Information & Ethics Committee on May 3rd, 2016

Thank you very much, Mr. Chair.

I am very pleased to be here again, this time, to talk about our office's main estimates. With me today are Daniel Nadeau, our chief financial officer, and Patricia Kosseim, senior general counsel and director general, legal services, policy and research.

In my allotted time, I will discuss the technological evolution of the digital economy and its impact on privacy; our plans for the year ahead; and the challenges we face going forward given our current level of funding.

As you may know, our funding has remained stable in recent years at approximately $25 million annually, and no increase is expected in the near future. Yet our investigations workload is increasing and we have a number of new responsibilities relating to advances in technology.

The digital economy is evolving quickly as a result of constant technological innovation. This is a reality that affects many government regulators. This trend, however, has had a disproportionate, indeed revolutionary, impact on the field of privacy. When the Privacy Act came into force in 1983, computers were not mainstream. When the Personal Information Protection and Electronic Documents Act came into force in 2001, Facebook did not even exist.

Smart phones, cloud computing, big data and the Internet of Things, to name but a few data-rich technologies, all raise significant and highly complex privacy issues. Keeping up with all these changes has been a real struggle.

Despite its limited resources, my office has nonetheless effected much positive change for Canadians. Through sound management practices, we have optimized our resources and restructured our activities. Even though this has allowed us to realize significant efficiencies, we are unable to keep pace with demand. For example, despite our best efforts, by the end of fiscal 2014-15, a total of 291 out of an inventory of 759 active Privacy Act files were already more than a year old. In other words, 38% of complainants had not received a reply a year after filing a complaint. Our surveys show that 90% of Canadians feel they are losing control of their personal information. They expect to be better protected.

Turning to the year ahead, technology allows businesses and governments to collect and analyze exponentially greater quantities of information. But with great reward comes great risk. I am referring to government and corporate surveillance and massive data breaches, which occur on a regular basis.

As you know, breach reports to my office are growing year over year, particularly since 2014, when federal government reporting of material breaches was deemed mandatory under Treasury Board policy. Moreover, Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, known as the Digital Privacy Act, will soon make reporting by private organizations a legal obligation. Unfortunately, we have not received any additional funding to address these new responsibilities.

At this time, we are only able to cursorily review, advise, and follow up on all but a few of the breach reports we receive. We expect this problem to continue in the years ahead.

The increased complexity of Privacy Act investigations, owing to technology and the interconnectedness of government programs, is also putting added pressure on our compliance activities, with the result that too many are not completed in a timely way.

That being said, looking ahead, my office will try to confront these realities head-on as we embark on a number of ambitious initiatives related to the new privacy priorities, which I've spoken to you about before.

As part of our government surveillance priority, we are carefully reviewing how information-sharing is occurring between federal institutions for the purposes of national security following the passage of Bill C-51, the Anti-terrorism Act, 2015. We hope our review will inform the upcoming public debate on how to amend that legislation.

In keeping with our reputation and privacy priority, we are consulting widely on matters related to online reputation as we work to establish a position on such things as the “right to be forgotten” in the Canadian context.

Under our economics of personal information priority, we are examining the current consent model, the efficacy and even viability of which many are now questioning in the context of modern technologies. Our aim there is to identify potential improvements, to implement those that fall within our legal framework, and to recommend legislative changes where necessary.

We will also offer new guidance to businesses and individuals on privacy protection, paying special attention to small and medium-sized businesses, as well as vulnerable groups such as children and seniors.

We also look forward to working with Parliament in the year ahead to update the Privacy Act.

That Canadians would feel uninformed about their privacy rights and not able to control their personal information is hardly surprising given the speed and breadth of technological change. In my view, improving public education and regulatory protection through OPC guidance and industry codes of practice, in addition to completing investigations in a timely way, are all critical to meeting public expectations and maintaining trust in the digital economy.

For example, we've been unable to fulfill our statutory role to encourage private sector organizations to develop industry codes of practice. We would also like to be able to offer timely guidance to Canadians on fundamental issues such as big data and the Internet of things. We're also concerned about our ability to invest in key public education tools, such as the web, and in drawing the public towards these tools to help address privacy knowledge gaps amongst Canadians.

Furthermore, it is critical that we increase our capacity to monitor and research technology in order to better understand how it affects privacy, and that we promote privacy-enhancing technologies.

In closing, it is clear that technology has fundamentally changed the privacy landscape, and for us as a regulator, it is imperative that we stay ahead of these changes. I'm confident that the strategic priorities we have chosen position us well for this task. Still, new regulatory responsibilities and an ever-growing investigative workload have added to expectations of my office. Ensuring we can continue to provide Canadians with the level of privacy protection they expect while also maintaining their trust in government and the digital economy remains our primary goal, but it is one that is increasingly challenging to achieve, given our current funding levels.

