Treasury Board of Canada Secretariat
www.tbs-sct.gc.ca
Common menu bar links
Breadcrumb Trail
ARCHIVED - Office of the Privacy Commissioner of Canada
This page has been archived.
Archived Content
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Message from the Privacy Commissioner of Canada
I am pleased to present this 2009-2010 Report on Plans and Priorities, which sets out the strategic directions, priorities, expected results and spending estimates for the Office of the Privacy Commissioner of Canada (OPC) for the coming fiscal year.
As we were preparing this Report, I marked an important anniversary – five years as Privacy Commissioner. Anniversaries are a time for reflection, and what stands out as I look back over the last five years is how far my Office has come.
As our past Reports on Plans and Priorities have indicated, in addition to focusing on activities related to the full implementation of Personal Information Protection and Electronic Documents Act (PIPEDA), the key focus of my first three years as Commissioner was on getting our house back in order after a tumultuous period of administrative, financial and organizational crises. During that time, we made tremendous progress on strengthening the management and financial framework of the OPC.
The fourth and fifth years were about consolidation – our rebuilt Office emerged as an effective organization. Our focus shifted back to where it should be: fulfilling our mandate to protect the privacy rights of all Canadians.
The coming final two years of my mandate will be even more focused on action. We live in an unprecedented period of transformation for privacy and the challenges we face as Canada's privacy guardian are enormous and ever-changing. New information technologies and new implications of 9-11 are creating potent and novel threats to privacy. Our Office will take an even more innovative and focused approach in addressing these evolving issues.
Last year, the OPC had identified five corporate priorities to give focus to its activities and most effectively achieve its Strategic Outcome of protecting the privacy rights of individuals. For the planning period of this Report on Plans and Priorities, the management team ratified last year's priorities with slight revisions to keep with the changing privacy world and organizational challenges.
The five corporate priorities for 2009-2010 are as follows:
- Continue to improve service delivery through focus and innovation;
- Provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, genetic information);
- Strategically advance global privacy protection for Canadians;
- Support Canadians, organizations and institutions to make informed privacy decisions; and
- Enhance and sustain the organizational capacity.
While the challenges we face in our day to day work are great, I am proud that the OPC has such a talented and creative team dedicated to tenaciously working to fulfill the vital mandate which Parliament has entrusted in our Office.
(Original signed by)
Jennifer Stoddart
Privacy Commissioner of Canada
Section I: Overview
1.1 Summary Information
Raison d'être
The mandate of the Office of the Privacy Commissioner of Canada is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals1.
Responsibilities
The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians and her powers include:
- Investigating complaints, conducting audits and pursuing court action under two federal laws;
- Publicly reporting on the personal information-handling practices of public and private sector organizations;
- Supporting, undertaking and publishing research into privacy issues; and
- Promoting public awareness and understanding of privacy issues.
The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. We focus on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.
Strategic Outcome and Program Activity Architecture (PAA)
To pursue its mandate effectively, the OPC works towards the achievement of a single Strategic Outcome: that the privacy rights of individuals are protected. The Office's architecture of program activities for making continued progress to protect privacy on behalf of Canadians is composed of three operational activities and one management activity as follows (the PAA diagram below presents information at the program activity level):
Strategic Outcome
The privacy rights of individuals are protected.
| Program Activity |
|---|
| 1. Compliance Activities |
| 2. Research and Policy Development |
| 3. Public Outreach |
| 4. Internal Services |
Alignment of PAA to Government of Canada Outcomes
The Privacy Commissioner is an Officer of Parliament who reports directly to Parliament. The Strategic Outcome of, and the expected results from, her Office are detailed in Section 2 of this Report on Plans and Priorities.
1.2 Planning Summary
The following two tables present a summary of the total planned financial and human resources for the OPC over the next three fiscal years.
| 2008-09 | 2009-10 | 2010-11 |
|---|---|---|
| 22,323 | 21,950 | 21,950 |
| 2008-09 | 2009-10 | 2010-11 |
|---|---|---|
| 178 | 178 | 178 |
* FTE: Full-Time Equivalent
Contribution of Priorities to the Strategic Outcome
The OPC has a single Strategic Outcome (SO 1): The privacy rights of individuals are protected. The table below describes how each corporate priority contributes to the Strategic Outcome and what the OPC plans to do in 2009-2010 to achieve or make progress toward each priority.
