Treasury Board of Canada Secretariat

ARCHIVED - Office of the Privacy Commissioner of Canada - Report


Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Message from the Privacy Commissioner of Canada

Jennifer Stoddart

I am pleased to table before Parliament the Departmental Performance Report of the Office of the Privacy Commissioner of Canada (OPC) for the fiscal year ending March 31, 2010.

It was a year in which the eyes of the world turned to Canada and our determination to safeguard the privacy rights of individuals threatened by the most ordinary of activities - networking with their friends online. Our in-depth investigation of Facebook's privacy policies and practices was groundbreaking in that it preceded today's wholesale re-examination of online privacy across cyberspace and around the globe.

And yet, for all its public profile, the Facebook investigation was just one highlight among many others achieved in 2009-2010 - all of them serving the privacy interests of Canadians in one way or another. We are also very pleased to report to Parliament that we have eliminated our longstanding backlog of unresolved complaints, freeing us to focus on more complex and systemic issues. At the same time, we instituted new technologies and processes to ensure we continue to deal with complaints in a timely manner.

To name just a few highlights from last year:

  • Our privacy audits and reviews of privacy impact assessments shone a spotlight on contemporary challenges to privacy, including national security, aviation safety and technology.
  • We continued to work with parliamentarians and through the courts to ensure that legislative and other policy initiatives are sensitive to privacy. While significant amendments to the Privacy Act appear to be out of reach for now, we nevertheless pressed ahead and proposed a series of administrative alternatives.
  • Through workshops, briefings, research and public outreach, we continued our efforts to explore the impact on privacy of four priority sectors: national security, information technology, genetic information and identity integrity.
  • We continued to reach out to business and other target groups with clear and specific guidance, and promoted awareness of privacy challenges among youth and the public at large.
  • Globally, we participated in numerous initiatives aimed at strengthening privacy protections and the security of international data flows.
  • Internally, we focused on building capacity by recruiting and retaining skilled, dynamic, dedicated - and, in many cases, young - employees.

The report that follows provides more details on these and many other activities that helped make 2009-2010 stand out as a banner year for the OPC. At the same time, it provides context for the new year underway, and the opportunities and challenges ahead. In the wake of the Facebook investigation, for instance, we have already confronted other technology giants, and have expressed renewed concerns over Facebook's practices.

Sadly, we will be saying goodbye to Elizabeth Denham, the Assistant Commissioner responsible for the Personal Information Protection and Electronic Documents Act, as she takes over as the Information and Privacy Commissioner for British Columbia. On the plus side, we look forward to opening a new office in Toronto, from which we can better interact with business and other stakeholders.

Against this backdrop, I am pleased to share this report on last year's achievements in protecting and promoting the privacy rights of Canadians.

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada


Section I: Overview

1.1 Summary Information

Raison d'être

The mandate of the Office of the Privacy Commissioner of Canada is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals[1].

Responsibilities

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

  • investigating complaints, conducting audits and pursuing court action under two federal laws;
  • publicly reporting on the personal information-handling practices of public- and private-sector organizations;
  • advising on and reviewing privacy impact assessments (PIAs) of new and existing government initiatives;
  • supporting, undertaking and publishing research into privacy issues, and
  • promoting public awareness and understanding of privacy issues.

The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. The Office focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation where appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek an order to rectify the situation.

Strategic Outcome and Program Activity Architecture

To pursue its mandate effectively, the OPC works toward a single Strategic Outcome: the protection of the privacy rights of individuals. Three program activities and one management activity support this Strategic Outcome, as outlined in the diagram below.

Strategic Outcome: The privacy rights of individuals are protected.

Program Activity:
  1. Compliance Activities
  2. Research and Policy Development
  3. Public Outreach
  4. Internal Services

Alignment of Program Activity Architecture to Government of Canada Outcomes

The Privacy Commissioner is an Officer of Parliament who reports directly to Parliament. The Strategic Outcome of, and the expected results from, her Office are detailed in Section II of this Departmental Performance Report.

