Common menu bar links
Breadcrumb Trail
ARCHIVED - Office of the Privacy Commissioner of Canada
This page has been archived.
Archived Content
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Message from the Privacy Commissioner of Canada
I am pleased to present this 2010-2011 Report on Plans and Priorities, which sets out the strategic directions, priorities, expected results and spending estimates for the Office of the Privacy Commissioner of Canada (OPC) for the coming fiscal year.
At the start of this final year of my seven-year term as Privacy Commissioner, I am reflecting on both the challenge and the sense of satisfaction that have come from guiding this Office through a period of significant tumult and into an era of unprecedented growth, relevance and dynamism.
The vitality of today's OPC was driven home last summer when we published our investigative report on the privacy policies and practices of social networking giant Facebook. As the world lavished attention on our work, it was clear how much privacy continues to matter, and that our organization has a powerful role to play in securing the privacy rights of Canadians.
As this Report on Plans and Priorities makes clear, we are carrying out our mandate in several important ways: through our inquiries and complaints investigations functions, our audits and Privacy Impact Assessment reviews, our communications and strategic outreach efforts, and our legal, Parliamentary and policy-review work. We are also investing efforts in engaging the international community, because data flows respect no borders.
In the coming year, I am confident that still greater things lie ahead for this organization. We are finding ways to concentrate our efforts where they will yield the most impact. Toward that end, we have selected what we consider to be the four most significant emerging challenges to the privacy rights of Canadians: information technology, national security, the protection of identity, and genetic information. We are also reengineering our investigative processes in order to focus on systemic issues, and to wipe out what was, not long ago, a crippling backlog of cases.
Over the past few years, the Office of the Privacy Commissioner of Canada has matured into a stable and sophisticated organization with talented employees dedicated to serving the public. As a credible and influential voice for the protection of privacy, our commitment in the year ahead is to maintain this momentum with a bold, focused and forward-looking agenda.
The OPC's five corporate priorities for 2010-2011 are to:
- redefine service delivery through innovation to maximize results;
- provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, genetic information);
- strategically advance global privacy protection for Canadians;
- support Canadians, organizations and institutions to make informed privacy decisions, and
- enhance and sustain organizational capacity.
I am pleased to be able to lead this Office through the final year of my mandate, and look forward to the opportunity to report on more successes as the year unfolds.
The original version was signed by
Jennifer Stoddart
Privacy Commissioner of Canada
Section I: Overview
1.1 Summary Information
Raison d'être
The mandate of the Office of the Privacy Commissioner of Canada is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals1.
Responsibilities
The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians and her powers include:
- investigating complaints, conducting audits and pursuing court action under two federal laws;
- publicly reporting on the personal information-handling practices of public- and private-sector organizations;
- supporting, undertaking and publishing research into privacy issues, and
- promoting public awareness and understanding of privacy issues.
The Commissioner works independently from other parts of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. The focus is on resolving complaints through negotiation and persuasion, using mediation and conciliation as appropriate. If voluntary co-operation is not forthcoming, however, the Commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may seek an order from the Federal Court to rectify the situation.
Strategic Outcome and Program Activity Architecture (PAA)
In line with its mandate, the OPC pursues as its Strategic Outcome the protection of the privacy rights of individuals. Toward that end, the Office's architecture of program activities is composed of three operational activities and one management activity. The PAA diagram below presents information at the program activity level:
Strategic Outcome
The privacy rights of individuals are protected.
| Program Activity |
|---|
| 1. Compliance Activities |
| 2. Research and Policy Development |
| 3. Public Outreach |
| 4. Internal Services |
Alignment of PAA to Government of Canada Outcomes
Federal departments are required to report on how their PAA aligns with the Government of Canada Outcomes. The Privacy Commissioner, being independent from government, reports directly to Parliament. The Strategic Outcome and the expected results from the work of the Office of the Privacy Commissioner of Canada are detailed in Section II of this Report on Plans and Priorities.
1.2 Planning Summary
The following two tables summarize the total planned financial and human resources required by the OPC over the next three fiscal years.
| 2010-2011 | 2011-2012 | 2012-2013 | |
|---|---|---|---|
| Planned Spending | 22,390 | 22,413 | 22,413 |
| Adjustment: Electronic Commerce Protection Act (ECPA)*** |
849 | 2,154 | 2,154 |
| Adjusted Planned Spending | 23,239 | 24,567 | 24,567 |
| 2010-2011 | 2011-2012 | 2012-2013 | |
|---|---|---|---|
| Planned FTEs | 173 | 173 | 173 |
| Adjustment: Electronic Commerce Protection Act (ECPA)*** |
4 | 6 | 6 |
| Adjusted Planned FTEs | 177 | 179 | 179 |
** FTE: Full-Time Equivalent.
*** Pending final Parliamentary and Treasury Board approvals.
Contribution of Priorities to the Strategic Outcome
The OPC has a single Strategic Outcome (SO 1), which is that the privacy rights of individuals be protected. Toward that end, the OPC identified five corporate priorities: four are operational in nature and the fifth relates to the management of the organization.
