Skip to content Skip to institutional links

Common menu bar links

Breadcrumb Trail

Institutional links

ARCHIVED - Office of the Privacy Commissioner of Canada

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Message from the Privacy Commissioner of Canada

Jennifer Stoddart

As I look back on 2008-2009, my fifth full year as Privacy Commissioner, I am at once cheered by our progress, and realistic about the challenges ahead.

In presenting the Departmental Performance Report of the Office of the Privacy Commissioner of Canada for the fiscal year ending March 31, 2009, I am pleased to report that the OPC made great strides and continues to progress in relation to all of its strategic outcomes. This gratifying result caps a sustained effort to rebuild, reorient and strengthen the Office following a particularly tumultuous period.

For this I credit my exceptional team, which is why further fortifying our human resource capacity became the focus of much of our efforts. For example, when the job market could not yield enough trained complaints investigators, we hired 20 bright and innovative people with backgrounds in other fields, and trained them to become investigators.

At the executive level, we welcomed Chantal Bernier as Assistant Commissioner with responsibility for the Privacy Act, a choice that neatly complemented last year�s appointment of Elizabeth Denham to oversee the Personal Information Protection and Electronic Documents Act (PIPEDA).

Both pieces of legislation continued to lend shape and focus to our Office�s compliance activities as we retooled our internal processes and forged through a backlog of complaint files. And, while we continued to press Parliament for an urgent and substantial update to the Privacy Act, the law nevertheless provided the backbone for important audits of FINTRAC, the Passenger Protect Program, Passport Canada and the privacy management frameworks of three other federal institutions � Elections Canada, the Canada Revenue Agency and Service Canada.

Beyond our legislative framework, we were also exploring the global trend toward �soft law�, in which regulators work with industry to develop practical guidance enabling organizations to get privacy right in the first place, thus reducing the need for costly and cumbersome enforcement after the fact. In 2008-2009, we issued guidelines about such vital matters as privacy breach notification and the appropriate use of driver�s licence information by retailers.

Indeed, just as doctors preach the benefits of an ounce of prevention over a pound of cure, our Office also reached out to a wide range of stakeholders in industry, the provinces and territories, international partners and the Canadian public at large. With a particular focus on youth, our aim was to raise awareness about privacy, whether in the commercial context, the workplace, or on social networking sites.

For all this progress, however, the undeniable truth is that vast challenges remain. Evolving technologies, increased surveillance and global data flows, and the unquenchable thirst of governments and commercial enterprise for personal information mean our work is never done. And so we continued in 2008-2009 to refine our focus on four priority issues affecting privacy: information technology, national security, identity integrity and protection, and genetic information.

Even as we continue to build on our strengths and our renewed sense of purpose and direction, I am pleased to present this report on last year�s achievements in protecting and promoting the privacy rights of Canadians.

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada

Section I: Overview

1.1 Summary Information

Raison d��tre

The mandate of the Office of the Privacy Commissioner of Canada is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada�s private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals.

Responsibilities

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

Investigating complaints, conducting audits and pursuing court action under two federal laws;
Publicly reporting on the personal information-handling practices of public- and private-sector organizations;
Supporting, undertaking and publishing research into privacy issues, and
Promoting public awareness and understanding of privacy issues.

The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. The Office focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation where appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.

Strategic Outcome and Program Activity Architecture

To pursue its mandate effectively, the OPC works toward a single Strategic Outcome: the protection of the privacy rights of individuals. Three operational and one management activity support this Strategic Outcome, as outlined in the diagram below.

Strategic Outcome	The privacy rights of individuals are protected.
Program Activity	1. Compliance Activities	2. Research and Policy Development	3. Public Outreach
Program Activity	4. Internal Services

Alignment of Program Activity Architecture to Government of Canada Outcomes

The Privacy Commissioner is an Officer of Parliament who reports directly to Parliament. The Strategic Outcome of, and the expected results from, her Office are detailed in Section II of this Departmental Performance Report.

1.2 Performance Summary

The following table presents the financial and human resources that the OPC managed in 2008-2009.

