Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Office of the Privacy Commissioner of Canada

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.





2008-09
Departmental Performance Report



Office of the Privacy Commissioner of Canada






The original version was signed by
The Honourable Robert D. Nicholson, P.C., Q.C., M.P.
Minister of Justice and Attorney General of Canada






Table of Contents

Message from the Privacy Commissioner of Canada

Section I: Overview

Section II: Analysis by Program Activity

Section III: Supplementary Information



Message from the Privacy Commissioner of Canada

Jennifer Stoddart

As I look back on 2008-2009, my fifth full year as Privacy Commissioner, I am at once cheered by our progress, and realistic about the challenges ahead.

In presenting the Departmental Performance Report of the Office of the Privacy Commissioner of Canada for the fiscal year ending March 31, 2009, I am pleased to report that the OPC made great strides and continues to progress in relation to all of its strategic outcomes. This gratifying result caps a sustained effort to rebuild, reorient and strengthen the Office following a particularly tumultuous period.

For this I credit my exceptional team, which is why further fortifying our human resource capacity became the focus of much of our efforts. For example, when the job market could not yield enough trained complaints investigators, we hired 20 bright and innovative people with backgrounds in other fields, and trained them to become investigators.

At the executive level, we welcomed Chantal Bernier as Assistant Commissioner with responsibility for the Privacy Act, a choice that neatly complemented last year’s appointment of Elizabeth Denham to oversee the Personal Information Protection and Electronic Documents Act (PIPEDA).

Both pieces of legislation continued to lend shape and focus to our Office’s compliance activities as we retooled our internal processes and forged through a backlog of complaint files. And, while we continued to press Parliament for an urgent and substantial update to the Privacy Act, the law nevertheless provided the backbone for important audits of FINTRAC, the Passenger Protect Program, Passport Canada and the privacy management frameworks of three other federal institutions – Elections Canada, the Canada Revenue Agency and Service Canada.

Beyond our legislative framework, we were also exploring the global trend toward “soft law”, in which regulators work with industry to develop practical guidance enabling organizations to get privacy right in the first place, thus reducing the need for costly and cumbersome enforcement after the fact. In 2008-2009, we issued guidelines about such vital matters as privacy breach notification and the appropriate use of driver’s licence information by retailers.

Indeed, just as doctors preach the benefits of an ounce of prevention over a pound of cure, our Office also reached out to a wide range of stakeholders in industry, the provinces and territories, international partners and the Canadian public at large. With a particular focus on youth, our aim was to raise awareness about privacy, whether in the commercial context, the workplace, or on social networking sites.

For all this progress, however, the undeniable truth is that vast challenges remain. Evolving technologies, increased surveillance and global data flows, and the unquenchable thirst of governments and commercial enterprise for personal information mean our work is never done. And so we continued in 2008-2009 to refine our focus on four priority issues affecting privacy: information technology, national security, identity integrity and protection, and genetic information.

Even as we continue to build on our strengths and our renewed sense of purpose and direction, I am pleased to present this report on last year’s achievements in protecting and promoting the privacy rights of Canadians.

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada


Section I: Overview

1.1 Summary Information

Raison d’être

The mandate of the Office of the Privacy Commissioner of Canada is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals.

Responsibilities

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

  • Investigating complaints, conducting audits and pursuing court action under two federal laws;
  • Publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • Supporting, undertaking and publishing research into privacy issues, and
  • Promoting public awareness and understanding of privacy issues.

The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. The Office focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation where appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.

Strategic Outcome and Program Activity Architecture

To pursue its mandate effectively, the OPC works toward a single Strategic Outcome: the protection of the privacy rights of individuals. Three operational and one management activity support this Strategic Outcome, as outlined in the diagram below.


Strategic Outcome

The privacy rights of individuals are protected.

Program Activity

1.  Compliance Activities

2.  Research and Policy Development

3.  Public Outreach

4.  Internal Services


Alignment of Program Activity Architecture to Government of Canada Outcomes

The Privacy Commissioner is an Officer of Parliament who reports directly to Parliament. The Strategic Outcome of, and the expected results from, her Office are detailed in Section II of this Departmental Performance Report.

1.2 Performance Summary

The following table presents the financial and human resources that the OPC managed in 2008-2009.

Financial and Human Resources



2008-09 Financial Resources ($ millions)
Planned Spending Main Estimates Total Authorities Actual Spending
18,9791 17,827 22,368 22,137


2008-2009 Human Resources (FTEs*)
Planned Actual Difference
150 144 6
* Full-time Equivalents

Contribution of Priorities to the Strategic Outcome

In 2008-2009, the OPC had five corporate priorities, which are listed in the table below. Work to advance each priority contributed to progress toward the Office’s Strategic Outcome. For each priority, the following table presents a summary of actual performance and a self-assessment of performance status, based on the Treasury Board Secretariat’s scale2 of expectations. Assessments were made on the basis of reasonable judgments, as no numeric standards were in place in 2008-2009. More detailed performance information is provided in Section II – Analysis by Program Activity.


Strategic Outcome: The privacy rights of individuals are protected.
OPC Priorities for 2008-2009 Type3 Performance Summary Performance Status

1. Continue to improve service delivery through focus and innovation

Ongoing The OPC made significant progress in decreasing the persistent complaint investigation backlog, with a 42 percent reduction in Privacy Act files and a 40 percent reduction in PIPEDA files. Moreover, the rate of these reductions is now accelerating, in part due to innovative measures implemented in 2008-2009 (a priority-rating system, early resolution, delegation, and standardization of letter responses to complainants) that will yield efficiency benefits in 2009-2010. As well, specialized and in-depth IT training was provided to all investigators to facilitate the conduct of investigations with an IT dimension. Met all
  Ongoing Two new tools were developed to improve the selection process for private-sector audits under PIPEDA. As well, informal interventions with private-sector organizations (the Canadian Automobile Dealers Association, the Retail Council of Canada and selected credit card processors) were successful in addressing privacy issues.

