Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Office of the Privacy Commissioner of Canada - Report


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Section II: Analysis by Program Activity

OPC Performance in 2010-2011


Strategic Outcome: The privacy rights of individuals are protected.
Expected Result Performance Indicator Target
Ultimate Outcome for Canadians
The OPC plays a lead role in influencing federal government institutions and private-sector organizations to respect the privacy rights of individuals and protect their personal information. Extent and direction of change in the privacy practices of federal government institutions and private-sector organizations. Note: Baseline data being developed in 2009-2010 will be used to set a target level for this indicator during 2010-2011. The target will be published in the 2011-2012 RPP.

The OPC’s performance against the above indicator will be reported starting in next year’s Departmental Performance Report, against the target set in the 2011-2012 Report on Plans and Priorities. Until then, progress toward the Strategic Outcome is informed by the performance achieved under the four Program Activities of the OPC Program Activity Architecture. For each Program Activity, subsections 2.1 to 2.4:

  • describe what is involved in the Program Activity (defined as per the implementation of the TBS Management, Resources and Results Structure Policy);
  • report on planned versus actual resource use in 2010-2011;
  • present a summary of the OPC actual performance in relation to expected results and performance indicators/targets, and include a performance status against the TBS scale (refer to section 1.2 for a description of the scale); and
  • provide an overall analysis of the OPC’s performance in 2010-2011, discuss lessons learned from the past year’s performance, and articulate the benefits that Canadians derive from the activities delivered by the OPC.

2.1 Program Activity 1: Compliance Activities

Activity Description

The OPC is responsible for investigating privacy-related complaints and responding to inquiries from individuals and organizations. Through audits and reviews, the OPC also assesses how well organizations are complying with requirements set out in the two federal privacy laws, and provides recommendations on Privacy Impact Assessments (PIAs), pursuant to Treasury Board directive. This activity is supported by a legal team that provides specialized advice and litigation support, and a research team with senior technical and risk-assessment support.

Program Activity 1: Compliance Activities

2010-2011 Financial resources ($000)

2010-2011 Human resources (FTEs)

Planned Spending Total Authorities Actual Spending Planned Actual Difference
9,198 9,791 9,938 88 78 (10)

The actual spending includes reallocations between activities to better reflect Program activity spending.

Expected Results Performance Indicators/Targets Actual Performance Performance Status
Intermediate Outcomes
Federal government institutions and private-sector organizations meet their obligations under federal privacy legislation and implement modern practices of personal information protection. Indicator: Extent to which investigation and audit recommendations are accepted and implemented over time

Target: 90 percent of 'well-founded', 'resolved' and 'well-founded and resolved' investigation recommendations are accepted and implemented
Investigations under the PIPEDA

In 2010-2011, the Commissioner made 35 recommendations in investigations that were either ‘well-founded’, ‘resolved’ or ‘well-founded and resolved’. All recommendations (100 percent) were accepted and 83 percent were implemented. The six remaining recommendations are scheduled for follow-up on implementation by June 2011.

Investigations under the Privacy Act

In 2010-2011, the Commissioner made nine recommendations in investigations that were either ‘well-founded’, ‘resolved’ or ‘well-founded and resolved’. Of those recommendations, 89 percent were accepted, although none had been implemented by the end of the fiscal year. Follow-up work continues to monitor progress on five of the nine recommendations, and an audit was launched to determine the status of the other four.
Mostly met
Target: 90 percent of audit recommendations are accepted fully by entities; upon re-audit, two years after the initial report, action to implement has begun on 90 percent of recommendations Sixteen recommendations were included in the three audits[6] that were made public in 2010-2011 and all (100 percent) were accepted by the audit entities at the time of reporting.

