Information & Ethics Committee on May 3rd, 2016

Sure. I would start with the fact that very few of these cases lead to court action. I'll distinguish between the public and the private sector again.

Under the public sector rules, there is now a directive from the Treasury Board that mandates departments to notify my office and the Treasury Board when there is a significant or material breach in a department. We've not been funded to do that work, so we had to reallocate from other places. Essentially there is one person in the office who deals with these cases.

We receive reports from departments. In the public sector there are roughly 300 of these breach notifications every year. There is one person to review these reports at the office. We look at what the department tells us in terms of the nature and the potential impact of the breach. We give some advice, but with few resources the examination is relatively superficial.

On the private sector side, there is no obligation at this point for companies to notify us. Some companies notify us voluntarily. Under Bill S-4, which was adopted by Parliament last year, when regulations are adopted, there will be a legal obligation for companies to notify us, but again, there will be no funding. We're talking about hundreds of notifications per year given to our office. We have one person on the public sector side and one on the private sector side to look at these. By necessity we review fairly superficially what the departments tell us or what the companies tell us.

To add to this, as you know, there are other statistics out there that suggest there are many more breaches than those our office is actually notified about.

I think the issue of breaches is a significant problem. We do what we can with these two people who are devoted to these analyses. Given the importance of the issue of breaches, it's a concern for me that we have as few resources as we do to devote to these issues.

We actually have a technological lab comprising four or five people all together, but they serve the office generally. For breaches there are one or two technologists who spend time on the analysis of these breaches, so we're not without capacity on the technological side.

But these technologists serve for breach analyses as well as for other investigations, policy work, guidance, etc. At the end of the day, we do give guidance to departments and companies. Among the advice we give is to make better use of technology. Encryption is an important part of the protection that companies and departments can use. So we're not without capacity altogether, but as we know, people are concerned about breaches, which we hear about almost on a daily basis, in either the private or the public sector. We have the capacity we have, which I think is too little.

It's not a ballpark figure. We've done a bit of analysis leading to that number. It's difficult to give an answer on priority but if you define the activities as point one, reducing backlogs and compliance work generally; point two, policy guidance including working with industry to develop industry code of practice; point three, public education, the first two would be a priority but it would be a shame because Canadians deserve to be better informed. If I had to choose, I would put public education in the third category.

I'll ask Mr. Nadeau to give the breakdown of the proportion within that range of activities. Thirty per cent for internal services may seem high, but you have to look at this issue in context. First of all, it's less than other agents of Parliament by and large and other small organizations. Thirty per cent may be higher than what you would see in a larger department but as a small organization, we're subject to the same reporting and oversight activities including an external audit committee, the comptroller general, etc.

We have the same reporting obligations and because we're smaller in proportion, it takes more people to deliver. I'm not suggesting for one minute that there should be less oversight or reporting, it's a very good thing but the price to pay for that when you're a small organization is that proportionately, you're going to spend more time on these issues.

Mr. Nadeau.

In the breakdown, if you want, by type of activity, you'll find informatics, IMT, information management and technology; the bulk of the money is there. You'll also find your typical sections or functions such as finance, human resources, strategic planning, and there's also the management overhead of the organization.

We follow the methodology provided to us by central agency to be able to report similarly from one organization to the other. One of the cautions I would bring to that is that what you'll find in this reporting methodology in smaller organizations is that the costs are often highly centralized as opposed to larger organizations where some of these things are decentralized. You may find in a larger organization a human resource advisory function, a financial advisory function that is within the programs; a number of expenditures related to your IT is within the programs. Whereas for our organization, for efficiency reasons, we centralize all these things within internal services, which might explain the figure of 30%.

That's a very good question. We haven't looked at this in exactly these terms, but over the past few years we have done a lot of work in trying to merge certain functions or have common services with other agents of Parliament. For instance, many of us are now housed in the same building, and we share certain services like libraries, and so on and so forth.

We haven't looked at this in the context of a merger of internal services with the Information Commissioner, per se. We've looked at it more broadly with other agents of Parliament. There's been quite a lot of progress there, but we have not looked at this issue specifically. It's possible that there might be some savings. We've gone in a similar area in looking at this from an agents of Parliament perspective, so we think we've gained a lot of that efficiency already.

If necessary, we could look at this question.

We have, I think, quite a rigorous process leading to the conclusion of our annual budgets. I am personally involved in these various steps.

It starts with defining the corporate priorities of the organization. There's a discussion among managers several months before the beginning of a fiscal year. There are the strategic priorities that you know about, the four that I've mentioned. Every year there is a series of more administrative operational types of corporate priorities that are set for the organization. We discuss that as a group. I'm involved personally and I approve the corporate commitments or priorities. Then, once that is done, that leads the various branches to align their priorities, activities, and budget.

There is a discussion around this time of year to make sure that the budget asked for by each branch is aligned to our priorities. That, too, is discussed as a group, but I decide at the end of the day, based on fairly rigorous discussions, how much each branch will be allocated.

As well, there is a central reserve that we allocate, based on the priorities of the day.

Yes.

As mentioned earlier, there was a significant change in the methodology to account for internal services within the federal government. Treasury Board Secretariat issued guidelines on what should be seen within any internal service program activity, which has led to a shift over the years, so that explains partly that.

Another explanation is that 2014-15 was the tail end of the Office of the Privacy Commissioner's move. We moved our offices from downtown Ottawa to downtown Gatineau. As a result of that, at the tail end of this, there was a bit more internal services expenditures to account for the move, which was a corporate expense. That explains the fluctuations over the years.

Yes, again because of the change in methodologies.