In 2008-2009, the OPC substantially or fully completed audits of selected aspects of Passport Canada, the Privacy Management Frameworks of selected federal departments; the Privacy Act reporting requirements for departments; FINTRAC, and wireless operations in six federal departments. An audit under the Privacy Act of the Passenger Protect Program, and three audits of private-sector organizations under PIPEDA, were also initiated.

Privacy Impact Assessment (PIA) review resources are being used in a more effective manner to offer more timely interventions, resulting in more focused guidance to departments and institutions. In particular:

  • a new triage process was introduced in the PIA unit to give precedence to the review of PIAs that either deal with one of the Office’s four priority privacy issues, or are particularly sensitive; and,
  • the PIA unit began offering higher-level analysis to departments in order to reduce the time needed to respond to PIA submissions.
Met all

2. Provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, and genetic information)

New For each of the four priority privacy issues, the OPC developed and approved a three-year strategic plan in 2008-2009.

Each plan includes high-level objectives for the next three years, a timetable with the main activities, resource estimates, as well as risks and mitigating strategies.

Each priority issue is assigned to a senior manager lead. Supported by a working group, the manager is mandated to deliver the plan, monitor progress and inform the senior management team.

Co-ordination and monitoring of progress on the four priority areas is ensured by the Assistant Privacy Commissioner responsible for the Privacy Act.
Met all

3. Strategically advance global privacy protection for Canadians

New Along with several other regulatory authorities from Asia-Pacific Economic Co-operation (APEC) economies, the OPC is developing a Framework for Cross-border Privacy Enforcement Co-operation within the APEC economies.

The Office participated actively in the Organisation for Economic Co-operation and Development’s (OECD) Ministerial Meeting on the Future of the Internet Economy, held in Seoul, Korea in June 2008. At the meeting, which was attended by more than 30 Ministers from OECD member states, the OPC discussed ways to promote the Internet economy by ensuring the protection of personal information and the privacy of individuals online.
Met all
New In the interests of strengthening Canada’s relationships with the international association of data protection authorities and other enforcement agencies from Francophone states, the OPC commissioned a study and accompanying documentary to provide information, intended for developing Francophone states, about Canada’s privacy protection regime. As well, the Office has played a lead role in the creation of an international association to promote data protection in Francophone states. The OPC also works with data protection authorities from other federal states to share expertise and discuss ways to encourage co-operation on data protection among federal and plurinational state authorities.

The Office also collaborated with the United States Federal Trade Commission by preparing and filing an amicus curiae brief in appellate proceedings involving an Internet-based data broker that had collected the confidential telephone records of individuals without their consent.

The OPC continued to contribute to the development of international privacy standards through its participation in International Standards Organisation (ISO) activities, as well as to act as Chair of the Canadian shadow group to the ISO Working Group on Identity Management and Privacy Technology. The OPC also represents Canada at the international meetings of the ISO Working Group.

The OPC has worked with, and provided advice to, other jurisdictions with respect to breach notification. Domestic guidelines developed by the OPC have since been adopted by other privacy commissioners.
Met all

4. Support Canadians to make informed privacy decisions

New The launch of youthprivacy.ca, a website dedicated to the protection of the privacy rights of young Canadians, provided information and tools for youth, parents and educators.

Research into the information needs and privacy attitudes of young Canadians has informed the OPC’s social marketing activities, and will continue in 2009-2010.

The establishment of pilot projects in Saskatchewan and Atlantic Canada, working with provincial and territorial privacy commissioners, marked the beginning of OPC outreach activities. The OPC has been building relationships with local Chambers of Commerce, business associations and other local stakeholders to make relevant and localized information available to Canadian businesses.

Innovative research and public education activities, drawing upon the contributions of academics, advocates, and private-sector and international experts, have given Canadians of all ages access to topics as complex as deep packet inspection and as socially relevant as social networking sites.
Met all

5. Build a sustainable organizational capacity

Previous In response to its capacity challenges of the past few years, the OPC developed and approved in October 2008 an Integrated Business and Human Resource Plan (IBHRP) 2008-2011. This approach better integrates business and people management and allows the OPC to forecast and prioritize recruitment activities. To increase efficiency, for example, a single generic process would be used to staff several vacancies.

A major recruiting and training initiative was completed late in 2008-2009 when 20 new inquiries officers and investigators completed an intensive training program of up to nine weeks duration. This increased the OPC’s capacity to process inquiries and investigations by nearly 50 percent.

The Office also developed a recruitment video and related messaging, which will soon be launched on the OPC Internet site under a new section related to Career Opportunities.

As a result of these efforts, the OPC was fully staffed as of March 31, 2009, based on the allocated FTEs for 2008-2009.

In light of the state of employee movement in the Public Service, particularly in the National Capital Region, the OPC is satisfied to have seen a significant reduction in its rate of departure over the past year (from 42 percent in 2007-2008 to 16 percent in 2008-2009).

Efforts to stabilize the workforce that were initiated in 2008-2009 within the framework of the IBHRP included: exit questionnaires; a new awards and recognition policy; formal orientation toolkits for employees and managers; a significant investment in training, particularly for new investigators, and a formal coaching offer (the first phase targeted executives and a second phase is to follow for a cross-section of employees with significant managerial and supervisory responsibilities).
Met all
Previous In 2008-2009, the OPC applied leading-edge technology to a re-engineering of its Inquiries, Complaints and Investigations processes. Phase 1, which modernized the inquiries functions, was completed. Phase 2, which deals with the complaints and investigations processes, was initiated and is expected to be completed in 2009-2010.

The OPC continued its information management renewal efforts and introduced scanning technology. Work has also been done towards creating a collaborative work environment using Web 2.0 technologies that can be easily modified, supported and maintained.
Partially met

The OPC is satisfied that all but one of the commitments it made to advance the five corporate priorities announced in 2008-2009 were met in their entirety. The Inquiries, Complaints and Investigations Process Re-engineering Project is not as advanced as expected at the end of this fiscal year, so that commitment is considered to have been somewhat met. The level of effort required to complete Phase 2 of the project was underestimated, particularly given the shortage in human resource capacity early in the year. By rebuilding its human resources capacity and with new funds through the 2008 Business Case, the OPC is confident that this important re-engineering project will be completed in 2009-2010.

