ARCHIVED - Office of the Privacy Commissioner of Canada - Report



Message from the Privacy Commissioner of Canada

Jennifer Stoddart

Since Parliament recently expressed confidence in the direction that the Office of the Privacy Commissioner of Canada (OPC) has taken in recent years, I will have the privilege of steering the organization through another three years of challenge and opportunity. With that in mind, I am pleased to present the 2011-2012 Report on Plans and Priorities, which sets out strategic directions, priorities, expected results and spending estimates for the coming fiscal year.

As 2011-2012 gets underway, it will be imperative to leverage and build on past successes. Under the authorities vested in us by the Privacy Act and the Personal Information Protection and Electronic Documents Act, we are proud to have advanced privacy rights through significant investigations, privacy audits, public outreach, legislative reviews and other work in the public and private sectors. Indeed, the OPC has blossomed into an internationally respected force for privacy rights. And yet there can be no room for complacency, as the privacy landscape evolves and new challenges emerge.

In 2011-2012, therefore, we expect to field thousands of inquiries from individuals about privacy issues that concern them. We will investigate hundreds of complaints and turn the spotlight on dozens of privacy policies and practices through our audit function and our Privacy Impact Assessment process. To deliver the top-quality service that Canadians expect, we will implement a new online complaint form and strengthen other internal and external processes.

In the year ahead, we will continue to focus on the four priority areas we feel pose the greatest risks to privacy: information technology, public safety, identity integrity and protection, and genetic information. Toward that end we augmented our in-house expertise in information technologies, and fostered valuable links with outside experts. A tangible outcome for Canadians last year was a comprehensive reference document on the privacy issues raised by national security initiatives. Going forward, we will continue to share our learning on topics such as biometrics and the next generation of networked devices. The privacy implications of public safety and law enforcement initiatives will be another ongoing priority for us. We recognize that privacy protections must sometimes give way to a greater good, but only if the promised outcome is achievable and no less privacy-invasive option has been overlooked.

We will also persist in our forays into the online world, where so much of the real world now unfolds. Our Office is already a committed user of social media, so we can speak of them with the confidence born of experience. And we will continue to profit from the insights gained through our successful public consultations on the privacy implications of cloud computing and the online tracking, profiling and targeting of consumers by marketers and other businesses.

This kind of facility with information technology strengthens our Office's capacity to pursue another key goal: to support organizations and individuals in making informed privacy decisions. Indeed, we are persuaded that digital literacy equips people with the knowledge and skills necessary to protect their personal information, and the personal information entrusted to them by others.

Bolstering our service to Canadians demands a vibrant organizational capacity. We embarked on this course last year. With the departure of Assistant Commissioner Elizabeth Denham to take on the position of Information and Privacy Commissioner of British Columbia, we merged responsibilities for both acts under the able leadership of a single assistant commissioner, Chantal Bernier. We intend to leverage this streamlined and strengthened structure in the year ahead. For instance, we will reinforce our contact with stakeholders through the decentralizing presence of our new office in Toronto. We will capitalize on technology and promote employee productivity and excellence across the organization. And we will continue to work with Parliament to ensure that the legislative authorities and powers of the Office are suited for the challenges and the opportunities to come.

The original version was signed by

Jennifer Stoddart
Privacy Commissioner of Canada

Section I: Overview

1.1 Summary Information

Raison d'être

The mandate of the Office of the Privacy Commissioner of Canada is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals.[1]

Responsibilities

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner's powers to further the privacy rights of Canadians include:

  • investigating complaints, conducting audits and pursuing court action under two federal laws;
  • publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • supporting, undertaking and publishing research into privacy issues, and
  • promoting public awareness and understanding of privacy issues.

The Commissioner works independently from other parts of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. The focus is on resolving complaints through negotiation and persuasion, and using mediation and conciliation as appropriate. If voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may seek an order from the Federal Court to rectify the situation.

Strategic Outcome and Program Activity Architecture (PAA)

In line with its mandate, the OPC pursues as its Strategic Outcome the protection of the privacy rights of individuals. Toward that end, the Office's architecture of program activities is composed of three operational activities and one management activity. The PAA diagram below presents information at the program activity level:

Strategic Outcome: The privacy rights of individuals are protected.

