Information & Ethics Committee on Oct. 19th, 2010

Thank you very much, Mr. Chair.

It's a pleasure to be back before this committee after the summer recess. I welcome this opportunity, because since I've last been before you, I have released two annual reports to Parliament. The topic for today is the findings in my two annual reports.

First of all, Mr. Chair, the annual report on the Personal Information Protection and Electronic Documents Act, known as PIPEDA, Canada's private sector privacy law, was tabled in June of this year. As you will also recall, Mr. Chair, we presented our most recent annual report to Parliament on the Privacy Act just two weeks ago.

Over the next few minutes, I propose to offer to the committee some highlights from those reports and some highlights of our work over the past year. Then I would be happy to take all the questions members of the committee may have.

First is the Privacy Act annual report. I will mention parenthetically for the new members of the committee that the Office of the Privacy Commissioner administers two privacy laws, one in the public sector and the other, the more recent, in the private sector. I'll start with the report on the one on the public sector, which is the one we released in September.

The Privacy Act report of September traced our efforts to safeguard privacy rights in the face of two key challenges: rapidly evolving information technologies and the pressures of national security and public safety measures. On the whole, it is safe to say that most public servants take good care of the personal information entrusted to them by Canadians.

Still, and unfortunately, there were some exceptions. One complaint to our office, for instance, involved the unauthorized access by Canada Revenue Agency employees to the tax records of prominent Canadian athletes. While such a breach cannot be undone, it did lead the Canada Revenue Agency to update its audit capabilities to better control access to personal information.

I now want to talk about wireless and disposal audits. The annual report also summarized two privacy audits we undertook during the year.

One found significant shortcomings in the way government institutions dispose of surplus computers, with many still containing sensitive data. We also discovered that documents are shredded by private contractors without the necessary degree of government oversight.

A second audit of the use of wireless networks and mobile devices of five federal departments and agencies uncovered numerous gaps in policies and practices that could put the personal information of Canadians at risk.

I will now move on to Veterans Affairs. Just a few weeks ago, we announced plans to conduct another privacy audit—this one of privacy policies and practices at the Veterans Affairs Department. This, as you know, was sparked by concerns that came to light during our investigation of a complaint launched by a veteran who has been an outspoken critic of the department.

Our investigation determined that the veteran's sensitive medical and personal information was shared—apparently with no controls—among department officials with no legitimate need to see it. The information then made its way into a ministerial briefing note about the individual's advocacy activities, something I deemed entirely inappropriate.

We are still working out the scope of the audit. We hope, though, that it will provide guidance as the department implements the recommendations stemming from our investigation.

In June, we also published our findings in an important audit on the private sector side. This one was triggered by a string of serious data breaches among Ontario mortgage brokers that compromised the personal information of thousands of Canadians. Our audit under PIPEDA found that the breaches caused several of the brokerages to take further steps to better protect personal information.

And yet, we determined they had not gone far enough. Indeed, our audit raised concerns about data security; the haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of accountability for privacy issues.

The audit was summarized in the PIPEDA annual report, which also highlighted the challenges of enforcing privacy rules in a world where data flows readily and instantly around the world.

I would like to talk now about Google Buzz and a bit of our international work.

We recognize that addressing this global challenge will demand agility and resourcefulness on the part of all privacy authorities. That is why, when Google disregarded privacy rights in the rollout of its Google Buzz social networking service last February, we opted for an innovative alternative to our conventional tools of audit and investigation.

Instead, we led nine other data protection authorities from around the world in an unprecedented--and I think highly effective--tactic: the joint publication of an open letter that urged Google and other technology titans entrusted with people's personal information to incorporate fundamental privacy principles directly into the design of new online services.

We are engaging with global partners in numerous other ways as well. Last month, for instance, we joined other data protection authorities from around the world to establish the Global Privacy Enforcement Network, which aims to bolster compliance with privacy laws through better cross-border cooperation. Later this month at an international conference of data protection privacy commissioners, I will be co-sponsoring a resolution that would see privacy considerations become embedded into the design, operations, and management of information technologies--or at least that is the wish.

A couple of our other files are of great interest to many Canadians: Google Wi-Fi and Facebook. Just this morning, we released our preliminary findings in an investigation of Google's collection of Wi-Fi data by a camera car shooting images for the company's Street View mapping application. We have learned that while collecting Wi-Fi signals, Google had also captured personal information, some of it highly sensitive. The collection appears to have been careless and in violation of PIPEDA. We are making several recommendations that would bring Google into compliance with Canadian law and help safeguard the privacy of Canadians.