Risk Analysis

It is becoming evident that an uneasy relationship exists between the privacy rights of individual Canadians and a society increasingly reliant upon the collection and use of personal and commercial information.

The personal information of Canadians is now a valuable commodity for both commercial and government organizations.

This is true in the private sector and in government, from main street businesses to virtual environments. For example, information is collected as part of an individual’s online activities on social networking sites, and may then be used to develop and target marketing efforts.
At the same time, agencies and departments of the Government of Canada are making louder calls for the collection of personal information in order to guarantee our collective safety and security.

In the private sector, the Office of the Privacy Commissioner (OPC) recognizes that Canadians find value and utility in many of the technologies and services developed as part of the expanding information economy. Our task is to prepare for how individuals choose to share their information, how technology solicits and stores that information, questions about the application of jurisdiction, and an increasing need for cooperation among international privacy authorities when faced with international trends.

The OPC also participates in joint technical groups to examine technologies such as geo-spatial imaging, genetic privacy, radio-frequency identification devices, behavioural advertising and deep packet inspection – frequently in cooperation with academics, technologists, privacy authorities and advocates outside Canada.

Engaging with private-sector organizations on emerging privacy issues has led to the development of guidance on topics such as covert video surveillance, street-level imaging, and trans-border data flows. It has also led to a continuing and constructive dialogue on the application of Canada’s privacy legislation in a dynamic and competitive environment.
In the public sector, the Government of Canada is examining the implementation of many of the same tools and technologies. Arguments are made for the collection of increasing amounts of personal information – whether through activities such as enhanced travel documents, increased surveillance activities or mandatory DNA registration – on the basis of existing or perceived threats to the safety and security of Canadians.

Increasingly, the public is being asked to gradually relinquish their privacy rights without the government clearly demonstrating the necessity, effectiveness, or proportionality of the proposed measures, or without examining whether a less privacy-invasive alternative is available.

In response, the OPC is paying close attention to information management and privacy protection practices of government organizations. We are reviewing their proposals for new activities to collect personal information, and are conducting audits to ensure that this information is well guarded. We research how governments abroad are integrating new processes and technologies in anticipation of similar initiatives in Canada. Importantly, we work with government departments and agencies to ensure that their activities address privacy concerns.

The OPC believes that Canadians continue to look to this Office to identify and highlight challenges to their privacy rights, no matter where they emerge, and to promote realistic and effective privacy practices among individuals and organizations.

The OPC’s compliance strategy includes the effective use of its mandated responsibilities: Investigating complaints, auditing organizations for compliance with the Privacy Act and PIPEDA, informing Canadians of their privacy rights and obligations, and advising Parliament.

The OPC continues to build its capacity to evaluate new technologies and to add to existing knowledge in such areas as the needs of small business, the impact of online behaviour on youth privacy, and the forecasting of possible developments in marketing techniques that target and communicate with people through their mobile devices.

The result has been targeted and relevant analysis, advice and guidance for Canadians.

Expenditure Profile


Spending Trends

Since 2005, the OPC has seen a steady increase in funding, activities and expenditures. Over the past two years, the Office has started to reduce the backlog of privacy investigations and has increased the number of Commissioner-initiated investigations. In the past year, the Office received additional funding to further reduce the backlog of privacy investigations, expand public outreach, and implement the internal audit initiative. Part of the spending trends cover expenditures related to collective agreements, combined with contributions to employee benefit plans.

Voted and Statutory Items

This table shows the voted items that Parliament approved through the Main Estimates with its supply bills. The statutory items are displayed for information purposes only.


($ 000) 2006-07 2007-08 2008-09
Vote or
Statutory Item
Truncated Vote
or Statutory Wording
Actual
Spending
Actual
Spending
Planned
Spending
Main
Estimates
Total
Authorities
Actual
Spending
45 Program expenditures 14,446 15,677 17,050 15,898 20,704 20,473
(S) Contributions to employee benefit plans 1,270 1,453 1,929 1,929 1,664 1,664
Total 15,716 17,130 18,979 17,827 22,368 22,137

The actual spending difference of $5 million between 2007-2008 and 2008-2009 is primarily attributable to higher costs to deliver programs in light of legislative requirements triggered by the Federal Accountability Act, efforts to reduce the backlog of privacy investigations, expanded public outreach initiatives, the establishment of an internal audit function, and pay increases under the collective agreement, combined with the resulting contributions to employee benefit plans.



Section II: Analysis by Program Activity

2.1 Strategic Outcome



Strategic Outcome: The privacy rights of individuals are protected.
Expected Result Performance Indicator
Ultimate Outcome for Canadians
The OPC plays a lead role in influencing federal government institutions and private-sector organizations to respect the privacy rights of individuals and protect their personal information. Extent and direction of change in the privacy practices of federal government institutions and private-sector organizations.

The activities carried out to support all four OPC Program Activities described in Section II have contributed to making progress toward the Strategic Outcome in 2008-2009. Sub-sections 2.2 to 2.5 detail the OPC performance against the expected results and performance indicators for each Program Activity, the sum of which will inform the ultimate-level indicator that the OPC will report upon in the 2010-2011 Departmental Performance Report, once the Office has completed the full implementation of its performance measurement strategy.

Each of the following sub-sections discusses one of the four Program Activities by:

  • describing what is involved in the Program Activity (defined as per the implementation of the Management, Resources and Results Structure Policy);
  • reporting on resource use in 2008-2009;
  • presenting a summary of OPC performance in relation to expectations, including a performance status indicator using the TBS scale (refer to Section 1.2 for a description of the scale);
  • discussing what benefits Canadians derived from the activities delivered by the OPC, providing an overall analysis of its performance in 2008-2009, and identifying some lessons learned from this year’s activities to continue to improve in the future.

2.2 Program Activity 1: Compliance Activities

Activity Description

The OPC is responsible for investigating complaints and responding to inquiries received from individuals and organizations that contact the OPC for advice and assistance on a wide range of privacy-related issues. The OPC also assesses, through audits and reviews, how well organizations are complying with requirements set out in the two federal privacy laws and provides recommendations on privacy impact assessments (PIAs) pursuant to a Treasury Board Secretariat Policy4. A legal team provides specialized legal advice and litigation support, and a research team furnishes senior technical and risk-assessment support. 


