Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Office of the Privacy Commissioner of Canada

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Section I: Overview

1.1 Message from the Privacy Commissioner of Canada

It is with great pleasure that I table before Parliament today the Departmental Performance Report of the Office of the Privacy Commissioner of Canada (OPC) for the fiscal year ending March 31, 2008.

The fiscal year 2007-2008 was marked by important milestones.

It was the year in which my Office was proud to host the privacy world with the 29th International Data Protection and Privacy Commissioners Conference, in September, in the beautiful city of Montreal. The conference program underscored the wide range of issues that will have an impact on privacy in the coming years, as well as the increasingly global nature of privacy issues. We welcomed more than 650 commissioners, academics, privacy professionals, advocates, government officials, IT specialists and others from around the globe – making it the largest-ever conference of its kind.

It was the year in which we continued to participate in discussions surrounding the parliamentary review of the Personal Information Protection and Electronic Documents Act (PIPEDA), and to actively support plans to amend the law to make breach notification mandatory. In the meantime, however, we worked with industry to develop voluntary breach notification guidelines, and we are beginning to see signs that companies, especially large businesses, are following our recommendations.

The Office also continued to promote Privacy Act reform with the research and development of an Addendum to a comprehensive document originally presented in 2006 to the Standing Committee on Access to Information, Privacy and Ethics. The Office worked on a series of proposed “quick fixes” to the Privacy Act in the event that the government does not intend to engage in a fundamental reform of the Act. As a result of this work in 2007-2008, I made two separate appearances before the Standing Committee in April 2008 and presented these documents, and the Committee also heard from a number of witnesses on our recommendations. I hope this is a signal that Canadians may, in the not-so-distant future, have a law which better protects their privacy rights in the federal public sector.

The Office continued to provide sound legal and policy analyses and expertise to support Parliamentarians in their review of the privacy implications of bills. Over the course of the year, we reviewed and commented on 19 bills with potential privacy implications, in addition to sharing 20 submissions and policy positions on a variety of government initiatives. We also enhanced our communications with Parliamentarians and, specifically, with the Standing Committee on Access to Information, Privacy and Ethics, to which we report regularly.

With the coming into force of the Federal Accountability Act, we finally became subject to the Access to Information and Privacy Acts. Accordingly, we established an ATIP unit and began training staff to ensure we effectively meet all our obligations on this front.

In addition, we continued our efforts to improve and expand service delivery, in addition to building our overall organizational capacity, priorities that go hand-in-hand. An ever-increasing complaints backlog and difficulty recruiting experienced investigators – a trend across the public service – added to our challenges in this domain. However, through new approaches to our recruitment, training and development, as well as streamlining and building innovation into our investigations processes, we are tackling these challenges. I am very pleased with the progress that we are making in solidifying our team and further improving the way we work.

In the Office, the year 2007-2008 was a year of change. Heather Black, who was the OPC’s Assistant Commissioner for PIPEDA for several years and a true pioneer in the privacy field, retired in 2007. We welcomed a dynamic new member of the executive team: Elizabeth Denham from the Office of the Information and Privacy Commissioner of Alberta. Ms. Denham is now the Assistant Commissioner for PIPEDA.

As we take stock in the Departmental Performance Report of this past fiscal year’s activities, we recognize the myriad of issues that pose significant and emerging threats to Canadians’ privacy, as well as the ongoing challenges we face from an organizational perspective. A year from now, we look forward to reporting on how we continued to help minimize many of these threats and overcome these challenges, to better promote and protect privacy rights.

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada

1.2 Management Representation Statement

I submit for tabling in Parliament, the 2007–2008 Departmental Performance Report for the Office of the Privacy Commissioner of Canada.

This document has been prepared based on the reporting principles contained in the Guide for the Preparation of Part III of the 2007–2008 Estimates: Reports on Plans and Priorities and Departmental Performance Reports:

  • It adheres to the specific reporting requirements outlined in the Treasury Board Secretariat guidance;
  • It is based on the department’s Strategic Outcome and Program Activity Architecture that were approved by the Treasury Board;
  • It presents consistent, comprehensive, balanced and reliable information; 
  • It provides a basis of accountability for the results achieved with the resources and authorities entrusted to it; and
  • It reports finances based on approved numbers from the Estimates and the Public Accounts of Canada.