But Google isn't the only major technology giant we have had concerns about during the past year. In September, we were able to wind up an investigation of Facebook that was heavily publicized last year. In 2009, Facebook agreed to make certain changes to its site, which took a year to fully and satisfactorily implement. This concluded lengthy and intensive discussions between my office and Facebook, which eventually led the social networking company to significantly boost the privacy protections available on its site.

As we look ahead, I'm looking forward to many other initiatives to strengthen the privacy rights of Canadians. You will, of course, be familiar with two pieces of legislation currently before the House that are of particular interest to my office.

Bill C-28, called FIWSA in English, the anti-spam legislation, would give us important powers to control which cases we investigate and permit the sharing of information for the purposes of enforcing Canadian privacy laws. Earlier I mentioned the Global Privacy Enforcement Network, the group of data protection agencies who together are working toward ensuring better compliance. For us to be an effective member, we need the ability to share information with our international counterparts when necessary, and the provisions in this bill will assist in making that possible.

Bill C-29, meanwhile, would amend PIPEDA to, among other things, make breach notification compulsory for private sector organizations. Over the longer term, we welcome the next statutory review of PIPEDA. We will be publishing in the near future a draft report on the comprehensive public consultations that we hosted this spring on such cutting edge topics as tracking people's online activities by companies, and cloud computing. While this report is not our contribution to the PIPEDA review, the consultations raised issues that we will need to focus on for that review, which starts in 2011.

On the public sector side, we continue to advocate for a long overdue modernization of the Privacy Act, which was passed in 1982. Some of you may remember that 1982 was the year that the first affordable home computer, the Commodore 64, hit the market, and we lined up at movie theatres to watch E.T.

We're also working with experts to develop privacy policy guidance documents for decision-makers working in four key areas. The first, focused on national security, should be ready for publication in the near future, with others to follow in the areas of information technology, genetic technology, and identity integrity.

I hope, Mr. Chair, that I have been able to give you an overall sense of our activities over the past year. I would be happy to respond to your questions.

First of all, thank you for the question, honourable member.

I had said very generally that this may be happening in a wider area than Veterans Affairs. It is, of course, a concern of mine, because we reported, for example, that a couple of years ago--this took place a couple of years ago--Canada Revenue Agency civil servants were looking into the tax files of well-known sports authorities, so this is not unknown. I don't have any indication, either personally or institutionally, that this is a widespread practice, but rather that it is an unusual practice.

What are we going to do? First of all, we are going to do our audit of Veterans Affairs and probably report, depending on the timing, directly to Parliament. Second, I'd be very interested if you wrote me outside this discussion today, and we would look into the details of what you relate in your letter.

Yes, we did. We made some 14 recommendations to this committee several years ago. This committee looked at the matter in quite some detail, received quite a few witnesses--perhaps 15 witnesses--and came out with a report. The committee supported, as I remember, two-thirds of the recommendations that I made.

However, the Minister of Justice replied that he was not proceeding with reforms to the Privacy Act at that time and encouraged us to look for administrative approaches to privacy problems with the government, so this is what we're doing in lieu of reform of the Privacy Act.

Well, most countries either have much newer legislation for the private sector or are contemplating major reforms to it.

I take countries whose legislative models often look like ours. The law in Great Britain, for example, dates from perhaps 2003 and is much more suitable, I think, for contemporary issues. The Australian Law Reform Commission has suggested major revisions to the Australian law, some of which I believe are in effect, but I could't give you any details right now. The European Union is looking at reworking its 1995 directive, which basically governs the privacy parameters for all of the European Union. Within that club, to have a law that dates from 1983 means that we have to be very creative in trying to modernize it.

Fortunately, our other law, PIPEDA, dates from 2000 and has a five-year review, so it's a little easier to work with in terms of modern challenges.

To the best of my knowledge, we haven't received a complaint since June on this topic. I believe we have received some inquiries. I'd have to check that, but we don't have any new--

Only in the context of a privacy impact assessment. We're not consulted regularly.

I am confident now because the rules.... In fact, this was a case that we appeared in at Federal Court. It is now possible, with so much public information out there, that in access to information requests.... This was a case involving drug trials and information gathered by Health Canada. We appeared in order to agree with the Information Commissioner that some fields had to be blocked out; otherwise, the identity of one of the participants in the drug trial could be identified.