Program Activity 1: Compliance Activities

2008-2009 Financial resources ($000)

2008-2009 Human resources (FTEs)

Planned Spending Main Estimates Total Authorities Actual Spending Planned Actual Difference
10,537 9,675 12,198 12,403 103 94 9


Expected Results Performance Indicators Performance Summary Performance Status
Intermediate Outcomes
Individuals receive effective responses to their inquiries and complaints. Timeliness5 of OPC responses to inquiries and complaints The Office responded to 11,750 inquiries (oral and written) in 2008-2009; 97 percent within the 30-day service standard.

For complaints, timeliness is measured by the time to close a file and the size of backlog of files. The calculation of turnaround time to process a complaint is based on the average number of months between the date of reception of the complaint and the date when findings are made or another type of disposition occurs.

To address a serious backlog of complaint investigations, the OPC decided to address the oldest cases first during this reporting period. As a result, average turnaround times became longer as the oldest files were closed. Significant progress was made in reducing the backlog, however, and the Office is on target to eliminate the backlog in 2009-2010.

  • Complaints under PIPEDA: 20.9 months on average to complete 535 complaints in 2008-2009 (16.5 months last year), with the backlog of complaint files going from 3446 to 205.
  • Complaints under the Privacy Act: 19.5 months on average to complete 990 complaints in 2008-2009 (14.4 months last year), with the backlog of complaint files going from 5756 to 333.
Partially met
Federal government institutions and private-sector organizations meet their obligations under federal privacy legislation and implement modern principles of personal information protection. Extent to which audit, investigation and PIA review recommen-dations are accepted and implemented over time Of the three7 audits that were completed during 2008-2009, 42 recommendations were made and all but one (98 percent) were accepted by the audit entities at the time of reporting. Follow-up is made two years after reporting to determine the rate of implementation of the recommendations.

The OPC initiated its first follow-up audit in January 2008 to assess progress made by the Canada Border Services Agency in implementing the 21 recommendations from a June 2006 audit report. This follow-up was completed in April 2009, therefore results will be reported in the 2009-2010 departmental performance report.
Mostly met
Federal government institutions and private-sector organizations meet their obligations under federal privacy legislation and implement modern principles of personal information protection. (Cont’d) Extent to which audit, investigation and PIA review recommen-dations are accepted and implemented over time (Cont’d) Personal Information Protection and Electronic Documents Act (PIPEDA)

The Commissioner’s investigation recommendations were accepted in 13 of the 17 (76 percent) PIPEDA-related investigations where specific recommendations were made. Of the four remaining cases, two cases were settled by the parties prior to being heard by the Federal Court, one case is being litigated and, in the fourth, the OPC decided against proceeding with litigation.

Privacy Act

Under the Privacy Act, no preliminary report of findings is issued and, in the past, recommendations were rarely made. However, in 2008-2009, the Commissioner did make recommendations in 25 cases (including two cases closed at the very end of the year such that acceptance is not yet determined), which were accepted in 13 cases (57 percent). The recommendations that were not accepted all relate to the same issue. The OPC will continue to pursue this issue through other avenues. 

From April 1, 2008 to March 31, 2009, the OPC was involved in 13 litigation cases related to PIPEDA and one related to the Privacy Act in order to promote compliance with federal privacy legislation. Some of these cases are still before the courts. Four cases were settled to the satisfaction of the Commissioner and the parties (three cases prior to, and one case after, the Commissioner’s Notice of Application in the Federal Court of Canada). In two cases, the Commissioner requested to be removed as an improperly named respondent, to which the courts agreed. In three cases, the courts rendered judgments that clarified legal obligations, thus facilitating compliance with privacy legislation.
Partially met
Privacy Impact Assessment (PIA)

In 2009-2010, the OPC will implement a formal process to follow up on the implementation status of recommendations made through investigations.

During 2008-2009, the OPC received a total of 64 PIAs, which represents a slight increase from the 60 received in the previous reporting period, and completed 31 reviews. The OPC received written responses to 62 PIA review letters (issued in either the current or previous fiscal year), a significant (94 percent) increase from the 32 responses received during the previous reporting period.

Federal departments are under no obligation to respond to the OPC PIA reviews or to implement their recommendations. Moreover, when responses are received, agreement is not always explicitly outlined. However, the Office notes that an increasing number of departments are showing a higher level of engagement and co-operation during the PIA process. And although not all departments respond to the Office’s advice formally through letters, many comments are exchanged at all stages of PIA development through on-going consultation with departmental officials.
Mostly met
Immediate Outcomes
The process to respond to inquiries and investigate complaints is effective and efficient. Timeliness of OPC responses to inquiries and complaints Refer to performance information for the same indicator earlier in this table. Partially met
The process to conduct audits and reviews is effective and efficient, including effective review of privacy impact assessments (PIAs) for new and existing government initiatives. Proportion of audits completed as scheduled and within planned times Two of the three audits (67 percent) completed during the reporting period were within planned times. Nine other audits were commenced during 2008-2009, of which seven are still ongoing and two were cancelled once it was determined that an audit was not required. Partially met
Proportion of PIA reviews completed within planned timelines Six of the 31 PIA reviews (19 percent) completed in 2008-2009 were processed within the standard 90-day time. At the end of the year, there were 94 PIAs on hand, either in backlog (48) or at various stages of the review process (46). Due to staffing shortages, a backlog of PIA submissions accrued during the reporting period and the OPC was unable to meet its goal of improving the timeliness of PIA reviews during the year. Not met

Benefits for Canadians from this Program Activity

In responding to inquiries, the OPC informs Canadians of their privacy rights. In conducting complaint investigations, audits and PIA reviews, the Office establishes whether government institutions and private-sector organizations plan to and/or collect, use, disclose, retain and dispose of Canadians’ personal information in accordance with the privacy protections included in the two Canadian privacy laws. Where non-compliance is identified, the OPC takes action to influence change aimed at protecting the privacy rights of individuals. In some cases, the investigation of one individual's privacy complaint can have huge impact when it leads to improvements that affect a large number of Canadians. In all of its compliance activities, the OPC helps protect the privacy rights of individuals by working to improve the personal information-handling practices of government institutions and private-sector organizations.

