ARCHIVED - Office of the Privacy Commissioner of Canada - Report

• Previous Page
• Table of Contents
• Next Page

This page has been archived.

Section II: Analysis of Program Activities

2.1 Strategic Outcome

All OPC efforts and activities are directed towards achieving the organization's Strategic Outcome, the protection of individuals' privacy rights. The Office plays a leadership role in encouraging organizations that handle Canadians' personal information to respect the privacy rights of individuals. Others who contribute to this mission include provincial and territorial privacy commissioners, data-protection authorities and other international organizations, privacy advocacy groups, chief privacy officers, professional associations, consumer representatives, academics, Parliamentary committees, and government departments and agencies.

Strategic Outcome
The privacy rights of individuals are protected.

Expected Result	Performance Indicator	Target
Ultimate Outcome for Canadians
The OPC plays a lead role in influencing federal government institutions and private-sector organizations to respect the privacy rights of individuals and protect their personal information.	Extent and direction of change in the privacy practices of federal government institutions and private-sector organizations	Three (3) on a scale of one to five, which means that "some preparatory steps to progress toward change" from the baseline of 2010-2011 may be observed by March 31, 2012

Performance Measurement Strategy

This umbrella indicator is based on performance information generated from the following indicators used to measure the OPC Program Activities: Extent to which investigation recommendations (from ‘well-founded', ‘resolved' and ‘well-founded and resolved' investigations) are accepted and implemented over time (Refer to Program Activity 1); Extent to which audit recommendations are accepted and implemented over time (Refer to Program Activity 1); Value added to Parliament of the OPC views on the privacy implications of relevant laws and regulations (Refer to Program Activity 2); Value added to stakeholders through OPC information and advice on selected policies and initiatives (Refer to Program Activity 2); Privacy outcome for government initiatives or programs stemming from consultations or recommendations associated with the Privacy Impact Assessment (PIA) process (Refer to Program Activity 3); Extent to which private-sector organizations understand their obligations under federal privacy legislation (Refer to Program Activity 3).

The OPC's four Program Activities are described in Section II with an overview of the activity (as set out in the Main Estimates, Part II); a table with the expected results for Canadians, the performance indicators (including measurement strategy) and targets to be achieved by March 31, 2012; the allocated financial and human resources; planning highlights for 2011-2012, and benefits for Canadians.

2.2 Program Activity 1: Compliance Activities

Activity Description

The OPC is responsible for investigating privacy-related complaints and responding to inquiries from individuals and organizations. Through audits and reviews, the OPC also assesses how well organizations are complying with requirements set out in the two federal privacy laws, and provides recommendations on Privacy Impact Assessments (PIAs), pursuant to Treasury Board policy. This activity is supported by a legal team that provides specialized advice and litigation support, and a research team with senior technical and risk-assessment support.

Program Activity 1: Compliance Activities

Expected Results	Performance Indicators (Performance Measurement Strategy)	Targets
Intermediate Outcomes
Federal government institutions and private-sector organizations meet their obligations under federal privacy legislation and implement modern practices of personal information protection.	Extent to which investigation and audit recommendations are accepted and implemented over time (Tracking and analysis of responses to investigation and audit reports)	90 percent of ‘well-founded', ‘resolved' and ‘well-founded and resolved' investigation recommendations are accepted and implemented within one year of reporting 90 percent of audit recommendations are accepted fully by entities Upon follow-up two years after the initial audit report, action to implement has begun on 90 percent of recommendations
	Extent to which obligations are met through litigation (Review and analysis of litigation files and statistics on settlements)	Legal obligations are met in 80 percent of cases, either through settlements to the satisfaction of the Commissioner or through court-enforced judgments
Intermediate Outcomes
Individuals receive timely and effective responses to their inquiries and complaints.	Timeliness of OPC responses to complaints (Analysis of Office statistics on the time required to close files)	95% of complaints are closed within 12 months of receipt (Note: in 2011-2012, the OPC will further review its service standards to define distinct response times by type of complaint resolution).
The privacy practices of federal government institutions (including Privacy Impact Assessments for new and existing government initiatives) and private-sector organizations are audited and/or reviewed to determine their compliance with federal privacy legislation and policies.	Proportion of audits and PIA reviews completed within planned times (Review and analysis of statistics on audit and PIA project completion)	90 percent of audits are completed within planned times and 70 percent of PIA reviews are completed within 120 days of receipt
	Feedback and action from federal government departments in response to OPC advice relating to PIAs (Tracking and analysis of responses to PIAs )	75 percent of institutions that submitted a PIA during the year were responsive to the OPC advice