In 2010-2011, the OPC followed up on three audits that were conducted in 2008 and 2009, to determine how many of the recommendations had been implemented. Action was reported to have begun on 33 of the 34 recommendations (97 percent).
Exceeded
Indicator: Extent to which obligations are met through litigation

Target: Legal obligations are met in 80 percent of cases, either through settlements to the satisfaction of the Commissioner or court-enforced judgments
During 2010-2011, the OPC was involved in 14 litigation cases related to PIPEDA and six cases related to the Privacy Act in order to promote compliance with federal privacy legislation. Not applicable[7]
Immediate Outcomes
Individuals receive timely and effective responses to their inquiries and complaints. Indicator: Timeliness of OPC responses to inquiries and complaints

Target: See footnote[8]
The Office responded to 11,165 inquiries (oral and written) in 2010-2011, a 43 percent increase over the previous year. Of those, 91 percent were dealt with within 30 days. Inquiries not responded to within the service standard were more complex and either required a legal opinion or additional information to respond to the client.

The timeliness of responses to complaints[9] is measured from the date a complaint is received to the date findings are made or another type of disposition (including early resolution without an investigation) occurs:

  • Complaints under PIPEDA: 15.6 months on average to close 329 complaints in 2010, compared to 18.5 months in 2009 to close 576 complaints, and 20.7 months in 2008 to close 535 complaints.
  • Complaints under the Privacy Act: 7.2 months on average to close 570 complaints in 2010-2011, significantly faster than the 12.9-month average in 2009-2010 to close 1,154 complaints or the 19.5-month average in 2008-2009 to close 990 complaints.
Met all
The privacy practices of federal government institutions and private-sector organizations are audited and the Privacy Impact Assessments (PIAs) submitted by federal institutions are reviewed to determine compliance with federal privacy legislation and policies. Indicator: Proportion of audits and PIA reviews completed within planned times

Targets[10]: 50 percent of audits are completed within planned times and 50 percent of PIA reviews are completed within 90 days of initiation
Three audits[11] and three follow-ups to previous audits[12] were approved and published and/or substantially completed in 2010-2011, as per the approved plan (i.e., 100 percent). Exceeded
Given limited resources in 2010-2011, 35 percent of PIA reviews were responded to within the planned timelines through letters of recommendations. The Office, however, provides advice and guidance on PIAs through consultation meetings, telephone conversations and e-mail exchanges in advance of sending a formal letter of recommendations. Somewhat met
Indicator: Responsiveness of (or feedback from) federal government departments and private sector organizations to OPC advice relating to PIAs and interventions

Targets: 75 percent of institutions and organizations are responsive to the OPC advice
During 2010-2011, the OPC reviewed 12 PIAs for initiatives that involved privacy risks judged to be particularly intrusive, and sent letters of recommendations to add privacy protections to those initiatives. By March 31, 2011 the OPC had received nine written replies (75 percent) from federal institutions that responded to the OPC guidance by agreeing to adopt additional privacy-protective measures or to revisit their initiatives. The Office continues to monitor initiatives that pose significant risks to privacy. Met all

Performance Analysis

The OPC has successfully implemented new processes to respond more quickly to complaints from Canadians, thereby making better use of public funds invested in the Office.

A new method to assign internal resources based on priority and complexity of complaints allows more resources to be allocated to systemic privacy issues.

Similarly, a new inquiries reporting and analysis tool that captures emerging privacy issues and trends now enables the Office to better share critical information between the inquiries unit and other areas of the organization.

Audits were undertaken in line with a new risk-based audit plan. Under the plan, organizations to be audited are selected on a more methodologically sound basis, built on extensive consultations, documentary reviews and environmental scanning, and aligned with the OPC priority privacy issues. Consequently, the OPC invests audit resources on projects of greatest risk to privacy. As well, auditors now follow a manual, completed in 2010-2011, to ensure that privacy audits respect the spirit of generally accepted audit standards.

