The original version was signed by
The Honourable Robert D. Nicholson, P.C., Q.C., M.P.
Minister of Justice and Attorney General of Canada
It is with great pleasure that I table before Parliament today the Departmental Performance Report of the Office of the Privacy Commissioner of Canada (OPC) for the fiscal year ending March 31, 2008.
The fiscal year 2007-2008 was marked by important milestones.
It was the year in which my Office was proud to host the privacy world with the 29th International Data Protection and Privacy Commissioners Conference, in September, in the beautiful city of Montreal. The conference program underscored the wide range of issues that will have an impact on privacy in the coming years, as well as the increasingly global nature of privacy issues. We welcomed more than 650 commissioners, academics, privacy professionals, advocates, government officials, IT specialists and others from around the globe – making it the largest-ever conference of its kind.
It was the year in which we continued to participate in discussions surrounding the parliamentary review of the Personal Information Protection and Electronic Documents Act (PIPEDA), and to actively support plans to amend the law to make breach notification mandatory. In the meantime, however, we worked with industry to develop voluntary breach notification guidelines, and we are beginning to see signs that companies, especially large businesses, are following our recommendations.
The Office also continued to promote Privacy Act reform with the research and development of an Addendum to a comprehensive document originally presented in 2006 to the Standing Committee on Access to Information, Privacy and Ethics. The Office worked on a series of proposed “quick fixes” to the Privacy Act in the event that the government does not intend to engage in a fundamental reform of the Act. As a result of this work in 2007-2008, I made two separate appearances before the Standing Committee in April 2008 and presented these documents, and the Committee also heard from a number of witnesses on our recommendations. I hope this is a signal that Canadians may, in the not-so-distant future, have a law which better protects their privacy rights in the federal public sector.
The Office continued to provide sound legal and policy analyses and expertise to support Parliamentarians in their review of the privacy implications of bills. Over the course of the year, we reviewed and commented on 19 bills with potential privacy implications, in addition to sharing 20 submissions and policy positions on a variety of government initiatives. We also enhanced our communications with Parliamentarians and, specifically, with the Standing Committee on Access to Information, Privacy and Ethics, to which we report regularly.
With the coming into force of the Federal Accountability Act, we finally became subject to the Access to Information and Privacy Acts. Accordingly, we established an ATIP unit and began training staff to ensure we effectively meet all our obligations on this front.
In addition, we continued our efforts to improve and expand service delivery, in addition to building our overall organizational capacity, priorities that go hand-in-hand. An ever-increasing complaints backlog and difficulty recruiting experienced investigators – a trend across the public service – added to our challenges in this domain. However, through new approaches to our recruitment, training and development, as well as streamlining and building innovation into our investigations processes, we are tackling these challenges. I am very pleased with the progress that we are making in solidifying our team and further improving the way we work.
In the Office, the year 2007-2008 was a year of change. Heather Black, who was the OPC’s Assistant Commissioner for PIPEDA for several years and a true pioneer in the privacy field, retired in 2007. We welcomed a dynamic new member of the executive team: Elizabeth Denham from the Office of the Information and Privacy Commissioner of Alberta. Ms. Denham is now the Assistant Commissioner for PIPEDA.
As we take stock in the Departmental Performance Report of this past fiscal year’s activities, we recognize the myriad of issues that pose significant and emerging threats to Canadians’ privacy, as well as the ongoing challenges we face from an organizational perspective. A year from now, we look forward to reporting on how we continued to help minimize many of these threats and overcome these challenges, to better promote and protect privacy rights.
(Original signed by)
Jennifer Stoddart
Privacy Commissioner of Canada
I submit for tabling in Parliament, the 2007–2008 Departmental Performance Report for the Office of the Privacy Commissioner of Canada.
This document has been prepared based on the reporting principles contained in the Guide for the Preparation of Part III of the 2007–2008 Estimates: Reports on Plans and Priorities and Departmental Performance Reports:
(Original signed by)
Jennifer Stoddart
Privacy Commissioner of Canada
The OPC has a single Strategic Outcome supported by a Program Activity Architecture (PAA) composed of three operational program activities, aimed at protecting the privacy rights of individuals, and internal services that enable the delivery of the operational activities.
Strategic Outcome | The privacy rights of individuals are protected. | | |
---|---|---|---|
Program Activities | 1. Compliance activities | 2. Research and policy development | 3. Public outreach |
Internal services | | | |
Given that the OPC is independent from government, we do not link, or report, information from this Office to the Government of Canada outcomes.
The mandate of the OPC is to protect and promote the privacy rights of individuals.
The OPC is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.
The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate.
The Commissioner is an advocate for the privacy rights of Canadians and her powers include:
The Commissioner works independently from any other part of the government to investigate complaints with respect to the federal public sector and the private sector. We focus on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In cases that remain unresolved, particularly under PIPEDA, the Commissioner may take the matter to Federal Court and seek a court order to rectify the situation.
The following two tables present the total financial and human resources that the OPC has managed in 2007-2008.
Planned Spending (includes Funds earmarked for FedAA implementation) | Federal Accountability Act (FedAA) Funds | Adjusted Planned Spending | Total Authorities | Actual Spending |
---|---|---|---|---|
$19,711,000 | ($1,365,000) | $18,346,000 | $18,955,578 | $17,130,181 |
Planned | Actual | Difference |
---|---|---|
143 FTEs*1 | 110 FTEs | 33 FTEs |

\* Full-Time Equivalent
Privacy is a challenging right to defend. For some, security and safety take precedence over less tangible social values. As a result, questions of privacy, self-determination and other democratic rights are often overshadowed. Within government, issues of privacy and information access are sometimes viewed as operational hurdles, rather than fundamental to Canadians’ freedoms. However, many citizens seem to take another view. Research indicates that Canadians have deep-felt privacy concerns and very serious reservations about the economic, political and technological factors which threaten their freedom.
Events over the course of the year – from anti-terror trials in Toronto, to the Air India and Iacobucci inquiries in Ottawa – kept national security issues in the public eye. In that time, numerous inquiries and organizations also called for expanded oversight of the federal government’s growing national security portfolio. Similarly, given this environment, our Office has voiced concern with the slow but steady erosion of privacy rights in Canada.
At its core, our right to know what personal information our government collects or discloses about us is based on fundamental values of autonomy and liberty in a modern democratic state. In practice, however, this right often collides with the security imperatives of government. National security initiatives are often beyond review, and so beyond reproach. Meanwhile, efforts to prevent terrorism and organized crime have made it acceptable for governments to collect more personal data and greatly expand public surveillance. Government measures such as the Anti-terrorism Act, Public Safety Act and Passenger Protect Program may undermine those privacy rights that Canadians dearly cherish.
Technology is another factor affecting privacy – often in new ways every day. Canadians are great early adopters of new technologies and devices. These technologies and devices help us communicate across a vast country, keep us informed, and let us work in new ways. However, new online tools also pose serious privacy threats: social networking sites, the compilation of personal profiles from searches and communications, risks of identity theft and online fraud are very real problems. These are challenging, technical issues which blur traditional lines between information security, data protection and personal privacy.
Finally, over the past year, a spate of recent data breaches in the US, UK and Canada highlighted a growing problem: data loss. There is now an increasing need for businesses and governments to take privacy protection seriously. In the past year, our Office has been involved in a number of privacy breach initiatives, from developing guidelines for businesses to including new provisions for notification of individuals as both PIPEDA and the Privacy Act are reviewed by Parliament.
With all these issues as backdrop, last September in Montreal, the Office of the Privacy Commissioner hosted the 29th Annual Conference of Data Protection and Privacy Commissioners. The conference was an opportunity for the world’s data commissioners to discuss successes and failures in their efforts to promote privacy around the world. Over 650 participants, representing 53 countries, took part. The conference provided a forum to a wide variety of experts, researchers and policy makers, from across the spectrum of privacy and security fields. The conference provided a unique opportunity for data protection commissioners and global privacy experts to share ideas, knowledge and experience.
Over the past year, amid all these issues, trends and discussions, one clear reality has emerged: privacy protection has become a truly global issue. Like climate change, it is a problem that defies narrow solutions, narrow jurisdictions or legal boundaries. As a result, our Office is working with data protection officials around the world to strengthen privacy protections wherever possible. At the same time, the OPC will also continue to call for more privacy-protective legislation and the enforcement of data protection obligations of private and public sector organizations.
Fiscal year 2007-2008 was Year 2 of the implementation plan for the OPC’s three-year business case presented in 2005-2006 to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament. Performance of the Office against the objectives of this second year is presented in Section 2.1 – OPC Performance in 2007-2008 under “Other Activities: Internal Services”.