Financial and Human Resources

**2008-09 Financial Resources ($ millions)**
Planned Spending	Main Estimates	Total Authorities	Actual Spending
18,979¹	17,827	22,368	22,137

**2008-2009 Human Resources (FTEs*)**
Planned	Actual	Difference
150	144	6
* Full-time Equivalents

Contribution of Priorities to the Strategic Outcome

In 2008-2009, the OPC had five corporate priorities, which are listed in the table below. Work to advance each priority contributed to progress toward the Office�s Strategic Outcome. For each priority, the following table presents a summary of actual performance and a self-assessment of performance status, based on the Treasury Board Secretariat�s scale² of expectations. Assessments were made on the basis of reasonable judgments, as no numeric standards were in place in 2008-2009. More detailed performance information is provided in Section II � Analysis by Program Activity.

**Strategic Outcome: The privacy rights of individuals are protected.**
OPC Priorities for 2008-2009	Type³	Performance Summary	Performance Status
1. Continue to improve service delivery through focus and innovation	Ongoing	The OPC made significant progress in decreasing the persistent complaint investigation backlog, with a 42 percent reduction in Privacy Act files and a 40 percent reduction in PIPEDA files. Moreover, the rate of these reductions is now accelerating, in part due to innovative measures implemented in 2008-2009 (a priority-rating system, early resolution, delegation, and standardization of letter responses to complainants) that will yield efficiency benefits in 2009-2010. As well, specialized and in-depth IT training was provided to all investigators to facilitate the conduct of investigations with an IT dimension.	Met all
	Ongoing	Two new tools were developed to improve the selection process for private-sector audits under PIPEDA. As well, informal interventions with private-sector organizations (the Canadian Automobile Dealers Association, the Retail Council of Canada and selected credit card processors) were successful in addressing privacy issues. In 2008-2009, the OPC substantially or fully completed audits of selected aspects of Passport Canada, the Privacy Management Frameworks of selected federal departments; the Privacy Act reporting requirements for departments; FINTRAC, and wireless operations in six federal departments. An audit under the Privacy Act of the Passenger Protect Program, and three audits of private-sector organizations under PIPEDA, were also initiated. Privacy Impact Assessment (PIA) review resources are being used in a more effective manner to offer more timely interventions, resulting in more focused guidance to departments and institutions. In particular: a new triage process was introduced in the PIA unit to give precedence to the review of PIAs that either deal with one of the Office�s four priority privacy issues, or are particularly sensitive; and, the PIA unit began offering higher-level analysis to departments in order to reduce the time needed to respond to PIA submissions.	Met all
2. Provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, and genetic information)	New	For each of the four priority privacy issues, the OPC developed and approved a three-year strategic plan in 2008-2009. Each plan includes high-level objectives for the next three years, a timetable with the main activities, resource estimates, as well as risks and mitigating strategies. Each priority issue is assigned to a senior manager lead. Supported by a working group, the manager is mandated to deliver the plan, monitor progress and inform the senior management team. Co-ordination and monitoring of progress on the four priority areas is ensured by the Assistant Privacy Commissioner responsible for the Privacy Act.	Met all
3. Strategically advance global privacy protection for Canadians	New	Along with several other regulatory authorities from Asia-Pacific Economic Co-operation (APEC) economies, the OPC is developing a Framework for Cross-border Privacy Enforcement Co-operation within the APEC economies. The Office participated actively in the Organisation for Economic Co-operation and Development�s (OECD) Ministerial Meeting on the Future of the Internet Economy, held in Seoul, Korea in June 2008. At the meeting, which was attended by more than 30 Ministers from OECD member states, the OPC discussed ways to promote the Internet economy by ensuring the protection of personal information and the privacy of individuals online.	Met all
