ARCHIVED - Office of the Privacy Commissioner of Canada - Report

• Previous Page
• Table of Contents
• Next Page

This page has been archived.

Message from the Privacy Commissioner of Canada

I am pleased to present our 2012-13 Report on Plans and Priorities, which sets out the strategic directions, priorities, expected results and spending estimates for the Office of the Privacy Commissioner of Canada ( OPC) for the coming fiscal year.

The privacy landscape is evolving constantly and, particularly as Canadians live more of their lives online, public interest in issues associated with personal information protection has never been higher. These factors call upon our Office to be adaptable and responsive to the needs of Canadians.

As the new fiscal year unfolds, we will continue focusing on the four priority areas we feel pose the greatest risks to privacy: information technology; public safety; identity integrity and protection; and genetic information. Each of these issues has at least two important things in common; each has tremendous implications for privacy and neither one are bounded by our borders. In general, and with online issues in particular, privacy matters are global in scope. This is why the information sharing provisions of Canada’s anti-spam law are so important. During the year, we will introduce a new process and procedure to perform joint or collaborative investigations with international partners and develop enhanced protocols for sharing information with provincial/territorial and international data protection agencies.

We will monitor the progress of Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act ( PIPEDA), with a view to determining what operational changes may be required within our Office should the bill, which would introduce mandatory data breach notification requirements, become law. We will continue preparations for the second mandated five-year parliamentary review of PIPEDA. In the realm of public safety, we will monitor the implementation of the Beyond the Border Action Plan and provide advice on how to mitigate any risks posed by its particular initiatives to the privacy of Canadians. On the same note, we will continue to provide advice to Parliamentarians on proposed lawful access legislation.

In addition to advising Parliamentarians on how legislative proposals and other government initiatives may impact privacy, we will continue with outreach efforts to the federal public service to ensure that senior leaders along with staff who design policies and administrate programs are engaged and well-versed on how to best identify and mitigate risks to privacy in their endeavours. Further, we will continue and deepen our efforts to reach out to youth, parents and educators on protecting privacy and personal information in the online world.

Further, we will finalize preparation for the full coming into force of Canada’s anti-spam law, which will see our Office responsible for enforcing provisions regarding the collection of personal information through illicit access to other people’s computer systems and electronic address harvesting, where bulk e-mail lists are compiled through mechanisms including the use of computer programs to automatically mine the Internet for addresses.

Lastly, we will carry out our work mindful of Canadians’ expectations. Today’s economic realities make it incumbent for all organizations, be they in the private or public sector, to seek out efficiencies to make best use of resources. As a result, we are committed to find efficiencies within our operations while maintaining the best possible level of service to Canadians. Further toward this end, we will work at sustaining our organizational capacity through continuous improvement, more specifically to strengthen our knowledge management and embrace change in our management practices.

Section I: Organizational Overview

Raison d'être

The mandate of the Office of the Privacy Commissioner of Canada ( OPC) is to oversee compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, the Personal Information Protection and Electronic Documents Act ( PIPEDA), Canada’s private-sector privacy law, along with some aspects of Canada’s anti-spam law. The OPC’s mission is to protect and promote the privacy rights of individuals¹.

Responsibilities

As an Agent of Parliament, the Privacy Commissioner of Canada reports directly to the House of Commons and the Senate. The Commissioner’s powers to further the privacy rights of Canadians include:

• investigating complaints, conducting audits and pursuing court action under the Privacy Act and PIPEDA;
• publicly reporting on the personal information-handling practices of public- and private-sector organizations;
• supporting, undertaking and publishing research into privacy issues; and
• promoting public awareness and understanding of privacy issues.

The Commissioner works independently of the government to investigate complaints from individuals with respect to the federal public sector and the private sector. While the focus is on mediation and conciliation, if voluntary co-operation does not result, the Commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence. In cases that remain unresolved, the Commissioner may seek an order from the Federal Court to rectify the situation.

Strategic Outcome and Program Activity Architecture (PAA)

In line with its mandate, the OPC pursues the protection of the privacy rights of individuals as its Strategic Outcome. Toward that end, the Office’s program activity architecture is composed of three operational activities and one management activity. The PAA diagram below presents information at the program activity level:

Strategic Outcome	The privacy rights of individuals are protected.
Program Activity	1. Compliance Activities	2. Research and Policy Development	3. Public Outreach
	4. Internal Services

Alignment of PAA to Government of Canada Outcomes

Federal departments are required to report on how their PAA aligns with Government of Canada Outcomes. The Privacy Commissioner, however, being independent from government and reporting directly to Parliament, is not obliged to make such alignment. The Strategic Outcome and the expected results from the work of the OPC are detailed in Section II of this Report.

Organizational Priorities

The OPC has a single Strategic Outcome (SO 1), which is that the privacy rights of individuals be protected. Toward that end, the OPC identified three organizational priorities.