Performance Analysis

The OPC significantly reduced the backlog of complaint investigations in 2008-2009 through a number of strategies, including outsourcing some PIPEDA complaints to a legal firm and the recruitment and intensive training of 20 new inquiry and investigation staff. Many of the older complaint files have now been responded to and the OPC is on target to eliminate the rest of the backlog by March 2010. Elimination of the backlog will eventually result in much improved turnaround times and improved service to Canadians.

The OPC audit of the Privacy Management Frameworks of select federal government agencies, published in February 2009, was undertaken concurrently with the Office of the Auditor General of Canada. It was the first time that the two offices worked together and it resulted in a more comprehensive picture of the issues for Parliament. Furthermore, more government institutions than in the previous year responded to the OPC PIA recommendations and requests for information, allowing the Office to influence them to take privacy principles into account in the design and implementation of programs and services.

Lessons learned

The OPC has had to deal with the departures of trained and experienced investigators in the past year, which inevitably affected the productivity of the investigation team. Management of the investigations and inquiries unit faced a significant challenge in simultaneously reducing the backlog, re-engineering business processes, building a new case management system, and hiring, training and mentoring 20 new staff.

The audit and PIA activities suffered during this period from a human resources shortage, which affected the Office’s ability to deliver as planned. The OPC continues to have a backlog of PIA submissions waiting for review, some up to seven months. This may discourage departments from participating in the PIA process in the future, and raises the concern that privacy risks might go unidentified or unmitigated. The OPC is taking concrete steps to address its capacity situation in the PIA unit, along with some restructuring, new procedures to expedite the review of certain priority PIA files, and more informal consultations with departments to assist them in addressing privacy risks faster.

2.3 Program Activity 2: Research and Policy Development

Activity Description

The OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring legislative and regulatory initiatives, providing legal, policy and technical analyses on key issues, and developing policy positions that advance the protection of privacy rights. An important part of the work involves supporting the Commissioner and senior officials in providing advice to Parliament on potential privacy implications of proposed legislation, government programs and private-sector initiatives.


Program Activity 2: Research and Policy Development
2008-2009 Financial resources ($000) 2008-2009 Human resources (FTEs)
Planned Spending Main Estimates Total Authorities Actual Spending Planned Actual Difference
4,542 4,386 4,699 4,633 24 20 4


Expected Results Performance Indicators Actual Performance Performance Status
Intermediate Outcome
Parliamentarians and others have access to clear, relevant information, and timely and objective advice about the privacy implications of evolving legislation, regulations and policies. Proportion of privacy-relevant cases in which OPC was consulted for advice.

Proportion of cases in which the final outcome was more privacy protective than the original version.
Of 47 bills tabled in the House of Commons and Senate in 2008-2009, nine were assessed to have potential privacy impacts. The OPC was asked to appear on two of the nine bills: Bill S-2, An Act to Amend the Customs Act and Bill C-11, Human Pathogens and Toxins Act. Neither has yet received Royal Assent to establish whether the final outcome was more privacy protective than the original version. The others included private members’ bills that were not on the order of precedence, one government bill was withdrawn and others either died with the suspension of Parliament or had not reached Committee stage by the end of the fiscal year. Met all
Immediate Outcomes
The work of Parliamentarians is supported by an effective capacity to identify and research privacy issues, and to develop policy positions for the federal public and private sectors that are respectful of privacy. Key privacy issues identified and positions articulated to influence the evolution of bills through the departmental drafting stage and the legislative process The OPC provided 13 submissions and policy positions relating to potential privacy implications of proposed legislation and/or government initiatives.

OPC officials offered extensive comment on various subjects, including an overview of commercial privacy law in Canada for foreign investment officers; privacy and the use of deep packet inspection technologies; proper disclosure of employee medical information; personal information as defined by federal private-sector statute, and regional approaches to data protection.
Met all
Knowledge about systemic privacy issues in Canada is enhanced through research, with a view to raising awareness and improving privacy management practices. Key privacy issues identified, analysed, and potential impacts assessed. Research capacity continued to focus on issues of interest and concern to Canadians, building internal specialities in technological, small business and youth issues in particular.

Internal and commissioned research conducted in 2008-2009 examined the privacy implications of several new technologies, including the deep packet inspection techniques used in telecommunications network management; online social networking; electronic health records, and aspects of personal mobile technology.

The OPC organized two workshops in 2008-2009 to highlight issues of concern under the Privacy Act: the first focused on possible reforms to the Act, and the second brought together academics and civil society representatives to discuss the long-term implications of the security measures associated with the Vancouver 2010 Olympic Games.
Met all
In 2008-2009, 24 research papers were issued by the OPC on a variety of privacy topics and eight research projects were either completed or well underway.

The Contributions Program was focused in 2008-2009 to promote research and activities in support of the OPC’s four priority privacy issues. The Program also solicited proposals for public education activities in support of the OPC mandate.

A total of 10 projects were approved for $406,923 in funding to conduct research and public education in emerging privacy issues (Refer to the OPC website for a list of recipient organizations and their approved projects: http://priv.gc.ca/media/nr-c/
2008/nr-c_080623_e.cfm
).
Met all

Benefits for Canadians from this Program Activity

By examining federal programs and policies that touch on privacy, business processes that affect information security, and innovative technologies that pose challenges to personal privacy, the OPC is helping raise awareness of privacy issues among Canadians. Through its research programs, the Office also advances knowledge about privacy issues, in Canada and abroad, among institutions, businesses and the Canadian public.

Performance Analysis

The OPC brought timely advice before Parliamentarians on a number of proposed legislative measures in 2008-2009, while also engaging with federal government departments and agencies. The OPC’s research activities contributed to national and international debate on privacy issues, particularly with respect to the growing impact of technology on Canadians’ privacy rights.

