Information & Ethics Committee on April 22nd, 2013

Thank you kindly, Mr. Chair.

Good afternoon, Mr. Chair and members of the committee. It's a pleasure to be here today once again to discuss our office's main estimates for this coming fiscal year.

Joining me today are assistant commissioner Chantal Bernier, who as you know is in charge of our day-to-day operations, along with our chief financial officer and director general of corporate services Monsieur Daniel Nadeau.

During my time today I look forward to outlining and discussing some of our major priorities for the year ahead. For our office this is a year marked by both continuity and transition. On one hand our main program activities remain the same. On the other hand we will see change as we move to a new headquarters and have a change in leadership.

I'll start by talking about what remains the same. First of all let me go over planned spending by program area.

Overall we have a planned operating budget of some $29.1 million spread among four key program activities. First we have the program activity of compliance, which includes investigating privacy-related complaints as well as reviewing privacy impact assessments and undertaking audits of organizations. In the coming year this area will account for just over $11.1 million of our budget.

Next we plan to devote some $4.6 million to the area of research and policy development under which we examine emerging privacy issues as well as provide advice to Parliament on the privacy aspects of proposed legislation.

In order to continue informing individuals of their privacy rights and organizations of their obligations under the law, we intend to invest just over $3.1 million in public education and outreach program activity.

Then finally we intend to direct just more than $10.1 million to the area of internal services. These include functions such as human resources management, administration, and asset management. This amount both represents an increase from the last fiscal year and accounts for an overall increase in our budget. I want to take a moment, honourable members, to explain why this is so.

In short, the increase you see is caused by a one-year injection to cover the costs associated with moving our headquarters, something made necessary by a long-term retrofit to our current space.

I'd like to talk now a bit about my concerns regarding an orderly transition in my office. While we are a relatively small organization, relocation comes with expense. Our costs are being covered by a $4.1 million interest-free loan, which we will repay to the Treasury Board Secretariat over the next 15 years. Our move will put us in the same building as some fellow agents of Parliament. We have planned several cost efficiencies through common and shared services, and we're exploring even more.

Already we've made arrangements to share a common reception desk, a library, a server room, and a mail-processing room. This action contributes to our wider commitment to continuously improve our business processes to make the most of our existing resources. This is an important priority for our organization given the current economic environment.

As I noted in last year's remarks, while not mandated to make reductions under the deficit reduction action plan, our office answered the call to adhere to its spirit and intent. As a result we will have implemented savings of 5%, or $1.1 million, per year within our total budget by the end of fiscal year 2014-15.

In sum, while our figures show an increase because of the cost of our move, the resources we have available to meet the privacy needs of Canadians largely remained at the levels set for the last fiscal year. We made the decision to implement savings while committing to maintain the best possible level of service for Canadians. That commitment remains solidly intact for this year and underlines the need to make the most efficient use possible of our existing resources.

I will now move on to the importance of adapting for the privacy landscape of today and tomorrow.

As we look at the present and the future, we can all rest assured that the ever-quickening pace of technological change and its relationship with privacy will remain a constant. This is why we have created the Technology Analysis Branch, a true lab responsible for supporting investigations and audits.

Over the years, as Canadians' interest and awareness with regard to privacy issues have increased, complaints have risen. Years ago, the rise in complaints prompted a need for further funding to deal with a backlog.

Today, I’m happy to say that we have made efforts to maximize existing resources to continue getting the results that Canadians expect and deserve. Last year, we engaged in a project to simplify investigation procedures and reduce the time required to investigate complaints. This year, we plan to implement the improvements that this project identified in order to continue providing Canadians with results at a lower administrative burden.

Going further, we plan to broaden this project to complaints under PIPEDA.

In short, from both a technological and a privacy perspective, to say that the world has changed immensely in 10 years would be an understatement. And the law needs to catch up with the times. As a result, we strongly suggest that action to bring needed change be taken as soon as possible.

With only a few months remaining in my final term, it appears more and more doubtful that a second review of PIPEDA—one that is overdue—will happen before I am replaced. Nonetheless, in the coming year, our office will work to set out a roadmap to address current and future privacy challenges more effectively. It will examine how organizations can be given greater incentive to invest in privacy and information security.

In the absence of such incentives, it's up to our investigation process to bring about needed improvements. And while some companies are very cooperative, the process is generally long, drawn-out and resource-intensive.

While I certainly can't speak for the committee, I think most can agree that it shouldn't be Canadian taxpayers footing an unnecessarily large bill to fund the privacy improvements of businesses.

In addition, I want to remind everyone here about the work we undertook in the past calling for reform of the Privacy Act. The committee supported that reform. The act was written during a time when information was stored in fixed filing rooms, rather than on USB sticks and portable hard drives.

