Evidence of meeting #11 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was year.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Daniel Nadeau  Director General and Chief Financial Officer, Office of the Privacy Commissioner of Canada
Mary Dawson  Conflict of Interest and Ethics Commissioner, Office of the Conflict of Interest and Ethics Commissioner
Denise Benoit  Director, Corporate Management, Office of the Conflict of Interest and Ethics Commissioner
Lyne Robinson-Dalpé  Director, Advisory and Compliance, Office of the Conflict of Interest and Ethics Commissioner

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Thanks very much for joining us today.

There is a statement in your comments that to me really stands out, which is, “Unfortunately, our lack of funding for these activities is adversely impacting our ability to effectively deal with breaches.” How serious a problem is that in terms of court actions and so on? For instance, how many of the investigations actually lead to court actions?

Also, would you comment on how many of the breaches would be criminal in nature versus somebody throwing into the garbage a bag that happens to have in it all of the information of the Privacy Commissioner or members of Parliament?

Could you comment on the seriousness of this inability to effectively deal with breaches?

9:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Sure. I would start with the fact that very few of these cases lead to court action. I'll distinguish between the public and the private sector again.

Under the public sector rules, there is now a directive from the Treasury Board that mandates departments to notify my office and the Treasury Board when there is a significant or material breach in a department. We've not been funded to do that work, so we had to reallocate from other places. Essentially there is one person in the office who deals with these cases.

We receive reports from departments. In the public sector there are roughly 300 of these breach notifications every year. There is one person to review these reports at the office. We look at what the department tells us in terms of the nature and the potential impact of the breach. We give some advice, but with few resources the examination is relatively superficial.

On the private sector side, there is no obligation at this point for companies to notify us. Some companies notify us voluntarily. Under Bill S-4, which was adopted by Parliament last year, when regulations are adopted, there will be a legal obligation for companies to notify us, but again, there will be no funding. We're talking about hundreds of notifications per year given to our office. We have one person on the public sector side and one on the private sector side to look at these. By necessity we review fairly superficially what the departments tell us or what the companies tell us.

To add to this, as you know, there are other statistics out there that suggest there are many more breaches than those our office is actually notified about.

I think the issue of breaches is a significant problem. We do what we can with these two people who are devoted to these analyses. Given the importance of the issue of breaches, it's a concern for me that we have as few resources as we do to devote to these issues.

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

To continue on with regard to resources, are you aware of new technologies coming online that would be useful to you? Do you have resources to evaluate, within the government, the kinds of technologies that might make the job easier, strictly in terms of technology? Obviously it sounds as though you're short-staffed in terms of examining these breaches. Are you aware of any technologies that you would consider if you had the budget to do so?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We actually have a technological lab comprising four or five people all together, but they serve the office generally. For breaches there are one or two technologists who spend time on the analysis of these breaches, so we're not without capacity on the technological side.

But these technologists serve for breach analyses as well as for other investigations, policy work, guidance, etc. At the end of the day, we do give guidance to departments and companies. Among the advice we give is to make better use of technology. Encryption is an important part of the protection that companies and departments can use. So we're not without capacity altogether, but as we know, people are concerned about breaches, which we hear about almost on a daily basis, in either the private or the public sector. We have the capacity we have, which I think is too little.

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

With regard to the $4 million or $5 million that you suggested—and I know it's kind of a ballpark, blue sky figure—would you be able to prioritize within that envelope of funding what you would take first, second, and third? Is that something that would be helpful to us in terms of a priority for future needs or immediate needs that have to be addressed? Would there be a priority list?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's not a ballpark figure. We've done a bit of analysis leading to that number. It's difficult to give an answer on priority but if you define the activities as point one, reducing backlogs and compliance work generally; point two, policy guidance including working with industry to develop industry code of practice; point three, public education, the first two would be a priority but it would be a shame because Canadians deserve to be better informed. If I had to choose, I would put public education in the third category.

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

I appreciate the comment on how you arrived at that number. We tend to blue sky a lot of things. That's very helpful, thanks very much.

9:20 a.m.

Conservative

The Chair Conservative Blaine Calkins

Mr. Kelly, please.

9:20 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I want to return to part of your answer to Mr. Erskine-Smith's question when he asked about the line-by-line breakdown on the budget. You mentioned 30% of the budget going to internal services. I see that broken out here. Can you elaborate on how that fairly large item within your budget breaks down? What are some of the major and perhaps minor items that fall under that roughly 30%?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll ask Mr. Nadeau to give the breakdown of the proportion within that range of activities. Thirty per cent for internal services may seem high, but you have to look at this issue in context. First of all, it's less than other agents of Parliament by and large and other small organizations. Thirty per cent may be higher than what you would see in a larger department but as a small organization, we're subject to the same reporting and oversight activities including an external audit committee, the comptroller general, etc.

We have the same reporting obligations and because we're smaller in proportion, it takes more people to deliver. I'm not suggesting for one minute that there should be less oversight or reporting, it's a very good thing but the price to pay for that when you're a small organization is that proportionately, you're going to spend more time on these issues.

Mr. Nadeau.

9:25 a.m.