Of course, when the Information Commissioner gets such a request, it's referred back to Statistics Canada, and they weigh in. They're very cognizant of the increasing challenges of data-matching with all the information that's out there now.

It is November 30, I believe.

That is correct.

Yes, that is possible under the legislation.

I said that I would be agreeable provided it was for a short period of time.

No, seven years is too long.

As some members of the committee will no doubt remember, when I came to the Office of the Privacy Commissioner of Canada, there were major administrative problems. It took approximately three years to establish our reputation, have a budget and prove that we were a responsible agency. During that time, I was not able to tackle issues relating to privacy protection policy.

That conditional clause was included because there are a number of cases currently before the courts involving Google. In fact, the attorneys general of approximately some 40 American states have filed suit under what is called electronic wiretap legislation. There is also another series of litigation cases. In general, when there is a suit, we retain the elements that may constitute evidence.

We recognize that we cannot order them to do things that they are unable to do under American legislation, since we are working with the American privacy authorities where possible. So we included this conditional clause that states that if 40 states are suing Google, the latter could keep the data and erase it after conclusion of the suit.

We have just concluded an investigation on Facebook, two weeks ago.

That is, to some extent, the problem.

You understand the importance of working with other countries so that we are not alone or relatively alone. My colleague from the Spanish National Commission on Information and Freedom issued a press release yesterday that said he was laying criminal charges against Google WiFi for what had happened in Spain, where the system imposes heavy fines.

With regard to your question about Facebook, we will assess this with our technology experts, because it seems that the problem is not coming from Facebook as such, but from applications.

In fact, following our investigation on Facebook, which was concluded in September, part of the agreement specified that Facebook had to respect, under contract, the obligation of using only the personal information that people allowed to be provided, and of only using the personal information they needed for the purposes of the game. That began this summer.

There is still one thing we don't know. We learned about it like everyone else, yesterday, in the Wall Street Journal. There was that report, but there was no date on the Wall Street Journal investigation. We don't know whether this happened last year, before we concluded our work on Facebook. In fact, Facebook should be ensuring supervision, contractually requiring application developers to respect standards in keeping with Canadian legislation.

We don't have enough specific information on what is really happening, to whom and when. In fact, if it was six months ago, I would say that it was before Google undertook its internal reorganization.

Yes, and we miss her.

We have investigations under the act, and they can be broadened into systemic investigations. This tends to be inquiries into a particular set of facts around a particular individual or a series of individuals, looking maybe at patterns and practices, but always related to a specific event.

An audit is I think what we usually understand by its name. It's a general sampling, according to the best scientific principles of representivity, into the practices and the observances of personal information protection in an organization.

We do both investigations, mostly because people complain to us about something. Sometimes we initiate our own investigations, like the Google Wi-Fi one.

What I've announced is that I thought the best tool for Veterans Affairs, given what we were learning, was to do an audit. So that would be a department-wide audit, but only on personal information protection measures.

It would be a major, major, major operation; I would need quite a few mandates, I think, to accompany that. Our audits usually take a year, although I hope this one could be done faster, and that's in a relatively small department. It's a very big operation.

Now, in Veterans Affairs, yes, I believe we do.

No. Nobody that I heard of in the international data protection or IT community was talking about what happened. What was happening was unbeknownst to all of us until this spring. One of the länders'--they're like the German provinces--data protection supervisors, who have jurisdiction over a lot of the private sector in Germany, started a discussion with Google that quickly became public because they suspected that Google was scooping up personal information.

As I remember the newspaper reports, Google initially denied it, in retrospect because they did not know themselves that they were scooping up personal information. That's how they store...and that's just in April-May of this year.

I'm not a huge personal specialist in this, but I understood that the initial operation was to do a street mapping. Then they were interested in picking up Wi-Fi transmission points for the development of other services, geo-location services. But they didn't understand--because of internal, I'd say, organizational problems--that in doing that they also got the personal information that was unencrypted and not password-protected.

I know that at the office.... In fact, Assistant Commissioner Elizabeth Denham, who was responsible for this area, said they had a plan to go on and use geo-location data, which is another field to be exploited by those who are in that business, but nobody had an idea that it involved collecting unprotected information as well.

Okay. I'll say that overall they were cooperative, but that maybe there were a few sticky points.

We're doing what's called “scoping the audit”, which involves basically setting up a work plan. This may take a couple of months--Veterans Affairs has offices not only in Prince Edward Island, but also here in Ottawa and across the country--for deciding how we are going to do the work, whether we'll have to contract it out, whether it will be in-house staff that will do it, just how big the sample size will be, and so on. I'd say there's a good few months of planning.