I would, therefore, welcome a discussion on whether additional funding for my office would be appropriate to do what is expected of us by organizations, by Canadians, and of course, by Parliament.

I look forward to your questions.

Thank you.

In our view it would be in the order of $4 million to $5 million.

On that particular aspect, it would be around or under $1 million. The things we would like to achieve that we feel we cannot achieve under the current budget can be divided in part into investigative activities, including analysis of breach notifications. That would be around $1 million. Then there is policy working with industry to develop clearer, more detailed codes of practice and developing more guidance ourselves, as well as some public education tools.

Overall we're talking about $4 million to $5 million, including about $1 million in investigative or compliance activity.

Yes.

As you know, we are proceeding with a review of how Bill C-51 is being implemented under current funding. I think that this is a priority area, but there may be limits to how broad that review would be.

With additional money we would be able to look at the practice of more departments, but we're going to do a review of certain departments with current funding.

We've estimated that with roughly half a million dollars we could review a sizable number of departments in terms of their practice. My answer to your question would be we're doing the best we can with the current funding and we will do a kind of report similar to what was envisaged, but with relatively few departments in scope, to do—

As I indicated at a previous meeting, we've sent a survey to all departments to determine exactly where best to focus our efforts. We're still at the point of analyzing how many of these departments we will look at. But clearly, with no funding it's going to be a handful of departments. Again, with more funding we would be able to do a more thorough job for more departments.

It's going to probably take two years or so. This fall I intend to make public the results of our initial survey to departments, so that will give a certain sense of how Bill C-51 is being applied on the ground, but there will not be much in-depth analysis of the types of information because we're not there. That will likely be for the next phase.

Sure. As I said, the budget is around $25 million. It's $24.5 million in total, $22 million requiring approval by Parliament and another $2.5 million representing statutory forecasts for employee benefits that do not require additional approval by Parliament.

Of that amount of $24.5 million, around 69% is spent on personnel and 29% on operating expenditures. There is 2% of the budget which is spent on a contribution program for which we're responsible.

In terms of broad activities within the office, compliance activities—that would be investigations under the private and public sector laws and the audit and review group responsible for the C-51 review that we're undertaking—that represents roughly 46% of the budget.

Research and policy development represents roughly 14% of the budget. Public education and outreach, 10%, and internal services, 30%.

We've done quite a bit and we have tried to address the backlog. For instance, on the productivity of our investigative group looking at cases under the Privacy Act, the public sector, their productivity has doubled in the past five years through various means, by trying to resolve more cases through early resolution, by focusing on the investigations of greater risk. Through a number of means, then, in the past five years we have doubled our productivity, yet we still have that backlog. We are continually trying to attack that issue, but I think there's a limit to what we can do.

I would start with the issue of the backlog in the investigation of complaints as part of our workload generally. I've explained how, through various measures, we have succeeded in doubling our productivity. What I have to do also is devote sufficient resources to investigations and increasing productivity, but I also have a mandate to promote understanding of privacy, which includes guidance, public education, and so forth. Frankly, with the increase in the number of complaints in recent years, the share of the work the office devoted to investigations has increased proportionately, and I have a statutory obligation to respond to complaints. That's okay, but there's a cost to that. The cost is that we're able, proportionately, to spend less time on public education and guidance. We have not been able to work with industry sectors to develop codes of practice.

I think that when you look at statistics around the fact that 90% or so of the population constantly say that they are highly concerned with privacy, and the majority, not surprisingly, of the population feel that they do not understand privacy issues, then we need to spend time on investigations, closing the backlog, and giving service to Canadians in that respect, but we also need to do a better job of informing the public and companies of their rights and obligations under privacy legislation. I need to find the right balance in all of this.

I'll ask my colleague Daniel Nadeau to explain the difference between the $3.3 million and $2.4 million. What may be at play is this question that public education is a statutory responsibility, but if we have complainants, they need to be heeded. There may be a transfer of funds. That's certainly what I see at the macro level in the activities of the office, that certain activities on the more proactive side, public education and policy, have been diverted or reassigned to investigations in the past few years because we don't want people to wait too long for the outcome of their complaints.

Do you have anything to add?

I'm guessing you're looking at the main estimates, and I have a caution there. You're looking at expenditures from the main estimates of 2014-15, 2015-16, and 2016-17. The numbers fluctuate. But the caution is that a different methodology has been imposed on us by Treasury Board in how we account for internal services. It may mean that the figures have changed, but in real terms I think what the commissioner has just described is what we're facing.