Information & Ethics Committee on April 27th, 2010

Yes, for the most part. The one thing I would add is that in the reports on plans and priorities, which is the estimates that are before you, if you look at the financial resources, it identifies for the Electronic Commerce Protection Act amounts over the next three fiscal years, including this fiscal year. For 2010-11 we've identified a requirement for $849,000. For next year, for 2011-12, it is $2.1 million. That number remains at $2.1 million into the future, so it's for 2011-12 and ongoing.

In terms of the FTEs and our people involved this fiscal year, if the legislation were reintroduced and passed, we would be seeking resources, presumably under the supplementary estimate process, for those amounts of moneys that I just indicated. As well, in terms of FTEs, it's four this year and six for next year and the years after that.

Although $100,000 was allocated through the supplementary estimate process, because the legislation did not pass or receive royal assent, it has been placed in a frozen allotment, and for all intents and purposes it has lapsed and is gone forever. We will not see any financial benefit of that $100,000.

We're trying to give Parliament as much detail as possible in distinguishing the work that is necessary to follow laws, technologies, human problems, or social trends in terms of privacy. We need to know what's happening, we need to analyze them, and we need to see how they fit in--or not--with Canadian law. So that's more the policy research development.

Secondly, we need to take the results of that and the best advice that we can give and reach out to Canadians by appropriate means. I think that's a quick way of describing it.

No, we are responsible for our office and—

Yes, some of our audits will probably focus on that. I will ask Assistant Commissioner Bernier to answer that question.

Yes. It is the container for what we work to protect. We are addressing the matter in a number of ways. First, we are carrying out two audits on wireless communications and electronic infrastructure. And, as part of our review of privacy impact assessments, we are focusing on specific security concerns. Finally, we established a dialogue with Public Safety Canada's cybersecurity unit to strengthen our relationship and complement our work in that area.

According to our mandate, we work on a case-by-case basis. For example, if one of our investigations reveals weaknesses in a department's electronic infrastructure, we make recommendations. Our annual report identified two cases where our recommendations led to better electronic infrastructure.

In one case, a department had a leak of personal information. We realized that access procedures were not adequate, so much so that over 1,000 people had access to the personal information of a single Canadian who was in custody abroad. Obviously, that is inappropriate. We made recommendations, and limits were placed on access. In another case, also mentioned in our report, a department was the victim of a cyber attack, which jeopardized the security of 60,000 people's personal information. In that case, too, the department took measures to strengthen its electronic infrastructure on its own.

First of all, every privacy impact assessment, in other words, the assessment that departments or agencies are subject to when implementing a program or policy, includes a security component. So we ask serious questions about that.

Second, we take note of any vulnerabilities for our audit plan, which is based on risk. And, clearly, we take those factors into account when choosing which audits to do next, precisely to ensure we are focusing on areas that present risks.

Not systematically, no, but we perform audits in cases where we think it is the most relevant. An audit—

When deciding where an audit is needed most, we look at the volume of information the institution has, as well as information disclosure practices and risks. Of course, we take into account the number of complaints in an area and the nature of the personal information being collected, among other things. As I said, volume is a factor. All of that goes into selecting the organizations we feel are most at risk.