We'll be acting to see how this situation that was uncovered in our investigation--and that we and other people read about in media reports of other veterans who dealt with the department--actually came to be. Were there any policies or were they just not followed? How widespread were the problems and what is being done to fix them? What further steps should the department take to make sure that this can't happen again?

I don't have an idea on that, because we simply look at the very particular circumstances around one person. We didn't go back and sample to see if this was an old practice or a relatively new one. I think perhaps our audit will give us a better idea of that.

Well, basically these are Wi-Fi signals by which, increasingly, telecommunications or the Internet are passing. A previous member asked what Google knew about it and what we knew about it. I think what is surprising about this file is that this is not something that was done intentionally. This is something that was done without Google itself being aware of the fact that they were scooping up the personal information. A program to take this up was written into the code unbeknownst to those in charge of the Street View photographing program.

This then scooped up data only--before everybody gets too worried--if your Wi-Fi transmission was unencrypted and not password-protected. I think there's a story here for individual Canadians about making sure that they use the strongest privacy protection possible.

Google had been totally unaware that it was getting all this information, but this is not the first time Google has been deficient in adhering to privacy standards, either in Canada or in the European Union, or in other countries that have similar standards.

I think it's a tale of what can happen to your personal information through big technology companies that don't take privacy as seriously as they should.

Certainly since early 2007 when Google first started photographing streets outside the United States, they have made great efforts to comply. You talked about the blurring technology for faces, your license plate, and so on. You can have your house taken down or have part of it blurred. That's fine for the Street View photo-imaging product.

But the thing that concerns me is that then we had the Google Buzz fiasco, in which people's identities were revealed one to another without their consent in an attempt to create a kind of social networking within your Gmail correspondence. Your Gmail correspondent could have been, one, your mother, two, your doctor, or three, somebody you had an intimate relationship with. All of a sudden, these people who perhaps didn't even know that the others existed in your life found themselves in an instant social network. That was something that caused us concern. It was almost instantly withdrawn because there was a huge outcry.

Then there was this third thing, which is that, unbeknownst to Google, it was collecting personal information. So it's not that once something is brought to Google's attention they don't clean it up; the question is, why aren't they starting with privacy principles at the beginning? And why are Canadian taxpayers or Spanish taxpayers and so on spending a lot of time and effort when these companies should get it right from the beginning before they launch their products?

Oh, oh!

Honourable member, as I've said, we're planning the audit right now. We're looking at what the scope of it should be. But given the allegations we have heard and what we have found in our own investigation, I think we have to look at all levels of the department to know where personal information is being appropriately sent and not appropriately sent. As I mentioned to another honourable member, we should try to see if this is a traditional practice or a new practice, if we can.

I think it would include at least the deputy minister's office. As you know, there may be some legal issues about ministers being bound by the Privacy Act and Access to Information Act, but that is before the Supreme Court of Canada. Perhaps we'll get guidance at that point.

This is the first time I've heard...or if indeed it was picked up and our press clippings noticed this particular article. I can't really comment on it because this is honestly the first time I've heard about it. We comment on things where we have some personal institutional knowledge of the facts of the case.

I will remind the honourable member of our concern, though, with the potential sharing of the voters lists. A couple of years ago, I believe it was, we did an audit of Elections Canada and were concerned about some of the security issues around the multiplication of voters lists and the distribution of the lists.

As I didn't see this article, I haven't thought about this for a while, but as I remember, there was not a system to get them back at the end of elections, so some could go astray. There were things like that, but I'm not aware of the facts of this article.

I'll start with the last part of your question, if I may. Every year there is an annual meeting sponsored by privacy commissioners, mostly from the European Union--they have that European-defined level of privacy, which Canada has exceeded--as well as Australia, New Zealand, Hong Kong, and, more recently, some of the Latin American countries. Mexico, I believe, has just adopted legislation; it hasn't been approved as adequate. Uruguay's was. This is a growing movement of countries that have come up to the more stringent privacy standards of the European Union.

Every year at that conference, resolutions are brought forward. They're only resolutions. We try to use them as a way to put forth important ideas and to get public attention focused on the issue of privacy. This year, my colleague Dr. Ann Cavoukian, the commissioner for privacy and information in Ontario, is co-sponsoring this resolution with the host, the Israeli data protection commissioner. I'm very happy to be one of the sponsors.