Allocated Financial and Human Resources for
Program Activity 1

	Forecast Spending 2010-2011	Planned Spending
		2011-2012	2012-2013	2013-2014
Financial Resources ($000)	9,631	10,391	10,391	10,391
Planned Human Resources (FTEs)		87	87	87

Planning Highlights for Program Activity 1

The OPC will continue to work toward the Compliance Activities outcomes (as identified in the outcomes table on the previous page), while also supporting the achievement of the first corporate priority - "Identify, adopt, and deliver on new service-delivery models to maximize results for Canadians". In addition to its usual ongoing activities, the OPC will conduct the following initiatives in 2011-2012:

• Adopt new service-delivery models to respond more effectively to complaints:
  • Integrate the new Toronto office in all aspects of the OPC business to ensure a consistent, seamless approach to service delivery, including compliance and outreach activities;
  • Communicate with respondents in a more direct manner, such as through site visits to clarify issues before deciding to launch an investigation, as appropriate;
  • Develop and maintain stronger relationships with privacy stakeholders to further the OPC's understanding of their information needs.
• Strengthen the process for receiving complaints and inquiries, namely by implementing an online complaint form.
• Publish service standards for inquiries and complaints, and implement a process to track and report OPC performance against the standards.
• Implement design changes to the new case-management system to improve the tracking, management and reporting of investigations, as well as the access to strategic information for decision-making.
• Prepare for additional responsibilities as a result of legislative changes, notably the new anti-spam law and anticipated legislation to make data breach notification mandatory, by developing new protocols, decision-making frameworks and information-sharing agreements, and providing training to employees.
• Conduct public-sector audits in the areas of financial transactions and law enforcement activities, and a private-sector audit on the privacy practices of a national retailer; carry out follow-up audits of the Passenger Protect Program, Federal Annual Privacy Reports and FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada.

Benefits for Canadians from Program Activity 1

The investigation services delivered by the OPC help to safeguard the privacy rights of Canadians. Audits and PIA reviews also seek to improve management and accountability for privacy within organizations, thus enhancing the privacy rights of individuals for today and future generations. Collaboration with provincial, territorial and international counterparts contributes to more effective enforcement of privacy legislation.

2.3 Program Activity 2: Research and Policy Development

Activity Description

The OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring legislative and regulatory initiatives, providing legal, policy and technical analyses on key issues, and developing policy positions that advance the protection of privacy rights. An important part of the work involves supporting the Commissioner and senior officials in providing advice to Parliament on potential privacy implications of proposed legislation, government programs, and private-sector initiatives.