	New	In the interests of strengthening Canada�s relationships with the international association of data protection authorities and other enforcement agencies from Francophone states, the OPC commissioned a study and accompanying documentary to provide information, intended for developing Francophone states, about Canada�s privacy protection regime. As well, the Office has played a lead role in the creation of an international association to promote data protection in Francophone states. The OPC also works with data protection authorities from other federal states to share expertise and discuss ways to encourage co-operation on data protection among federal and plurinational state authorities. The Office also collaborated with the United States Federal Trade Commission by preparing and filing an amicus curiae brief in appellate proceedings involving an Internet-based data broker that had collected the confidential telephone records of individuals without their consent. The OPC continued to contribute to the development of international privacy standards through its participation in International Standards Organisation (ISO) activities, as well as to act as Chair of the Canadian shadow group to the ISO Working Group on Identity Management and Privacy Technology. The OPC also represents Canada at the international meetings of the ISO Working Group. The OPC has worked with, and provided advice to, other jurisdictions with respect to breach notification. Domestic guidelines developed by the OPC have since been adopted by other privacy commissioners.	Met all
4. Support Canadians to make informed privacy decisions	New	The launch of youthprivacy.ca, a website dedicated to the protection of the privacy rights of young Canadians, provided information and tools for youth, parents and educators. Research into the information needs and privacy attitudes of young Canadians has informed the OPC�s social marketing activities, and will continue in 2009-2010. The establishment of pilot projects in Saskatchewan and Atlantic Canada, working with provincial and territorial privacy commissioners, marked the beginning of OPC outreach activities. The OPC has been building relationships with local Chambers of Commerce, business associations and other local stakeholders to make relevant and localized information available to Canadian businesses. Innovative research and public education activities, drawing upon the contributions of academics, advocates, and private-sector and international experts, have given Canadians of all ages access to topics as complex as deep packet inspection and as socially relevant as social networking sites.	Met all
5. Build a sustainable organizational capacity	Previous	In response to its capacity challenges of the past few years, the OPC developed and approved in October 2008 an Integrated Business and Human Resource Plan (IBHRP) 2008-2011. This approach better integrates business and people management and allows the OPC to forecast and prioritize recruitment activities. To increase efficiency, for example, a single generic process would be used to staff several vacancies. A major recruiting and training initiative was completed late in 2008-2009 when 20 new inquiries officers and investigators completed an intensive training program of up to nine weeks duration. This increased the OPC�s capacity to process inquiries and investigations by nearly 50 percent. The Office also developed a recruitment video and related messaging, which will soon be launched on the OPC Internet site under a new section related to Career Opportunities. As a result of these efforts, the OPC was fully staffed as of March 31, 2009, based on the allocated FTEs for 2008-2009. In light of the state of employee movement in the Public Service, particularly in the National Capital Region, the OPC is satisfied to have seen a significant reduction in its rate of departure over the past year (from 42 percent in 2007-2008 to 16 percent in 2008-2009). Efforts to stabilize the workforce that were initiated in 2008-2009 within the framework of the IBHRP included: exit questionnaires; a new awards and recognition policy; formal orientation toolkits for employees and managers; a significant investment in training, particularly for new investigators, and a formal coaching offer (the first phase targeted executives and a second phase is to follow for a cross-section of employees with significant managerial and supervisory responsibilities).	Met all
5. Build a sustainable organizational capacity	Previous	In 2008-2009, the OPC applied leading-edge technology to a re-engineering of its Inquiries, Complaints and Investigations processes. Phase 1, which modernized the inquiries functions, was completed. Phase 2, which deals with the complaints and investigations processes, was initiated and is expected to be completed in 2009-2010. The OPC continued its information management renewal efforts and introduced scanning technology. Work has also been done towards creating a collaborative work environment using Web 2.0 technologies that can be easily modified, supported and maintained.	Partially met