This speaks to the whole issue of privacy by design. As I was saying in response to a previous question, our problem is not with the product once it's fixed; it's why the privacy wasn't built in at the beginning.

It's very interesting that this concept, which Commissioner Cavoukian has been instrumental in pushing as long as I've known her, I think, has international take-up now. I believe the European Union is considering this issue of privacy by design to be incorporated in their new directive. I guess that's an example of how we try to work together to have some leverage with these enormously powerful international companies.

In terms of ongoing relations, both with Google and with Facebook, I'd say they're positive. Google has very able representation here in Ottawa, and Facebook has great Canadian representation too. The issue is that we're always following after the fact, and it's how to get that message across to them in a way where they really pay attention. Once they're found out and we say, sorry, but this is Canadians' personal information and this is how you have to do it, that's fine, but that process is very arduous for our employees. You can imagine the number of engineers and inventors they have at Google and Facebook, and we have to try to keep up with what they're doing, so--

The process in dealing with these two companies, particularly given the take-up on their products, has been to make our reports public, to issue press communiqués, and to try to do public education about this.

I do have that option to make reports public when it's in the public interest. That's a way of cautioning people as soon as we can, by saying: “Be very careful when you're on Facebook”, or “If you want to have your house removed from Google Street View, here's what you do”. Occasionally people will say, “Well, I tried to get in touch with Google, but I couldn't get my house erased, so can you help us?” In fact, there's some kind of mix-up, and yes, Google will blur--not erase but blur--their car licence numbers and things like that.

In our case, the legal means are the Personal Information Protection and Electronic Documents Act. In fact, I do not believe that the Canadian legislation is a disincentive within the private sector, and it might perhaps be appropriate to consider the issue in coming years, if not immediately. As soon as we see that companies are breaking Canadian legislation, we ask them to change their practices. In some cases, they do so, but there are no fines as is the case, for example, in America, England, France and Spain.

At the most, we could say that there are not many incentives for these companies to incorporate privacy protection within their projects from the start. They know that if they are caught breaking the law, that same law allows them the possibility of remedying that before I can take them before the Federal Court of Canada, and then I have to start all over again.

I think that this issue will be raised a lot over the coming year, during the PIPEDA review.

I talked about an international trend. I also spoke about two professors, including France Houle at the Université de Montréal, who did some work for us to determine whether the legislation passed in 2000 is now able to target modern personal information protection concerns. That report has just been submitted to us; I talked about it in my presentations. One of the recommendations is discussing the possibility of having a slightly more coercive regime.

Your question concerns a number of issues. I do not know whether the Blackberry belonging to your colleague was provided by the government, so if it met government standards. In principle, it should be encrypted. From what I have understood, government Blackberrys are encrypted—the ones at my office are. Perhaps it would be a good idea to protect them with a very good password.

This brings me to one of the audits that we conducted, which suggests that the PIN to PIN function is not used. When the PIN to PIN function is used, it seems, according to my experts, that the department or Parliament server is not being used. So, the signal can be intercepted by quite basic equipment.

Finding one's personal information on a Blackberry is not necessarily bad, to the extent that no one had access to it because it is protected by a password.

Thank you for your question. The agencies in question noted their inability to erase the information at the workshop, since the workshop was not really set up to erase personal information. We will do a follow up in two years' time.

I think Canada is well respected for its balancing of these two rights. We have a very thorough process. It's not in all countries, for example, that things like the airport scanner, to take that particular one, are referred to the Office of the Privacy Commissioner for a privacy evaluation. I think that has attracted a certain amount of attention. I know that on the level of scholarship, there are a couple of international scholars who are interested in working with us on how to balance the principles of privacy protection with national security imperatives.

Well, yes, one wonders. The rules have been there for a long time. In fact, 10 years ago, the commissioner who preceded me, Bruce Phillips, did an investigation of this kind and found that there were an enormous number of computers that were not being wiped clean.

My take on this is that at the end of the 1990s we were all just starting to work with computers and maybe we didn't realize that everything is indelible unless it's specially wiped and so on. But we thought, for interest, that we would follow up 10 years later to find out what was happening.

In our sample, 40% of the computers had not been completely wiped. There was still personal information on them--in fact, national security information--in spite of the clear directive that has been around for more than 10 years, and in spite of, I would say, increasing popular personal individual knowledge of what happens on the computers we all work with, whether they're little BlackBerrys or much more powerful ones.

This was a bit of a surprise to us. It's not that the rules aren't there, but I guess busy people forget that, or the job's half done. That's another audit we'll be following up on in two years.

