number of public education and communications activities, including speaking engagements and special events, media relations, and the production and dissemination of promotional and educational material.

Expected Results for 2006-2007

• Key privacy issues identified and positions articulated
• Engagement activities launched for key audiences, such as Parliament, business, federal government, the general public, academics and the legal community

Priorities for this Activity

This activity will contribute to the achievement of the following two priorities described in Section II.

Priorities	Type
Improve and expand service delivery	Ongoing
Respond to Parliament	Ongoing

Performance Measurement and Reporting

We will report on the outputs and results of this activity using indicators such as the volume of inquiries handled, the use of our Web site, the number of publications distributed, the number of presentations made to key target audiences. We will also wherever possible, evaluate the impact or outcome of our proactive outreach efforts through anecdotal and quantitative and qualitative research.

Other Activities

Activity Description

The OPC continues to enhance and improve its management practices in order to meet the highest standards of performance and accountability. Although the resources captured in this section are those allocated specifically to Corporate Services, all managers of the OPC are expected to take responsibility for the expected results, and to integrate the necessary activities in their operational plans.

Expected Results for 2006-2007

• Trained management and staff, sub-delegated managers
• Allocated resources fully utilized
• New staff fully integrated
• Records information easily and quickly retrievable
• MITS compliance achieved
• Business continuity plan in place
• Regional offices planning completed
• Draft performance management framework and baseline measures in place

Priorities for these Activities

These activities will contribute to the achievement of the following three priorities described in Section II.

Priorities	Type
Build organizational capacity: hire and integrate new staff, engage and train existing staff	New
Improve and expand service delivery	Ongoing
Develop results-based systems and baselines	New

Performance Measurement and Reporting

We will report on the outputs and results of this activity using indicators such as:

• the number of staffing actions initiated, in process and completed
• the number of new employees hired
• investments in learning and development

We will also report on changes to the organization and improvements to our management capacity, such as:

• changes to the organization structure, if any
• new systems and baselines

Organizational Information

The Privacy Commissioner is an Officer of Parliament appointed by the Governor-in-Council following approval of her nomination by resolution of the Senate and the House of Commons. The OPC is designated by Order-in-Council as a department for the purposes of the Financial Administration Act. As such, it is established under the authority of schedule 1.1 of the Financial Administration Act and reports to Parliament for financial administration purposes through the Minister of Justice. The Privacy Commissioner is accountable to and reports directly to Parliament on all achieved results.

The roles of the Research and Policy, Public Education and Communications, Legal Services, Investigations and Inquiries, and Audit and Review Branches are described in the preceding sections. The roles of the administrative branches, Corporate Services and Human Resources, are set out below.

Corporate Services

The Corporate Services Branch, headed by the Office's Chief Financial Officer provides advice and integrated administrative services (corporate planning, finance, information technology and general administration) to managers and staff.

The Branch's most important priority will be to lead the implementation of the business case plans that will enable the Office to fulfil its mandate efficiently and effectively. The business case plans will necessitate a complete review of branch design, staffing and classification requirements as well as a comprehensive accommodation plan.

The Corporate Services Branch will also lead a number of important initiatives linked to the OPC 's goal of becoming a well-managed, effective and efficient Parliamentary agency. These initiatives focus on developing and implementing the Office's management accountability framework and integrated information management architecture. Specific projects include:

• threat and risk assessment, business impact assessment, and business continuity plan
• phase 2 of the information management project
• review of Corporate Services policies
• continuation of OPC strategic planning exercises with integrated human resource, financial and information technology/information management plans.

Human Resources

Human Resources is responsible for the management and delivery of comprehensive human resource management programs in areas such as staffing, classification, staff relations, human resource planning, learning and development, employment equity, official languages and compensation.

The priorities for the HR Branch in the 2006-2007 fiscal year include:

• continue working with the Public Service Commission in order to regain full, unconditional delegation in staffing;
• implementing the human resource strategy that addresses the Office's staff recruitment, retention and development needs;
• completing a review of branch designs, staffing and classification requirements as a result of the newly approved resources;
• continuing to work with the Canada School of Public Service on training and information sessions for all staff as part of the OPC learning environment;
• capacity building and enhancing staff skills as well as developing a retention and succession strategy;
• continuing implementation of requirements under the new Public Service Employment Act and the Public Service Modernization Act ; and
• integrating human resources planning with overall strategic planning and identifying key risks, challenges and necessary actions.