1.2 Performance Summary

The following table presents the total financial and human resources that the OPC has managed in 2009-2010.

Financial and Human Resources


2009-2010 Financial Resources ($000)
Planned Spending | Total Authorities | Actual Spending
22,323 | 23,810 | 22,640

2009-2010 Human Resources (FTEs*)
Planned: FTEs (including FedAA) | Planned: Adjustment: FedAA | Planned: Adjusted FTEs | Actual | Difference
178 | (11) | 167 | 158 | (9)
* Full-time Equivalents

Commencing in the 2009-10 Estimates cycle, the resources for the Internal Services program activity are displayed separately from other program activities; they are no longer distributed among the remaining program activities, as was the case in previous Main Estimates. This has affected the comparability of spending and FTE information by program activity between fiscal years.

The originally planned FTEs presented in the 2009-2010 Report on Plans and Priorities included the human resources related to the Federal Accountability Act (FedAA) of 11 FTEs, as identified in the FedAA Action Plan funding in the 2006 Federal Budget. The OPC was allocated 167 FTEs to carry out its 2009-2010 activities. The Office used 158 FTEs in 2009-2010, which represents 94.6 percent of the 167 adjusted planned FTEs. The variance of nine FTEs is mainly due to the turnover of staff during this fiscal year and to the Office having used more professional services to meet and achieve its commitments.

Contribution of Priorities to the Strategic Outcome

In 2009-2010, the OPC had five corporate priorities, which are listed in the table below. Work to advance each priority contributed to progress toward the Office's Strategic Outcome. The following table presents, for each priority, a performance summary against the specific commitments made in the 2009-2010 Report on Plans and Priorities and a self-assessment of performance status based on the Treasury Board Secretariat's scale[2]. More performance information is also provided in Section II - Analysis by Program Activity.

Strategic Outcome: The privacy rights of individuals are protected.
OPC Priorities for 2009-2010 | Type[3] | Performance Summary | Performance Status
1. Continue to improve service delivery through focus and innovation
Type: Ongoing
Performance Summary: The backlog of complaint files older than one year from receipt was eliminated as planned. A robust exercise to streamline the OPC investigative process was implemented successfully. An early resolution unit was created and of the complaint files that were received and closed (477 files) in 2009-2010, 25 percent were early resolved, thereby avoiding the more resource-intensive investigation process and contributing to a decline in new complaints being registered under both Acts. A new position of Complaint Registrar was created to assign priorities to complaints received and better allocate OPC investigative resources. Regular meetings were instigated with federal departments that hold large amounts of personal information under the Privacy Act, in order to facilitate information exchange and resolution.

A new standardized privacy audit methodology was drafted in 2009-2010 and will be formalized in 2010-2011. A new approach to the review of Privacy Impact Assessments (PIAs) was adopted so that reviews would be grounded in human rights law. Government institutions are now challenged in their PIAs to justify infringement of privacy in relation to the necessity, effectiveness and proportionality of the proposed measure, as well as the availability of any more privacy-sensitive alternatives (a four-part test derived from the Supreme Court of Canada ruling in the case of R. v. Oakes). A triage method was instituted to address the increased number of PIA submissions received.

The OPC conducts at least quarterly meetings with provinces with substantially similar legislation to identify emerging privacy issues. This year, the Office collaborated with the province of British Columbia to publish a guidance document on privacy and the Olympics.
Performance Status: Met all
2. Provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, and genetic information)
Type: Previous
Performance Summary: Implementation began in 2009-2010 on the three-year strategic plans adopted for the four priority privacy issues that were approved last year. Progress monitoring and reporting against the plans show the following key accomplishments:

Information technology: The OPC organized two well-attended workshops to examine aspects of geospatial information and privacy (http://www.priv.gc.ca/newsletter-bulletin/2009-4/3_e.cfm). Industry briefings on new and emerging technologies and services were organized on topics such as online authentication, cloud computing, biometrics, road-use charging, and e-passports, significantly increasing OPC knowledge of these issues.