Yes. In fact, educating small and medium-sized businesses would be an objective for the next three years--if I continue on for three years--because we realize, partly because of the work of these two university professors, that big business, like the big insurance companies, the big banks, and so on, are following the rules pretty well. They're pretty sophisticated. We rarely have serious complaints against them now, and if we do, they're quite rapidly settled.

The issue with small and medium-sized businesses is that this is seen as an extra financial burden—and it probably is—for them, as just another thing they have to do. We're working on a program, particularly out of Toronto, where a lot of Canadian business is centred, to take some of the tools that have been developed by big business and, with them, try to adapt them. So these would be tools that small and medium-sized businesses could access free of charge through our office so that they don't have to go out and spend $200 or $300--sorry, $3,000--on a custom-made.... There should be something that is reasonably adapted, that can be scaled down from the bigger business experience.

Oh, oh!

Not that I'm aware of, no.

The recommendations are shown to them. They have a chance to comment on them, to make factual corrections to the report and so on. Whether we negotiate, as you say, or try to arrive at a consensus, depends on the type of issue we have.

Here we have an issue where it seems there were multiple illegitimate accesses to somebody's personal information, so it's not something that you can really negotiate on, going backwards. But forward, I didn't hear that there was any objection by the department or the officials to any of the recommendations that we made going forward, nor indeed to an audit.

For taking “immediate steps”, I would say in the days and weeks that follow. If this is a widespread issue, it's pretty critical.

Exactly.

Yes. That was one of the subjects of our consultations this spring. We are working on that. We're bringing out a position paper.

Google is not the only one dealing with geopositional location technology; some of it could be quite privacy-invasive. What we haven't done is look at the different individual types in terms of even our investigation or not...we're looking at them as examples of deploying a new technology.

Generally, I believe that former Assistant Commissioner Elizabeth Denham did some informal work with Canpages—and I believe there is another company whose name I just forget—in terms of them giving notice in a way that Google never did when they were about to photograph or geomap a certain area.

Yes. I don't believe the process itself is illegal in Canada. The issue is taking the personal information without notice or any form of consent. I haven't really thought of this for a while, I must say, but I believe that we worked with Canpages, so they gave the best type of notice they could, given the technology they're working with. I could get back to you on that.

Exactly, and using it eventually to send messages to people on their hand-held devices about all kinds of things. In fact, we used those scenarios in the consultation.

Well, I guess reasonable notification that would get to a wide variety of people whose whatever they had was about to be photographed...maybe not just a newspaper, but maybe some radio advertisements or interviews, things that would get people's attention, so that if they had a problem, they would know how to get in touch with the company.

In terms of blurring technologies, I think we had about a two-year discussion between some of the specialists in my office and Google about the strength of their swirl technique and whether or not it could be unswirled. Do you remember the case of a gentleman who had gone to Thailand and then his swirl was unswirled? That took a while to settle, but it seems to be a fairly strong technology now.

I don't have any details of that, but I know that we are working with the RCMP in terms of a privacy impact assessment. I believe we are encouraging the RCMP to possibly narrow the scope and the application of this program, but I don't really have the details here, so I'd have to get back to you on that.

Yes. I've been contacted by the Prime Minister's Office. I believe the Prime Minister has written to the leaders of the opposition parties to ascertain their views on a further reappointment for three years.

Honestly, 14 years as a privacy commissioner in this fast-changing world would be too long. As I perhaps mentioned, I did spend a lot of time doing very intense administrative work at the beginning of my mandate, so I think I have the energy and interest to go forward for another three years on some of the increasingly interesting and challenging privacy issues.

That's right.

Excuse me, honourable member, is this the Privacy Act?

First of all, we've spent an intense four years trying to get rid of a backlog that started to accumulate in the early years of this decade. Fortunately, we had budgetary support, so we eliminated it at the end of the last fiscal year on which we're reporting it.

Concurrently, we're trying to do something in parallel, which is not to refuse to help Canadians, but to answer their questions and help them with their problems at the outset. Very often we see that when people get the information they desire, they can go off and solve the problems themselves, or we can put their minds at rest without going through a whole investigation. Because the Privacy Act is fairly dated, the investigations take on a formal aspect that is long and not necessarily helpful to the individual person, who usually just wants access to their government file.

So that explains why the complaints are down. From an administrative point of view, I think we should stay with the same budget. This is not a time to be increasing it. So if we spend less time on individual complaints--there's already a model wherein this issue is being dealt with and we can refer somebody to it--that frees up resources for some of the big investigations that are very resource heavy.