Resource Tables

Table 1: Departmental Planned Spending and Full Time Equivalents

($ thousands)	Forecast Spending 2005-2006	Planned Spending 2006-2007	Planned Spending 2007-2008	Planned Spending 2008-2009
Vote 45 - Operating expenditures	3,925	14,460	16,192	15,764
Statutory - Contributions to employee benefit plans	728	1,838	2,128	2,069
Total Main Estimates	4,653	16,298	18,320	17,833
Adjustments:
Funding provided through transfers from TB Vote 5 and Governor General Special Warrants in lieu of Supplementary Estimates for activities under PIPEDA	7,135	--	--	--
Total Planned Spending	11,788	16,298	18,320	17,833
Plus: Cost of services received without charge
Accommodation provided by Public Works and Government Services Canada (PWGSC)	823	990	1,065	1,146
Contributions covering employers' share of employees' insurance premiums and expenditures paid by TBS (excluding revolving funds)	572	774	896	871
Audit of the financial statements by the Office of the Auditor General of Canada	110	90	90	90
Cost of Program	13,293	18,152	20,371	19,940

Full Time Equivalents	80	125	143	139

Explanation of Trends

The planned increased resources are being phased-in over two years, 2006-2007 and 2007-2008. The planned spending for those two years also includes the one-time costs of fitting up offices and systems for the increased staff; in addition resources are temporarily provided in those years to eliminate the backlog in Investigations and Inquiries. The planned spending for 2008-2009 represents the resource utilization on an on-going basis.

Table 2: Program Activities

Program Activity ($)	Operating	Contributions	Total Main Estimates
Assess and investigate compliance with privacy obligations	10,154,000	--	10,154,000
Privacy issues: research and policy	3,018,000	375,000	3,393,000
Privacy education — promotion and protection of privacy	2,751,000	--	2,751,000
Total	15,923,000	375,000	16,298,000

Table 3: Resource Requirements by Branch - 2006-2007

($)	Assess and investigate compliance with privacy obligations	Privacy issues: research and policy	Privacy education — promotion and protection of privacy	Total
Offices of the Commissioner and Assistant Commissioners	428,000	428,000	428,000	1,284,000
Investigations and Inquiries	3,567,000	--	--	3,567,000
Research and Policy	--	1,713,000	--	1,713,000
Audit and Review	1,655,000	--	--	1,655,000
Legal Services	927,000	397,000		1,324,000
Regional Offices	162,000	--	378,000	540,000
Communications	--	--	1,257,000	1,257,000
Corporate Services	2,811,000	743,000	609,000	4,163,000
Human Resources	604,000	112,000	79,000	795,000
Total	10,154,000	3,393,000	2,751,000	16,298,000

The Offices of the Commissioner and Assistant Commissioners include the costs of federal-provincial coordination and international activities. The OPC budgets centrally for many of its costs. For example, Corporate Services includes the costs of information management and information technology (computer systems and computer equipment for all employees), office furniture and supplies and telecommunications. Human Resources Branch includes the cost of employee training.

Sources of Additional Information

Legislation Administered by the Privacy Commissioner

Privacy Act 85, ch. P21, amended 1997, c. 20, s. 55	R.S.C. 1985, ch. P21, amended 1997, c.20, s. 55
Personal Information Protection and Electronic Documents Act	2000, c.5

Statutory Annual Reports, other Publications and Information

Statutory reports, publications and other information are available from the Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; tel.: (613) 995-8210 and on the Office's Web site at www.privcom.gc.ca

• Privacy Commissioner's annual reports
• Performance Report to Parliament, for the period ending March 31, 2005
  You can obtain a copy through local booksellers or by mail from Public Works and Government Services — Publishing, Ottawa, Canada K1A 0S9
• Your Privacy Rights: A Guide for Individuals to the Personal Information Protection and Electronic Documents Act
• Your Privacy Responsibilities: A Guide for Businesses and Organizations to the Personal Information Protection and Electronic Documents Act

Contact for Further Information on the Report on Plans and Priorities

Mr. Tom Pulcine
Director General, Corporate Services/Comptroller
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112, Kent St., Suite 300
Ottawa, Ontario K1A 1H3
Telephone: (613) 996-5336
Facsimile: (613) 947-6850

• Previous Page
• Table of Contents
•