Expected Results	Performance Indicators (Performance Measurement Strategy)	Targets
Intermediate Outcomes
Parliamentarians and key stakeholders have access to clear, relevant information and timely and objective advice about the privacy implications of evolving legislation, regulations and policies.	OPC information and advice on selected policies and initiatives add value for stakeholders (Tracking of stakeholders' reaction to the OPC information and advice)	The OPC views have added value for parliamentarians and key stakeholders
Intermediate Outcomes
The work of parliamentarians is supported by an effective capacity to identify privacy issues, and to develop privacy-respectful policy positions for the federal public and private sectors.	OPC views on the privacy implications of relevant laws and regulations add value for parliamentarians (Tracking impact from OPC work at parliamentary committee appearances, submissions, and other support to parliamentarians)	The OPC views have added value for parliamentarians and key stakeholders
Knowledge about systemic privacy issues in Canada and abroad is enhanced through information exchange and research, with a view to advancing privacy files of common interest with stakeholders, raise awareness, and improve privacy-management practices.	Stakeholders have had access to, and have considered, OPC research products and outreach materials in their decision-making (Review of progress reports against the operational plans for the four priority privacy issues to extract evidence that OPC research products and outreach materials have had an impact on stakeholders)	Initiatives under all four OPC priority privacy issues (100 percent) have involved relevant stakeholders and there is documented evidence demonstrating that stakeholders were influenced by OPC research products and outreach materials

Allocated Financial and Human Resources for Program Activity 2

	Forecast Spending 2010-2011	Planned Spending
		2011-2012	2012-2013	2013-2014
Financial Resources ($000)	5,442	5,206	5,206	5,206
Planned Human Resources (FTEs)		19	19	19

Planning Highlights for Program Activity 2

The OPC will continue to work toward the Research and Policy Development outcomes (as identified in the outcomes table on the previous page), while also supporting the achievement of the second corporate priority - to "provide leadership to advance the four priority privacy issues relating to: information technology, public safety, identity integrity and protection, and genetic information". In addition to its usual ongoing activities, the OPC will conduct the following initiatives in 2011-2012:

• Reinforce the OPC's capacity to identify, analyse and test new technology and network developments, increasingly in partnership with international data-protection organizations.
• Follow up on past audits of the Passenger Protect Program and FINTRAC, and continue to give priority to reviewing Privacy Impact Assessments that are related to public safety.
• Develop information for consumers on the privacy implications of direct-to-consumer genetic testing.
• Drawing on international comparisons, further develop and publicize the Office's position on the use of DNA for forensic purposes.
• Expand public understanding of how the next generation of networked devices, including smart phones, set-top boxes and smart grids, deal with data collected about individuals.
• Identify tools and public education materials that help Canadians understand how to protect their personal information, whether through enhanced permissions models, technical protection measures, or contractual agreements.
• Based on syntheses of court decisions and case findings, develop policy guidance and interpretation tools to help organizations apply PIPEDA and/or the Privacy Act.
• Continue to build on existing relationships with academics, advocacy groups, business associations and others to identify research subjects from the technology and social trends that pose an emerging challenge to privacy rights in Canada.
• Continue to strengthen relations with Parliament and other international data-protection authorities.
• Work with industry to further the OPC's understanding of the impacts of PIPEDA on businesses and to inform decisions related to pending legislative amendments to PIPEDA.

Benefits for Canadians from Program Activity 2

Knowledge about emerging and systemic privacy issues is the foundation for OPC advice and guidance, which help to inform organizations about the privacy implications of their actions. For legislators, the implications relate to laws and regulations, and for organizations and Canadians, the implications relate to everyday decisions in the marketplace. An enhanced understanding of national and global privacy issues and a strengthened capacity to address them more effectively are critical for Canada to be recognized as a leader in privacy protection and to positively influence the development of international privacy laws and co-operative agreements.

With the help of effective and well-communicated research activities, policy positions and legal advice from the OPC, decision-makers can better evaluate their actions and measure the privacy risks they assume. Organizations, moreover, are better able to comply with their privacy obligations.

2.4 Program Activity 3: Public Outreach

Activity Description

The OPC delivers public education and communications activities, including speaking engagements and special events, media relations, and the production and dissemination of promotional and educational material. Through public outreach activities, individuals have access to information about privacy and personal data protection that enable them to protect themselves and exercise their privacy rights. The activities also allow organizations to understand their obligations under federal privacy legislation.