Director General and Chief Financial Officer, Office of the Privacy Commissioner of Canada

Daniel Nadeau

In the breakdown, if you want, by type of activity, you'll find informatics, IMT, information management and technology; the bulk of the money is there. You'll also find your typical sections or functions such as finance, human resources, strategic planning, and there's also the management overhead of the organization.

We follow the methodology provided to us by central agency to be able to report similarly from one organization to the other. One of the cautions I would bring to that is that what you'll find in this reporting methodology in smaller organizations is that the costs are often highly centralized as opposed to larger organizations where some of these things are decentralized. You may find in a larger organization a human resource advisory function, a financial advisory function that is within the programs; a number of expenditures related to your IT is within the programs. Whereas for our organization, for efficiency reasons, we centralize all these things within internal services, which might explain the figure of 30%.

Pat Kelly Conservative Calgary Rocky Ridge, AB

I understand fully what you're saying about the obligations and responsibilities of your organization, the burden this puts on you when you are a small organization. It immediately led me to think of some of the suggestions that other witnesses have brought forward about combining the offices of Privacy and Access to Information. They would probably give us a similar response to how internal services take up a significant portion of their budget.

Would the combining of the two offices allow for cost savings in internal services that could be put into investigative activity or responding to the backlog of complaints or other activities that are really important?

9:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's a very good question. We haven't looked at this in exactly these terms, but over the past few years we have done a lot of work in trying to merge certain functions or have common services with other agents of Parliament. For instance, many of us are now housed in the same building, and we share certain services like libraries, and so on and so forth.

We haven't looked at this in the context of a merger of internal services with the Information Commissioner, per se. We've looked at it more broadly with other agents of Parliament. There's been quite a lot of progress there, but we have not looked at this issue specifically. It's possible that there might be some savings. We've gone in a similar area in looking at this from an agents of Parliament perspective, so we think we've gained a lot of that efficiency already.

If necessary, we could look at this question.

9:25 a.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you.

Mr. Long.

Wayne Long Liberal Saint John—Rothesay, NB

Thanks for coming, and it's good to see you again.

My background is business. I've run many businesses, and the budgeting process is something we go through as business owners every year. Certainly, with respect to my hockey team, the budget process had many layers. Whether it was physiotherapy, equipment, game night, sponsorship, or sales, they would all come back to me with their own budgets. Then there would certainly be a budget review period.

Again, I'm a proud Liberal, but I'm certainly fiscally conservative.

9:30 a.m.

Conservative

The Chair Conservative Blaine Calkins

You should come over here.

Wayne Long Liberal Saint John—Rothesay, NB

No, thanks.

That being said, the budgeting process is very important, obviously, and it needs to be challenged. As the leader of my organization, I did a lot of challenging of that budget.

There have been great questions today about different things you want and don't want. We talked about technology. But I'm more interested in the budgeting process you go through as a leader of your organization: how you come up with it, how you challenge it, and most important, how personally and directly involved you are in the process.

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have, I think, quite a rigorous process leading to the conclusion of our annual budgets. I am personally involved in these various steps.

It starts with defining the corporate priorities of the organization. There's a discussion among managers several months before the beginning of a fiscal year. There are the strategic priorities that you know about, the four that I've mentioned. Every year there is a series of more administrative operational types of corporate priorities that are set for the organization. We discuss that as a group. I'm involved personally and I approve the corporate commitments or priorities. Then, once that is done, that leads the various branches to align their priorities, activities, and budget.

There is a discussion around this time of year to make sure that the budget asked for by each branch is aligned to our priorities. That, too, is discussed as a group, but I decide at the end of the day, based on fairly rigorous discussions, how much each branch will be allocated.

As well, there is a central reserve that we allocate, based on the priorities of the day.

Wayne Long Liberal Saint John—Rothesay, NB

So, there is a challenge back. There is a process where you will challenge back people's budgets asking for increases.

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

9:30 a.m.

Conservative

The Chair Conservative Blaine Calkins

Raj, you have a couple of minutes.

Raj Saini Liberal Kitchener Centre, ON

Thank you very much for coming here.

I have two questions. The first one is to Mr. Nadeau.

Bringing up the topic of internal services, I noticed here in the strategic outcome and program section that your 2014-15 expenditure was $7.99 million. Then in 2015-16 it went to $5.7 million. Then the 2016-17 main estimate is back to $7.3 million. Can you explain the discrepancy as to why the money went down?

9:30 a.m.

Director General and Chief Financial Officer, Office of the Privacy Commissioner of Canada

Daniel Nadeau

As mentioned earlier, there was a significant change in the methodology to account for internal services within the federal government. Treasury Board Secretariat issued guidelines on what should be seen within any internal service program activity, which has led to a shift over the years, so that explains partly that.

Another explanation is that 2014-15 was the tail end of the Office of the Privacy Commissioner's move. We moved our offices from downtown Ottawa to downtown Gatineau. As a result of that, at the tail end of this, there was a bit more internal services expenditures to account for the move, which was a corporate expense. That explains the fluctuations over the years.

Raj Saini Liberal Kitchener Centre, ON

You expect your expenditure to be roughly the same as 2014-15, around $7 million.

9:30 a.m.

Director General and Chief Financial Officer, Office of the Privacy Commissioner of Canada

Daniel Nadeau

Yes, again because of the change in methodologies.