National security: The OPC audited national security programs including the Passenger Protect Program (http://www.priv.gc.ca/information/pub/ar-vr/ar-vr_ppp_200910_e.cfm) and FINTRAC (http://www.priv.gc.ca/information/pub/ar-vr/ar-vr_fintrac_200910_e.cfm) and followed up on implementation of recommendations made as part of the 2006 audit of the Canada Border Services Agency (http://www.priv.gc.ca/information/pub/ar-vr/cbsa_060620_e.pdf). The Office prioritized Privacy Impact Assessments related to national security. Several learning events relating to national security took place in 2009-2010 and have deepened OPC knowledge in this area.

Identity integrity and protection: The Office published the results of its exhaustive 14-month investigation into Facebook's privacy policies and practices, which highlighted concerns about the company's transparency with respect to its use of personal information (http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm), prepared associated research and public education material, and advanced the identity integrity agenda and the privacy rights of more than 12 million Canadians.

Genetic information: The OPC provided input to Parliament as part of its review of the DNA Identification Act, and also co-sponsored with Genome Canada a successful workshop that engaged other federal partners on consent issues related to biobanks (http://www.priv.gc.ca/speech/2009/sp-d_20091127_e.cfm).
Performance Status: Met all
3. Strategically advance global privacy protection for Canadians
Type: Previous
Performance Summary: The OPC participated actively in meetings of the Organisation for Economic Co-operation and Development (OECD) and continued its involvement in promoting privacy protection within the Asia-Pacific Economic Co-operation (APEC) economies. Both the OECD and APEC are developing mechanisms to encourage and facilitate co-operation among enforcement authorities. As well, a member of the OPC's research staff was seconded to the OECD to support the Organisation's reassessment of the influential OECD Privacy Guidelines. The Office collaborated with the U.S. Federal Trade Commission on a complex investigation of an Internet-based data broker engaged in transborder activities, and offered support in related litigation by filing an amicus curiae ("friend of the court") brief.

In November 2009, the Assistant Commissioner delivered a speech at the 31st International Data Protection Commissioners Conference in Madrid where dozens of the world's data protection authorities endorsed a draft international standard on privacy protection. In conjunction with that event, the OPC also took part in the Third Conference of Francophone Personal Data Protection Commissioners. As well, the Office contributed to the development of the Memorandum of Montevideo, signed by various Latin American countries. The Memorandum offers guidelines for legislators, government institutions, businesses and educational institutions in Latin America as they develop policies, programs and practices aimed at protecting youth privacy on the Internet.

In addition to a continuing role with the International Standards Organisation (ISO), the OPC has taken on new responsibilities with membership in the ISO Technical Management Board Privacy Steering Committee and participates in an ISO subcommittee on biometrics.
Performance Status: Met all
4. Support Canadians, organizations and institutions to make informed privacy choices[4]
Type: Previous
Performance Summary: During 2009-2010, the OPC expanded its public education activities in Atlantic Canada and Ontario, while also producing additional resource materials for small business owners and other target markets. As well, the Office broadened its information technology assets to analyse new business models and evolving technologies.

The OPC developed new guidance and information for Canadians and organizations on a variety of privacy issues. There was a significant increase in requests for these materials, as evidenced by hits to the OPC website, the distribution of publications, and an increase in speaking engagements (refer to section 2.3 of this report for more information).

The Office, in consultation with provincial and territorial counterparts, published guidelines for administrative tribunals in relation to the disclosure of personal information during the publication of their decisions on the Internet (www.priv.gc.ca/information/pub/gd_trib_201002_e.cfm).


In 2009-2010, the Office made 14 appearances before parliamentary committees to comment on the privacy implications of new legislation or ongoing programs (refer to section 2.2 of this report).
Performance Status: Met all
5. Enhance and sustain the organizational capacity
Type: Previous
Performance Summary: With an increase in funding in 2008, the OPC continued its efforts to meet rising demand by building human resource and infrastructure capacity.

