Information & Ethics Committee on April 26th, 2012

I will ask the assistant commissioner to answer your question.

Exactly. Public-private partnerships have an impact on privacy. Continuity must be established in the protection of privacy, and that continuity must be ensured through a strong and effective legislative framework.

In CATSA's case, that contract ensured that the agency's obligations with regard to privacy also applied to subcontractors. Therefore, this violation of privacy was non-compliant, and it violated the Privacy Act.

CATSA acknowledged the fact that it needed to improve its monitoring of contractors when it comes to privacy. Therefore, we expect improvements in the overseeing of contractors. Regarding your more general question, you are completely right. In our opinion, the public-private partnership phenomenon has very relevant repercussions on privacy protection, and we are monitoring the situation.

There are a number of things that need mentioning. First, we have received several complaints. Therefore, we have several ongoing investigations. Second, following the first complaint, we noted some systemic deficiencies or an appearance, at first glance, of such deficiencies in the management of personal information at the Department of Veterans Affairs. That is why we decided to conduct an audit. So we also have an ongoing audit, which should lead to a report that will be submitted to you in the fall.

Indeed, the idea of potential technological problems or programming errors is worrisome. One of our annual reports talks about such a case. On a Service Canada website, personal information on a number of individuals was suddenly exposed.

We are talking to the government about the security standards needed to establish new steps for providing Canadians with access to an online government. This is still an area we monitor carefully, and we hope that the government will continue to do so as well.

Yes, absolutely, honourable member. It has been clear for many years now—and I've always said this to the committee—that the nature of privacy online now means that privacy is an international issue.

One of my own personal focuses, and the focus of Canada when we take part in international organizations like the OECD, is to encourage cooperation and the emergence of standards that can be shared among different groups when we're faced with the doings or the developments of international companies like some that we've met here. For example, there's the EU on the one hand, the U.S. on the other hand, and then Canada, New Zealand, and Australia, which are to the side. I believe that in our annual report we give some examples.

This continues to be a very important focus for my office, because often we have to coordinate—we're a member of something called the Asia Pacific Privacy Authorities—for example, on what Australia is doing, who's going to speak for us, and what the position of Hong Kong is when faced with the same phenomenon. But if you don't do that, then you're not providing effective privacy.

I think that now, with our technology analysis branch and the laboratory that we have developed, we have a lot of high-level, senior information technology people who have the contacts and the know-how necessary to communicate with companies like RIM. Of course, we don't have the resources to embed somebody in Google or RIM, even if it were possible, but I think our people make those companies aware of what our requirements are.

On that front, could I just mention that we're developing a mobile privacy app? I'm not sure what this is going to look like. It sounds pretty innovative to me. That is one of the projects that we hope to release to deal with the issue of what we're now all carrying on our mobile devices.

May I ask the assistant commissioner to tell us more about this?

Absolutely, and that's one of the reasons why we need to pay particular attention to the work being done on the border security perimeter.

As for what we do in relation to the possibility of inaccuracy, first of all, our audits are done on a risk basis. So we will look at either the number of incidents or the volume and sensitivity of the personal information held by an organization to decide whether we should go in and do an audit.

Certainly, a high level of inaccuracy, or the high impact of possible inaccuracy, would be exactly at the root of deciding to do an audit, hence our audit of CPIC and PROS. This fits exactly into your question.

Indeed, CBSA is another organization that we work very closely with, because, as you mentioned, the impact of inaccurate information at CBSA is quite significant. So yes, that is the kind of monitoring we do.

I am ready, Mr. Chair. Thank you very much.

Honourable members, Mr. Chairman, I'm very pleased to be able to have a second hour with you to talk about some of our key priorities now for the coming year. We go into the future, having done the annual reports, and once again will attempt to answer your questions.

For this particular phase, I'm joined not only by the assistant commissioner, whom you've already met, but also with Daniel Nadeau, our chief financial officer and director general of corporate affairs. We were very pleased to have him join us in August, following the retirement of a gentleman some of you may have previously met, Tom Pulcine. It's been a wonderful, seamless transition. I'm very happy that Daniel is with me today.

I would like to begin by explaining the evolving landscape of privacy issues and how public concern with them affects our office's work and choice of priorities. So for starters, as I think everyone around this table can appreciate, personal information protection is an issue of growing importance here in Canada and around the world. Canadian businesses need to be informed about how privacy law applies to their operations, and federal departments and agencies are constantly challenged to balance social benefits associated with initiatives that gather personal information on the one hand with the privacy rights of individuals on the other. As an agent of parliament, my office, of course, has the task of advising on such issues.

Individuals today face a reality of complex information technology. People enjoy the fact that these tools connect us like never before, and they bring valuable services to our fingertips. At the same time, Canadians fear the consequences of being tracked by data mining marketers and being surveyed by governments. As a result, Canadians turn to us to investigate their complaints and for information to protect and assert their rights.

I will now talk about the key areas of the OPC's mandate.

As you know, our office is mandated with overseeing compliance with both the Privacy Act, which applies to the government, and the Personal Information Protection and Electronic Documents Act, which applies to the public sector.

We also provide guidance to organizations on the application of privacy law, and to individuals on how they can protect themselves and assert their right to privacy. As in past years, we will be pursuing these objectives through actions under the following three key areas: compliance activities, research and policy development, and public outreach.