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada

1.3 OPC Strategic Outcome and Program Activity Architecture (PAA)

The OPC has a single Strategic Outcome supported by a Program Activity Architecture (PAA) composed of three operational program activities, aimed at protecting the privacy rights of individuals, and internal services that enable the delivery of the operational activities.

Strategic Outcome The privacy rights of individuals are protected.
Program Activities 1. Compliance activities 2. Research and policy development 3. Public outreach
Internal services

Given that the OPC is independent from government, we do not link, or report, information from this Office to the Government of Canada outcomes.

1.4 Raison d’tre

The mandate of the OPC is to protect and promote the privacy rights of individuals.

The OPC is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate.

The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

  • Investigating complaints, conducting audits and pursuing court action under two federal laws;
  • Publicly reporting on the personal information-handling practices of public and private sector organizations;
  • Supporting, undertaking and publishing research and policy development in respect of privacy issues; and
  • Promoting public awareness and understanding of privacy issues.

The Commissioner works independently from any other part of the government to investigate complaints with respect to the federal public sector and the private sector. We focus on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.

1.5 Financial and Human Resources

The following two tables present the total financial and human resources that the OPC has managed in 2007-2008.

Financial Resources
Planned Spending (includes Funds earmarked for FedAA implementation) Federal Accountability Act (FedAA) Funds Adjusted Planned Spending Total Authorities Actual Spending
$19,711,000 ($1,365,000) $18,346,000 $ 18,955,578 $17,130,181

Human Resources
Planned Actual Difference
* Full-Time Equivalent
143 FTEs*1 110 FTEs 33 FTEs

1.6 Factors Affecting OPC Performance in 2007-2008

External Factors

Privacy is a challenging right to defend. For some, security and safety take precedence over less tangible social values. As a result, questions of privacy, self-determination and other democratic rights are often overshadowed. Within government, issues of privacy and information access are sometimes viewed as operational hurdles, rather than fundamental to Canadians’ freedoms. However, many citizens seem to take another view. Research indicates that Canadians have deep-felt privacy concerns and very serious reservations about the economic, political and technological factors which threaten their freedom.

Events over the course of the year – from anti-terror trials in Toronto, to the Air India and Iacobucci inquiries in Ottawa – kept national security issues in the public eye. In that time, numerous inquiries and organizations also called for expanded oversight of the federal government’s growing national security portfolio. Similarly, given this environment, our Office has voiced concern with the slow but steady erosion of privacy rights in Canada.

At its core, our right to know what personal information our government collects or discloses about us is based on fundamental values of autonomy and liberty in a modern democratic state. In practice, however, this right often collides with the security imperatives of government. National security initiatives are often beyond review, and so beyond reproach. Meanwhile, efforts to prevent terrorism and organized crime have made it acceptable for governments to collect more personal data and greatly expand public surveillance. Government measures such as the Anti-terrorism Act, Public Safety Act and Passenger Protect Program may undermine those privacy rights that Canadians dearly cherish.

Technology is another factor affecting privacy – often in new ways every day. Canadians are great early adopters of new technologies and devices. These technologies and devices help us communicate across a vast country, keep us informed, and let us work in new ways. However, new online tools also pose serious privacy threats: social networking sites, the compilation of personal profiles from searches and communications, risks of identity theft and online fraud are very real problems. These are challenging, technical issues which blur traditional lines between information security, data protection and personal privacy.

Finally, over the past year, a spate of recent data breaches in the US, UK and Canada highlighted a growing problem: data loss. There is now an increasing need for businesses and governments to take privacy protection seriously. In the past year, our Office has been involved in a number of privacy breach initiatives, from developing guidelines for businesses to including new provisions for notification of individuals as both PIPEDA and the Privacy Act are reviewed by Parliament.

With all these issues as backdrop, last September in Montreal, the Office of the Privacy Commissioner hosted the 29th Annual Conference of Data Protection and Privacy Commissioners. The conference was an opportunity for the world’s data commissioners to discuss successes and failures in their efforts to promote privacy around the world. Over 650 participants, representing 53 countries, took part. The conference provided a forum to a wide variety of experts, researchers and policy makers, from across the spectrum of privacy and security fields. The conference provided a unique opportunity for data protection commissioners and global privacy experts to share ideas, knowledge and experience.