To respond to new mandatory requirements from the Federal Accountability Act, the Proceeds of Crime and Terrorist Financing Act, the Treasury Board Internal Audit Policy, coupled with exponential changes in the privacy world and staffing challenges experienced by the OPC, the Office prepared a second business case to obtain additional resources. Much of the analysis to support the drafting of the business case was completed in 2007-2008. The business case will be discussed with Treasury Board Secretariat and then subsequently presented to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament.
Another important internal factor relates to the challenges of recruiting and retaining qualified staff. This is discussed at length in Section 1.7 below and Section 2.1 – OPC Performance in 2007-2008 under “Other Activities: Internal Services”.
And since a major event of 2007-2008 was the 29th Annual Conference of Data Protection and Privacy Commissioners, a considerable effort from all staff was invested in this activity as well as operating resources. Section 2.1 – OPC Performance in 2007-2008 under “Other Activities: Internal Services” takes stock of the conference from a resources perspective.
The OPC had five corporate priorities for 2007-2008. The following table presents the priorities, high-level information on our actual performance and a self-assessment of performance status2.
More detailed information on actual performance is provided in Section II – Analysis by Program Activity.
OPC Priorities for 2007-2008 | Type | Actual Performance | Performance Status |
---|---|---|---|
1. Improve and expand service delivery | Ongoing | In 2007-2008, the OPC launched a comprehensive re-engineering project to design and implement a new, innovative inquiries and complaints resolution process aimed at fast-tracking response time. This project will be well-advanced or completed by the end of the next fiscal year. Focused efforts this year went to addressing the backlog of complaints. The backlog of complaints under PIPEDA was reduced by 47% in 2007-2008, and while the backlog of complaints under the Privacy Act was not reduced, the investigation team managed to achieve a stable output despite the loss of a number of experienced staff during the year. A Request for Proposals to engage contracted resources was issued to assist with backlog reduction. Service standards were developed and others refined for responding to complaints and inquiries under both Acts in 2007-2008. | Partially met |
| | | The number of privacy impact assessments (PIA) pending review was reduced by 64% in 2007-2008 (from 50 to 18 files). A performance standard was set for processing PIAs within 90 days of receiving them. During the year, 17 of the 78 PIA reviews (22%) were processed within standard time but now that the backlog is under control, we anticipate improvements in the timeliness of PIA reviews. The OPC initiated six audit projects in 2007-2008 compared to eight projects originally planned; two audits were deferred to a later start in 2008-2009 due to a shortage of staff. Although four new resources joined the audit and review team in 2007-2008, the capacity remained the same with four departures. In addition to its traditional audit projects, the OPC conducted five other interventions3 in 2007-2008. Four audits were completed during the period, only one within original planned timelines. It has taken longer than planned to complete the audits due to a shortage of staff, the need to mature the audit process, and additional time required to secure management response to audits and address auditee concerns. A new system was introduced to track the timeliness of our audit work. | Partially met |
2. Engage with Parliament on privacy issues | Ongoing | The OPC continued its support of Parliamentarians in 2007-2008 through the provision of 20 submissions and policy positions relating to potential privacy implications of proposed legislation and/or government initiatives. The OPC responded to 25 direct inquiries from Parliamentarians and their staff. The OPC provided sound legal and policy analyses and expertise to support Parliamentarians in their review via six separate appearances to Parliamentary Committees. | Successfully met |
3. Continue to promote Privacy Act reform and PIPEDA review | Previous | The OPC continues to promote Privacy Act reform by engaging Parliament through a succession of submissions, discussion papers and appearances. In 2007-2008, the OPC conducted research and developed an Addendum to a comprehensive document originally presented in 2006 to the Standing Committee on Access to Information, Privacy and Ethics. The Addendum, actually issued in April 2008, discusses how events of the past two years illustrate the ongoing need for reform of the Act. (Refer to the web site for these documents and for a list of 10 Quick Fix changes that would be of significant benefit to Canadians: http://www.privcom.gc.ca/legislation/pa/pa_reform_e.asp) The OPC continues to take an active role in the PIPEDA review process by meeting with private sector stakeholders and Industry Canada as the government considers possible amendments to the Act. | Successfully met |
4. Organize, host and evaluate the 29th International Conference of Data Protection and Privacy Commissioners | Previous | The conference under the theme Privacy Horizons: Terra Incognita was held in Montreal from September 25 to 28, 2007 (http://www.privacyconference2007.gc.ca/Terra_Incognita_home_E.html). Attendance and engagement by stakeholders exceeded expectations, with 650 participants from governments, private sector enterprise, provincial, national and international privacy organizations, representing 53 countries. Speakers included Michael Chertoff, the U.S. Secretary of Homeland Security; Peter Fleisher, Google Global Privacy Counsel; Michael Geist, law professor and Canadian Internet law expert; and Barry Steinhardt, Director of Technology for the American Civil Liberties Union. Participants indicated a high level of satisfaction with the topics and research presented at the Conference, and particularly praised the work of OPC employees. | Exceeded expectations |
5. Build organizational capacity | Previous | A review of the organizational structure that started in 2006-2007 was completed in 2007-2008. All positions allocated through the 2005-2008 business case that the OPC intended to staff (this represents 42 of the 47 positions4) were classified and 37 positions were staffed by end of 2007-2008, with the remaining six positions well underway to being filled as well. The OPC, like many government departments and agencies, is experiencing challenges in recruiting qualified staff, which explains why it has not reached its full complement of staff allocated as part of the business case. | Partially met |
| | | To assist with the integration of new employees during 2007-2008, we developed an Employee Checklist, intended to assist employees in their orientation to the OPC, and a draft Employee Tool Kit (to be finalized in 2008-2009). Original plans to open two regional offices in 2007-2008 have been revised to permit a more flexible approach to extending the Office’s regional presence across more regions of Canada. (Refer to Priority 4 described in the 2008-2009 Report on Plans and Priorities: http://www.tbs-sct.gc.ca/rpp/2008-2009/inst/ipc/ipc03-eng.asp). With the passage of the Federal Accountability Act, the OPC along with numerous other institutions became subject to the Access to Information Act (ATIA) and the Privacy Act starting in 2007-2008. To respond to this new requirement, the Office created a unit with two dedicated staff. During their first year, the new unit processed 30 ATIA requests and 22 Privacy Act requests, all within prescribed timelines. The OPC infrastructure was improved in a number of ways: one third of all workstations were replaced in line with the OPC Evergreen Program, information management policies and procedures were promulgated (i.e., BlackBerry use, biometric memory stick use, laptop, personnel security), and adjustments to floor plans were made to optimise existing space and accommodate new and existing staff, and work is continuing to complete a long-term accommodation plan. | Successfully met |
The OPC is satisfied that all but two of the commitments made to advance its five corporate priorities in 2007-2008 were successfully met or expectations were exceeded. The two exceptions where commitments were partially met related to elements of: Priority 1 – improve and expand service delivery and Priority 5 – build organizational capacity. The two partial performance gaps are interrelated with both being in good part attributable to a shortage of qualified skills available in the investigative area.
To address the partial gap relating to service delivery, and recognizing that the skills shortage has no short-term solution, the OPC launched in 2007-2008 a comprehensive re-engineering project to design and implement a new, innovative inquiries and complaints resolution process aimed at fast-tracking response time. This work, which is treated as a corporate priority in 2008-2009, is expected to be well-advanced or completed by the end of the new fiscal year.
As for the partial gap related to the recruitment of qualified staff, it is one element of the fifth priority relating to capacity building, the other elements having been satisfactorily achieved. Like many organizations, the OPC experienced challenges in the recruitment of personnel. However, despite these challenges, by March 31, 2008 the OPC staffed 37 of the 42 new positions obtained from the November 2005 Business Case. In comparing this success to the increase in FTEs, the OPC increased its FTEs by 71% from 78.5 FTEs in 2005-2006 to 110 FTEs by the end of 2007-2008. In terms of staff population, as previously reported to Parliament, the OPC ended fiscal year 2007-2008 with a staff complement of 122. This upward trend continues into the new fiscal year.
This section reports the OPC performance for each program activity of its Program Activity Architecture (PAA) in relation to their expected results and performance indicators, and also indicates how the performance contributed to the five corporate priorities for 2007-2008. Performance reporting includes a self-assessment of performance status using the same scale as what was employed to report on progress to priorities in Section 1.7.
In 2006-2007, the OPC designed its Performance Measurement Framework (PMF) and started implementation in 2007-2008, using an incremental approach continuing over two more years. The performance indicators identified in this section are those against which the OPC has started measuring its performance in 2007-2008. More indicators from the OPC PMF are being introduced in reports on plans and priorities as they become operational.