Planned Spending:
  1. Compliance Activities
  2. Research and Policy Development
  3. Public Outreach
  4. Internal Services

Alignment of PAA to Government of Canada Outcomes

Federal departments are required to report on how their PAA aligns with Government of Canada Outcomes. The Privacy Commissioner, however, being independent from government and reporting directly to Parliament, does not make such alignment. The Strategic Outcome and the expected results from the work of the Office of the Privacy Commissioner of Canada are detailed in Section II of this Report on Plans and Priorities.

1.2 Planning Summary

The following two tables summarize the total planned financial and human resources allotted to the OPC for the next three fiscal years.

Financial Resources ($000)

                    2011-2012   2012-2013   2013-2014
Planned Spending    24,659      24,659      24,659

Human Resources (FTEs*)

                    2011-2012   2012-2013   2013-2014
Planned FTEs        176         176         176

* FTE: Full-Time Equivalent

Contribution of Priorities to the Strategic Outcome

The OPC has a single Strategic Outcome (SO 1), which is that the privacy rights of individuals be protected. Toward that end, the OPC identified four corporate priorities: the first three are operational in nature, and the fourth relates to the management of the organization.

The table below describes how each corporate priority contributes to the Strategic Outcome, and what the OPC plans to do in 2011-2012 to make progress in each one. More detail about those planned activities is provided under Planning Highlights in Section II.

Corporate Priority 1: Identify, adopt, and deliver on new service delivery models to maximize results for Canadians
Type[2]: Previously committed to
Link to Strategic Outcome: SO 1
Description: The OPC will maximize the return on past investments made to enhance service delivery and will implement expanded responsibilities pursuant to impending legislative amendments. In 2011-2012, the OPC will:
  • Consolidate fundamental changes to OPC processes and systems, namely the re-engineered complaints resolution process and case management system, and the new Toronto office.
  • Prepare for and integrate legislative changes to the OPC mandate, namely the new anti-spam legislation and anticipated amendments to PIPEDA (including data breach notification).

Corporate Priority 2: Provide leadership to advance the four priority privacy issues (information technology, public safety, identity integrity and protection, and genetic information)
Type: Ongoing
Link to Strategic Outcome: SO 1
Description: First identified in 2008, the four priority privacy issues have provided strategic focus to the work of the OPC and guided the rational allocation of its resources. Because these areas still represent the greatest risk to the privacy of Canadians, they will continue to be treated as priority issues. In 2011-2012, the OPC will:
  • Further enhance OPC capacity on the four priority privacy issues and the sharing of knowledge and information about them across the Office.
  • Leverage knowledge gained to date on the four priority privacy issues and translate it into relevant outcomes for Canadians.

Corporate Priority 3: Support Canadians, organizations and institutions to make informed privacy decisions, both nationally and internationally
Type: Ongoing
Link to Strategic Outcome: SO 1
Description: Past efforts have been invested in raising general privacy awareness among Canadians and enhancing global capacity to protect personal information. Pressing ahead, the OPC will also work with partners to reach out to selected groups through the most effective channels. In 2011-2012, the OPC will:
  • Strategically identify and target selected audiences to promote understanding of privacy choices through innovative and interactive approaches.
  • Sustain partnerships and exchange knowledge with data-protection authorities, regulators, international associations and other selected stakeholders, and leverage further opportunities for joint initiatives in the public and private sectors.

Corporate Priority 4: Enhance and sustain organizational capacity
Type: Ongoing
Link to Strategic Outcome: SO 1
Description: To be successful and relevant, the OPC relies on the specialized knowledge, skills and expertise of its staff. They, in turn, require a work environment, organizational structure, processes and tools that contribute to performance and wellness. In 2011-2012, the OPC will:
  • Enable employee productivity and excellence in a healthy workplace through a talent management program (recruitment, training, retention and succession planning), flexible work approaches, and support for a work-life balance.
  • Strengthen the sharing and integration of knowledge across the OPC through the optimized use of systems, enhanced collaboration, and effective handling of information assets.
  • Develop and implement a change-management strategy to facilitate continuous improvement and increase organizational effectiveness.

Risk Analysis

Key risks influence the OPC's choice of corporate priorities, affect plans and performance, and drive decision-making. The OPC continually scans its environment to remain responsive to change. This section describes the strategic context and operating environment of the OPC, outlines key risks faced by the Office, and identifies mitigating strategies to manage the risks.

Strategic Context and Operating Environment

As part of its work, the OPC continues to identify instances where personal information is collected inappropriately, sometimes leading to disastrous results for Canadians. Unfortunately, these are not isolated events. And yet, while individual cases of identity theft, corporate data loss, inappropriate collection and even outright deception continue to prompt concern, it is becoming evident that systemic challenges to the privacy rights of Canadians are also on the rise.