The work to strengthen the Privacy Impact Assessment review process was started last year and finalized in 2010-2011. A triage method is now applied to focus on PIAs for initiatives that represent the highest privacy risks, given that resources are not available to review all PIAs at this time. Despite prioritizing PIAs, the Office was not able to meet its performance target of 90 days to reviews PIAs, as staffing continues to be a challenge in this unit. Staffing actions are being completed to achieve a full complement of PIA staff and, in turn, to improve the timeliness of formal responses to institutions.

The Office did not implement a quality-assurance program for the complaints-resolution process as initially envisaged for this reporting period. However, a review of the complaints-resolution process is under way to ensure it can accommodate increasingly complex and challenging investigations.

Lessons learned

Investment in the intake process for complaints has yielded measurable efficiencies. Building on the recent re-engineering effort, more opportunities are being considered to further streamline investigation processes and systems. Organizational changes are now being introduced to better align resources with the specific needs of investigations, thus improving service delivery.

Investments to settle unresolved complaint files before they reach the Court have also resulted in more effective compliance with PIPEDA in 2010-2011. As well, collaboration with provincial and territorial counterparts continues to achieve a more harmonized oversight of private-sector privacy law.

Over the past two fiscal years, the OPC has held PIA workshops, each attended by more than 100 federal employees. These workshops are, among other things, perfect opportunities to encourage departments to engage the Office early in the PIA process. By incorporating OPC’s advice about appropriate privacy measures at the design stage of an initiative, less effort is later required to review the formal PIA.

Benefits for Canadians from Program Activity 1

In responding to inquiries, the OPC informs Canadians of their privacy rights. In conducting complaint investigations, audits and PIA reviews, the Office establishes whether government institutions and private-sector organizations plan to and/or collect, use, disclose, retain and dispose of Canadians’ personal information in accordance with the privacy protections set out in the two federal privacy laws. Where non-compliance is identified, the OPC takes action to influence change. Investigating one individual's privacy complaint or auditing an organization’s privacy practices can have a huge impact when it leads to improvements that affect many Canadians.

2.2 Program Activity 2: Research and Policy Development

Activity Description

The OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring legislative and regulatory initiatives, providing legal, policy and technical analyses on key issues, and developing policy positions that advance the protection of privacy rights. An important part of the work involves supporting the Commissioner and senior officials in providing advice to Parliament on potential privacy implications of proposed legislation, government programs and private-sector initiatives.

Program Activity 2: Research and Policy Development
2010-2011 Financial resources ($000) 2010-2011 Human resources (FTEs)
Planned Spending Total Authorities Actual Spending Planned Actual Difference
5,058 5,316 3,220 18 18 0

The actual spending includes reallocations between activities to better reflect Program activity spending.

Expected Results Performance Indicators/Targets Actual Performance Performance Status
Intermediate Outcome
Parliamentarians and key stakeholders have access to clear, relevant information and timely and objective advice about the privacy implications of evolving legislation, regulations and policies. Indicator: Value added to stakeholders of the OPC information and advice on selected policies and initiatives

Target: 75 percent effectiveness in adding value to public- and private-sector stakeholders through the OPC’s information and advice on their policies and initiatives
The OPC held three successful national consultations in Toronto, Montreal and Calgary, bringing together stakeholders on some of the most important emerging issues in privacy – challenges and opportunities in consumer tracking, behavioural advertising, online games and the privacy implications of emerging technologies, and cloud computing.

Stakeholders came from industry, government, consumer associations, civil society and other interested parties, and had positive feedback on the consultations. There was also discussion over whether PIPEDA can meet the challenges raised by these emerging issues. A draft report for further consultations was issued in October 2010, and a final report was to be issued in May 2011.

With counterparts from other jurisdictions in Canada, the Office submitted a joint federal-provincial-territorial letter to the Deputy Minister of Public Safety Canada with regard to proposed lawful access legislation. A copy of the letter was tabled through the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) and to the House of Commons Standing Committee on Justice, Human Rights, Public Safety and Emergency Preparedness and Subcommittee on Public Safety and National Security.