Yes, our experiences have been positive. The panel has brought together, in a very innovative and positive way, parliamentarians, Treasury Board officials, and us as the organization that requests the money. We talk to Treasury Board beforehand, so all the budgetary requests we make have the support of Treasury Board. We answer the questions as to why we need this money. In our case, we have the resources we asked for.

I think so at the present time. I know that we're under economic constraints. One of the things I'd like to do in the future is continue to try to find ways to work more efficiently, perhaps by the use of things such as online complaints and increasingly turning to the Internet as a way of interfacing with Canadians.

What would be helpful as an agent of Parliament, I think--and as you know, for certain things we're in a different world than government ministries--would be some flexibility in the administration of the budget, which we don't have. This is something that we've recently realized is a challenge. It is not necessarily to get a new budget or to overrun our budget, but simply to administer the different budgetary posts as we choose.

Yes, I think cooperation has been very good. I'm not sure that people are really happy to see us coming. I think that if there were a popularity contest, certainly we wouldn't win it.

There has been cooperation. There is respect for the functions of the office and also an understanding by departmental officials that what we do is important, even though they're not always happy to see us and we raise uncomfortable questions.

Yes, that's a very important question. I think that on some page of this annual report, we report on a growing trend by departments to report privacy problems to us, departments that aren't legally obliged to, including losses and breaches and so on, in the hope of getting some help with this.

Increasingly we're trying to focus on a collaborative, preventive role, because you know, if people are going to be punished, they don't come forward. The issue is how to not keep repeating the same problems, or at least to make sure that they don't happen again in exactly the same way. This is a trend and I'm very happy about that.

No. These are not constraints because of previous issues. That was what was happening in the first three years of my mandate. We got back our full powers and full confidence.

Perhaps, Mr. Chair, I could answer the question of the honourable member: how do we then choose with limited resources? We look at our privacy impact assessments and choose the ones that, after a first initial examination, seem to us to be the ones that put Canadians' personal information most at risk.

They have not been tabled as such, for which I am very happy. We did in fact consult extensively ourselves and then wrote a preliminary letter to the Minister of Public Safety last fall. Some of the content of those bills or the purpose of the bills is now enshrined in, I believe, Bill C-29, and certainly that's an improvement on what we saw last summer.

No, we don't.

Yes. But in some cases, when it is a matter that comes under our particular jurisdiction, often there is informal consultation between ourselves and department officials. But we don't see the legislation per se before it's tabled.

First of all, what do we do for businesses already? We have extensive material on our website. Increasingly, we use our website, because it can be accessed by Canadians across Canada. We have just updated our tool kit for small business in consultation with the small business communities. As I've said, we hope to continue that in the future, using some of the material borrowed from the experiences of larger companies that can be adapted.

We consult with various representatives of the small business community regularly, and if they say they need x number of information sheets for their kits at a conference, we are happy to provide them with those. We have some that are done particularly for businesses.

This might seem a little frivolous, but we have worked on a series of cartoons. I think we have about 20 different cartoons now that are very useful for public education. It's hard to get the attention of the business person who's worrying about their balance sheet at the end of the month, so maybe somebody in a presentation in a local community can use one of our cartoons, and it might get their attention. Then maybe they'll go on and listen to the short message and explore this by themselves.

Those are some of the things we want to do.

We're also cooperating with the provincial commissioners across the country to provide them with templates for personal information in areas where either we have jurisdiction or sometimes there's a kind of overlapping jurisdiction. Or they can serve as the distribution point, in a collegial fashion, for materials and messages about small business if we have a jurisdiction in a province, for example, like Saskatchewan. So we do things like that.

Finally, what percentage of data breaches are human error? I would say probably between 40% and 60%. It depends on what sample you look at. It's not all about thieves and hacking into computers and so on. Often it's just employees who make human errors, as we all do, and now the errors are amplified by the technology, so it's in fact more stressing, I think, not to make an error now.

I guess we've never looked at it that way, but maybe it's 10%. I'm just saying.... I have the director of finance here, but I don't think even he has ever calculated that.

We do it because, once again, we think we can be more effective. If it's Canada alone on this technology, well, you know.... If we have a strategic alliance, we'll have much more effect.

On the one hand, our role was—

On the one hand, our role was to work with the police, the RCMP, to make officers aware of issues relating to privacy protection, and, on the other hand, to inform members of the public of their right to privacy.