Criminal enterprises at a national or international level will always find ways to misuse personal information for identity thefts and other frauds. In today's information society, however, the over-collection of data is by no means exclusively a criminal matter. Nor is it necessarily evidence of poor corporate processes, or even human error.

Instead, personal information is increasingly targeted as a valuable component of large-scale, and generally legitimate, data-collection efforts. These efforts are led by governments, namely to implement public safety initiatives, and by corporations under the guise of improving the consumer experience or more accurately targeting advertising.

There are several factors that encourage the systematic over-collection of information: the increasing sophistication of data-analysis tools, the deployment of surveillance tools in private and public spaces, the miniaturization and personalization of technology, and individuals' willingness to share information about their preferences, behaviours and social connections.

Such factors are not unique to Canada. In fact, privacy advocates around the world have recognized that these challenges are shared and increasingly require a co-ordinated response. Several data-protection authorities are struggling to identify an appropriate response to increasingly sophisticated online advertising tools. Others are collaborating on standards to moderate the privacy impacts of smart utility grids, an important piece of national infrastructure.

Perhaps the biggest emerging challenge to privacy rights is the growth in surveillance and data collection under the auspices of expanded public safety programs. Often tying such programs to international anti-terrorist initiatives, public safety program administrators have pressed forcefully for the subordination of privacy to the imperative of security. The OPC has questioned, and sometimes countered, this trade-off, calling instead for strong oversight mechanisms for public safety initiatives that give individuals appropriate and credible avenues for redress.

The Office's mandate is to safeguard the privacy rights of Canadians in such a way as to encourage the private and public sectors to provide the policies, tools and oversight mechanisms that strengthen individuals' control over the collection, use, disclosure and disposal of their personal information. The OPC's approach must be nuanced, reflecting broad societal change and technological evolution - but always reliant upon the right to dignity and privacy.

Key Risks

While risks are monitored throughout the year, the OPC updates its corporate risk profile annually. Risk analysis informs corporate priority-setting at an annual strategic planning session. Key risks are assessed for their degree of probability, as well as their potential impact on the successful delivery of the Office's activities. During 2011-2012, the Office will focus on managing the following five corporate risks:

1. Government of Canada Cap on Travel, Hospitality and Conference Fees - Risk that the cap will hamper the Office's efforts to remain abreast of privacy threats.

Since most privacy trends are global in nature, the OPC invests considerable efforts in developing and sustaining partnerships with data-protection authorities around the world, as well as international associations and regulators. OPC officials deliver numerous speeches to transfer knowledge about privacy to audiences in Canada and abroad. Those interactions also furnish invaluable insights and information to inform policy development.

Audit and investigation work also tends to involve travel because it often necessitates site visits to review materials and discuss issues with respondents. The cap on travel limits such visits, as well as conference attendance and other professional development activities that are critical for staff to remain current with rapid evolutions in the privacy field. (Many learning events are not available locally.)

To mitigate this risk, the Office is developing a plan to closely manage cap-related expenditures. It is also reviewing an oversight system for expenditure management; developing an annual travel plan and linking it to strategic outreach and learning plans; allocating resources more strategically (for example, by considering videoconferencing instead of travelling); and reporting quarterly to senior management on expenditure use against the cap.

2. Information Management (IM) - Risk that information gaps will jeopardize decision-making.

As an organization, the OPC grew considerably over the past 10 years. At the same time, privacy issues have become increasingly complex, requiring integrated solutions with multiple perspectives. This demands that the Office's burgeoning quantities of business intelligence be managed, stored for easy access, and shared effectively among OPC decision-makers. The OPC already has tools to support information management, including a new case-management system offering more integrated, easier-to-access information; SharePoint, used as a collaboration tool; a commonly used electronic document-management system; improved research databases; and better dissemination of information among branches of the OPC. As well, some cross-training of employees and work in horizontal teams foster the sharing of information.

However, the interconnected privacy issues point to the need to better manage and share the information on which decisions are made. To mitigate this risk, the Office will: update its IM/IT strategy to address the most pressing information-management issues; explore more effective horizontal tools to better inform branches about work elsewhere in the Office; better align information to the Office's performance-measurement framework; and address IM recommendations as identified in two internal audits currently underway (one is examining the utilization of information for decision-making; the other is studying the Office's responses to public inquiries).

