National Defence committee  I think the legislation provides certain exceptions for disclosure, either under my legislation—the Privacy Act—or the Access to Information Act. Departments have leeway with that. There are some valid public interest reasons to prevent disclosure under legislation, but recourse exists to challenge those.

National Defence committee  I have statistics of the complaints we receive at my office. We receive complaints directly from Canadians. I've indicated that, I think, in the last five years, we've received 300 complaints.

National Defence committee  Regarding access by VAC, there is some exchange of information between the two institutions in terms of those types of records. We have been engaged. We've been consulted on that. I understand we've received some PIAs, privacy impact assessments, on that.

National Defence committee  We are currently investigating the ArriveCAN app following complaints, so I won't be able to speak further on that, as this is ongoing.

National Defence committee  I think that the resources and efforts have to be put into making the system as user-friendly as possible. There are a number of modernization recommendations that need to happen in terms of making the principles of the system more up to date. An order-making power is one. A mandatory privacy impact assessment is another.

National Defence committee  I think we can make it easier to understand and faster. We are seeing that in terms of the statistics, so that's something we're working towards.

National Defence committee  We're measuring success by looking at the statistics and trends and by trying to see whether the number of complaints is increasing and being resolved quickly. Are the timelines decreasing? Is the collaboration we see, the exchanges with the departments...? When we're thinking about privacy impact assessments, are those being done before new programs are started?

National Defence committee  I think that it's important that people be able to access legal recourse. If you have a legal right, if you're protecting citizens, employees, civil servants or otherwise, people need to be able to access the systems. People need to be able to file a complaint and not worry about repercussions or reprisals.

National Defence committee  It was not PIPEDA. It was the Privacy Act.

National Defence committee  That's right. The Information Commissioner was created under the Access to Information Act, and the Privacy Commissioner under the Privacy Act. More recently—I think it was 2017, but I may be wrong on the date—Bill C-58 amended the Access to Information Act to give the Information Commissioner order-making powers.

National Defence committee  I will not minimize the impact of a public ruling, a public recommendation or the role of committees and so on. However, I don't have the ability to issue a binding order.

National Defence committee  Well, I think a more efficient and accessible system is one where you can have a regulator issue an order. That order is then binding. Again, I don't—

National Defence committee  We don't have that right now. Also, having the possibility of an order makes it more likely, in my view, that you're going to get early resolution on the matter without having to go through the process.

National Defence committee  In the case of our work, we're looking at a range. It's not entirely digital; we're doing a combination of both. We've designed and created a digital tool, for instance, for a breach, to assess whether a given privacy breach is a real risk of harm, and that's going to give an opinion on that and assist in that.

National Defence committee  We've moved forward in terms of information on the cloud, for instance, at the OPC. We are looking at technologies generally to see which ones could be used and how to use them. In terms of our strategic priority, we talked about staying ahead of technology in terms of legal compliance.