Over the past year, amid all these issues, trends and discussions, one clear reality has emerged: privacy protection has become a truly global issue. Like climate change, it is a problem that defies narrow solutions, narrow jurisdictions or legal boundaries. As a result, our Office is working with data protection officials around the world to strengthen privacy protections wherever possible. At the same time, the OPC will also continue to call for more privacy-protective legislation and the enforcement of data protection obligations of private and public sector organizations.

Internal Factors

Fiscal year 2007-2008 was Year 2 of the implementation plan for the OPC’s three-year business case presented in 2005-2006 to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament. Performance of the Office against the objectives of this second year is presented in Section 2.1 – OPC Performance in 2007-2008 under “Other Activities: Internal Services”.

To respond to new mandatory requirements from the Federal Accountability Act, the Proceeds of Crime and Terrorist Financing Act, the Treasury Board Internal Audit Policy, coupled with exponential changes in the privacy world and staffing challenges experienced by the OPC, the Office prepared a second business case to obtain additional resources. Much of the analysis to support the drafting of the business case was completed in 2007-2008. The business case will be discussed with Treasury Board Secretariat and then subsequently presented to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament.

Another important internal factor relates to the challenges of recruiting and retaining qualified staff. This is discussed at length in Section 1.7 below and Section 2.1 – OPC Performance in 2007-2008 under “Other Activities: Internal Services”.

And since a major event of 2007-2008 was the 29th Annual Conference of Data Protection and Privacy Commissioners, a considerable effort from all staff was invested in this activity as well as operating resources. Section 2.1 – OPC Performance in 2007-2008 under “Other Activities: Internal Services” takes stock of the conference from a resources perspective.

1.7 Performance Status of OPC Priorities

The OPC had five corporate priorities for 2007-2008. The following table presents the priorities, high-level information on our actual performance and a self-assessment of performance status2.

More detailed information on actual performance is provided in Section II – Analysis by Program Activity.

Strategic Outcome: The privacy rights of individuals are protected.
OPC Priorities for 2007-2008 Type Actual Performance Performance Status
1. Improve and expand service delivery Ongoing In 2007-2008, the OPC launched a comprehensive re-engineering project to design and implement a new, innovative inquiries and complaints resolution process aimed at fast-tracking response time. This project will be well-advanced or completed by the end of the next fiscal year. Focused efforts this year went to addressing the backlog of complaints. The backlog of complaints under PIPEDA was reduced by 47% in 2007-2008, and while the backlog of complaints under the Privacy Act was not reduced, the investigation team managed to achieve a stable output despite the loss of a number of experienced staff during the year. A Request for Proposals to engage contracted resources was issued to assist with backlog reduction. Service standards were developed and others refined for responding to complaints and inquiries under both Acts in 2007-2008. Partially met
The number of privacy impact assessments (PIA) pending review was reduced by 64% in 2007-2008 (from 50 to 18 files). A performance standard was set for processing PIAs within 90 days of receiving them. During the year, 17 of the 78 PIA reviews (22%) were processed within standard time but now that the backlog is under control, we anticipate improvements in the timeliness of PIA reviews. The OPC initiated six audit projects in 2007-2008 compared to eight projects originally planned; two audits were deferred to a later start in 2008-2009 due to a shortage of staff. Although four new resources joined the audit and review team in 2007-2008, the capacity remained the same with four departures. In addition to its traditional audit projects, the OPC conducted five other interventions3 in 2007-2008. Four audits were completed during the period, only one within original planned timelines. It has taken longer than planned to complete the audits due to a shortage of staff, the need to mature the audit process, and additional time required to secure management response to audits and address auditee concerns. A new system was introduced to track the timeliness of our audit work. Partially met
2. Engage with Parliament on privacy issues Ongoing The OPC continued its support of Parliamentarians in 2007-2008 through the provision of 20 submissions and policy positions relating to potential privacy implications of proposed legislation and/or government initiatives.The OPC responded to 25 direct inquiries from Parliamentarians and their staff.The OPC provided sound legal and policy analyses and expertise to support Parliamentarians in their review via six separate appearances to Parliamentary Committees. Successfully met
3. Continue to promote Privacy Act reform and PIPEDA review Previous The OPC continues to promote Privacy Act reform by engaging Parliament through a succession of submissions, discussion papers and appearances. In 2007-2008, the OPC conducted research and developed an Addendum to a comprehensive document originally presented in 2006 to the Standing Committee on Access to Information, Privacy and Ethics. The Addendum, actually issued in April 2008, discusses how events of the past two years illustrate the ongoing need for reform of the Act. (Refer to the web site for these documents and for a list of 10 Quick Fix changes that would be of significant benefit to Canadians: The OPC continues to take an active role in the PIPEDA review process by meeting with private sector stakeholders and Industry Canada as the government considers possible amendments to the Act. Successfully met
4. Organize, host and evaluate the 29th International Conference of Data Protection and Privacy Commissioners Previous The conference under the theme Privacy Horizons: Terra Incognita was held in Montreal from September 25 to 28, 2007 ( Attendance and engagement by stakeholders exceeded expectations, with 650 participants from governments, private sector enterprise, provincial, national and international privacy organizations, representing 53 countries. Speakers included Michael Chertoff, the U.S. Secretary of Homeland Security; Peter Fleisher, Google Global Privacy Counsel; Michael Geist, law professor and Canadian Internet law expert; and Barry Steinhardt, Director of Technology for the American Civil Liberties Union. Participants indicated a high level of satisfaction with the topics and research presented at the Conference, and particularly praised the work of OPC employees. Exceeded expectations
5. Build organizational capacity Previous A review of the organizational structure that started in 2006-2007 was completed in 2007-2008. All positions allocated through the 2005-2008 business case that the OPC intended to staff (this represents 42 of the 47 positions4) were classified and 37 positions were staffed by end of 2007-2008, with the remaining six positions well underway to being filled as well. The OPC, like many government departments and agencies, is experiencing challenges in recruiting qualified staff, which explains why it has not reached its full complement of staff allocated as part of the business case. Partially met