3. Meeting Service Standards - Risk that the OPC's capacity to respond to complaints and inquiries will not meet enhanced service standards for timeliness, quality and relevance.

Now that the long-standing backlog of incomplete complaint files has been eliminated, the OPC is redefining standards to meet the demand for responses to often-pressing privacy concerns with service that is timely, relevant and of high quality. The OPC allocates its resources as strategically as possible in a context of multiplying demands, but remains at risk of not being able to deliver quality products in the timeframe necessary to be relevant to Canadians and international stakeholders. If the risk were to become reality, the public may not receive the calibre of services to which they are entitled. If, for example, an error or omission were to affect some investigative findings, the public and other stakeholders could lose confidence in the organization.

To mitigate this risk, the Office will track and report performance against new service standards, to be set by the end of 2010-2011.

4. Organizational Structure - Risk that the organization will not be sufficiently adaptable to change.

Rapid evolutions in the privacy world have led the OPC to implement more efficient, timely, innovative and responsive operations. In one such enhancement to its delivery methods, the OPC opted to consider more dynamic and creative responses to complaints and inquiries ("early resolution"), rather than the traditional approach of responding to every complaint with a comprehensive investigation.

The OPC has invested and will continue to invest in proactive measures such as public education and outreach and special (unplanned) investigations and audits on emerging issues. The Office is also committed to informing and influencing public policy through more engagements with the public, the media and parliamentary committees. These changes to the operations require an organizational structure that is fluid, including perhaps requiring a different set of skills to continue to meet the Office's mandate.

To mitigate this risk in 2011-2012, the Office will implement a recently-approved change-management strategy and a talent-management program to help staff adjust positively to change. The Office will also update its Integrated Business and Human Resources Plan, with an eye to organizational designs that increase effectiveness.

5. Organizational Impact of new Anti-Spam Legislation - Risk relating to the implementation of new responsibilities under Canada's new anti-spam legislation.

The intent of the new legislation is to curb the amount of damaging and deceptive electronic communications (spam) that circulate in Canada. The new law, passed in December 2010, broadens the OPC's mandate through enforcement responsibilities that are shared with the Canadian Radio-television and Telecommunications Commission and the Competition Bureau. The implementation of the law must be managed well, in light of the impact that the expanded responsibilities will have on the organization internally, as well as the external demands of working with other enforcement bodies.

To mitigate the risk associated with these changes, the OPC will collaborate with its partner institutions to develop a communications strategy that will inform the public about the implications of the new legislation for their lives and, more specifically, to manage expectations about what it can achieve. Internally, the Office will designate an executive representative with authority to co-ordinate efforts with partners and enforcement bodies and to ensure an effective and coherent implementation process within the OPC.

Expenditure Profile

In 2011-2012, the OPC plans to spend $24.659 million to advance its four corporate priorities, meet the expected results of its Program Activities, and contribute to its Strategic Outcome.

Spending Trend from 2007-2008 to 2013-2014

The figure below illustrates the OPC's spending trend over a seven-year period.

[Figure: Spending Trend from 2007-2008 to 2013-2014]

The graph shows a steady increase in reference-level resources for the period 2007-2008 through 2011-2012, followed by a levelling off. The period of increase reflects resources sought by the OPC through two business cases, as submitted to the Parliamentary Panel on the Funding and Oversight of Officers of Parliament, as well as new funding for the anti-spam legislation.

In 2008, the Office received increased funding to:

  • deliver programs in light of new legislation such as the Federal Accountability Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
  • eliminate the backlog of privacy investigations;
  • expand public outreach, and
  • establish an internal audit function.

The 2008 funding increase of $4.7M was phased in over three fiscal years, 2008-2009, 2009-2010 and 2010-2011. Since 2010-2011, the OPC budget was further increased by additional resources received for the anti-spam legislation. This amounted to $0.77M in 2010-2011 and a further $1.3M for 2011-2012. This combined increase of $2.0M remains stable for 2012-2013 and beyond.

2011-2012 Allocation of Funding by Program Activity

The figure below displays the allocation of OPC funding by Program Activity for 2011-2012. More than 40 percent of OPC funding is allocated to Program Activity 1 - Compliance Activities, which encompasses the Office's main program delivery mechanisms: complaint investigations, responses to inquiries, audits, and Privacy Impact Assessment reviews.

[Figure: 2011-2012 Allocation of Funding by Program Activity]