The Office collaborated with federal partners and international counterparts to prepare for and implement Canada’s anti-spam law, Bill C-28, which received Royal Assent in March 2011.

The Office developed, in consultation with key stakeholders, a guidance document, entitled A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century, which was submitted to several parliamentary committees and subcommittees (ETHI, Public Safety and National Security).
Met all

[Note: Performance against this indicator is assessed qualitatively, based on the information provided here rather than numeric target, which is currently being revisited]
Immediate Outcomes
The work of Parliamentarians is supported by an effective capacity to identify privacy issues, and to develop privacy-respectful policy positions for the federal public and private sectors. Indicator: Value added to Parliament of the OPC views on the privacy implications of relevant laws and regulations

Target: 75 percent effectiveness in adding value to Parliamentarians from the OPC views on relevant laws and regulations
In 2010-2011, the OPC made 15 appearances before seven different parliamentary committees to provide views and advice on the privacy implications of new legislation or ongoing programs. Various subject areas were addressed, including camera surveillance, aviation security, consumer product safety, the census and open government. The OPC reviewed 30 bills, including 16 intensively, and interacted with Members of Parliament on 42 occasions.

In December 2010, Parliament approved Commissioner Stoddart’s reappointment as head of the OPC for a further three years – a clear demonstration of the value that Members of Parliament see in her role and contribution to their deliberations.
Met all

[Note: Performance against this indicator is assessed qualitatively, based on the information provided here rather than numeric target, which is currently being revisited]
Knowledge about systemic privacy issues in Canada and abroad is enhanced through information exchange and research, with a view to advancing privacy files of common interest with stakeholders, raising awareness, and improving privacy-management practices Indicator: Stakeholders have had access to, and have considered, OPC research products and outreach materials in their decision-making

Target: Initiatives under all four OPC priority privacy issues (100 percent) have involved the relevant stakeholders and there is documented evidence that they were influenced by OPC research products and outreach materials
The OPC conducted research in support of its ongoing compliance activities. It also examined emerging privacy trends in areas such as the public/private divide and its effects on people’s reputation, payment systems, advanced sensor networks, biometrics, applications and mobile devices.  Research and other knowledge-advancement activities were conducted in all four priority privacy issue areas (refer to section 1.2, the Performance Summary of this Report, under Priority 2), involving relevant stakeholders, such as subject-matter experts in academia and industry, who benefit from the outcome of the OPC research work. Through this work, the OPC has deepened its knowledge about systemic privacy issues, which was then reflected in speeches, legal and policy analysis, PIAs, appearances before Parliament, and other work.

Also in 2010-2011, the OPC commissioned two university professors to study the powers and functions of the ombudsman model with respect to the Personal Information Protection and Electronic Documents Act.

The Office’s Contributions Program, which funds privacy research and public education initiatives related to PIPEDA, awarded nearly $500,000 for projects in 2010-2011 (see full list of recipients). This year again, the research initiatives focused on the Office’s four privacy priority areas: information technology, public safety, identity integrity and protection, and genetic privacy. More specifically, the work pertained to the following areas of interest to Canadians and others around the world:

  • Targeted online advertising
  • Data-sharing between governments and commercial organizations through national security programs at the border and at airports
  • Video surveillance in public spaces by commercial organizations
  • The privacy implications of patient websites, online health record databases and other “Health 2.0” tools.
Met all

Performance Analysis

With privacy emerging as an important concern in the day-to-day lives of Canadians, the OPC encouraged and enhanced the privacy dialogue on a national and international scale. Such dialogue permits the dissemination of important new privacy-related knowledge. It also continues to inform the OPC research agenda in emerging fields such as the divide between the public and private realm online, behavioural advertising, and the privacy implications of cloud computing.