In addition to ‘performance’ indicators that generate information about the extent of achievement of ‘results’, the OPC uses ‘volume’ indicators or statistics to collect relevant information about its ‘activities’. This section reports on OPC ‘results or outcomes’, primarily using performance information, with selected information about activities to make the performance story more complete (note: the OPC Annual Reports report more comprehensively on OPC ‘activities’, ensuring that both reports are complementary and not duplicative reading for Parliamentarians and Canadians).
Expected Result | Performance Indicator |
---|---|
Ultimate Outcome for Canadians | |
The OPC plays a lead role in influencing federal government institutions and private sector organizations to respect the privacy rights of individuals and protect their personal information. | Extent and direction of change in the privacy practices of federal government institutions and private sector organizations |
Planned Spending | Total Authorities | Actual Spending |
---|---|---|
$19,711,000 | $18,955,578 | $17,130,181 |
Planned | Actual | Difference |
---|---|---|
143 FTEs | 110 FTEs | 33 FTEs |
The above-mentioned expected result and performance indicator at the “ultimate outcome level” reflect the overarching goal and measure of success for the OPC. Measuring performance at this high level will be based on the gathering of relevant performance information relating to the “intermediate” and “immediate” level outcomes. Since the OPC is implementing its comprehensive Performance Measurement Framework incrementally over a three-year period from 2007 to 2010, more performance indicators are being added each year to measure with more depth the “intermediate” and “immediate” level outcomes, hence solidifying at the same time the foundation to measure the “ultimate” level outcome.
Having started implementing its PMF in 2007-2008, the OPC presents in this Departmental Performance Report the beginning of its performance story in the next pages, which at the same time, starts to reveal the Office’s performance vis-à-vis the “ultimate outcome”.
Through this program, the OPC conducts audits to assess whether federal and private sector organizations are complying with requirements set out in the two federal privacy laws, carries out reviews of privacy impact assessments and makes recommendations pursuant to the Treasury Board Secretariat policy, and investigates complaints and responds to inquiries received from individuals and organizations that contact the OPC for advice and assistance on a wide range of privacy-related issues. This program is supported by a legal team that provides legal advice and litigation services and a research team that offers technical and risk assessment support.
Expected Results | Performance Indicators | Actual Performance | Performance Status |
---|---|---|---|
Intermediate Outcomes | |||
Individuals receive effective responses to their inquiries and complaints. | Timeliness of OPC responses to inquiries and complaints | Turnaround times for inquiries received from the public or from organizations will be measured with more accuracy once the upgraded information management system is in place in the next fiscal year. The Office responded to 14,215 inquiries in 2007-2008. The calculation of turnaround times for complaints is based on the average number of months between the date of reception of the complaints and the date when findings are made or another type of disposition occurs. Timeliness is calculated by the proportion of complaints completed within service standards5: | Not met |
Federal government institutions and private sector organizations meet their obligations under federal privacy legislation and implement modern principles of personal information protection. | Extent to which audit and investigation recommendations are accepted and implemented over time6 | Of the four audits that were completed during 2007-2008, 21 recommendations were made and 20 were accepted by auditees at the time of reporting (95%). Follow-up will be made two years after reporting to determine the rate of implementation of the recommendations. The OPC initiated its first follow-up audit in January 2008 to assess progress made by the Canada Border Services Agency on implementing the 19 recommendations from the June 2006 audit report; results of the follow-up are not yet complete but will be published in the next departmental performance report. Under PIPEDA, the Commissioner’s investigation recommendations were accepted and implemented in 87% of the files. This meant that out of the 38 cases that included specific recommendations, there were 34 cases where organizations accepted our recommendations and actually implemented them, and only four cases where organizations did not. Under the Privacy Act, no preliminary reports of finding are issued and recommendations are not normally made. In cases where recommendations are made, they are responded to prior to concluding the complaint investigation. In the two cases where the Commissioner did make recommendations, they were both accepted and implemented, representing 100% acceptance and implementation. As well in 2007-2008, the OPC was involved in 12 litigation cases in order to promote compliance with federal privacy legislation. Some of these cases are ongoing before the courts. Four cases were settled to the satisfaction of the Commissioner and the parties. In three cases, the courts rendered judgments which helped further compliance with privacy legislation and helped to clarify legal obligations. | Successfully met |
Immediate Outcomes | |||
The process to respond to inquiries and investigate complaints is effective and efficient. | Timeliness of OPC responses to inquiries and complaints | Refer to performance information for the same indicator two rows above in this table. | Not met |
The process to conduct audits and reviews is effective and efficient, including effective review of privacy impact assessments (PIAs) for new and existing government initiatives. | Extent to which audit and PIA recommendations are accepted7 | Refer to the performance information for the same indicator above as it relates to audits. For PIAs, we received written responses to 32 PIA review letters previously issued (either completed in the fiscal year or prior fiscal year) and of 181 recommendations included in these, departments indicated agreement with 82 (45%). We point out that federal departments may not always indicate agreement in their responses and are under no obligation to respond to our PIA reviews. While they may not always respond when asked, they may nonetheless act on the OPC recommendations. Furthermore, departments are under no obligation to act on our recommendations as they are entirely responsible and accountable for managing their privacy risks. Nevertheless, we continue working to obtain improved responses to PIA reviews to monitor how much government initiatives contain modern privacy principles of personal information protection (as per our recommendations) and also to more objectively measure the impact of our work. | Successfully met |
| | Proportion of PIA reviews and audits completed within planned timelines8 | Twenty-two (22%) of the 78 PIA reviews completed in 2007-2008 were processed within the 90-day standard time but now that the backlog of PIAs is under control, the OPC anticipates improvements in the timeliness of PIA reviews in the next year. In addition, one of the four audits (25%) that were completed during the period was within planned timelines. | Not met |
In addition to closing investigation files as discussed in the table above, the OPC closely monitored 100 incidents9 (43 under PIPEDA and 57 under the Privacy Act), which are incidents of mismanagement of personal information that are brought to our attention from various sources including the media and institutions and organizations themselves.
The Office is seeing more complaints that raise systemic issues which may potentially affect thousands, if not millions, of individuals, more complaints involving ever-changing technology, Internet issues, social networking, wireless networks, and more complaints of an international nature and involving transborder flows of data. This leads to an increased need for co-operation with provincial and international counterparts and joint investigations. To this end, the OPC is concluding a Memorandum of Understanding with its counterparts across Canada in order to facilitate joint investigations and achieve greater efficiency in meeting our obligations under our respective Acts.
In addition to PIA reviews, which are formal requests for advice on new or existing government initiatives, the OPC held 53 consultation meetings with departments and agencies during the year and responded to more ad hoc requests for guidance. We do not measure the quantum of advice rendered; however, informal feedback received indicates that our advice is well received and has helped departments deal with privacy risks and the preparation of PIAs. Our practice is to give helpful suggestions when we can and direct those who inquire to appropriate sources of written materials, namely from the Treasury Board Secretariat, which is responsible for PIA guidance.
All of our compliance activities including investigations, audits and PIA reviews illustrate a need for improvement in the privacy management capabilities of federal departments and agencies and private sector organizations. The Office’s role is to influence compliance with privacy legislation and policies through its compliance activities and litigation work in order to have the privacy rights of individuals respected and their personal information protected. While the Office did influence compliance, as evidenced by the positive rates of implementation of our recommendations, its operations were hampered again in 2007-2008 by the persistent backlog of complaints that inevitably lengthens our turnaround times and also a high turnover of staff, which is no different than other federal entities in the National Capital Region (Refer to Internal Services in this Section of the Report for further detail).
It is in this whole context that the OPC launched its comprehensive re-engineering project in 2007-2008 that includes a thorough review of its business processes with a view to streamlining the current inquiry and complaint resolution process through the application of innovative, alternative approaches to noticeably improve the overall efficiency and effectiveness of the process. The re-engineering project, which is continuing into the next fiscal year, includes the design and implementation of a new case management system. The new system will provide the basis for OPC management to derive analytical and strategic information such as trends in complaint issues to facilitate a shift of resources to areas where the Office may have the most effective impact.
Planned Spending | Total Authorities | Actual Spending |
---|---|---|
$11,139,000 | $10,565,939 | $9,770,601 |
Planned | Actual | Difference |
---|---|---|
100 FTEs | 70 FTEs | 30 FTEs |
The operations under this activity contributed to the achievement of the following priority described in Section I.
