Evidence of meeting #22 for Access to Information, Privacy and Ethics in the 40th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was privacy.
A recording is available from Parliament.
4:10 p.m.
Conservative
Earl Dreeshen Conservative Red Deer, AB
I'll get off the lawyers' story now.
In the 2009-10 report on plans and priorities you indicated that your office had four priority issues: information technology, national security, identity integrity and protection, and genetic information. How have you identified these priorities, and what specific actions do you plan to take on them in the coming year?
4:10 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We identified them through in-house debate and brainstorming based on a reading of not only what the public came to us for, but the challenges looming outside in our environment.
We have quite a few different goals, such as a genetic privacy working group.
On what we have done for the last year, maybe I'll go to this year, because we're on estimates for this year. We are going to meet with patient advocacy groups on issues relating to genetic discrimination. We have the assistant commissioner for the Privacy Act, who sits as a member of the National DNA Data Bank Advisory Committee. So for her to keep up to date and look at their files is something. We participate in the review of the DNA Identification Act. We will probably--we're just looking to make sure we have the money--organize a series of public policy workshops on various aspects of genetic information.
4:10 p.m.
Conservative
Earl Dreeshen Conservative Red Deer, AB
Going back to the report, you spoke of some concerns about your own office keeping up with privacy and security infrastructure, and so on. You referred to this type of ongoing risk. Are there risks that all organizations face with the new electronic technologies and some of the challenges that are looming? Are there some serious shortcomings in your own technology capacity at the moment?
4:10 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I don't think there's anything serious. I'm going to ask the director of corporate services to speak to that, because we have initiated a very serious risk management program, and we annually update this risk management profile. We are very concerned about possible breaches and the impact they would have on Canadians' confidence in their personal information if our office couldn't withstand breaches. So we spend a lot of time on this, trying to keep up with the latest issues around information security and confidentiality.
I'll ask Mr. Pulcine to complete my answer for me.
May 25th, 2009 / 4:15 p.m.
Tom Pulcine Director General and Chief Financial Officer, Corporate Services Branch, Office of the Privacy Commissioner of Canada
Perhaps the only thing I will add is that we do a number of threat risk assessments, and there are different types of assessments one can do over a period of time. Because of the sensitivity of this issue to us, we take it very seriously. When you do a threat risk assessment, a vulnerability assessment is done to see how vulnerable we are to attack. We have it done by different firms to ensure we are not vulnerable. It's something we're very conscious of. So I don't think there are any issues within the Office of the Privacy Commissioner--any significant risk.
4:15 p.m.
Conservative
Earl Dreeshen Conservative Red Deer, AB
So these are the techniques, then, that you go through to make sure everything is fine.
Do you ever let others know what you're trying to do, so that other organizations might be able to protect their own privacy using these same techniques?
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Well, I think for those who know about this and are in the business of security, threat and risk assessments are something fairly standard. Now, as for exactly how they carry them out, the experts know.
We don't talk about our own assessment to the private sector companies, for example, or the government departments, but we certainly do dwell on the principle, the importance of security to maintaining confidentiality and privacy.
Data breach is a huge issue for Canadians. Data breach in the private sector is still an ongoing problem in Canada, as it is in the United States, and so on. I think we had something like 69 data breaches reported last year—and that's without mandatory legislation. Some of those were quite serious data breaches in the private sector. Now, had these organizations not done threat and risk assessment, they might have been better protected. But in fact we found out—and we'll talk about this in our next annual report—that rogue employees are a big cause of data breaches. That's a little harder to deal with.
4:15 p.m.
Liberal
The Chair Liberal Paul Szabo
Okay, we're going on to the second round.
Mr. Wrzesnewskyj, please, for five minutes.
4:15 p.m.
Liberal
Borys Wrzesnewskyj Liberal Etobicoke Centre, ON
Thank you, Chair.
We have a tremendous quality of life and we come together collectively, but we also have private or personal lives, our family lives. That privacy is an important component of our quality of life.
We were just talking about these new technologies: real-time surveillance, personal genetic information gathering, etc. These technologies are rapidly evolving and posing threats.
We just talked about the threat risk assessments you do, but when I look at your budget, I notice that for this coming year it's $22.3 million, and then it drops back down to $22 million basically, and you then have it going at $22 million over the next couple of years after that. The numbers seem conservative to me. I would have thought that with these threats to Canadians' privacy and the threats collectively, we would be ramping up the resources within your department to deal with these types of threats.
Have we done a cost analysis of how to deal with these threats, to be proactive as opposed to being strictly reactive?
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We did in the past when we had a significant increase in our budget. The whole budget history of the office is not there in the estimates, but in fact our budget has been doubled over the last five years. So within that context, it certainly seems like there's been a major increase in our funds.
The reason the budget drops in 2010 is that we asked for resources to deal with the backlog. We hope the backlog will be eliminated, that we'll be more efficient, and that we'll then come back to the status quo.
4:15 p.m.
Liberal
Borys Wrzesnewskyj Liberal Etobicoke Centre, ON
Okay. So the increases over the past couple of years, or a significant portion of them, were primarily to deal with these new threats on the horizon?