Lessons learned

The Office continued to refine and update its approach to monitoring Parliamentary activity related to privacy, and will be staffing a full-time position to help co-ordinate this work in 2009-2010. In its research function, the OPC will continue to collaborate with other privacy offices, advocates, civil society, the private sector and international partners in order to maximize the impact of its work. This is especially important as many of the issues confronting the OPC are global in scope.

2.4 Program Activity 3: Public Outreach

Activity Description

The OPC delivers a number of public awareness and communications activities, including speaking engagements and special events, media relations, and the production and dissemination of promotional and educational material. Through public outreach activities, individuals have access to information about privacy and personal data protection that enables them to protect themselves and exercise their rights. The activities also allow organizations to understand their obligations under federal privacy legislation.


Program Activity 3: Public Outreach
2008-2009 Financial resources ($000) 2008-2009 Human resources (FTEs)
Planned Spending Main Estimates Total Authorities Actual Spending Planned Actual Difference
3,900 3,766 5,471 5,101 23 30 7


Expected Results Performance Indicators Actual Performance Performance Status
Intermediate Outcomes
Individuals have relevant information about privacy rights and are enabled to guard against threats to their personal information. Target audience reached with OPC public education materials OPC officials were cited in the media hundreds of times on hot privacy issues, including enhanced driver’s licences, privacy and the 2010 Olympics, airport security, Google Street View, identity theft, and the collection of personal information in retail settings. Close to 30 press releases were disseminated on a variety of issues, such as the Office’s audits of federal institutions, annual reports to Parliament, investigation of a privacy breach under PIPEDA, public opinion poll findings, and a joint release with the provinces on children and online privacy issues. The OPC also initiated two innovative audio news release campaigns, which received significant broadcast coverage.

The OPC produced about 15 new publications, including annual reports and audits, and guides for businesses and individuals on a variety of issues. The most popular publications were a PIPEDA guide for businesses (which has recently been updated); a privacy breach handbook, and an overview of issues and trends over the first seven years of PIPEDA.

Each year, the number of visitors to the OPC’s website grows steadily. On average, there were more than 140,000 hits per month, for a total of 1.7 million in the fiscal year. The OPC website was completely redesigned to respond to focus group recommendations. It is now Web 2.0 compliant, where appropriate and incorporates the OPC’s new brand. Navigation on the site has also been improved significantly, giving visitors better access to the information they seek.

As well, the OPC launched a youth privacy website, with information for youth, parents, teachers including tip sheets, animated videos and lesson plans. The site also launched a first-ever Youth Privacy Video contest, which encouraged high school students to submit short videos exploring privacy concerns. Building on such initiatives, the OPC is expanding its marketing efforts for the following year, with more public education materials for young Canadians, their parents and their teachers.
Met all
Individuals have relevant information about privacy rights and are enabled to guard against threats to their personal information. (Cont’d) Target audience reached with OPC public education materials (Cont’d) A new OPC e-newsletter was launched and there were two editions in 2008-2009. The e-newsletter provides a snapshot of the role and activities of the OPC, and promotes new tools and information available on the website. New privacy illustrations were also created – in editorial cartoon style – highlighting a variety of important privacy issues in a simple, straightforward and humorous way. These illustrations were used on the OPC website, in presentations and in other materials. Met all
Federal government institutions and private-sector organizations understand their obligations under federal privacy legislation. Degree of organizational awareness and understanding of privacy responsibilities8 In February 2009, the Office published its audit report on the privacy management frameworks of Elections Canada, Human Resources and Social Development Canada/Service Canada, and the Canada Revenue Agency. The audit examined: the structures, policies, systems and procedures in place in those institutions to ensure accountability, co-ordinate privacy work, manage privacy risks, and ensure compliance with the Privacy Act. The audit found that the privacy management frameworks of two of the federal institutions are reasonably robust, but require improvement, while there are gaps with respect to the way personal information is managed by two other institutions. Mostly met
In its 2007 Audit of PIAs, the most recent reference on the quality of PIAs, the OPC found that PIAs completed by federal departments did not fully document the analysis of privacy issues. Of the nine entities examined, only three had ”mature” PIA environments (level 4 on a scale of 1 to 5). The audit had also polled 47 federal institutions. It found that while 89 percent indicated that they used personal information in delivering their programs and services, only 32 percent said they had a formal management framework in place to support the conduct of PIAs.
Immediate Outcomes
Individuals receive and have easy access to relevant information about privacy and personal data protection, enabling them to better protect themselves and exercise their rights. Target audience reached with OPC public education materials Refer to performance information for the same indicator earlier in this table. Met all
Federal government institutions and private sector organizations receive useful guidance on privacy rights and obligations, contributing to better understanding and enhanced compliance. Target audience reached with OPC policy positions, promotional activities and promulgation of best practices In 2008-2009, the OPC launched several new tools and resources for organizations, including brochures on the Privacy Act andPIPEDA, a PIPEDA self-assessment tool for businesses, and guidelines for retailers on the collection of driver’s licence information and for companies processing personal information across borders. The OPC also published and promoted public opinion polling data specific to retail issues, and initiated more widespread public opinion polling on key privacy issues.

The OPC continues to provide guidance to federal departments and agencies to ensure privacy issues are addressed during the planning of new programs. For example, the Office raised concerns about safeguarding the personal information of Canadians in relation to the enhanced drivers licence programs being implemented in several provinces. As a result of the Commissioner’s concerns, the Canada Border Services Agency committed to ensuring that custody and control of the personal information of Canadians would remain in Canada.

The OPC also reached out to organizations through numerous appearances, media statements and resolutions in order to articulate its positions on important privacy matters such as youth privacy, the collection of driver’s licence information in the retail sector, the DNA databank, the 2010 Olympics and breach notification.

In the past year, the OPC organized a workshop on the Vancouver 2010 Olympics and held subsequent meetings with federal officials to raise concerns about the privacy impact of security and surveillance measures associated with the Olympics and to propose measures to protect privacy within that context.