The table below describes how each organizational priority contributes to the Strategic Outcome, and what the OPC plans to do in 2012-2013 to make progress in each one. More detail on these is provided under Planning Highlights in Section II.

Organizational Priority	Type2	Link to Strategic Outcome	Description
1. Fully implement new service delivery models to maximize results for Canadians.	Previously committed to	SO 1	The OPC compliance mandate evolves as does the nature of privacy business. Hence it is imperative to establish new processes, continuously improve service delivery and optimize the use of available resources namely through cooperation. In 2012-2013, the OPC will: Continue integration of fundamental changes to OPC processes and systems (e.g. re-engineered complaint resolution process, alternative interventions, case management system, Toronto office, and redesigned Information Centre); Adapt the OPC mandate in accordance with new and expected legislative developments  (e.g. Canada’s Anti-Spam Legislation and Bill C-12); Cooperate with selected Canadian and international stakeholders to address global privacy issues in a more coordinated and effective manner.
2. Provide leadership to advance the four priority privacy issues (information technology, public safety, identity integrity and protection, and genetic information) for Canadians.	Ongoing	SO 1	The OPC strategically focuses its activities on the four identified priority areas to derive the greatest privacy protection for Canadians from its available resources. To keep pace with the rapid evolution of privacy issues, OPC needs to maintain a reliable knowledge foundation from which to provide leadership. In 2012-2013, the OPC will: Build more knowledge and capacity in the four priority privacy areas; Use innovative and strategic approaches to translate knowledge on the four priority privacy issues into concrete outcomes for Canadians and organizations.
3. Sustain organizational capacity through continuous improvement.	Ongoing	SO 1	To maintain high quality, consistent service levels to Canadians in an increasingly complex environment, the Office will continue to nourish its organizational capacity through working better horizontally and managing change seamlessly. In 2012-2013, the OPC will: Strengthen the management and transfer of knowledge across the OPC through the optimized use of systems, enhanced collaboration, training and development, and effective handling of information assets; Implement the change-management strategy and evaluate how the Office is embracing change in its management practices.

Risk Analysis

Key risks influence the OPC’s choice of organizational priorities, affect plans and performance, and drive decision-making. The OPC continually scans its environment to remain responsive to change. This section describes the OPC’s strategic context and operating environment, outlines key risks and identifies the associated mitigation strategies.

Strategic Context and Operating Environment

Information technology innovations continue to unfold rapidly. Competitive pressures among developers to bring these innovations to market, and among organizations to adopt them quickly mean that privacy implications can often be overlooked, increasing the risk of data breach and requiring a game of “catch up” after the fact to implement features needed to protect personal information. The sheer complexity and interconnectivity of information systems, the proliferation of personal mobile devices and the new web 3.0 require highly specialized capacity and expertise for data protection authorities, such as the OPC, to keep pace with technological advances.

National security and public safety concerns continue to take priority in Canada and internationally. The increasing involvement of the private sector in assisting governments with law enforcement efforts requires an ongoing analysis of their reasonableness and effect on privacy. E-Government initiatives, once but a line item in future plans and budgets are happening here and now. The domestic and global economic situation is causing financial pressures to reduce organizational spending, which may affect investments in privacy protection. At the same time, increasing globalization and trans-border data flows continue to challenge the jurisdictional limits of individual national data protection authorities. This requires new mechanisms for sharing information between them and coordinating enforcement efforts in order to more effectively address international privacy issues.

Moving to the ever-evolving online world, individuals’ search terms and online behavioural patterns were once considered as benign, anonymous data. Today however, the increasing capacity of advertisers and website operators to collect, store and aggregate data at minimal cost is challenging our traditional concepts of what constitutes personal information and what is or is not identifiable. Further, the number of very young children online is increasing and social media has emerged as the new and preferred way of communicating among youth. These trends increase the need for effective public education and outreach so that youth, parents and educators understand the full implications of the new digital world and make informed choices.

Key Risks

Risks are continuously monitored informally while the OPC formally updates its corporate risk profile annually. Risk analysis informs corporate priority-setting and operational plans then include strategies to mitigate risks throughout the year. During 2012-2013, the OPC will pay particular attention to the challenges it will face as a result of budget restraints and the planned relocation of its main office. In that context the OPC will ensure measures are in place to make optimal use of its resources and ensure service to Canadians is not compromised. Additionally, the Office will focus on managing the following corporate risks:

Organizational Responsiveness – Risk that the organization will not be sufficiently responsive to rapid change.

Rapid evolutions in the privacy world coupled with continuously increasing workload have led the OPC to move toward more efficient, timely, innovative and responsive operations. For example, the Office is preparing to implement an online complaint process that modernizes the complaint intake and investigation process. To remain responsive in a turbulent environment, the OPC will continue investing in proactive measures such as public education, outreach and special investigations and audits on emerging issues. The Office is also committed to informing and influencing public policy through further engagement with the public, media and Parliamentary committees. As well, an integrated business and human resources plan is designed to support the organization in delivering on its mandate and meeting its business challenges.