4:20 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
A significant portion of the increase was to deal with the increasing sophistication of privacy threats, the issues of new technologies, which are very hard to understand, first of all, and then hard to investigate or monitor, and for international cooperation on them, because they are technologies that usually come from outside Canada. It's for things like that.
4:20 p.m.
Liberal
Borys Wrzesnewskyj Liberal Etobicoke Centre, ON
Your recommendation number 10 talked about the sharing of data and the problems with the sharing of Canadians' personal data with foreign governments. I note that we have 271 so-called agreements with some 147 countries in the world. Has your threat risk assessment group looked at these 271 agreements and done an assessment; and if so, could we see a report card on how you rank the threat risk of those 271 agreements with 147 countries?
4:20 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
No, we haven't. The threat risk assessment was just to the Office of the Privacy Commissioner against spam attacks, electronic attacks, or spoofing; or people penetrating who are not employees, getting access to our computer network where people's complaints are and things like that. It didn't have to do with the information sharing agreements.
4:20 p.m.
Liberal
Borys Wrzesnewskyj Liberal Etobicoke Centre, ON
So we really have no idea how stringent the rules are in these 271 agreements. If we're talking about agreements with 147 countries, that's a number that's significantly higher than the number of democracies that would subscribe to the same principles that we subscribe to. I would assume that also includes a large number of dictatorships, totalitarian regimes, and so on. So I think that would be a priority, and perhaps resources should be dedicated to that area.
We talk about these new technologies and the threats. Have we done a costing? Once again, this is about being proactive as opposed to just responsive to individual complaints, to protect vulnerable groups within our society. None of us likes our credit information being shared and shared by credit card companies. That has received a lot of media attention.
But what about children, for instance? A computer is a window into a child's life. Have we looked proactively to see what needs to be done in that area? Has your group looked at that?
In terms of seniors and the telephone, these marketing companies that prey on vulnerable seniors, have we done that type of proactive work? What is the costing? Have you budgeted for that type of work?
4:20 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
For seniors, we entertain several complaints that are made usually on their behalf. We try to operate a change in the practice of the company that's preying on them. I think we've been fairly successful in the complaints we've had.
As for children, we have a whole new initiative on youth privacy, which was an issue we really brought to international attention when we hosted the international conference in 2005. We have a youth privacy website. We have a joint initiative with commissioners in several other provinces. We have a youth privacy blog. I don't know if we have that as a particular cost, but it's a major resource centre in terms of initiatives in order to educate this demographic and educate their parents on the issues of privacy online.
I've just remembered: we have a campaign with, for example, stickers that you can put on your iPod that say, “Think before you click”. We're trying to do a lot of these things to reach down to youth.
4:20 p.m.
Conservative
Kelly Block Conservative Saskatoon—Rosetown—Biggar, SK
Thank you, Mr. Chair, and welcome again to you, Ms. Stoddart.
I remember way back in the beginning--I think it was at our first session when we met with you, or maybe it was even in January--you referred to the four priorities that your department had outlined. Those were information technology, national security, identity integrity, and protection. You referred to them again today in your remarks to us. Could you remind me how these priorities were identified for your department?
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
They were identified in a number of ways: by looking at the complaints, certainly the phone calls and the letters, everything that came into the office as to what Canadians were concerned about, and polling that we do annually; by looking at the evolution of the outside environment in terms of new technologies about to be put on the market; by looking at the media; and by reviewing some of the work that has been done for us by various experts on some of these issues. In order to try to focus our energies, we said we thought many of the things we had converged to those four priorities.
4:25 p.m.
Conservative
Kelly Block Conservative Saskatoon—Rosetown—Biggar, SK
And what specific actions do you plan to take with respect to those priority areas in this coming year?
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
There are quite a few. Let me refer to various things.
I believe that I talked about the genetic information.
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I mentioned that there are jobs not filled. In terms of information technology, one of the things we want to do this year is hire and train enough people within our office to better assess the privacy impact of new information technologies coming on stream every day.
Another thing is to increase public awareness of technologies that have potential impacts on privacy, which means putting out information for the public.
Another area is providing practical guidance to organizations and institutions, in both the private sector and the public sector, on the implementation of specific technologies. For example, how should we deal with RFIDs--radio frequency identification devices--which are being rolled out at the pallet level across Canada and which are also the components of the electronic driver's licence being adopted in several provinces that will supposedly help people pass a border checkpoint faster?
Is that okay? That's an example. Would you like me to go on?
4:25 p.m.
Conservative
Kelly Block Conservative Saskatoon—Rosetown—Biggar, SK
No, that's okay.
I have one other question related to the estimates and to one of the quick fixes you've recommended, which is a clear public education mandate. You indicated when we met with you at one point in time that educating the public was one of the most important roles--some would say the most important role--for the Privacy Commissioner. Is that contemplated in your estimates? You have 163 staff now, and you're moving to hire up to 178 staff. Are you hoping that you'll have an increased public mandate, and has that been contemplated in the numbers you've presented to us today?