In addition, with the hiring of a full-time representative in Atlantic Canada, the OPC has begun meeting with provincial and regional Chambers of Commerce and other business associations to build partnerships, develop outreach activities, and provide relevant and local information to Canadian businesses.
Met all

Benefits for Canadians from this Program Activity

By raising organizations’ awareness of their obligations under federal privacy laws and furnishing them with tools and information to better protect the personal information in their care, the OPC is helping to strengthen the privacy protections enjoyed by Canadians. The Office also directs communications and outreach activities specifically at individuals, thus heightening their awareness of their rights and abilities to exercise them. With a better understanding of the issues, Canadians are also better equipped to protect their personal information and reduce their privacy risks.

Performance Analysis

Communications and public awareness activities in 2008-2009 were significant. As a measure of impact, there was a steady increase in several indicators, including web hits, publications produced and disseminated and speeches delivered. The OPC also explored alternative approaches to communicating with Canadians so as to generate the most impact from its public education activities. These included targeted activities such as the youth privacy website, contests, videos, audio news releases and increased visibility at events. It will be important to sustain the momentum gained by these public awareness initiatives in 2009-2010.

Lessons learned

As the issues become more complex and involve new technologies and other influences, the OPC recognizes that it must remain current and continuously explore new strategies for reaching key audiences. One important lesson the OPC has derived from its experiences is that outreach activities have greater impact when they are planned and implemented with public- and private-sector partners.

2.5 Program Activity 4: Internal Services

Activity Description

Internal Services support an organization’s programs and other corporate obligations. As a small entity, the OPC’s internal services include two sub-activities: governance and management support, and resource management services (which also incorporate asset management services). Given the specific mandate of the OPC, communications services are not included in Internal Services, but rather form part of Program Activity 3 – Public Outreach. Legal services are also excluded. Because of the OPC’s legislated requirement to pursue court action as appropriate under the two federal privacy laws, legal services form part of Program Activity 1 – Compliance Activities and Program Activity 2 – Research and Policy Development.

To be consistent with the presentation of resources in the 2008-2009 Report on Plans and Priorities, this performance report presents resources associated with Internal Services as being integrated with the three other Program Activities of the Office (refer to Sections 2.2, 2.3 and 2.4 for an allocation by Program Activity).


Program Activity 4: Internal Services
Expected Results Performance Indicators Actual Performance Performance Status
Intermediate Outcome
The OPC achieves a standard of organizational excellence, and managers and staff apply sound business management practices. Ratings against Management Accountability Framework - MAF Because the Commissioner is an independent Officer of Parliament, the OPC is not subject to a MAF assessment by Treasury Board Secretariat. Nonetheless, the Office conducts a comprehensive self-assessment exercise against the MAF every two years. In September 2008, the OPC completed its second self-assessment, which indicated an overall improvement in its management practices. in 2008-2009, 60 percent of MAF areas were acceptable or strong, up from 40 percent the previous year.

Areas where OPC’s management practices meet or exceed expectations are: values-based leadership and organizational culture; corporate performance framework; corporate management structure; quality of analysis in TB submissions; quality of performance reporting; corporate risk management, fair workplace; information management; IT management; project management;, procurement, and alignment of accountability instruments. Areas where OPC has opportunities for improvement are: quality and use of evaluation; managing organizational change; sustaining the workforce; asset management; financial management and control; internal audit; management of security and business continuity, and citizen-focused service.
Mostly met
Immediate Outcomes
Key elements of the OPC Management Accountability Framework (MAF) are integrated into management practices and influence decision-making at all levels. Ratings against Management Accountability Framework - MAF Refer to performance information for the same indicator in the row above. Mostly met
The OPC has a productive, principled, sustainable and adaptable workforce that achieves results in a fair, healthy and enabling workplace. Employee satisfaction; number of grievances received; quality of labour relations; retention of staff Employee satisfaction
The federal public service launched the third Public Service Employee Survey in the fall of 2008. The OPC participation rate in the survey increased to 65 percent from the 40 percent who took part in the last survey in 2005. Once survey data become available, the OPC will look for information to assist in addressing workplace issues, including the retention of qualified employees.

Number of grievances received
During 2008-2009, the OPC received three formal grievances (one of them a group grievance) and addressed a number of informal staff relations issues. No formal complaint relating to the staffing process was received.

Quality of labour relations
The Office fosters ongoing dialogue among employees through all-staff meetings at both the organizational and branch levels. There is also dialogue with bargaining agents at labour management and health and safety committees. As well, the development of a manager’s toolkit will strengthen human resources management practices across the organization.

Retention of staff
With the influx of 69 new employees (20 of them recruited as investigation and inquiry officers), the rate of departure decreased from 42 percent in 2007-2008 to 16 percent in 2008-2009.
Mostly met
HR management practices reflect new accountabilities stemming from the Public Service Modernization Act and the Public Service Employment Act. Full, unconditional staffing delegation from the PSC; human resources planning is integrated into business planning at the OPC Full, unconditional staffing delegation from the Public Service Commission
The OPC prepared comprehensive annual reports, as required within government, which serve as a measure of the Office’s accountability in the human resource program. Feedback on reports submitted by the OPC in 2008-2009 was very positive. The OPC maintains its full, unconditional staffing delegation from the Public Service Commission.

Human resources planning is integrated into business planning at the OPC
The Integrated Business and Human Resources Plan includes branch-level business activities. In addition, HR and Finance specialists meet jointly with branch managers to discuss current and future resource requirements.
Met all
Managers and staff demonstrate exemplary professional and ethical conduct in all of their work, and are responsive to the highly visible and complex nature of the environment in which they operate. Feedback from employees on fairness, respect and engagement In 2008-2009, the formal training program for new investigators included senior management representatives and staff being engaged in an interactive dialogue about values and ethics.

As part of the performance management program, senior managers are assessed on key leadership competencies, including values and ethics. One harassment-related incident was reported in 2008-2009 for a staff complement of 150 FTEs; upon investigation, the incident was determined to be not well founded.
Met all
The performance of the OPC is defined, measured and reported upon regularly in a meaningful and transparent manner. OPC reports, particularly RPP and DPR, are well received by Central Agencies and stakeholders Based on informal comments from Parliamentarians, Parliamentary Committee members and Treasury Board Secretariat officials, the OPC continued to receive positive feedback on its annual reports, Report on Plans and Priorities and Departmental Performance Report in 2008-2009. Met all

Performance Analysis

The OPC has either met or mostly met all of its performance expectations under this Program Activity. The Office is satisfied that it has a solid foundation of internal services to support the effective delivery of its privacy business.