Priority | Type |
---|---|
Improve and expand service delivery | Ongoing |
The compliance activities, being the core business of the OPC, are those that the Office targeted to improve and expand its service delivery, further supported by its research, policy development and outreach activities. Accomplishments this year to reduce parts of the backlog of complaints and PIAs, the establishment of service standards and the start of the major re-engineering of our business processes have contributed to this priority and make the Office well-positioned to make significant advances in service delivery in the coming year.
Through this program, the Office of the Privacy Commissioner (OPC) provides Parliamentarians and other stakeholders with advice and information on potential privacy implications of proposed legislation, government programs and private sector initiatives. As such, the OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring legislative and regulatory initiatives, providing legal, policy and technical analyses on key issues, developing policy positions that advance the protection of privacy rights, and sharing information with stakeholders to advance files of common interest. All of this work leads to more privacy resilient laws, regulations, policies, initiatives and to improved privacy management practices.
Expected Results | Performance Indicators | Actual Performance | Performance Status |
---|---|---|---|
Intermediate Outcome | |||
Parliamentarians and others have access to clear, relevant information, and timely and objective advice about the privacy implications of evolving legislation, regulations and policies. | Proportion of privacy-relevant cases in which OPC was consulted for advice. Proportion of cases in which the final outcome was more privacy protective than the original version10. | In 2007-2008, of the bills introduced, 19 were assessed to have potential privacy impact. Four were of high privacy relevance, 14 of medium relevance and one of low relevance. In the same period, the OPC was consulted on two bills: Bill C-27, An Act to amend the Criminal Code (identity theft and related misconduct) and Bill C-31, An Act to amend the Canada Elections Act and the Public Service Employment Act. Bill C-31 was amended in accordance with the Commissioner's recommendation to minimize potential privacy risks for voters. Bill C-27 has not yet become law, and therefore it is too early for the OPC to report whether the final outcome was more privacy protective than the original version. | Successfully met |
Immediate Outcomes | |||
The work of Parliamentarians is supported by an effective capacity to identify and research privacy issues, and to develop policy positions for the federal public and private sectors, which are respectful of privacy. | Key privacy issues identified and positions articulated to influence the evolution of bills through the drafting stage at the departmental level and the legislative process through Parliament | The OPC provided 20 submissions and policy positions relating to potential privacy implications of proposed legislation and/or government initiatives. In this capacity, OPC officials offered extensive comment on various subjects, including aviation security programs, financial monitoring, access of law enforcement to customer name and address data, and reform of Canada's copyright enforcement regime. | Successfully met |
Knowledge about systemic privacy issues in Canada is enhanced through research, with a view to raising awareness and improving privacy management practices. | Key privacy issues identified, analysed, and potential impacts assessed. | Research capacity and production continued to expand, fuelled in part by the wide range of subjects addressed at the 29th International Conference. As a follow-up to the conference, the OPC commissioned the writing of a summary paper to capture and convey the intellectual contribution of the event (http://www.privacyconference2007.gc.ca/workbooks/Terra_Incognita_summary_E.html). Research and positions taken on national issues like the no-fly list, data breaches, national security and Privacy Act reform resulted in increased interest in privacy issues across Canada. In 2007-2008, 16 research papers were issued by the OPC on a variety of privacy topics and 13 research projects were either completed or well underway to study impacts of privacy issues affecting Canadians. In addition, the OPC Contributions Program approved 10 projects for a total of $363,500 in 2007-2008 to conduct research into emerging privacy issues (Refer to web site for a list of the recipient organizations and their approved research projects: http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070627_e.asp). | Successfully met |
The 29th International Conference provided an ideal opportunity to raise awareness of significant privacy themes, such as: Public Safety, Globalization, Law Meets Technology, Ubiquitous Computing, the Next Generation and the Body as Data. Independent research commissioned under the auspices of the Office’s research program was featured before a national and international audience, and received attention from privacy advocates and the media.
Our examination of national programs with significant privacy implications, like the No-Fly list, Electronic Health Records and Enhanced Drivers’ Licences, has raised Canadians’ awareness of the threats posed to their personal privacy and encouraged more considered evaluations of the privacy implications of these programs.
Nevertheless, the challenges facing personal privacy rights continue to grow. The Office continues to expand its research capability through additional hiring, specialized training and partnerships with academics, not-for-profit organizations and international data protection authorities.
Planned Spending | Total Authorities | Actual Spending |
---|---|---|
$4,534,000 | $4,442,772 | $3,667,508 |
Planned | Actual | Difference |
---|---|---|
22 FTEs | 19 FTEs | 3 FTEs |
The operations under this activity contributed to the achievement of the following priorities described in Section I.
Priorities | Type |
---|---|
Engage with Parliament on privacy issues | Ongoing |
Continue to promote Privacy Act reform and PIPEDA review | Previous |
Organize, host and evaluate the 29th International Conference of Data Protection and Privacy Commissioners | Previous |
Engaging Parliament on privacy issues and promoting legislative reform are two on-going, fundamental concerns of the Office. Without careful monitoring of legislative developments, precise analysis of draft legislation and close contact with MPs and committee staff, the recommendations of the OPC on privacy matters would be less focussed and effective.
In addition, the 29th International Conference provided a platform for the Office to raise the international profile of the research completed by Office staff and by academics and non-governmental organizations supported by the Office’s Contributions Program.
Through this program, the Office of the Privacy Commissioner (OPC) delivers a number of public education and communications activities, including speaking engagements and special events, media relations, and the production and dissemination of promotional and educational material. Through public outreach activities, individuals have access to information about privacy and personal data protection to enable them to protect themselves and exercise their rights. The activities also allow organizations to understand their obligations under federal privacy legislation.
Expected Results | Performance Indicators | Actual Performance | Performance Status |
---|---|---|---|
Intermediate Outcomes | |||
Individuals have relevant information about privacy rights and are enabled to guard against threats to their personal information. | Reach of target audience with OPC public education materials | OPC officials were cited in the media hundreds of times on dozens of hot privacy issues, including the no-fly list, the TJX/Winners investigation, Google StreetView, identity theft and the Passport Canada breach. Each year, the number of visitors to the web site grows. There was an average of approximately 130,000 hits per month to the OPC web site, for a total of more than 1.5 million in the fiscal year. There was an average of seven speeches delivered per month by OPC officials (a total of 86 speeches throughout the year); audience sizes averaged approximately 140, for a total reach through the speeches of approximately 12,000 individuals at events, and thousands through the web site, where many speeches are posted. More than one thousand publications were sent out to individuals, including copies of the Acts, guides, annual reports, etc. There were close to 50 press releases disseminated in 2007-2008 and the OPC initiated a targeted media campaign to students, with opinion pieces on the importance of protecting privacy issued to university and college newspapers across the country. | Successfully met |
Federal government institutions and private sector organizations understand their obligations under federal privacy legislation. | Degree of organizational awareness and understanding of privacy responsibilities11 | Based on results published in May 2007 (http://www.privcom.gc.ca/information/survey/2007/ekos_2007_01_e.asp) from a survey of Canadian businesses on a number of issues relating to privacy and the implementation of PIPEDA, most businesses (86%) recognize that taking privacy seriously today is just good business, and the majority of the businesses (67%) that collect personal information have done so in line with the provisions of the Act. However, only one in two businesses reports having a high awareness of its responsibilities under Canada’s privacy laws, the findings suggesting there is still work to be done to raise awareness of responsibilities under Canada’s privacy laws, as similar numbers report either low or moderate awareness. Treasury Board’s Privacy Impact Assessment Policy aims at promoting awareness and understanding of the privacy implications associated with program and service delivery. In October 2007, the OPC released its Audit Report – Assessing the Privacy Impacts of Programs, Plans and Policies – which looked at the federal government’s compliance with the policy. The results of the audit confirmed that government departments are not doing enough to protect Canadians’ personal information as they plan new programs or redesign existing programs. PIAs are not always conducted when they should be (http://www.privcom.gc.ca/information/pub/ar-vr/pia_200710_e.asp). | Successfully met |
Immediate Outcomes | |||
Individuals receive and have easy access to relevant information about privacy and personal data protection, enabling them to better protect themselves and exercise their rights. | Reach of target audience with OPC public education materials | Refer to performance information for the same indicator two rows above in this table. | Successfully met |
Federal government institutions and private sector organizations receive useful guidance on privacy rights and obligations, contributing to better understanding and enhanced compliance. | Reach of organizations with OPC policy positions, promotional activities and promulgation of best practices | Fifteen (15) fact sheets or information backgrounders were prepared by the OPC in 2007-2008 to inform public sector organizations, private enterprises and the public on various privacy issues (http://www.privcom.gc.ca/fs-fi/index_e.asp). The OPC launched tools to assist businesses in safeguarding customer personal information. This included an e-learning module for retailers, to help them comply with PIPEDA, and voluntary breach notification guidelines for businesses. We also continued to make available the PIPEDA guide for businesses, as well as the guide for individuals (http://www.privcom.gc.ca/bus/index_e.asp). As well, the OPC issued an exposure draft of a PIPEDA privacy self-assessment tool for comment by private sector entities. The OPC updated its publication first issued in 2005 drawing key lessons from Quebec after more than a decade of experience interpreting and applying its private sector legislation. The OPC also drafted a key publication summarizing leading cases after the first seven years of PIPEDA in action. (The official launch was in May 2008 and will be reported on in the next fiscal year.) The OPC published a number of important papers on privacy, including a research paper on identity management and another on radio frequency identification devices (RFIDs). In addition, the OPC produced a study of all of the research conducted under its Contributions Program. Several research papers were also commissioned to enhance the discussions and outcomes of workshops held at the 29th International Conference. The OPC communicated and consulted with and/or provided guidance to a number of federal departments and agencies with respect to issues such as: PIPEDA review, enhanced drivers license, lawful access, personal health information, spam and spyware, the no-fly list. The OPC also communicated and consulted with and/or provided guidance to a variety of business groups with respect to issues such as breach notification, privacy policies, outsourcing, security, etc. The OPC articulated its position in a number of venues (appearances, media statements, resolutions) with respect to important privacy matters, for example, at the Air India Inquiry on Canada’s Financial Monitoring Regime and Privacy Implications of Aviation Security Measures, as well as on the Copyright Act, automated teller machine fees and electronic payments, identity theft, digital rights management, Google StreetView, the no-fly list, the enhanced drivers licence, etc. In addition, the OPC launched a blog in which Canadians and organizations may share their views and concerns (http://blog.privcom.gc.ca/). | Successfully met |
This year, the OPC's goals with respect to communications and outreach were well met. In addition to the activities outlined above, the OPC expanded the tools it uses to communicate, launching a pilot project to build a more responsive and interactive dialogue with Canadians through an official Office of the Privacy Commissioner of Canada blog as well as on-line videos. There has been a positive response from the general public as well as privacy advocates in Canada and internationally.