The table below describes how each corporate priority contributes to the Strategic Outcome, and what the OPC plans to do in 2010-2011 to make progress toward each priority. More detail about those planned activities is provided in Section II.
| Corporate Priority | Type2 | Link to Strategic Outcome | Description |
|---|---|---|---|
| 1. Redefine service delivery through innovation to maximize results | New | SO 1 | Effective delivery of complaint-resolution processes is essential to the protection of individual privacy rights. The OPC will:
|
| 2. Provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, and genetic information) | Previous | SO 1 | In 2008-2009, the OPC launched a horizontal approach to focus on four emerging privacy issues over the next few years. A strategic plan for each priority issue sets goals and identifies concrete action items. More details are available on the OPC website at http://www.priv.gc.ca/ aboutUs/message_e.cfm#contenttop. Implementation of the plans started in 2009-2010. In 2010-2011, the OPC will:
|
| 3. Strategically advance global privacy protection for Canadians | Previous | SO 1 | Governments and businesses increasingly operate transnationally. The OPC will continue to work with international stakeholders to advance global privacy protection for Canadians. The OPC will:
|
| 4. Support Canadians, organizations and institutions to make informed privacy choices | Previous | SO 1 | The OPC will continue to provide Canadians with information and tools to understand and protect their privacy rights. The Office will also work with organizations and institutions to understand their privacy obligations and comply with applicable legislation. The OPC will:
|
| 5. Enhance and sustain organizational capacity | Ongoing | SO 1 | Over the past five years, the organization has more than doubled in size and budget to meet a constantly growing demand for privacy protection. More than ever, the OPC relies on its competent and dedicated staff, and understands that they, in turn, require a work environment that is conducive to performance through access to information and state-of-the-art tools. In 2010-2011, the OPC will:
|
Risk Analysis
External factors and key risks influence the OPC's choice of corporate priorities, affect plans and performance, and drive decision-making. The OPC continually scans its environment to remain responsive to change. This section describes the strategic context for the priority activities presented in the preceding table.
External Factors
A large proportion of Canadians have access to high-speed telecommunications networks and spend a significant amount of time communicating with one another, taking advantage of online services, and participating in online communities. Networked technology strengthens existing relationships and promotes bonds among individuals with similar interests.
In step with this trend, governments and private-sector organizations are also increasingly likely to move their operations online. That, in turn, tends to lead to the collection of extensive amounts of personal information.
The preferences and purchasing intentions of Canadian consumers are valued by advertisers and merchants. The capacity for organizations to direct targeted advertising at individuals will only increase as mobile devices become more common, especially if they emit data on their geographic location.
Personal information is of paramount interest to national security and law enforcement agencies as well. In fact, telecommunications service providers may soon be directed to build infrastructure that can capture significant quantities of data and make it available to law enforcement agencies. This would allow agencies to pursue leads, conduct surveillance, launch investigations, and share data with international law enforcement and national security partners.
Many citizens, for their part, appear willing to exchange their personal information for relatively little reward. Individuals today are exchanging personal information with a mounting number of other people and organizations, in both the private and public sectors, at home and abroad. Indeed, it is now possible to become the "friend" of a corporate marketing mascot and the "fan" of a brand of detergent.
Privacy regulators around the world struggle with the enforcement of privacy rights and data protection legislation in this new environment. What is the appropriate level of intervention in this situation? What do Canadians expect from privacy regulators?
The OPC's challenge is to find an approach that promotes technological innovation, while ensuring that Canadians' privacy rights continue to be protected. In practice, this will involve a combination of public education, guidance and, where necessary, investigative action and sometimes litigation. Given the pervasive nature of these new technologies, the Office will continue to work with international counterparts to address the privacy challenges created by this new reality.
Key Risks
For the OPC to be successful in this environment, it must manage risks to its activities through controls and mitigating strategies. While risks are managed every day, the Office formally updates its corporate risk profile once a year to document its risk actions, including categorizing risks based on their likelihood and severity of potential impact. Here are the three most critical risks currently faced by the Office:
1. Business Demand
Business demands continue to exceed the capacity of the organization. As such, the Office could find itself unable to meet all of its legislative and mandated requirements, or failing to deliver on a public commitment. The Office has, however, taken a number of steps to address the challenge:
- Over the past few years, the OPC has invested substantial effort to reduce a backlog of investigations and Privacy Impact Assessment (PIA) reviews, and to streamline work processes through a major re-engineering project. The Office will continue to explore the use of alternative interventions to respond to demands more efficiently.