Lessons learned

Part of the organizational restructuring that started in late 2010-2011 involved uniting the research and policy development units for greater synergy and collaboration. A research plan is now being developed in conjunction with all branches. The aim is to derive the most from the OPC’s research activities, both to further enhance knowledge of privacy issues within the Office, and to leverage the knowledge by translating it into useful information for Canadians. The OPC also continues to seek opportunities to partner with other public, private, and not-for-profit organizations with similar goals of promoting privacy protection.

Benefits for Canadians from Program Activity 2

By studying the privacy implications of public- and private-sector policies, initiatives and processes and developing positions for consideration by stakeholders that are respectful of privacy, the OPC advances knowledge about privacy issues and emphasizes the protection of privacy rights of individuals in Canada and abroad.

2.3 Program Activity 3: Public Outreach

Activity Description

The OPC delivers public education and communications activities such as speaking engagements and special events, media relations, and the production and dissemination of promotional and educational material. Through public outreach activities, individuals have access to information that enables them to protect their personal information and exercise their privacy rights. The activities also allow organizations to understand their obligations under federal privacy legislation.

Program Activity 3: Public Outreach
2010-2011 Financial resources ($000) 2010-2011 Human resources (FTEs)
Planned Spending Total Authorities Actual Spending Planned Actual Difference
3,846 3,701 3,283 25 21 (4)

The actual spending includes reallocations between activities to better reflect Program activity spending.

Expected Results Performance Indicators/Targets Actual Performance Performance Status
Intermediate Outcomes
Federal government institutions and private-sector organizations understand their obligations under federal privacy legislations and individuals understand how to guard against threats to their personal information. Indicator: Privacy outcome for government initiatives or programs from the PIA consultations/ recommendations

Target: In 70 percent of the government initiatives or programs for which a high-priority PIA was reviewed and a recommendation was issued, a privacy protection was added after the consultations/ recommendations from the OPC
During 2010-2011, the OPC reviewed 12 PIAs for initiatives that involved a particularly high risk to privacy and sent letters of recommendations to add privacy protections to those initiatives. By March 31, 2011 the OPC had received nine written replies (75 percent) from federal institutions that responded to the OPC guidance by agreeing to adopt additional privacy-protective measures or to revisit their initiative. Not all federal departments may have had the time to respond by the end of the fiscal year. The Office continues to monitor initiatives that pose significant risks to privacy. Exceeded
Indicator: Extent to which private-sector organizations understand their obligations under federal privacy legislation

Target: More than 40 percent of private-sector organizations report having at least moderate awareness of their obligations under PIPEDA
A survey conducted by EKOS Research Associates on behalf of the OPC (results were published in May 2010) revealed that almost half (47 percent) of the businesses surveyed reported having a high degree of awareness of their responsibilities under Canada’s privacy laws. Exceeded
Immediate Outcomes
Individuals have relevant information about privacy rights and are enabled to guard against threats to their personal information. Indicator: Reach of target audience with OPC public education activities

Target:

100 media citations of OPC officials on selected communications initiatives per year

At least 100,000 hits per month on the OPC website and 20,000 hits per month to the OPC blog

At least one news release per month on a subject of particular interest to individuals

At least 350subscribers to the e-newsletter

At least 1,000 communication tools distributed per year

Two public education initiatives annually, designed for new individual target groups

Two public events addressing needs of individual target groups
The OPC continued to be referenced widely in media coverage, in Canada and abroad. The volume of citations in 2010-2011 well surpassed 100. Both OPC annual reports received generous coverage, as did its privacy compliance audits and other announcements, such as the conclusions of the Facebook and Google Wi-Fi investigations, and a joint letter with other data protection authorities regarding the Google Buzz matter.

The OPC website and main blog saw an increase in the number of visits in 2010-2011 over last year, with more than 2.8 million unique visitors—an average of 230,000 per month.

Two or more news releases were issued per month in 2010-2011 on subjects of interest to both individuals and organizations.

As of March 31, 2011, the OPC had 1,013 subscribers (including individual and organizational subscribers) to the e-newsletter.

Approximately 19,000 publications were distributed in 2010-2011, up from 16,000 the year before. This includes 12,000 calendars featuring popular editorial cartoons.