Expected Results	Performance Indicators (Performance Measurement Strategy)	Targets
Intermediate Outcome
Federal government institutions and private-sector organizations understand their obligations under federal privacy legislation and individuals understand how to guard against threats to their personal information.	Privacy outcome for government initiatives or programs stemming from consultations or recommendations associated with the PIA process (Tracking of privacy outcomes from PIA consultations/ recommendations)	In 70 percent of the government initiatives or programs for which a high-priority PIA was reviewed and a recommendation was issued, the consultations with or recommendations from the OPC resulted in stronger privacy protections
	Extent to which private-sector organizations understand their obligations under PIPEDA (Biennial polling of a sector of private industry)	More than 50 percent of private-sector organizations report having at least moderate awareness of their obligations under PIPEDA
Intermediate Outcome
Individuals have relevant information about their privacy rights and are enabled to guard against threats to their personal information.	Reach of target audience with OPC public education and communications activities (Analysis of reach is based on media monitoring, visits to the OPC website and blogs, audience size for speeches and events, distribution of materials, etc.)	100 citations of OPC officials in the media on selected communications initiatives per year At least 100,000 visits per month on the OPC website and 20,000 visits per month to the OPC blog At least one news release per month on a subject of particular interest to individuals At least 350 subscribers to the e-newsletter At least 1,000 communication tools distributed per year Two public education initiatives per year, designed for new individual target groups Two public events addressing needs of individual target groups
	Extent to which individuals know about the existence/role of the OPC, understand their privacy rights, and feel they have enough information about threats to privacy (Biennial public opinion polls and other research activities)	At least 20 percent of Canadians have awareness of the OPC At least 20 percent of Canadians have an "average" level of understanding of their privacy rights At least 35 percent of Canadians have some awareness of the privacy threats posed by new technologies
Federal government institutions and private-sector organizations receive useful advice and guidance on privacy rights and obligations, contributing to better understanding and enhanced compliance.	Responsiveness of, or feedback from, federal government departments and private-sector organizations to OPC advice and guidance relating to privacy rights and obligations (Tracking and analysis of feedback and responses received)	75 percent of institutions and organizations are responsive to the OPC advice
	Reach of organizations with OPC policy positions, promotional activities and promulgation of best practices (Analysis of reach is based on reviews of Office statistics; analysis of top-10 pages of the website and writing of anecdotes on best practices; and an analysis of the targeting and distribution of public education initiatives)	At least 1,000 communication tools distributed per year At least one news release per month on a subject of particular interest to organizations Exhibiting at least four times throughout the year At least 350 subscribers to the e-newsletter Two public education initiatives annually designed for new organizational target groups Two public events/speaking engagements addressing needs of organizational target groups

Allocated Financial and Human Resources for Program Activity 3

	Forecast Spending 2010-2011	Planned Spending
		2011-2012	2012-2013	2013-2014
Financial Resources ($000)	3,788	3,976	3,976	3,976
Planned Human Resources (FTEs)		24	24	24

Planning Highlights for Program Activity 3

The OPC will continue to work toward the Public Outreach outcomes (as identified in the outcomes table starting two pages earlier), while also supporting the achievement of the third corporate priority - to "support Canadians, organizations and institutions to make informed privacy decisions nationally and internationally". In addition to its usual ongoing activities, the OPC will conduct the following initiatives in 2011-2012:

• Continue to create and disseminate tools in a variety of formats (electronic, video, audio and print) to support targeted outreach to communities that would benefit from such information.
• Develop and promote new guidance in the priority privacy issue areas identified by the Office (on topics, for example, such as behavioural targeting and cookie use), in order to increase compliance with federal privacy law among public- and private-sector organizations.
• Implement a communications strategy to reach the public sector, so organizations understand the OPC's requirements in relation to the 2010 Treasury Board Secretariat Directive on PIAs; the strategy could include publications, fact sheets, web work, speaking engagements, training for ATIP co-ordinators, etc.
• Provide more opportunities for stakeholders to interact with Office specialists and knowledgeable members of the privacy community through expanded public speakers series, support for innovative and collaborative privacy seminars, and participation in specialized conferences.
• Educate small- and medium-size enterprises (SME) on their responsibilities to comply with PIPEDA, using outreach activities (especially in Toronto), and guidelines in the form of FAQs.
• Set up a youth council in Toronto to better understand issues in youth privacy.