In addition to this, in response to reports that compliance in the retail sector could be improved, the OPC developed and published an online e-learning module to help this sector better comply with PIPEDA. Federal/regional relations were further enhanced through Federal/Provincial/Territorial meetings, as well as joint resolutions on privacy issues such as enhanced driver's licenses and the no-fly list. Media relations efforts on the TJX/Winners investigation resulted in significant media coverage, including an appearance by the Commissioner on the prominent news program 60 Minutes, raising awareness nationally and internationally. This level of national and international recognition for the importance of privacy rights was also paramount in media coverage surrounding the 29th International Conference of Data Protection and Privacy Commissioners, hosted by the OPC in September 2007. The OPC has recognized a need for additional outreach activities and an expanded regional presence, and is reorganizing and resourcing accordingly.
Planned Spending | Total Authorities | Actual Spending |
---|---|---|
$4,038,000 | $3,946,867 | $3,692,072 |
Planned | Actual | Difference |
---|---|---|
21 FTEs | 21 FTEs | 0 FTEs |
The operations under this activity contributed to the achievement of the following priorities described in Section I.
Priorities | Type |
---|---|
Engage with Parliament on privacy issues | Ongoing |
Continue to promote Privacy Act reform and PIPEDA review | Previous |
Organize, host and evaluate the 29th International Conference of Data Protection and Privacy Commissioners | Previous |
Engaging in a dialogue with different groups, providing individuals and organizations, both in the public and private sectors, with information and guidance, helping them better understand their rights and obligations under federal privacy laws, has helped the OPC with its delivery on the three priorities below. Hosting the 29th International Conference of Data Protection and Privacy Commissioners was an important and rewarding outreach effort for the OPC this past year. Actively communicating with our stakeholders on an ongoing basis, and enhancing our work with these groups, enables the OPC to more effectively and thoughtfully engage Parliament on privacy matters, and to continue to promote Privacy Act reform and PIPEDA review.
The OPC continues to enhance and improve its management practices in order to meet the highest standards of performance and accountability. The resources associated with the corporate services, including human resources management services, have been apportioned to the first three Program Activities, which they support. All managers are expected to take responsibility for the expected results, and to integrate the necessary activities in their operational plans.
Expected Results | Performance Indicators | Actual Performance | Performance Status |
---|---|---|---|
Intermediate Outcome | |||
The OPC achieves a standard of organizational excellence, and managers and staff apply sound business management practices. | Ratings against Management Accountability Framework - MAF (as being the expectations for high organizational performance in modern public service management) | As an Officer of Parliament, the OPC is not subject to a MAF assessment by Treasury Board Secretariat. The Office nevertheless embraces the expectations for high organizational performance in modern public service management that the MAF promotes. In May 2007, the OPC completed its first self-assessment against the MAF and intends to conduct a similar comprehensive exercise biennially (other small agencies are subjected to an assessment by TBS once every three years). As well, the OPC prepares a semi-annual status report of the improvement plan that was developed with the May 2007 MAF Self-Assessment Report and uses the status report to inform its fall strategic planning session with areas requiring management attention. The May 2007 MAF Self-Assessment Report indicated good management practices in the following areas: utility of corporate performance framework, quality of program and policy analysis, managing organizational change, fair workplace, IT management, asset management, procurement, and accountability. Of the areas requiring improvement, progress was made in 2007-2008 as follows: a corporate risk profile was developed and served as an important element of priority-setting, service standards were developed in core functions, values and ethics were promoted namely through communicating to staff the Public Service Disclosure Protection Act proactively, information management was improved through the utilization throughout the Office of a record and document information management system (RDIMS) and the creation of a web based library catalogue. More work is continuing to improve other management areas namely internal audit and evaluation, completion and testing of the business continuity plan, development of a values and ethics code of conduct, preparation of more robust and user-friendly monthly financial reports, conducting a major review of financial authority delegations and further integration of human resources and business planning. | Successfully met |
Immediate Outcomes | |||
Key elements of the OPC Management Accountability Framework (MAF) are integrated into management practices and influence decision-making at all levels. | Ratings against Management Accountability Framework - MAF (as being the expectations for high organizational performance in modern public service management) | Refer to performance information for the same indicator in the row above. | Successfully met |
The OPC has a productive, principled, sustainable and adaptable workforce that achieves results in a fair, healthy and enabling workplace. | Employee satisfaction; number of grievances received; quality of labour relations; retention of staff | Employee satisfaction: The next Public Service Employee Survey is planned for 2008; however, comparing results from the last two surveys (2002 and 2005), the OPC made significant progress, notably in the following areas: respondents indicated being strongly committed to their work and to the organization, knowing where to go for help if faced with an ethical dilemma and believing in the fairness of the selection process for positions. Number of grievances received: Quality of labour relations: As well, much emphasis was placed on learning within the OPC with all managers having been offered a series of modules in labour relations. Workshops on ‘respect in the workplace’ were mandatory for all staff. Training sessions were offered through the Canada School of Public Service, the Small Agency Transition Support Team and other Officers of Parliament (namely Elections Canada) in the areas of: integrated business and HR planning, classification, conflict management, supervisory training for new supervisors, orientation to the Public Service and the Public Service Employment Act, etc. Retention of staff: In addition, we developed an Exit Questionnaire to learn from departing employees on how to improve our HR management policies and practices. We are exploring flexible working arrangements and considering the development of a Workplace Fitness Program and an Awards and Recognition Program – all within the context of Treasury Board policies and guidelines. As well, we continue to strengthen our communication mechanisms through ongoing dialogue with employees. | Successfully met |
HR management practices reflect new accountabilities stemming from Public Service Modernization Act and Public Service Employment Act. | Full, unconditional staffing delegation from PSC; HR planning integrated into business planning at the OPC | Full, unconditional staffing delegation from PSC: HR prepared detailed, comprehensive reports in response to the Annual Reports required in the areas of Official Languages, Staffing and Classification as well as other yearly reports in Multiculturalism, and Values and Ethics (e.g. Harassment, Employment Equity). Those reports are submitted to central agencies who evaluate the Deputy Head’s accountability in these programs. Feedback on reports submitted by the OPC in 2007-2008 was very positive. As for the staffing function specifically, the Commissioner signed once again the Appointment Delegation and Accountability Instrument with the Public Service Commission, and as such the OPC maintains its full, unconditional staffing delegation from PSC. HR planning integrated into business planning at the OPC: | Successfully met |
Managers and staff demonstrate exemplary professional and ethical conduct in all of their work, and are responsive to the highly visible and complex nature of the environment in which they operate. | Feedback from employees on fairness, respect and engagement | The OPC continued to reaffirm its commitment to the Public Service Values and Ethics through promoting the values and ethics, namely through the creation of a dedicated section on the opening page of its Intranet site to values and ethics. Senior management decided not to have its own internal disclosure mechanism but rather to have any disclosures made directly to the Public Sector Integrity Commissioner. This decision was communicated to all staff and posted on the Intranet. The OPC also took the opportunity to remind staff of other key personnel that they could turn to as required. Only one harassment-related incident was reported in 2007-2008 for a staff complement of 110 FTEs (0.9%). | Successfully met |
The performance of the OPC is defined, measured and reported upon regularly in a meaningful and transparent manner. | OPC reports, particularly RPP and DPR, are well received by Central Agencies and stakeholders | Based on informal comments from Parliamentarians, Parliamentary Committee members and Treasury Board Secretariat officials, the OPC received positive or very positive feedback on its annual reports, Report on Plans and Priorities and Departmental Performance Report in 2007-2008. | Successfully met |
In addition to performance reporting in the above table, the OPC had committed to undertake the following management activities in 2007-2008 as identified in its 2007-2008 Report on Plans and Priorities:
Fiscal year 2007-2008 was Year 2 of the implementation plan for the OPC’s three-year business case presented in 2005-2006 to the House of Commons Advisory Panel on the Funding and Oversight of Officers of Parliament. The review of organizational structures stemming from the business case was finalized with the exception of the regional positions due to a management decision to revisit this approach. In response to some of the challenges posed by the Public Service Commission’s implementation of a national area of selection policy for external recruitment and in an effort to accelerate the assessment process and reduce travel costs, the Office developed a web-based tool to administer exams on-line through the use of a portal on the OPC web-site. The preparation time and overall administrative costs were minimal and allowed us to very easily accommodate candidates regardless of their location – Canadians as far as India and Malaysia were successfully able to write the exams. We also noted that candidates with disabilities much prefer this approach as their personal computers (or work environment) are already properly equipped to address their special needs.