The OPC delivered a series of presentations to more than 21,000 students, educators and parents on the privacy risks of social networking. The OPC engaged Canadians on privacy through the use of social media tools: in 2010-2011, the Office produced 73 posts on its two blogs and 581 tweets; more than doubled the number of followers to the OPC Twitter account (@PrivacyPrivee) compared to last year, bringing its total followers to 2,376; added 23 new videos to the OPC YouTube channel, including a video for small businesses on customer privacy.

The Office created a series of armchair discussions to showcase new voices in the privacy field. Two events were held in 2010-2011, attracting a total of more than 100 participants and almost 700 views on YouTube.
Exceeded
Indicator: Extent to which individuals know about the existence/role of the OPC, understand their privacy rights, and feel they have enough information about threats to privacy

Targets:

At least 20 percent of Canadians have awareness of the OPC

At least 20 percent of Canadians have an "average" level of understanding of their privacy rights

At least 35 percent of Canadians have some awareness of the privacy threats posed by new technologies
In a Harris/Decima poll conducted on behalf of the OPC in 2010-2011, involving 2,000 respondents from across Canada:

  • 31 percent of respondents said they were aware of a federal institution that helps Canadians deal with privacy and the protection of personal information. Some could actually identify the Office by name; others not specifically;
  • 30 percent of respondents described their knowledge of their privacy rights under the law as good or very good, thus exceeding an “average” level of understanding of their privacy rights;
  • 43 percent of respondents felt they understood how new technologies might affect their personal privacy.
Exceeded
Federal government institutions and private-sector organizations receive useful advice and guidance on privacy rights and obligations, contributing to better understanding and enhanced compliance. Indicator: Reach of organizations with OPC policy positions, promotional activities and promulgation of best practices

Targets:

At least 1,000 communication tools distributed per year

At least one news release per month on a subject of particular interest to organizations

Exhibiting at least four times during the year

At least 350 subscribers to the e-newsletter

Two public education initiatives annually designed for new organizational target groups

Two public events/speaking engagements addressing needs of organizational target groups
In 2010-2011, the OPC produced about 25 distinct tools and publications, including annual reports and audits, guidance on biometrics, and a summary of research on youth online privacy. The OPC redesigned and launched the “Privacy For Small Business Online Tool” to help small businesses build a privacy plan. Since its launch in October 2010, the online tool has been used by almost 8,000 visitors.

The OPC also published a document, called Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada, to guide federal entities covered under the Privacy Impact Assessment Directive on what the Office looks for in PIA reviews.

To support Data Privacy Day 2011, the OPC developed a suite of products aimed at encouraging the protection of electronic data. These products, which included a poster, stickers and fact sheets on privacy and mobile devices, were distributed to all provincial and territorial commissioners for their use in Data Privacy Day activities.

Those products were among the 34,007 communication tools distributed to various audiences in 2010-2011.

Two or more news releases per month were issued in 2010-2011 on subjects of interest to both organizations and individuals.

The Office exhibited at 13 events in 2010-2011, a 30-percent increase over the previous year.

As of March 31, 2011, the OPC had 1,013 individual and organizational subscribers to the e-newsletter.

In 2010-2011, the OPC organized the first-ever Privacy Practices Forum for federal departments to share tools, techniques and experiences for enhancing privacy protection.

OPC representatives spoke at 148 events over the past fiscal year, including delivering keynote speeches at GTEC 2010 in Ottawa and the OECD Conference on Privacy, Technology and Global Data Flows in Jerusalem.
Exceeded

Performance Analysis

With its growing numbers of public education, outreach and communications activities, the OPC is reaching out to more and more organizations, both in the public and private sectors, and to individuals. Awareness of privacy obligations and rights is increasing, but given the new privacy challenges emerging almost daily, more work is needed to disseminate information and tools.

