I agree with your notion of perception and reality when it comes to trust. It's all very well to say that the commissioner is independent, that there's a registry and certain provisions, but if the perception isn't there, reality doesn't matter.
With regard to the independence of the commissioner, you've stated quite clearly that he or she must be truly independent and perceptibly so.
At the moment, the way the commissioner is appointed is problematic. In my opinion, the three parties should be involved in the choice rather than simply consulted.
You mentioned the five-year review. If I remember correctly, the Canadian Security Intelligence Service Act came into force in 1984, and was reviewed in 1990. The Privacy Act of 1983, on the other hand, has not been reviewed. It seems to me that governments don't tend to do these revisions.
This is problematic because the Privacy Act existed before the Internet was created.
What could be done to ensure that this is done? Should an annual report be requested from the commissioner?