Fiscal year 2007-2008 was the first of three years of incremental implementation of the PMF approved by senior management in December 2006. The first year covered about half of the total number of performance indicators. This Departmental Performance Report is the evidence that implementation did take place, including the development of measurement instruments such as tracking tools, revised scorecard reporting and the development of service standards in core functions. Work has started on the second year of implementation in 2008-2009, with the inclusion of performance targets that were set as part of the work to support the Management, Resources and Results Structure (MRRS) Policy.
Completion of the Business Continuity Plan (BCP) – Work was realized to advance the development of the BCP but given some internal changes in responsibility, it was not completed as planned in 2007-2008. Completion of the BCP will be realized in 2008-2009 at the same time as new requirements under the Government Security Policy will be integrated and renewal of the enterprise threat and risk assessments to test the BCP will be carried out in the next fiscal year.
Establishment of the Internal Audit Function – Work on this initiative has not advanced due to an unsuccessful competition to engage an AS-07 to help set up a new internal audit function. An intense effort is being invested in 2008-2009 through collaboration with other Officers of Parliament and the engagement of a contracted resource (until the new competition for an AS-07 that is underway concludes) to meet the requirements of the Internal Audit Policy by March 31, 2009. These requirements include: appointing a Chief Audit Executive that reports to the Commissioner, establishing an independent audit committee comprised of members from outside the Office and the Federal Public Service, and developing a risk-based audit plan designed to support an annual opinion from the Chief Audit Executive on the OPC’s risk management, control, and governance processes.
Development of a Corporate Risk Profile and management of risks – In early 2007-2008, the OPC developed its first formal corporate risk profile through the involvement of a senior manager from each area of the Office. The exercise generated very useful discussions and the resulting product served as a critical input to the senior management exercise to set the 2008-2009 corporate priorities that subsequently became the basis for the Report on Plans and Priorities. In addition to integrating risk management into strategic planning, the operational plans from each branch of the Office also integrated the risk mitigating strategies, such that those truly are commitments that managers are engaged to deliver to manage risks proactively.
Two new positions in information management were created and staffed in 2007-2008, basic training on the use of the new record and document information management system (RDIMS) was provided to all OPC staff, and a new web-based library catalogue called In Magic was launched on the OPC Intranet site allowing personnel to search library holdings and make loans on-line via their desktops.
The 29th Annual Conference of Data Protection and Privacy Commissioners, which was highly successful, was governed effectively through a steering committee chaired by the Commissioner and supported by three key management components: program, logistics and financial aspects. The conference was delivered within the net forecasted budget of $400,000 for the event; financial details are disclosed on the OPC website (http://www.privcom.gc.ca/pd-dp/other-autre/2007-08/070925_e.asp).
Progress is well underway within the OPC to address the challenges we face with respect to recruiting and retaining our staff. A draft Human Resources Strategy was presented to senior management in October 2007, and based on discussions at the senior management committee, and in view of the need for OPC to present a second business case for additional resources, there was a decision to revisit our approach to the HR Strategy. A revised Integrated Business and Human Resources Plan is currently under development, which incorporates a resourcing strategy as well as methods to retain our talent across the organization, and identifies our plans and priorities for the next three years to address the challenges pertaining to recruitment and retention. This integrated plan will be completed in 2008-2009.
This has become an ongoing task which is integrated in our management practices. In 2007-2008, information sessions were offered to all managers on the implementation of the PSMA and PSEA. We continue to explore the flexibilities provided under the new PSEA. Additionally, a number of policies and guidelines were developed and/or reviewed in line with the PSMA and PSEA.
The OPC strategic plan (or Report on Plans and Priorities) addresses both business and human resources planning. As well, the operational or branch plans also integrate both aspects of planning. The Directors of Human Resources and Finance work together to better inform OPC managers of their resource situation in an integrated manner. As well, the OPC continues to refine its capacity to produce demographic data on its human resources for use by managers in planning and managing their resources. Work on an improved quarterly presentation of integrated resources data intended for senior management has progressed in 2007-2008 and will be completed in the next year. A fully Integrated Business and Human Resources Plan is currently in draft format and will be presented to the senior management committee in 2008-2009.
The operations under this activity contributed to the achievement of the following priority described in Section I.
Priorities | Type |
---|---|
Build organizational capacity | Previous |
This program activity is about organizational excellence and ensuring that sound business management practices are applied by OPC managers and staff in delivering the Office’s mandate. Efforts to develop and continually assess and improve the institutional infrastructure of the Office contribute directly to building and maintaining our capacity, both in terms of human capital and management processes and practices.
This section presents two resource tables, the audited financial statements and sources of additional information.
| | 2005-2006 Actual | 2006-2007 Actual | 2007-2008 Main Estimates ($000) | 2007-2008 Planned Spending ($000) | 2007-2008 Total Authorities ($000) | 2007-2008 Actual ($000) |
---|---|---|---|---|---|---|
Compliance Activities | 7,909 | 9,373 | 11,139 | 11,139 | 10,566 | 9,771 |
Research & Policy Development | 2,094 | 2,976 | 4,534 | 4,534 | 4,443 | 3,667 |
Public Outreach | 1,628 | 3,367 | 4,038 | 4,038 | 3,947 | 3,692 |
Total | 11,631 | 15,716 | 19,711 | 19,711 | 18,956 | 17,130 |
Less: Non-respendable revenue | - | - | N/A | - | N/A | - |
Plus: Cost of services received without charge | 1,375 | 1,586 | 1,888 | 1,888 | 1,774 | 1,774 |
Total Spending | 13,006 | 17,302 | 21,599 | 21,599 | 20,730 [12] | 18,904 |
Full Time Equivalents | 78.5 | 100 [13] | N/A | 143 | N/A | 110 |
Vote or Statutory Item | Truncated Vote or Statutory Wording | 2007-2008 Main Estimates ($000) | 2007-2008 Planned Spending ($000) | 2007-2008 Total Authorities ($000) | 2007-2008 Actual ($000) |
---|---|---|---|---|---|
45 | Program expenditures | 16,262 | 17,482 | 17,503 | 15,677 |
(S) | Contributions to employee benefit plans | 2,084 | 2,229 | 1,453 | 1,453 |
Total Department or Agency | | 18,346 | 19,711 | 18,956 | 17,130 |
Responsibility for the integrity and objectivity of the accompanying financial statements for the year ended March 31, 2008 and all information contained in these statements rests with the management of the Office of the Privacy Commissioner of Canada. These financial statements have been prepared by management in accordance with Treasury Board accounting policies which are consistent with Canadian generally accepted accounting principles for the public sector, and year-end instructions issued by the Office of the Comptroller General.