The OPC is satisfied that all but one of the commitments it made to advance the five corporate priorities announced in 2008-2009 were met in their entirety. The Inquiries, Complaints and Investigations Process Re-engineering Project is not as advanced as expected at the end of this fiscal year, so that commitment is considered to have been somewhat met. The level of effort required to complete Phase 2 of the project was underestimated, particularly given the shortage in human resource capacity early in the year. By rebuilding its human resources capacity and with new funds through the 2008 Business Case, the OPC is confident that this important re-engineering project will be completed in 2009-2010.

Risk Analysis

It is becoming evident that an uneasy relationship exists between the privacy rights of individual Canadians and a society increasingly reliant upon the collection and use of personal and commercial information.

The personal information of Canadians is now a valuable commodity for both commercial and government organizations.

This is true in the private sector and in government, from main street businesses to virtual environments. For example, information is collected as part of an individual�s online activities on social networking sites, and may then be used to develop and target marketing efforts.
At the same time, agencies and departments of the Government of Canada are making louder calls for the collection of personal information in order to guarantee our collective safety and security.

In the private sector, the Office of the Privacy Commissioner (OPC) recognizes that Canadians find value and utility in many of the technologies and services developed as part of the expanding information economy. Our task is to prepare for how individuals choose to share their information, how technology solicits and stores that information, questions about the application of jurisdiction, and an increasing need for cooperation among international privacy authorities when faced with international trends.

The OPC also participates in joint technical groups to examine technologies such as geo-spatial imaging, genetic privacy, radio-frequency identification devices, behavioural advertising and deep packet inspection � frequently in cooperation with academics, technologists, privacy authorities and advocates outside Canada.

Engaging with private-sector organizations on emerging privacy issues has led to the development of guidance on topics such as covert video surveillance, street-level imaging, and trans-border data flows. It has also led to a continuing and constructive dialogue on the application of Canada�s privacy legislation in a dynamic and competitive environment.
In the public sector, the Government of Canada is examining the implementation of many of the same tools and technologies. Arguments are made for the collection of increasing amounts of personal information � whether through activities such as enhanced travel documents, increased surveillance activities or mandatory DNA registration � on the basis of existing or perceived threats to the safety and security of Canadians.

Increasingly, the public is being asked to gradually relinquish their privacy rights without the government clearly demonstrating the necessity, effectiveness, or proportionality of the proposed measures, or without examining whether a less privacy-invasive alternative is available.

In response, the OPC is paying close attention to information management and privacy protection practices of government organizations. We are reviewing their proposals for new activities to collect personal information, and are conducting audits to ensure that this information is well guarded. We research how governments abroad are integrating new processes and technologies in anticipation of similar initiatives in Canada. Importantly, we work with government departments and agencies to ensure that their activities address privacy concerns.

The OPC believes that Canadians continue to look to this Office to identify and highlight challenges to their privacy rights, no matter where they emerge, and to promote realistic and effective privacy practices among individuals and organizations.

The OPC�s compliance strategy includes the effective use of its mandated responsibilities: Investigating complaints, auditing organizations for compliance with the Privacy Act and PIPEDA, informing Canadians of their privacy rights and obligations, and advising Parliament.

The OPC continues to build its capacity to evaluate new technologies and to add to existing knowledge in such areas as the needs of small business, the impact of online behaviour on youth privacy, and the forecasting of possible developments in marketing techniques that target and communicate with people through their mobile devices.

The result has been targeted and relevant analysis, advice and guidance for Canadians.

Expenditure Profile

Spending Trends

Since 2005, the OPC has seen a steady increase in funding, activities and expenditures. Over the past two years, the Office has started to reduce the backlog of privacy investigations and has increased the number of Commissioner-initiated investigations. In the past year, the Office received additional funding to further reduce the backlog of privacy investigations, expand public outreach, and implement the internal audit initiative. Part of the spending trends cover expenditures related to collective agreements, combined with contributions to employee benefit plans.

Voted and Statutory Items

This table shows the voted items that Parliament approved through the Main Estimates with its supply bills. The statutory items are displayed for information purposes only.

($ 000)		2006-07	2007-08	2008-09
Vote or Statutory Item	Truncated Vote or Statutory Wording	Actual Spending	Actual Spending	Planned Spending	Main Estimates	Total Authorities	Actual Spending
45	Program expenditures	14,446	15,677	17,050	15,898	20,704	20,473
(S)	Contributions to employee benefit plans	1,270	1,453	1,929	1,929	1,664	1,664
Total		15,716	17,130	18,979	17,827	22,368	22,137

The actual spending difference of $5 million between 2007-2008 and 2008-2009 is primarily attributable to higher costs to deliver programs in light of legislative requirements triggered by the Federal Accountability Act, efforts to reduce the backlog of privacy investigations, expanded public outreach initiatives, the establishment of an internal audit function, and pay increases under the collective agreement, combined with the resulting contributions to employee benefit plans.