We met with police forces several times.

I will try to give you a brief answer. At that time, there had been allegations that the police was misusing people's personal information at the border with the United States, that activists in Vancouver were under increased surveillance, and that there was a database on the activists, and so on. This was before the games. Nothing happened, but I remember that the atmosphere was fairly tense before the games.

No.

As far as I know, nobody called upon us for that. Further, I do not believe that those events fell under federal jurisdiction. As far as I know, the Ontario Provincial Police and the Toronto Police do not fall under federal jurisdiction.

The RCMP was there, but—

On the one hand, we had just put the Olympic Games behind us, and so we thought that the lessons from the games had been learned and integrated. On the other hand, I do not believe that we were called upon because, contrary to the games, nobody had expected these events to happen.

We will maintain these four priorities because it will take years for us to study them in depth. Over the coming years, they will remain very significant priorities. Indeed, our objectives will include increasing the efficiency of our office and improving our contacts with the business community, which will happen, for instance, because we will be present in Toronto.

We're working right now on the national security document. There's a bit of a debate, in fact, about who it will be useful to. First of all, it's a public document, of course, but the idea is that it is directed to government policy-makers who have to take security considerations into account and also, to the extent possible, protect privacy as well.

That is the one we're working on. We work with a variety of people: scholars, people in government security, and the police community. We have a former foreign affairs minister on the committee, and we have members of the advocacy groups that are very interested in civil liberties, to try to get a complement of different points of view so we have some kind of general guidance on what, from the point of view of the Privacy Commissioner, we consider to be a good balance between these two objectives. That's the one that we've really come the farthest with. It's a similar process in terms of genetic information.

We think it's something like what happens in the Privacy Act and my previous response, but this time we saw the drop in inquiries accompanied by a rise in the number of people who go to our website. We now have about 2.5 million on our website, and we're trying to continue that, because people can get the information they want. We have a children's website, our youth privacy website, a blog, and so on.

Yes. Over the years some people have asked why we don't do a report card and rate all the departments and so on. This may be appropriate in some circumstances, but it doesn't seem to be appropriate for what our office does. Some departments, by their very nature, have to hold a lot of Canadians' personal information, so on a representative basis they're going to get a lot of complaints.

The single department that has the most requests year after year--I think probably since the office was opened--is the Correctional Service of Canada, because of course it controls all the personal information of the people in their files. Also, it has a problem with replying within 30 days, so then there's another complaint.

It goes down in that order. The RCMP has a lot of complaints, again because of its function. Ironically, for some places where there may be systemic problems, like Veterans Affairs, there are statistically very few complaints.

Well, we tried to report as objectively as possible our concerns with the first draft PIA and the description of this program and what it was set out to do. It was something that we had never seen before as a proposal, and what we understood was that it was a proposal to scan the web for indications of political activity. In talking with the commission, it was agreed to take it back, look at the program, and provide us with a new privacy impact assessment.

I think somewhere there's an acknowledgment that perhaps we have raised some relevant questions, such as, “Why this program?” In order to scan somebody's political activities outside of the government.... Has there been something like a radical increase in the remarked political activities of civil servants that would cause this? What we understood was that it was looking at personal websites, at blogs and so on.

Anyway, we're waiting for the second version of this, and we hope we can continue dialoguing about this and see eye to eye on it.

No, we haven't.

I think I have to accept that for a long time it has been recognized that nations are sovereign and they control the conditions upon which they let citizens of other nations come in. They can set those rules.

What I don't accept is that there are frequent complaints by the public about the manner in which they are treated at the border, so we are working with the Canada Border Services Agency to see if we can sensitize some of the border guards or officials to the impact of some of their words, their gestures, the way they treat Canadians coming back into the country, and how these things make them feel as though their privacy has been invaded and so on.

We can't change that reality, but we could help to encourage a more sensitive treatment of people.

Yes, we have.

I can't answer that question. I could get back to you on it.

For the moment, we are using a less intrusive type of scanner, the name of which escapes me. This is not the most intrusive, which may be the backscatter x-ray scanners, some of which have been introduced into the United States and which apparently put the human body into, shall we say, detailed focus as compared to the one currently used in Canada, which my office has tested out. People of both sexes have tested it out. It shows, as I understand it, foreign objects on an outline of the body, so it is much less privacy-intrusive.

In the quote you read, I was asked to say what keeps me “up at night”, and I said that if national security issues became so imperative that there was a push to move to these, then yes, that would be a huge privacy challenge.

Merci.