Management is responsible for the integrity and objectivity of the information in these financial statements. Some of the information in the financial statements is based on management's best estimates and judgment and gives due consideration to materiality. To fulfill its accounting and reporting responsibilities, management maintains a set of accounts that provides a centralized record of the Office’s financial transactions. Financial information submitted to the Public Accounts of Canada and included in the Office’s Departmental Performance Report is consistent with these financial statements.
Management maintains a system of financial management and internal control designed to provide reasonable assurance that financial information is reliable, that the Office’s assets are safeguarded and that transactions are in accordance with the Financial Administration Act, are executed in accordance with prescribed regulations, within Parliamentary authorities, and are properly recorded to maintain accountability of Government funds. Management also seeks to ensure the objectivity and integrity of data in its financial statements by careful selection, training and development of qualified staff, by organizational arrangements that provide appropriate divisions of responsibility, and by communication programs aimed at ensuring that regulations, policies, standards and managerial authorities are understood throughout the Office.
The financial statements of the Office of the Privacy Commissioner of Canada have been audited by the Auditor General of Canada, the independent auditor for the Government of Canada.
(Original signed by)
Jennifer Stoddart
Privacy Commissioner of Canada
(Original signed by)
Tom Pulcine, CMA
Director General, Corporate Services and Chief Financial Officer
Ottawa, Canada
July 18, 2008
To the Speaker of the House of Commons and the Speaker of the Senate
I have audited the statement of financial position of the Office of the Privacy Commissioner of Canada as at March 31, 2008 and the statements of operations, equity of Canada and cash flow for the year then ended. These financial statements are the responsibility of the Office’s management. My responsibility is to express an opinion on these financial statements based on my audit.
I conducted my audit in accordance with Canadian generally accepted auditing standards. Those standards require that I plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation.
In my opinion, these financial statements present fairly, in all material respects, the financial position of the Office as at March 31, 2008 and the results of its operations and its cash flows for the year then ended in accordance with Canadian generally accepted accounting principles.
Further, in my opinion, the transactions of the Office that have come to my notice during my audit of the financial statements have, in all significant respects, been in accordance with the Financial Administration Act and regulations and the Privacy Act.
(Original signed by)
John Wiersema, FCA
Deputy Auditor General
For the Auditor General of Canada
Ottawa, Canada
July 18, 2008
| | 2008 | 2007 |
---|---|---|
Assets | ||
Financial assets | ||
Due from the Consolidated Revenue Fund | 1,364 | 1,303 |
Accounts receivable and advances (Note 4) | 701 | 692 |
Total financial assets | 2,065 | 1,995 |
Non-financial assets | ||
Prepaid expenses | 57 | 17 |
Tangible capital assets (Note 5) | 1,449 | 1,187 |
Total non-financial assets | 1,506 | 1,204 |
TOTAL | 3,571 | 3,199 |
Liabilities and Equity of Canada | ||
Liabilities | ||
Accounts payable and accrued liabilities | 1,700 | 1,796 |
Accrued employee salaries | 363 | 286 |
Vacation pay and compensatory leave | 464 | 382 |
Employee severance benefits (Note 6) | 1,517 | 1,464 |
Total liabilities | 4,044 | 3,928 |
Equity of Canada (Note 10) | (473) | (729) |
TOTAL | 3,571 | 3,199 |
Contingent liabilities (Note 7)
Contractual obligations (Note 8)
The accompanying notes are an integral part of the financial statements
(Original signed by)
Jennifer Stoddart
Privacy Commissioner of Canada
(Original signed by)
Tom Pulcine, CMA
Director General, Corporate Services and Chief Financial Officer
Ottawa, Canada
July 18, 2008
| | 2008 Assess and Investigate | 2008 Privacy Education | 2008 Research and policy | 2008 Total | 2007 Total |
---|---|---|---|---|---|
Operating Expenses | |||||
Salaries and Employee benefits | 6,704 | 2,164 | 2,094 | 10,962 | 9,987 |
Professional and special services | 2,465 | 659 | 707 | 3,831 | 3,729 |
Accommodation | 582 | 189 | 217 | 988 | 875 |
Transportation and communications | 360 | 303 | 246 | 909 | 619 |
Amortization | 274 | 90 | 103 | 467 | 404 |
Information | 115 | 246 | 51 | 412 | 405 |
Repairs and maintenance | 161 | 53 | 60 | 274 | 170 |
Utilities, materials and supplies | 74 | 26 | 26 | 126 | 130 |
Rentals | 33 | 19 | 12 | 64 | 50 |
Equipment | 31 | 11 | 11 | 53 | 222 |
Other | 2 | 1 | 1 | 4 | 9 |
Total Operating expenses | 10,801 | 3,761 | 3,528 | 18,090 | 16,600 |
Transfer Payments | - | - | 451 | 451 | 387 |
Net Cost of Operations | 10,801 | 3,761 | 3,979 | 18,541 | 16,987 |
The accompanying notes form an integral part of these financial statements.
| | 2008 | 2007 |
---|---|---|
Equity of Canada, beginning of the year | (729) | (809) |
Net cost of operations | (18,541) | (16,987) |
Net cash provided by Government (Note 3(c)) | 17,029 | 15,775 |
Change in Due from Consolidated Revenue Fund | 61 | (294) |
Services received without charge from other government departments (Note 9) | 1,707 | 1,586 |
Equity of Canada, end of year | (473) | (729) |
The accompanying notes are an integral part of the financial statements.
| | 2008 | 2007 |
---|---|---|
Operating Activities | ||
Net cost of operations | 18,541 | 16,987 |
Non-cash items: | ||
Amortization of tangible assets | (467) | (404) |
Services received without charge (Note 9) | (1,707) | (1,586) |
Loss on disposal of tangible capital assets | - | (9) |
Variations in Statement of Financial Position: | ||
Increase (decrease) in accounts receivable and advances | 9 | 644 |
Increase (decrease) in prepaid expenses | 40 | (30) |
Decrease (increase) in liabilities | (116) | (617) |
Cash used by operating activities | 16,300 | 14,985 |
Capital investment activities | ||
Acquisition of tangible capital assets | 729 | 790 |
Net cash provided by Government of Canada | 17,029 | 15,775 |
The accompanying notes are an integral part of the financial statements
The Office of the Privacy Commissioner of Canada (the Office) was created under the Privacy Act, which came into force on July 1, 1983. The Privacy Commissioner is an independent officer of Parliament appointed by the Governor-in-Council following approval of her nomination by resolution of the Senate and the House of Commons. The Office is designated, by Order-in-Council, as a department for purposes of the Financial Administration Act. As such, it is established under the authority of Schedule I.1 of the Act and is funded through annual appropriations. The Commissioner is accountable for, and reports directly to Parliament on, the results achieved.
The objectives of the Office of the Privacy Commissioner of Canada are:
These financial statements have been prepared in accordance with Treasury Board accounting policies which are consistent with Canadian generally accepted accounting principles for the public sector, and year-end instructions issued by the Office of the Comptroller General.
Significant accounting policies are as follows:
Due from the Consolidated Revenue Fund (CRF) represents the amount of cash that the Office is entitled to draw from the Consolidated Revenue Fund without further appropriations, in order to discharge its liabilities.
The Office of the Privacy Commissioner of Canada is financed by the Government of Canada through Parliamentary appropriations. Appropriations provided to the Office do not parallel financial reporting according to generally accepted accounting principles since appropriations are primarily based on cash flow requirements. Consequently, items recognized in the statement of operations and the statement of financial position are not necessarily the same as those provided through appropriations from Parliament. Note 3 provides a high-level reconciliation between the bases of reporting.
The Office operates within the Consolidated Revenue Fund, which is administered by the Receiver General for Canada. All cash received by the Office is deposited to the CRF and all cash disbursements made by the Office are paid from the CRF. The net cash provided by Government is the difference between all cash receipts and all cash disbursements including transactions between departments of the federal government.
Expenses are recorded on the accrual basis:
Accounts receivable are stated at amounts expected to be ultimately realized. A provision is made for receivables where recovery is considered uncertain.
Contingent liabilities are potential liabilities which may become actual liabilities when one or more future events occur or fail to occur. To the extent that the future event is likely to occur or fail to occur, and a reasonable estimate of the loss can be made, an estimated liability is accrued and an expense recorded. If the likelihood is not determinable or an amount cannot be reasonably estimated, the contingency is disclosed in the notes to the financial statements.
All tangible capital assets and leasehold improvements having an initial cost of $2,500 or more are recorded at their acquisition cost.