| Operational Priorities | Type2 | Link to Strategic Outcome | Description |
|---|---|---|---|
| Continue to improve service delivery through focus and innovation | Ongoing | SO 1 |
This has been, and continues to be, the most important priority for the OPC, as much as it is a challenge given the ever-increasing demand for privacy protection coupled with the difficulty of recruiting experienced investigators and auditors. The OPC is committed to:
|
| Provide leadership to advance four priority privacy issues (information technology, national security, identity integrity and protection, genetic information) | Previous | SO 1 |
Last year, in an effort to be more strategic in its allocation of resources and to achieve greater impact, the OPC designated four horizontal priority privacy issues to help guide the Office over the next few years and developed a three-year plan to advance each issue. Over the period of this
RPP, the OPC will:
|
| Strategically advance global privacy protection for Canadians | Previous | SO 1 |
Businesses, particularly in the online context, increasingly operate transnationally. The OPC will continue to work with international stakeholders to advance global privacy protection for Canadians. More specifically, the OPC
will:
|
| Support Canadians, organizations and institutions to make informed privacy choices | Previous | SO 1 |
The OPC will continue to provide Canadians with information and tools to understand and protect their rights. The Office will also work with organizations and institutions so they understand their privacy obligations and comply with applicable legislation. The OPC will:
|
| Management Priority | Type | Link to Strategic Outcome | Description |
|---|---|---|---|
| Enhance and sustain the organizational capacity | Previous | SO 1 |
Having obtained increased funding to meet a greater demand, the OPC must continue efforts to build the required capacity to support its activities directed to privacy protection and promotion. The Office's focus relating to internal services will be to:
|
Risk Analysis
The strategic context and operating environment of the OPC are characterized by external and internal factors and risks that dictate the choice of our corporate priorities, affect our plans and performance, and drive our decision-making. This section briefly presents our particular environment.
Privacy regulators, whether national, provincial, territorial or international, now find themselves facing similar operational environments. Our traditional role as the guardians of personal privacy is well established in legislation, defined by clear guidelines and reinforced by a history of legal precedents. At the same time, challenges to the conventional interpretation of personal privacy appear to increase with every new development in technology.
Whether as a result of new and powerful consumer products that encourage individuals to enter, store and share data on a range of interests, obsessions and personal details, or the creation and rapid application of business products and processes that can easily collect, analyze and commercialize this data, it appears that individuals are making decisions that may, in fact, erode the general right to personal privacy and the protection of their personal data.
Organizations like ours are trying to understand why Canadians are making these decisions. Have they become resigned to less privacy as a result of the rash of invasive security measures imposed over the past seven years? Does the growing popularity of community-building tools – like online forums, social networks and micro-blogging services – encourage individuals to share more personal information with little consideration for the short term and long term implications of their behaviour? Canadians appear willing to trade a certain amount of information about their background, their preferences and their intentions for relatively little reward: is there a limit to the information they will trade?
At the same time, businesses are learning to apply technology in more effective and efficient means. They are using sophisticated data collection and analysis tools to identify their customers and target particular customer segments. The level of detail available about individuals who regularly use online services should be staggering to most Canadians.
The ready availability of bandwidth, inexpensive computing power and all this data is fuelling the growth of global online service firms. As Canadians are encouraged to use online services, their personal information may rapidly find its way into files and data servers in countries with less robust privacy protection regimes.
Faced with these challenges, privacy regulators are dedicating more of their resources to working in concert with their international colleagues. Together, they are developing global standards in data protection, identity management and the reporting of data breaches. They are identifying jurisdictions with weaker privacy protections, and are working with global firms to ensure privacy protection meets the same high standard around the world – not the lowest common denominator. These cooperative efforts are especially important in a turbulent economic environment where private industry and public sector organizations might be tempted to concentrate on other priorities, to the detriment of privacy and data protection.
In order to be successful and deliver on its expected results, the OPC manages risks to its operations through implementing controls and mitigation strategies. At present, the three most critical risks faced by the Office are as follows:
First, considering that business demands exceed the present the OPC capacity, there is a risk that the Office could not meet its legislative and mandated requirements or could not deliver on its corporate priorities and business activities as planned. The OPC has been struggling for some time with a significant backlog of investigations and privacy impact assessment (PIA) reviews. The OPC mitigates this risk through a major initiative to review and streamline its work processes to increase efficiency. In 2009-2010, we will be in the final stages of development and full implementation of a new Case Management System scheduled for December 2009, which will lead to re-engineering of processes to reflect a more streamlined approach to respond to inquiries and complaint investigations and will help reduce some of our capacity challenges. As well, the OPC focuses efforts on four distinct priority issues to maximize our impact, as opposed to always trying to address any and all privacy issues, recognizing their proliferation.