Before we get to your questions, I would like to highlight some of the key priorities we are pursuing over the coming year for each of those areas.

First of all, I'll start with compliance activities, where we are continuing our work to update and strengthen our complaint intake and investigation processes. In particular, we are in the midst of an effort to develop and adopt more innovative practices in the Privacy Act investigation process. Our goal is to continue resolving complaints thoroughly with a view to providing service to Canadians in a more efficient, effective, and timely manner.

We are also taking action to better deal with the fact that an increasing number of privacy issues are tied to information technology. For this reason, we are taking steps to ensure that we have the right expertise and tools to evaluate the privacy impact of various technologies. On top of improving ways to do our existing work, we are also focusing on the best approach to fulfilling new responsibilities.

As you know, it's expected that Canada's anti-spam law will come into force sometime next year. We are working alongside Industry Canada, the CRTC, and the Competition Bureau to develop the processes and systems to fulfill our respective roles under this legislation.

In addition, we're also gearing up to review the privacy impact assessments tied to the many initiatives being developed across government, to realize the vision outlined by the Canada-U.S. perimeter security and economic competitiveness action plan. Our office and our provincial and territorial counterparts have underlined the fact that many of the planned initiatives in this plan contain privacy risks.

Our office is ready to examine the assessments to come in order to make recommendations to departments on how to mitigate such risks. With respect to audits, as the assistant commissioner said, we will lay before you the audit of Veterans Affairs Canada this fall, and we have just commenced our second mandated audit of FINTRAC.

I will now discuss research and policy development.

As an agent of Parliament, we will continue to devote our expertise to analyzing legislation and sharing our observations with parliamentarians. We will also be paying special attention to the upcoming parliamentary review of the private sector act. That review is mandated every five years—and for good reason, as we have already mentioned.

Another way we help meet Canadians' privacy needs is by working with leading academic researchers in the field. One important way we do this is by supporting independent, non-profit research through our Contributions Program. Over the course of this year, we look forward to supporting further research, which can lead to new ideas and insights on privacy protection issues.

I'll talk now a bit about public education.

Public education is vital as privacy issues continually evolve. Very few of us can grasp the technological intricacies of what's happening on the other side of the screen. It's therefore more and more important I think to assist Canadians in protecting their personal information online. The generation growing up today is really the first to grow up online. This is why our outreach efforts to youth, to parents, and to educators remain among our top public education priorities.

We've already developed presentation materials for grades 7 through 12 to help adults engage youth about the privacy challenges of today's online world. This year we will be promoting education materials for grades 4 through 6. In addition to individuals, we know that businesses, especially small ones, have specific needs. In general, small businesses lack the resources to have dedicated in-house chief privacy officers and legal counsel. As a result, we're dedicated to providing guidance materials and making outreach efforts to help small businesses learn about and comply with their privacy obligations. Included as part of this we will be spreading the word about the importance of cyber-security and the steps small businesses need to take to protect customer and client data in the online age.

In relation to the public sector, significant changes in our public safety context, as well as in government interaction with citizens online, call for us to educate Canadians on the privacy implications of measures resulting from these changes.

In closing, Mr. Chair, let me underline that we will carry out our work in a way that will continue to see Canadians both well respected as taxpayers and well served as citizens. While not mandated to make reductions under the deficit reduction action plan, our office answered the call to adhere to the exercise's spirit and intent. As a result, we proposed to the government that we would find savings of 5%, or $1.1 million per year, within our operations by fiscal year 2014-15, while maintaining the best possible level of service for Canadians. This proposal was accepted and reflected in our budget for 2012.

To deliver on this, we have planned the following reductions: $676,000, or 2.8%, starting this year, will come from funding that had been allocated to my office in support of the implementation of the Federal Accountability Act. This funding was never accessed by the Office of the Privacy Commissioner. Then, an additional $430,000, or some 2.2%, starting in 2014-15, will be absorbed through general efficiencies from across the organization. Efforts to improve the use of technology and available tools, to take on a greater risk management approach, to better target public education activities, and to seek out partnering opportunities will help OPC generate these savings.

In addition, I also want to note a looming cost pressure that poses a challenge to our quest for a workable balance between quality services and lower costs. A forced move out of the OPC's present location to new offices in 2013 will result in additional costs of up to $5 million. Right now we cannot absorb this without significant impact on our core program. We're currently negotiating with the Treasury Board Secretariat to address this pressure, and I'm hopeful this issue will be settled adequately in the very near future.

With that, I look forward to your questions. Monsieur Nadeau will help me with any detailed questions on our finances.

Thank you very much, Mr. Chair.

No. In answer to the last part of your question, I would say that we will use virtual tools more extensively. As I already told another member of the committee, I believe that virtual tools are less expensive and are probably increasingly efficient. We will try to be more careful about choosing audiences we think will benefit the most from our efforts. For instance, we will prioritize young people.

Bill C-30 does not give us any specific additional roles. If my memory serves me correctly, the bill mentions that we can conduct audits, but we can do that anyway. What we're worried about is the overall content of the bill. Since the bill is currently being discussed and the same issues have been raised for three years, our efforts are currently focused on the final version of the bill. For 10 years, various versions of this bill have been introduced, so we will have to wait and see. If the bill does not give us a specific role, the consequences of this new expenditure restraint program will clearly carry a lot of weight in terms of the risk elements that lead to audits, given our current resources.