Staying with the Privacy Act for now, I would be remiss if I didn't take a moment to note the concerns Canadians have registered in the form of complaints stemming from some large-scale federal data breaches over the last few months.

This is a concern our office shares with federal departments, with Parliament, along with Canadians. In the coming months we hope to provide information to Parliament from our investigations into the loss at HRSDC of both a hard drive and a USB key in separate incidents, containing the personal information of more than half a million Canadians.

In addition to exploring systemic challenges related to the use of portable electronic storage devices by federal organizations, we plan to begin an audit in this regard.

Further on this year, we will be releasing reports on audits of both FINTRAC and the Canada Revenue Agency. Audit findings provide recommendations for subject organizations to follow. They can serve as guidance for other departments to improve practices. Our office also seeks to provide guidance to the private sector, and especially to smaller businesses.

In the year ahead our office will continue our proactive approach towards identifying and exploring emergency privacy challenges. Some of these include mobile payments, facial recognition software, intergovernmental information sharing, and consent for obtaining personal information online.

In conclusion, Mr. Chairman, let me underscore that my management team is wholly committed to ensuring that this year of transition, both to our new location and to new leadership, comes with no effect on service to Canadians. In the last year of my mandate I plan to do everything I can to ensure an orderly and a positive transition to new leadership upon my retirement in December.

I think all members around the table can agree that privacy issues are challenging and increasingly closer to home for more and more Canadians. In order for this office to continue functioning as efficiently as possible throughout the course of the year, we are now working with officials from the Privy Council Office to begin the competitive process to find a new commissioner in the near future.

As you all know, Parliament has a key role to play in the process of approving a new privacy commissioner, so I wish you well in your future deliberations on that matter.

With that, I conclude and I look forward to your questions.

Merci.

Thank you very much, honourable member.

I think that generally the issue of the slowness of legislative reform in comparison with the pace of change in the world in which personal information is used has created a great challenge for my office.

As I have suggested, in the future I am hoping Parliament will make privacy legislation a priority. I think the onus should be less and less on individual Canadians to make complaints to my office, and more on organizations, notably, to take the responsibility for better protecting personal information.

I do, and that's why I'm recommending it.

I will refer this to the director of corporate services. I don't really know.

I don't believe so.

In meeting with central agencies to discuss the financing of this event, we explored that as a way to address it. But to my knowledge it hasn't been done as a common practice.

It is possible.

As I said, to my knowledge it hasn't been common practice in the past, but you would have to ask these questions to Public Works delegates.

As was mentioned, the loan is for $4.1 million, and the repayment of the loan amounts to approximately $270,000 a year over the 15-year horizon.

In addition to that, because we're making efforts to create more efficiencies as it relates to our space, PWGSC, Public Works, is partaking along with us in the savings that are going to be generated. So we're getting a portion of that back as well to compensate slightly for the loan repayment we have to make over those 15 years.

We're working very hard to try to provide countervailing trends to these cuts, notably the modernization of process of both investigation operations to put the emphasis on early resolution— between 20% to 25% of our complaints are now early resolved—as well as other measures to offset these budget decreases.

I think Canadians overall would be better served by that, the exact granular implication of that has yet to be seen. Sometimes organizations with greater powers meet with greater resistance at some point; that is a possibility.

The problem I have noticed is that I think the lack of powers means that our legislation is not taken seriously until a certain amount of time and effort have gone into dealing with them.

Do you mean for both acts? This is the last time I'll be here for main estimates. This committee did quite a comprehensive report a couple of years ago. I think that report is still relevant.

I would add to that the issue of some measures of data breach for the Privacy Act. Many Canadians are extremely concerned about the safety and security of their information held by the federal government. This has come out of some of our recent polling, so I would add that to the committee's last report.

In terms of the private sector legislation, as I said when you were wrapping up your hearing on social media networks and so on, the Canadian law is now over 10 years old and has lagged behind reforms in almost every country that we can compare ourselves to, notably the G-8, in terms of having neither the substance nor the consequences, the heft necessary for it to be taken seriously, as it should be, by the increasing international online players who are the big users of personal information.

I would hope that Parliament could look at that law once again and give it the cutting edge it needs to better protect privacy.

Yes, I think we're always in a reactive mode. I think that's the nature of the world. There are creative entrepreneurs out there who come up with new inventions, and the rest of society adapts to that. Certainly, the legal system has always been behind changing reality, and that is through history. I guess the issue comes when the reality has changed so much compared to the legislation, which is or is not there, that it becomes a problem.

I also draw your attention to anti-spam legislation. Again, Canada is one of the few countries that doesn't have anti-spam legislation yet in force because the regulations have not yet been published, and that's an unfortunate delay.