On the international scene, the Office attracted widespread media coverage of its investigation into Google’s collection of Canadians’ personal information from unsecured wireless networks, as well as the follow-up on an investigation of Facebook’s privacy policies and practices. As well, the Privacy Commissioner and Assistant Commissioner made presentations at several international conferences and events where global organizations were present. These included, for example, presentations to the Privacy Laws and Business 23rd Annual Conference in Cambridge, UK, the ITechLaw 2010 World Technology Law Conference in Massachusetts, U.S.A., and the International Conference of Data Protection and Privacy Commissioners in Jerusalem.

Furthermore, during 2010-2011, the OPC:

  • began discussions with provincial and territorial privacy counterparts to develop localized and targeted programs in their jurisdictions that are focused on heightening small business awareness of privacy issues and safeguards, as well as digital literacy among Canadians, particularly the young, to raise awareness about the privacy risks inherent in online activities;
  • developed and implemented public outreach initiatives aimed at young people, including inviting a youth advisory panel to help identify the knowledge gaps among youth, and delivering presentations to students, educators and parents on the privacy risks of online social networking;
  • bolstered engagement with stakeholders in the Greater Toronto Area with the  opening in 2010 of a regional office in Toronto by, among other things, establishing collaborative networks with the business community to support current and future outreach activities and holding a series of information sessions with businesses and privacy practitioners;
  • in the context of the new Treasury Board Secretariat Directive on PIAs taking effect April 1, 2010, developed and communicated guidance on privacy for federal public servants, including providing an overview of the Privacy Act, reviewing the role of the OPC in reviewing PIAs, highlighting relevant TBS guidelines, and outlining  best practices in the day-to-day handling of personal information. To support this work, the OPC developed a strategic communications plan and conducted a series of executive interviews with Access to Information and Privacy (ATIP) coordinators;
  • spearheaded an initiative with nine other international data protection authorities to remind Google and other online companies that they are obliged to comply with the laws of the countries in which they launch their products and services. The joint letter and news conference in Washington received media coverage around the globe.

Lessons learned

In 2010-2011, the OPC leveraged the attention and credibility generated in part by the 2009 Facebook investigation to further raise awareness of privacy rights and obligations in the public and private sectors, in Canada and abroad. In light of its increased profile, the Office is more cognizant than ever of the impact its efforts may have. As such, the OPC recognizes the need for effective internal processes, such as knowledge sharing and quality control, to ensure that Canadians receive the best possible service from the OPC.

Benefits for Canadians from Program Activity 3

By raising organizations’ awareness of their obligations under federal privacy laws and furnishing them with tools and information to better protect the personal information in their care, the OPC is helping to strengthen the privacy protections enjoyed by Canadians. The Office also directs communications and outreach activities specifically at individuals, thus heightening their awareness of their rights and abilities to exercise them. With a better understanding of the issues, Canadians are also better equipped to protect their personal information and reduce their privacy risks.

2.4 Program Activity 4: Internal Services

Activity Description

Internal Services are groups of related activities and resources that are administered to support the Office’s programs and other corporate obligations. As a small entity, the OPC’s internal services include two sub-activities: governance and management support, and resource management services (which also incorporate asset management services). Given the specific mandate of the OPC, communications services are not included in Internal Services but rather form part of Program Activity 3 – Public Outreach. Similarly, legal services are excluded from Internal Services at OPC, given the legislated requirement to pursue court action under the two federal privacy laws, as appropriate. Hence legal services form part of Program Activity 1 – Compliance Activities and Program Activity 2 – Research and Policy Development.

Program Activity 4: Internal Services
2010-2011 Financial resources ($000) 2010-2011 Human resources (FTEs)
Planned Spending Total Authorities Actual Spending Planned Actual Difference
5,137 5,405 6,383 46 43 (3)

The actual spending includes reallocations between activities to better reflect Program activity spending.