The OPC continues to implement its 2008-2011 Integrated Business and Human Resources Plan. An Employee Toolkit and a Managers' Toolkit were developed to help orient employees within the organization and the government environment. The OPC continues to favour the use of online knowledge assessments, managed through a web portal, to support its recruitment efforts.

The Office enhanced its communications strategy for recruitment, notably by launching a video on YouTube that highlighted vacant positions and the OPC work environment. (The video is also accessible through the Public Service Commission's jobs.gc.ca web portal.) The Office also used new communication media such as blogs and Twitter to advertise openings that have been difficult to fill in the past. This contributed to the recruitment of a highly skilled workforce able to support the OPC's research and investigative efforts involving the privacy implications of sophisticated information technologies (IT).

The OPC improved job postings used to attract Co-op and Federal Student Work Experience Program students in IT. By presenting opportunities with minimal bureaucratic terms and by including testimonials of previous students employed at the OPC, the Office successfully recruited students with high academic achievements for each placement of the school year.

After an intensive two-year effort, a new case management system was rolled out in September 2009 in order to enhance organizational capacity. The system allows the OPC to track complaints, monitor the investigation process and analyze trends. The system and related IM/IT initiatives will help streamline the investigation and other processes.

Several SharePoint sites were built across the OPC to increase information sharing and collaboration within the Office for specific business needs such as the organization and reporting of national consumer consultations. An information technology lab platform was configured to support the OPC research team. A new desktop security suite was provided to all staff.
Performance Status: Met all

The OPC is satisfied that all commitments made to advance its five corporate priorities, as published in the 2009-2010 Report on Plans and Priorities, were "all met".

Risk Analysis

External Factors

Thirty years ago, the members of the Organisation for Economic Co-operation and Development agreed on a common set of guidelines for the protection of privacy and transborder data flows. These guidelines helped set the stage for a broad array of privacy and data protection legislation enacted in many OECD countries during the intervening years. Canada's own private-sector privacy legislation draws from this common heritage. In recent years, the OPC has been challenged to apply this legislation to a global business environment that seeks to collect and interpret increasing amounts of information about its users and clients. Canada's public-sector privacy legislation dates from the same era, and faces similar pressures.

In the private sector, demographic data, product preferences, search histories and countless other details not only inspire innovative new products and processes, but also make users more susceptible to behavioural targeting and profiling on the basis of economic and social analysis.

In the public sector, meanwhile, Canadians are confronted with a never-ending stream of demands to verify their identity and reassure authorities that they are upstanding members of society. Technology and tactics originally implemented abroad, such as automated licence plate recognition, closed-circuit television networks, radio frequency identification (RFID)-equipped identity documents and invasive border security techniques, are finding their champions among Canadian intelligence and security authorities.

Indeed, whether to enhance efficiency, increase national security, rationalize social services or strike international information-sharing agreements, the government seeks continually to expand the amount of data it holds on its citizens. As a result, Canadians frequently encounter circumstances where they feel their privacy rights are being undermined.

The OPC recognizes that international cooperation is essential to push for increased respect for privacy rights from public-sector authorities and improved data protection among private-sector organizations. As such, the Office is working with international counterparts to address the privacy challenges facing Canadians today.

The OPC also works with researchers, advocates and academics to understand technological and social solutions to these challenges. The Office, moreover, is examining how to provide Canadians with appropriate information and tools to help them counter demands for their personal information.

When required, the OPC marshals its legislative powers to effect change by domestic and international organizations. Recent investigations by the Office demonstrated that the strategic application of these legislative authorities can, in fact, compel change.

The rapid progress of technology, however, is challenging traditional approaches to privacy protection. In an environment where a smart phone can relate locational data to pictures, voice messages, Internet use history and other activities, how do we define personal information? As genetic testing procedures drop in price but rise in accuracy, how do we ensure continuing data protection? In either case, how do we ensure that Canadians have the opportunity to provide their informed consent?

