Thank you very much, Mr. Chair.
It's a pleasure to be back before this committee after the summer recess. I welcome this opportunity, because since I've last been before you, I have released two annual reports to Parliament. The topic for today is the findings in my two annual reports.
First of all, Mr. Chair, the annual report on the Personal Information Protection and Electronic Documents Act, known as PIPEDA, Canada's private sector privacy law, was tabled in June of this year. As you will also recall, Mr. Chair, we presented our most recent annual report to Parliament on the Privacy Act just two weeks ago.
Over the next few minutes, I propose to offer to the committee some highlights from those reports and some highlights of our work over the past year. Then I would be happy to take all the questions members of the committee may have.
First is the Privacy Act annual report. I will mention parenthetically for the new members of the committee that the Office of the Privacy Commissioner administers two privacy laws, one in the public sector and the other, the more recent, in the private sector. I'll start with the report on the one on the public sector, which is the one we released in September.
The Privacy Act report of September traced our efforts to safeguard privacy rights in the face of two key challenges: rapidly evolving information technologies and the pressures of national security and public safety measures. On the whole, it is safe to say that most public servants take good care of the personal information entrusted to them by Canadians.
Still, and unfortunately, there were some exceptions. One complaint to our office, for instance, involved the unauthorized access by Canada Revenue Agency employees to the tax records of prominent Canadian athletes. While such a breach cannot be undone, it did lead the Canada Revenue Agency to update its audit capabilities to better control access to personal information.
I now want to talk about wireless and disposal audits. The annual report also summarized two privacy audits we undertook during the year.
One found significant shortcomings in the way government institutions dispose of surplus computers, with many still containing sensitive data. We also discovered that documents are shredded by private contractors without the necessary degree of government oversight.
A second audit of the use of wireless networks and mobile devices of five federal departments and agencies uncovered numerous gaps in policies and practices that could put the personal information of Canadians at risk.
I will now move on to Veterans Affairs. Just a few weeks ago, we announced plans to conduct another privacy audit—this one of privacy policies and practices at the Veterans Affairs Department. This, as you know, was sparked by concerns that came to light during our investigation of a complaint launched by a veteran who has been an outspoken critic of the department.
Our investigation determined that the veteran's sensitive medical and personal information was shared—apparently with no controls—among department officials with no legitimate need to see it. The information then made its way into a ministerial briefing note about the individual's advocacy activities, something I deemed entirely inappropriate.
We are still working out the scope of the audit. We hope, though, that it will provide guidance as the department implements the recommendations stemming from our investigation.
In June, we also published our findings in an important audit on the private sector side. This one was triggered by a string of serious data breaches among Ontario mortgage brokers that compromised the personal information of thousands of Canadians. Our audit under PIPEDA found that the breaches caused several of the brokerages to take further steps to better protect personal information.
And yet, we determined they had not gone far enough. Indeed, our audit raised concerns about data security; the haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of accountability for privacy issues.
The audit was summarized in the PIPEDA annual report, which also highlighted the challenges of enforcing privacy rules in a world where data flows readily and instantly around the world.
I would like to talk now about Google Buzz and a bit of our international work.
We recognize that addressing this global challenge will demand agility and resourcefulness on the part of all privacy authorities. That is why, when Google disregarded privacy rights in the rollout of its Google Buzz social networking service last February, we opted for an innovative alternative to our conventional tools of audit and investigation.
Instead, we led nine other data protection authorities from around the world in an unprecedented--and I think highly effective--tactic: the joint publication of an open letter that urged Google and other technology titans entrusted with people's personal information to incorporate fundamental privacy principles directly into the design of new online services.
We are engaging with global partners in numerous other ways as well. Last month, for instance, we joined other data protection authorities from around the world to establish the Global Privacy Enforcement Network, which aims to bolster compliance with privacy laws through better cross-border cooperation. Later this month at an international conference of data protection privacy commissioners, I will be co-sponsoring a resolution that would see privacy considerations become embedded into the design, operations, and management of information technologies--or at least that is the wish.
A couple of our other files are of great interest to many Canadians: Google Wi-Fi and Facebook. Just this morning, we released our preliminary findings in an investigation of Google's collection of Wi-Fi data by a camera car shooting images for the company's Street View mapping application. We have learned that while collecting Wi-Fi signals, Google had also captured personal information, some of it highly sensitive. The collection appears to have been careless and in violation of PIPEDA. We are making several recommendations that would bring Google into compliance with Canadian law and help safeguard the privacy of Canadians.
But Google isn't the only major technology giant we have had concerns about during the past year. In September, we were able to wind up an investigation of Facebook that was heavily publicized last year. In 2009, Facebook agreed to make certain changes to its site, which took a year to fully and satisfactorily implement. This concluded lengthy and intensive discussions between my office and Facebook, which eventually led the social networking company to significantly boost the privacy protections available on its site.
As we look ahead, I'm looking forward to many other initiatives to strengthen the privacy rights of Canadians. You will, of course, be familiar with two pieces of legislation currently before the House that are of particular interest to my office.
Bill C-28, called FIWSA in English, the anti-spam legislation, would give us important powers to control which cases we investigate and permit the sharing of information for the purposes of enforcing Canadian privacy laws. Earlier I mentioned the Global Privacy Enforcement Network, the group of data protection agencies who together are working toward ensuring better compliance. For us to be an effective member, we need the ability to share information with our international counterparts when necessary, and the provisions in this bill will assist in making that possible.
Bill C-29, meanwhile, would amend PIPEDA to, among other things, make breach notification compulsory for private sector organizations. Over the longer term, we welcome the next statutory review of PIPEDA. We will be publishing in the near future a draft report on the comprehensive public consultations that we hosted this spring on such cutting edge topics as tracking people's online activities by companies, and cloud computing. While this report is not our contribution to the PIPEDA review, the consultations raised issues that we will need to focus on for that review, which starts in 2011.
On the public sector side, we continue to advocate for a long overdue modernization of the Privacy Act, which was passed in 1982. Some of you may remember that 1982 was the year that the first affordable home computer, the Commodore 64, hit the market, and we lined up at movie theatres to watch E.T.
We're also working with experts to develop privacy policy guidance documents for decision-makers working in four key areas. The first, focused on national security, should be ready for publication in the near future, with others to follow in the areas of information technology, genetic technology, and identity integrity.
I hope, Mr. Chair, that I have been able to give you an overall sense of our activities over the past year. I would be happy to respond to your questions.