To assist with the integration of new employees during 2007-2008, we developed an Employee Checklist, intended to assist employees in their orientation to the OPC, and a draft Employee Tool Kit (to be finalized in 2008-2009). Original plans to open two regional offices in 2007-2008 have been revised to permit a more flexible approach to extending the Office’s regional presence across more regions of Canada. (Refer to Priority 4 described in the 2008-2009 Report on Plans and Priorities:

With the passage of the Federal Accountability Act, the OPC along with numerous other institutions became subject to the Access to Information Act (ATIA) and the Privacy Act starting in 2007-2008. To respond to this new requirement, the Office created a unit with two dedicated staff. During their first year, the new unit processed 30 ATIA requests and 22 Privacy Act requests, all within prescribed timelines.

The OPC infrastructure was improved in a number of ways: one third of all workstations were replaced in line with the OPC Evergreen Program, information management policies and procedures were promulgated (i.e., blackberry use, biometric memory stick use, laptop, personnel security), and adjustments to floor plans were made to optimise existing space and accommodate new and existing staff, and work is continuing to complete a long-term accommodation plan.

Successfully met

The OPC is satisfied that all but two of the commitments made to advance its five corporate priorities in 2007-2008 were successfully met or expectations were exceeded. The two exceptions where commitments were partially met related to elements of: Priority 1 – improve and expand service delivery and Priority 5 – build organizational capacity. The two partial performance gaps are interrelated with both being in good part attributable to a shortage of qualified skills available in the investigative area.

To address the partial gap relating to service delivery, and in view of the realization that the skills shortage does not have a short-term solution to it, the OPC launched in 2007-2008 a comprehensive re-engineering project to design and implement a new, innovative inquiries and complaints resolution process aimed at fast-tracking response time. This work, which is treated as a corporate priority in 2008-2009, is expected to be well-advanced or completed by end of the new fiscal year.

As for the partial gap related to the recruitment of qualified staff, it is one element of the fifth priority relating to capacity building, the other elements having been satisfactorily achieved. Like many organizations, the OPC experienced challenges in the recruitment of personnel. However, despite these challenges, by March 31, 2008 the OPC staffed 37 of the 42 new positions obtained from the November 2005 Business Case. In comparing this success to the increase on FTEs, the OPC increased its FTEs by 71% from 78.5 FTEs in 2005-2006 to 110 FTEs by the end of 2007-2008. In terms of staff population, as previously reported to Parliament the OPC ended fiscal year 2007-2008 with a staff compliment of 122. This upward trend continues into the new fiscal year.