Lessons learned

Thanks to the implementation of the Integrated Business and Human Resources Plan 2008-2011 and an assertive approach toward recruitment and retention, the OPC was fully staffed as of March 31, 2009, based on the allocated FTEs for 2008-2009. In fact, at year end, effective risk management meant that the OPC had a staff complement greater than its annual target, knowing that the FTE allocation would rise again in 2009-2010, in the context of the 2008 Business Case. Much effort continues to be invested in human resources management and the results have been encouraging. The task now is to maintain the momentum in a competitive employment market.



Section III: Supplementary Information

This section presents the financial highlights for 2008-2009 and other items of interest. Audited financial statements can be found on the OPC website.

3.1 Financial Highlights



Condensed Statement of Financial Position
As at March 31
  % Change 2008-2009
($000)
2007-2008*
($000)
Total Assets 60% 5,259 3,283
Total Liabilities 76% 7,110 4,044
Total Equity of Canada 143% (1,851) (761)
Total 60% 5,259 3,283
* Restated


Condensed Statement of Operations
For the Period ending March 31
  % Change 2008-2009
($000)
2007-2008*
($000)
Total Expenses 37% 25,474 18,584
Net Cost of Operations 37% 25,474 18,584
* Restated

Assets by Type

Total assets were $5.259M at the end of 2008-2009, an increase of $1.976M (60 percent) over the previous year’s total assets of $3.283M.  Of the total assets, $3.079M (58 percent) were due from the Consolidated Revenue Fund.  Accounts receivable and advances represented $0.554M (11 percent) while prepaid expenses and tangible capital assets represented 3 percent and 28 percent of total assets respectively.

Liabilities by Type

Total liabilities were $7.110M at the end of 2008-2009, an increase of $3.066M (76 percent) over the previous year’s total liabilities of $4.044M.  Employee severance benefits represented the largest portion of liabilities at $2.986M or 42 percent of the total.  Accounts payable and accrued liabilities represented a slightly smaller portion of the total liabilities, at $2.70M or 38 percent).  Vacation pay and Compensatory leave and accrued employee salaries accounted for 8 percent and 12 percent of total liabilities, respectively.

Expenses - Where Funds Go

Total expenses for OPC were $25.474M in 2008-2009.  The largest share of the funds, $14.352M or 57 percent, was spent on compliance activities, while public outreach efforts represented $5.938M, or 23 percent of total expenses.  Research and policy development accounted for the remainder of the expenditures, at $5.184M, or 20 percent of the total.

Audited Financial Statements

Information on OPC’s audited financial statements can be found at the following link: http://www.priv.gc.ca/information/an-av_e.cfm#contenttop

3.2 Other Items of Interest: Legislation Administered by the Privacy Commissioner



Privacy Act R.S., 1985, ch. P-21, amended 1997, c.20, s. 55
Personal Information Protection and Electronic Documents Act 2000, c.5

Statutory Annual Reports, other Publications and Information

Statutory reports, publications and other information are available from the Office of the Privacy Commissioner of Canada, 112 Kent Street, 3rd Floor, Ottawa, ON K1A 1H3; tel.: (613) 995-8210, and on the OPC's website at www.priv.gc.ca


1 The variance of $1.152M between Planned Spending and Main Estimates represents funds that had been earmarked within the Government of Canada fiscal framework for the implementation of the Federal Accountability Act. Subsequently, the OPC submitted a business case in 2008, which triggered supplementary funding, as reflected in the Total Authorities.

2 The TBS scale for performance status refers to the proportion of the expected level of performance (as evidenced by the indicator and target or planned activities and outputs) for the priority or result identified in the corresponding Report on Plans and Priorities that was achieved during the fiscal year. The ratings are: exceeded – More than 100 percent; met all – 100 percent; mostly met – 80 to 99 percent; somewhat met – 60 to 79 percent; and not met – less than 60 percent.

3 Type is defined as follows: previous –committed to in one of the past two Reports on Plans and Priorities (RPP); ongoing – committed to at least three fiscal years prior to this RPP; and new – newly committed to in this RPP.

4 http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist-eng.asp

5 As part of a major review of its inquiry and complaint investigation processes, to be completed in 2009-2010, the OPC will set new service standards against which to compare turnaround times. Timeliness of responses will be calculated by: (i) the proportion of complaints completed within service standards and (ii) the reduction of the backlog. In the meantime, actual turnaround times are presented in 2008-2009, along with a report on the backlog.

6 Adjusted to a new definition of backlog adopted as of April 1, 2008 to include all files older than a year from acceptance.

7 The three audits completed in 2008-2009 were: (1) Privacy Management Frameworks of Selected Federal Institutions (Feb. 12, 2009) http://www.priv.gc.ca/information/pub/ar-vr/pmf_20090212_e.pdf; (2) Privacy Audit of Canadian Passport Operations (Dec. 4, 2008) http://www.priv.gc.ca/information/pub/ar-vr/pc_20081204_e.pdf; (3) Audit of Equifax Canada Inc. (April 2008).

8 This performance indicator was included in the 2008-2009 RPP but has since been modified so as to present some private-sector data only once every other year. Because the OPC last polled a sector of private industry in 2007-2008, the next survey will be conducted in 2009-2010. In the public sector, awareness is now assessed based on the quality of PIAs submitted for review. This year’s DPR reports on some information related to public-sector organizations, using the 2009 Audit of the Privacy Management Frameworks of Selected Federal Institutions http://www.priv.gc.ca/information/pub/ar-vr/pmf_20090212_e.asp and the 2007 Audit: Assessing the Privacy Impacts of Programs, Plans, and Policies (http://www.priv.gc.ca/information/pub/ar-vr/pia_200710_e.cfm).