Benefits for Canadians from Program Activity 3

The Privacy Commissioner of Canada has a mandate to raise awareness of rights and obligations under privacy laws. By having a more in-depth understanding of Canadians' views and concerns with respect to their personal information, the OPC can better educate individuals about their rights and help them make informed choices with respect to their personal information protection. By helping organizations understand their responsibilities under federal privacy laws, and by encouraging them to better protect the personal information in their care, Canadians ultimately benefit from enhanced privacy protection.

2.5 Program Activity 4: Internal Services

Activity Description

Internal Services are groups of related activities and resources that support the needs of programs and other corporate obligations of an organization. As a small entity, the OPC's internal services include two sub-activities: governance and management support, and resource management services (which also incorporate asset management services). Communications services are not included in Internal Services but rather form part of Program Activity 3 - Public Outreach. Similarly, legal services are excluded from Internal Services at OPC, given the legislated requirement to pursue court action under the two federal privacy laws. Legal services form part of Program Activity 1 - Compliance Activities, and Program Activity 2 - Research and Policy Development.

Expected Result	Performance Indicator (Performance Measurement Strategy)	Target
The OPC achieves a standard of organizational excellence, and managers and staff apply sound business management practices.	Ratings against the Management Accountability Framework (MAF) (Review of results from the biennial MAF self-assessment exercise and annual progress reports)	Strong or acceptable rating on 70 percent of the MAF areas of management

Allocated Financial and Human Resources for Program Activity 4

	Forecast Spending 2010-2011	Planned Spending
		2011-2012	2012-2013	2013-2014
Financial Resources ($000)	5,358	5,086	5,086	5,086
Planned Human Resources (FTEs)		46	46	46

Planning Highlights for Program Activity 4

The OPC will continue to work toward achieving and maintaining a standard of organizational excellence and will have managers and staff apply sound business management practices. Over the next three years, and more particularly in 2011-2012, the OPC will enhance and sustain its organizational capacity (the fourth corporate priority) by pursuing the following Internal Services activities, in addition to its usual ongoing activities:

• Implement a comprehensive Talent Management Program, developed in 2010-2011. It is composed of activities to support recruitment, training, performance evaluation, retention, succession planning and the development of competencies.
• Enhance employee skills through mentoring, training and coaching opportunities.
• Encourage the formation of issue-specific teams, drawing from across the organization and capitalizing on the experience and skills that already exist within the OPC, to address emerging threats to privacy rights.
• Create internal opportunities for employee assignments and interdisciplinary teamwork; promote active employee involvement in projects and dialogue with external experts to promote learning and integration; and broaden the exchange of knowledge among staff to foster a more holistic understanding of privacy issues being investigated, audited or researched. Examples of such innovative approaches include expanding research or investigation teams with staff from different areas of the Office, requesting employee input to design changes to the case-management system, and continuing to facilitate access to legal advice through ‘duty counsel' or informal counselling.
• Continue to build and populate knowledge-sharing tools on existing IT infrastructure, thereby providing OPC staff with the latest developments in privacy research and insight.
• Make better use of available information tools and technologies (such as information databases, SharePoint electronic collaboration tool) and install new ones (e.g. a video conferencing solution) to enhance knowledge management within and between the different branches of the Office.
• Start implementing the 2011-2014 Information Management/Information Technology Strategy and finish addressing recommendations from the 2009 Information Management Audit Report.
• Start applying a uniform approach to all OPC initiatives involving significant change by implementing a recently-approved Change Management Strategy and accompanying tools.

• Previous Page
• Table of Contents
• Next Page