Authorities such as the OPC must continue to develop tools to confront institutional and technical challenges to privacy and data protection rights. This demands ongoing engagement with provincial, territorial and international authorities, constant monitoring of business trends and product developments, insight into intelligence and security threats, and technological expertise.

Key Risks

In this turbulent environment, the OPC manages risks to the successful delivery of its responsibilities. The three most critical risks faced in 2009-2010 follow, along with the mitigating measures used to manage the risks:

First, the OPC continues to have more business demands than it can handle. This creates the risk that the Office may not meet all of its mandated requirements. To reduce capacity challenges and improve service delivery, the OPC re-engineered its complaint investigation processes; implemented a new case management system; eliminated its longstanding backlog of complaints, and continued focusing efforts on four priority privacy issues (information technology, national security, identity integrity and protection, and genetic information). Nevertheless, the Office remains vulnerable as demands continue to increase. Government-wide capacity challenges continue to drive the human resources strategies. Implementation of the OPC Integrated Business and Human Resources Plan 2008-2011 is proving to be effective and has resulted in a more stabilized workforce. Recruitment efforts continue to reach out to a broader pool of candidates.

Second, protecting data from unauthorized disclosure has been a continuous challenge for the OPC, just as it would be for any organization that depends on technology to manage operations. The OPC has information technology (IT) security and related controls in place to address this challenge. These include compliance with the Treasury Board Policy on Government Security; regular Access to Information Act and security of information training for personnel; enforcement and review of the OPC information management and IT policies, directives and practices; safeguards of licences for information management and IT products; keeping perimeter defences current; use of encrypted USB data storage devices where appropriate; enhanced security measures for visitors to the building; security patrols for safeguarding assets and information; new and improved security access keys for all closed offices and perimeter entrance doors; reinforced security for all new servers; periodic enterprise threat and risk assessment, and approval of a business contingency plan.

Third, the Privacy Act is not up to date and does not offer sufficient recourse when there are privacy breaches. A comprehensive reform of the Act is long overdue. Since 2008, when the House of Commons Standing Committee on Access to Information, Privacy and Ethics commenced a review of the Act and the Privacy Commissioner proposed a list of 10 "quick fixes" as a first step in modernizing the law, the government has not introduced new legislation. This remains a risk, but the OPC cannot act further upon it, other than to continue to remind Parliament of the importance of this issue for Canadians.

Expenditure Profile


Spending Trends

The OPC Main Estimates and Planned Spending amounts have increased steadily since 2007-2008, including approved funding from Business Case II of $3.064 million in 2008-2009 and $4.295 million in 2009-2010 to address the backlog of privacy investigations, expand public outreach and implement the internal audit initiative. The backlog was eliminated as of March 31, 2010, many public outreach initiatives were directed at businesses and other target groups, such as small businesses and youth, and the OPC now has an internal audit function.

There is no significant difference between the Main Estimates and the Planned Spending amounts, which are presented as a single figure. The variance between the Planned Spending and the Total Authorities is due to compensation for collective agreements and funding carried forward from the previous year. Actual spending reflects the same trend as the funding. As such it was lower in 2007-2008 than in 2008-2009 and 2009-2010, due to funding granted in Business Case II.

Voted and Statutory Items

This table shows the voted items that Parliament approved through the Main Estimates with its supply bills. The statutory items are displayed for information purposes only.

($000)
Vote or Statutory Item | Truncated Vote or Statutory Wording | 2007-2008 Actual Spending | 2008-2009 Actual Spending | 2009-2010 Planned Spending/Main Estimates | 2009-2010 Total Authorities | 2009-2010 Actual Spending
45 | Program expenditures | 15,677 | 20,473 | 20,101 | 21,691 | 20,521
(S) | Contributions to employee benefit plans | 1,453 | 1,664 | 2,222 | 2,119 | 2,119
Total | | 17,130 | 22,137 | 22,323 | 23,810 | 22,640

The increase of $0.5 million in Actual Spending between 2008-2009 and 2009-2010 is mainly attributable to changes stemming from the collective agreement (i.e., salaries and corresponding contributions to employee benefit plans).