The amortization of tangible capital assets is done on a straight-line basis over the estimated useful life of the asset as follows:
Asset Class | Amortization Period |
---|---|
Machinery and equipment | 3 years |
Informatics hardware | 3 years |
Computer software | 3 years |
Other equipment | 10 years |
Leasehold improvements | Term of the lease |
The preparation of these financial statements in accordance with Treasury Board accounting policies, which are consistent with Canadian generally accepted accounting principles for the public sector, and year-end instructions issued by the Office of the Comptroller General, requires management to make estimates and assumptions that affect the reported amounts of assets, liabilities, and expenses reported in the financial statements. At the time of preparation of these statements, management believes the estimates and assumptions to be reasonable. The most significant items where estimates are used are contingent liabilities, the liability for employee severance benefits and the useful life of tangible capital assets. Actual results could significantly differ from those estimated. Management’s estimates are reviewed periodically and, as adjustments become necessary, they are recorded in the financial statements in the year they become known.
The Office receives most of its funding through annual Parliamentary appropriations. Items recognized in the statement of operations and the statement of financial position in one year may be funded through Parliamentary appropriations in prior, current or future years. Accordingly, the Office has different net results of operations for the year on a government funding basis than on an accrual accounting basis. The differences are reconciled in the following tables:
| | 2008 | 2007 |
---|---|---|
Net cost of operations | 18,541 | 16,987 |
Adjustments for items affecting net cost of operations but not affecting appropriations: | ||
Add (Less): | ||
Services received without charge | (1,707) | (1,586) |
Amortization of tangible capital assets | (467) | (404) |
Reversal of previous years accounts payable | 78 | 89 |
Vacation pay and compensatory leave | (82) | (12) |
Employee severance benefits | (53) | (182) |
| | 16,310 | 14,892 |
Adjustments for items not affecting net cost of operations but affecting appropriations: | ||
Add (Less): | ||
Acquisition of tangible capital assets | 729 | 790 |
Change in prepaid expenses | 40 | (30) |
Other adjustments | 51 | 64 |
| | 820 | 824 |
Current year appropriations used | 17,130 | 15,716 |
| | 2008 | 2007 |
---|---|---|
Vote 45 - Program expenditures | 17,503 | 14,754 |
Statutory contributions to employee benefit plans | 1,453 | 1,270 |
| | 18,956 | 16,024 |
Lapsed Appropriations: Operating | (1,826) | (308) |
Current year appropriations used | 17,130 | 15,716 |
| | 2008 | 2007 |
---|---|---|
Net cash provided by Government | 17,029 | 15,775 |
Reversal of previous years accounts payable | 78 | 89 |
Variation in accounts receivable and advances | (9) | (644) |
Variation in accounts payable and accrued liabilities | (96) | 383 |
Variation in accrued employee salaries | 77 | 40 |
Other adjustments | 51 | 73 |
Current year appropriations used | 17,130 | 15,716 |
The following table presents details of accounts receivable and advances:
| | 2008 | 2007 |
---|---|---|
Receivables from other Federal Government departments and agencies | 693 | 691 |
Receivables from external parties | 7 | - |
Employee advances | 1 | 1 |
Total | 701 | 692 |
| | Opening Balance | Acquisitions | Disposals | Closing Balance |
---|---|---|---|---|
Machinery and equipment | - | 6 | - | 6 |
Informatics hardware | 1,604 | 462 | - | 2,066 |
Computer software | 427 | 4 | - | 431 |
Other equipment | 745 | 118 | - | 863 |
Leasehold improvements | 123 | 139 | - | 262 |
| | 2,899 | 729 | - | 3,628 |
| | Opening Balance | Amortization | Disposals | Closing Balance |
---|---|---|---|---|
Machinery and equipment | - | 2 | - | 2 |
Informatics hardware | 989 | 317 | - | 1,306 |
Computer software | 332 | 50 | - | 382 |
Other equipment | 332 | 72 | - | 404 |
Leasehold improvements | 59 | 26 | - | 85 |
| | 1,712 | 467 | - | 2,179 |
| | Opening Balance | Closing Balance |
---|---|---|
Machinery and equipment | - | 4 |
Informatics hardware | 615 | 760 |
Computer software | 95 | 49 |
Other equipment | 413 | 459 |
Leasehold improvements | 64 | 177 |
| | 1,187 | 1,449 |
Amortization expense for the year ended March 31, 2008 was $467,000 (2007 was $404,000).
The Office’s employees participate in the Public Service Pension Plan, which is sponsored and administered by the Government of Canada. Pension benefits accrue up to a maximum period of 35 years at a rate of 2 percent per year of pensionable service, times the average of the best five consecutive years of earnings. The benefits are integrated with Canada/Québec Pension Plans benefits and they are indexed to inflation.
Both the employees and the Office contribute to the cost of the Plan. The 2007-2008 expense amounts to $1,059,315 ($935,432 in 2006-2007), which represents approximately 2.1 times (2.2 in 2006-07) the contributions by employees.
The Office’s responsibility with regard to the Plan is limited to its contributions. Actuarial surpluses or deficiencies are recognized in the financial statements of the Government of Canada, as the Plan’s sponsor.
The Office provides severance benefits to its employees based on eligibility, years of service and final salary. These severance benefits are not pre-funded. Benefits will be paid from future appropriations. Information about the severance benefits, measured as at March 31, is as follows:
| | 2008 | 2007 |
---|---|---|
Accrued benefit obligation, beginning of year | 1,464 | 1,282 |
Expense for the year | 282 | 236 |
Benefits paid during the year | (229) | (54) |
Accrued benefit obligation, end of year | 1,517 | 1,464 |
Claims and litigation - Claims have been made against the Office in the normal course of operations. Legal proceedings for claims totalling approximately $50,000 were still pending at March 31, 2008 ($50,000 in 2007). Some of these potential liabilities may become actual liabilities when one or more future events occur or fail to occur. To the extent that the future event is likely to occur or fail to occur, and a reasonable estimate of the loss can be made, an estimated liability is accrued and an expense recorded in the financial statements. As of March 31, 2008, no amount has been accounted for in the financial statements.
The nature of the Office’s activities can result in some large multi-year contracts and obligations whereby the department will be obligated to make future payments when the services/goods are received. Included within the 2008-2009 amount is $842,857 for goods and services contracts signed in 2007-2008 which extend into 2008-2009. The remaining balance of $36,050 in 2008-2009 is for operating leases. The amounts for 2009-2010 through 2012-2013 are all for operating leases.
2008-09 | 2009-10 | 2010-11 | 2011-12 | 2012-13 |
---|---|---|---|---|
879 | 35 | 15 | 5 | - |
The Office is related as a result of common ownership to all Government of Canada departments, agencies, and Crown corporations. The Office enters into transactions with these entities in the normal course of business and on normal trade terms. During the year, the Office expensed $4,996,533 ($4,450,384 in 2007) from transactions with other government departments, agencies and Crown corporations. These expenses include services received without charge in the amount of $1,706,775 ($1,585,560 in 2007), as presented in part (a).
During the year, the Office received without charge from other departments, accommodation, the employer’s contribution to the health and dental insurance plans, payroll services, and audit services. These services without charge have been recognized in the Office’s Statement of Operations as follows:
| | 2008 | 2007 |
---|---|---|
Accommodation provided by Public Works and Government Services Canada | 980 | 863 |
Contribution covering employer’s share of employees’ insurance premiums and expenditures paid by Treasury Board Secretariat | 611 | 629 |
Payroll services provided by Public Works and Government Services Canada | 4 | 4 |
Audit services provided by the Office of the Auditor General of Canada | 112 | 90 |
Total | 1,707 | 1,586 |
| | 2008 | 2007 |
---|---|---|
Accounts receivable with other government departments and agencies | 693 | 691 |
Accounts payable to other government departments and agencies | 429 | 259 |
The Equity of Canada, which is currently in a deficit position, represents liabilities incurred by the Office, net of capital tangible assets, which have not yet been funded through appropriations. Significant components of this amount are employee severance benefits and vacation pay liabilities. These amounts are expected to be funded by appropriations in future years as they are paid.
Privacy Act | R.S., 1985, ch. P-21, amended 1997, c. 20, s. 55 |
Personal Information Protection and Electronic Documents Act | 2000, c.5 |
Statutory reports, publications and other information are available from the Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; tel.: (613) 995-8210 and on the OPC's Web site at www.privcom.gc.ca
Mr. Tom Pulcine
Director General, Corporate Services/Chief Financial Officer
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112, Kent St., Suite 300
Ottawa, Ontario K1A 1H3
Telephone: (613) 996-5336
Facsimile: (613) 947-6850