- Since 2005-2006, the OPC has secured additional funding, which was used to increase capacity and to meet new responsibilities, such as expanded public outreach activities and the delivery of programs in the context of the Federal Accountability Act.
- As privacy issues proliferate, the Office has become more strategic by tackling four key emerging issues as priorities. They are: information technology, national security, identity integrity and protection, and genetic information.
- The OPC will continue to employ diverse staffing and contractual strategies to build and maintain the necessary organizational capacity, while constantly monitoring resource levels.
These actions have mitigated this capacity risk but the OPC remains vulnerable as demands continue to increase and the specialized investigative and audit skills needed by the Office remain in short supply in the labour market. For now, however, the OPC remains on track in implementing its resourcing strategy from the 2008-2011 Integrated Business and Human Resources Plan.
2. Data Protection
Protecting data from unauthorized disclosure is a second key challenge for the OPC.
The OPC already has significant security measures and safeguards in place. For example, it conducts periodic threat and risk assessments, uses encrypted USB storage devices and web filtering, registers all visitors at reception, and provides regular information-security training to staff.
In February 2009, the OPC also implemented a new privacy breach policy. As an added measure, an internal audit of information security is currently underway, with the resulting recommendations expected to be implemented during the 2011-2012 fiscal year.
Even so, data may be vulnerable to breach, either through system or human error. Risks include the inadequate or inconsistent application of internal security procedures, improper system architecture, or roles-based access to systems, a term used in informatics to indicate that an employee's access to an organization's information system is based on his or her role.
As with any organization, the modern reliance on technological tools to manage operations and exchange information demands that internal security procedures be scrupulously applied.
3. Investigations Backlog
The third critical risk to the OPC is the possibility of not completing the elimination of the investigations backlog by March 2010, as originally planned. The backlog consists of all complaints files that are older than one year, from the time of receipt by the Office.
The OPC has been treating the backlog issue as its first priority for several years. In 2008-2009, the OPC obtained additional funding from Treasury Board for several initiatives, including the elimination of the backlog within a clearly stated deadline.
At the time of preparing this report, the backlog had been reduced from 725 files in November 2008 to 283 files in December 2009, and additional measures were being implemented to eliminate it completely. However, the risk remains as well as a few complex cases, which are difficult to quantify at this time, may not be closed by the end of the fiscal year.
Expenditure Profile
In 2010-2011, the OPC plans to spend $22.39 million to advance its five corporate priorities, meet the expected results of its Program Activities, and contribute to its Strategic Outcome.
Spending Trend from 2006-2007 to 2012-2013
The figure below illustrates the OPC's spending trend over a seven-year period.
The graph shows a steady increase in reference-level resources for the period 2006-2007 through to 2009-2010, then a fixed state from 2010-2011 onward. The increased spending reflects resources sought by the OPC through two business cases, as submitted to the Parliamentary Panel on the Funding and Oversight of Officers of Parliament.
In 2005, the OPC received increased funding to oversee the implementation of PIPEDA, and in support of its overall mandate. In 2008, the Office also received increased funding to:
- deliver programs in light of new legislation such as the Federal Accountability Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
- eliminate the backlog of privacy investigations;
- expand public outreach, and
- establish an internal audit function.
The funding increase has been phased in over three fiscal years, 2008-2009, 2009-2010 and 2010-2011. The increase for 2008-2009 was $3.3M and for 2009-2010 it is $1.2M. In 2010-2011 and future years, the sunset provision for the funding ($0.4M) earmarked for the backlog elimination is offset by the resources received to compensate for collective bargaining.
2010-2011 Allocation of Funding by Program Activity
The figure below displays the allocation of the OPC's funding by program activity for 2010-2011. More than four-tenths of the funds are allocated to Program Activity 1, Compliance Activities, which includes the Office's main program delivery mechanisms - complaint investigations, responses to inquiries, audits, and privacy impact assessment reviews.
Voted and Statutory Items
The Table below illustrates Parliament's approval of OPC resources and shows the changes in resources derived from the supplementary estimates and other authorities, as well as how funds were spent.
| Vote # or Statutory Item |
Truncated Vote or Statutory Wording | 2009-10 Main Estimates |
2010-11 Main Estimates |
|---|---|---|---|
| 45 | Program expenditures | 20,101 | 20,099 |
| (S) | Contributions to employee benefit plans | 2,222 | 2,291 |
| Total | 22,323 | 22,390 | |