Expected Results Performance Indicators/Targets Actual Performance Performance Status
The OPC achieves a standard of organizational excellence, and managers and staff apply sound business management practices. Indicator: Ratings against the Management Accountability Framework (MAF)

Target: Strong or acceptable rating on 70 percent of MAF areas of management
As an Agent of Parliament, the OPC is not subject to a MAF assessment by Treasury Board Secretariat. Nonetheless, the Office conducts a comprehensive self-assessment exercise against the MAF biennially. In September 2010, the OPC completed its third self-assessment, which indicated an improvement in its management practices overall. In 2006-2007, 40 percent of MAF areas of management were rated ‘strong’ or ‘acceptable’; in 2008-2009, 60 percent reached that target and, in 2010-2011, 72 percent did. Exceeded
Areas where OPC’s management practices met or exceed expectations were: Public Service values, utility of corporate performance framework, effectiveness of corporate management structure, quality and use of evaluation, quality of performance reporting, effectiveness of corporate risk management, excellence in people management, effectiveness of internal audit function, effectiveness of IT management, effectiveness of procurement, effectiveness of financial management control, quality of TB submissions, and citizen-focused services.

Three areas of management practices were rated as ‘opportunities for improvement’: investment planning, effectiveness of information management, and effective management of security. Work is underway to strengthen those areas with the development of an integrated investment plan that will substantiate resource allocation decisions; the creation of a governance structure to set priorities for business applications (e.g. current and future internal resource needs for the new case-management system); an update of the IM/IT strategic plan in line with the most pressing information management requirements; and the creation of a organizational security program to formalize the management of security.

Two areas of management were rated as ‘attention required’ in the last self-assessment: managing organizational change, and effectiveness of asset management.

To improve those areas, a formal change-management strategy was developed and all OPC initiatives involving significant change are now required to follow a road map for their smooth delivery. To improve on the management of assets, the OPC is developing a materiel management framework that will better support decision-making in this area. As well, the Office evaluated its space requirements, taking into account present and future needs and, partnering with the Office of the Information Commissioner, is negotiating with Public Works and Government Services Canada for a new joint location to move into in 2013 when the present accommodation agreement ends.

Performance Analysis

In 2010-2011, the OPC conducted its third biennial MAF self-assessment exercise, with results indicating a steady improvement in management practices. Thirteen (13) of the 18 management areas assessed met or exceeded expectations of sound management, and the remaining five are currently being improved (see table above for detail). The OPC is also strengthening its management framework to better support its corporate priorities. Specifically, the OPC:

  • implemented its 2008-2011 Integrated Business and Human Resources Plan, which effectively addressed employee orientation and specialized training; stabilized the workforce; led to increased use of social networking sites for recruiting; introduced new technologies to facilitate knowledge and information sharing; resulted in the development of policies and practices to support a healthy work environment and a talent-management program that includes succession planning activities;
  • enhanced and broadened staff knowledge in specific areas through the use of developmental assignments both within and outside the Office;
  • welcomed new resources through vehicles such as Interchange Canada;
  • increased communication between the Inquiries unit and other branches of the Office to provide value-added intelligence about the nature and frequency of inquiries and to develop tools for individuals and organizations;
  • rolled out SharePoint, an electronic collaboration tool, to all branches of the Office and provided mandatory training to all staff, in order to improve decision-making based on better sharing of information.

Lessons learned

Now that its workforce is stabilized, the Office faces the same challenge as many organizations: to maintain the momentum in a competitive and changing labour market. The Office is developing its 2011-2014 Integrated Business and Human Resources Plan, which will include the launch of a talent-management program in the first year of implementation.

The OPC experienced significant changes in recent years, including a major re-engineering of its inquiry and investigation functions from 2008 to 2010, a notable influx of new staff in 2009, the opening of a new office in Toronto in 2010, and an organizational restructuring at the end of 2010-2011. The Office will continue to evolve to further increase its effectiveness and better serve Canadians. A formal strategy for change management will be implemented in 2011-2012.