Capacity challenges are exacerbated by a marketplace characterized by a restricted pool of specialized, investigative and audit skills, as well as lengthy staffing processes. While some of these challenges are common throughout the federal public service, they nevertheless affect the human resources situation at the OPC. In 2008-2009, the OPC approved a revised Integrated Business and Human Resources Plan, which includes a resourcing strategy identifying plans and priorities for the next three years, namely to address capacity and retention challenges. We also make effective use of alternative approaches to staffing (terms, contractors, students). The OPC received additional funding through a business case approved in 2008-2009 and is now hiring new staff; however, the scarcity of investigative skills represents a continuing risk.
Second, there is a risk of privacy breaches to the OPC information and data management, which could potentially come from an inconsistent application of, internal security procedures or improper system architecture and roles-based access to OPC systems. Since the OPC's mandate is to protect the privacy rights of individuals, it must lead with the protection of its own information and data. We have a number of IT security controls in place such as: compliance with the Management of Information Technology Security (MITS) standards and the new Government Policy for IT Security, annual threat and risk assessments (TRAs) and quick action on any identified shortcomings, and due diligence in the handling of access to information and privacy requests. Nevertheless, the risk remains as for any organization considering our era's dependency on technology to manage operations and exchange information.
Third is the fact that the Privacy Act is not up-to-date and does not offer sufficient provision to protect individuals' personal information held or handled by federal government departments and agencies. The Act was enacted in 1983 when there were no personal computers, no Internet, no cell phones, no geo-positioning systems, let alone biometrics and radio frequency identification devices (RFIDs) chips or nanotechnology. It was crafted in the era of reel-to-reel computer tapes and paper files in filing cabinets, when transborder data flow almost entirely was achieved through shipping goods, tapes or paper, not digital bits. This important risk inherently reduces the OPC's ability to influence the protection of individuals' privacy rights.
The OPC has pointed out on many occasions that the Privacy Act is long overdue for a fundamental reform. We will continue to advocate for Privacy Act reform by engaging Parliament, as well as encouraging federal government institutions to adopt leading practices to respect the privacy rights of individuals and to protect their personal information. We do this through Parliamentary appearances, speeches, media relations activities, and other communications activities, and we work with Treasury Board Secretariat on the renewal of policies and guidance for federal institutions as it relates to privacy. In the spring of 2008, the House of Commons Standing Committee on Access to Information, Privacy and Ethics commenced a review of the Privacy Act. The Privacy Commissioner proposed a list of 10 "quick fixes" when she appeared before the Committee in April 2008 as a first step in modernizing the legislation while we wait for comprehensive reform. The Committee heard from a number of witnesses and our Office hopes that the Committee will return to this work when Parliament reconvenes. (www.privcom.gc.ca/information/ar/200708/200708_pa_e.asp).
Expenditure Profile
In 2009-2010, the OPC plans to spend $22,323,597 to make progress on its five corporate priorities, meet the expected results of its program activities, and contribute to its Strategic Outcome.
Spending Trend From 2005-2006 To 2011-2012
The figure below illustrates the OPC's spending trend over an eight-year period.
The above spending trend graph shows a steady increase in resources for the period 2005-2006 through to 2009-2010, then a slight drop in fiscal year 2010-2011 to a fixed state thereafter. The increased spending reflects resources sought by the OPC through two business cases, as submitted to the Parliamentary Panel on the Funding and Oversight of Officers of Parliament. First, in 2005, the OPC received approval to stabilize funding for PIPEDA and increase funding in support of our overall mandate. Second, in 2008, the OPC received approval to increase funding to: deliver programs in light of recent legislation (i.e., Federal Accountability Act, Proceeds of Crime (Money Laundering) Act), eliminate the backlog of privacy investigations, expand public outreach and establish an internal audit function. The increase in funding is phased-in over three fiscal years, 2008-2009, 2009-2010 and 2010-2011. The growth for 2008-2009 was $3.3M and for 2009-2010, it is $1.2M. The third year shows a slight reduction of funding of $0.4M, which is reflective of the sun-setting of the funding for the backlog elimination.
2009-2010 Allocation of Funding by Program Activity
The figure below displays the allocation of the OPC's funding by program activity for 2009-2010. A large portion of the OPC funding is allocated to Program Activity 1 – Compliance Activities, which include the Office's main program delivery mechanisms, namely complaint investigations, responses to inquiries, audits, and privacy impact assessment reviews.
Voted and Statutory Items
The table illustrates the way in which Parliament approved the OPC's resources, and shows the changes in resources derived from the supplementary estimates and other authorities, as well as how funds were spent.
| Vote # or Statutory Item | Truncated Vote or Statutory Wording | 2008-09 Main Estimates |
2009-10 Main Estimates |
|---|---|---|---|
| 45 | Program expenditures | 15,898 | 20,101 |
| (S) | Contributions to employee benefit plans | 1,929 | 2,222 |
| Total | 17,827 | 22,323 | |