To mitigate this risk in 2012-2013, the Office will complete the implementation of its change management strategy and accompanying tools and evaluate their effectiveness in bringing the Office to embrace change in its management practices. The Office will also evaluate and assess the business-driven training needs of the organization with the objective of building internal capacity and promoting employee excellence.

Organizational Impact of Canada’s anti-spam law – Risk that the organization will not implement its new responsibilities under Canada’s anti-spam law in a way that meets Canadians’ expectations.

The intent of the new legislation is to curb the amount of damaging and deceptive unsolicited electronic communications (spam) that circulate in Canada. Once in force, the new law will broaden the OPC’s mandate through enforcement responsibilities that are shared with the Canadian Radio-television and Telecommunications Commission and the Competition Bureau. The implementation of the law must be managed well, in light of the impact that the expanded responsibilities will have on the organization internally, as well as the external demands of working with other enforcement partners.

To mitigate this risk, the OPC will continue to collaborate with its partner institutions through various interdepartmental working groups to ensure an effective and coherent implementation process. Internally, the OPC will continue work to prepare for its new role through such things as developing investigation scenarios and operational processes. The OPC will also increase the capacity of its laboratory facilities to provide timely and relevant support to the organization in carrying-out its new responsibilities.

Meeting Service Standards – Risk that the OPC’s capacity to respond to complaints and information requests will not meet enhanced service standards in the face of increasing demands and expectations.

The OPC allocates its resources as strategically as possible in a context of increasing demands and expectations. It however remains at risk of being unable to deliver quality service in the timeframe expected by Canadians and international stakeholders. To address this risk, the OPC has introduced a number of important organizational changes to better align resources with its core functions and improve service delivery. It has also redefined its standards to meet the demand for responses to often-pressing privacy concerns and tracks and reports performance against these new service standards.

To further mitigate this risk, the OPC will continue to update and improve its complaint intake and investigation processes, through strengthening capacity building and procedures and incorporating alternative dispute resolution delivery methods where appropriate. The Office will also regularly conduct qualitative analysis of performance data to continually improve its performance against its new service standards.

Information Management (Knowledge Capital) – Risk that the OPC will not have complete or sufficient information to support effective operations and decision-making in an increasingly complex environment.

As an organization, the OPC has grown considerably over the past 10 years and the volume of its business activities continues to increase. At the same time, privacy issues have become increasingly complex, requiring integrated solutions with multiple perspectives. This demands that the Office’s increasing amount of business intelligence be managed, stored for easy access, and shared effectively within the organization. The OPC already has tools to support information management, including: a case-management system offering more integrated, easier-to-access information; Sharepoint, used as a collaboration tool; an electronic document management system; improved research databases;and other initiatives to better share information among branches, including cross-training of employees and work in horizontal teams.

However, the ever increasing volume of business activities, the inevitable turnover in staff in the highly specialized field of privacy and the interconnected privacy issues point to the need to better retain, manage and share the information on which decisions are made. To mitigate this risk, the Office will: assess the feasibility of strategies to capture and share knowledge to preserve OPC corporate memory; finalize the update to the OPC’s records management system to better support information management across the Office; develop an internal communications strategy; and design a new systematic quality control program that generates better quality and transferability of investigations data in the case management system.

Planning Summary

The following two tables summarize the total planned financial and human resources allotted to the OPC for the next three fiscal years.

Financial Resources ($000)

	2012-2013	2013-2014	2014-2015
Planned Spending	24,606	24,606	24,606

Human Resources (FTEs*)

*FTE: Full-Time Equivalent.
	2012-2013	2013-2014	2014-2015
Planned FTEs	176	176	176

Expenditure Profile

In 2012-2013, the OPC plans to spend $24.606 million to advance its three organizational priorities, meet the expected results of its Program Activities, and contribute to its Strategic Outcome.

Spending Trend from 2008-2009 to 2014-2015

The adjacent figure illustrates the OPC’s spending trend over a seven-year period.

[text version]

The graph shows a slight increase in expenditures over the period of 2008-2009 to 2010-2011. The forecasted expenditures for the period of 2011-2012 reflect an increase of approximately $2 million mainly resulting from new funding for Canada’s anti-spam legislation. Subsequently the funding for 2012-2013 and beyond stabilizes at 2011-2012 levels. This, however, could change significantly due to the relocation of the main office in the fall of 2013; the increased spending would be mostly due to the office set up and equipment as well as the new technology infrastructure. Also, the spending trend does not reflect, at this time, any further reductions resulting from the OPC’s efforts to find efficiencies within its operations and use of resources.

2012-2013 Allocation of Funding by Program Activity

The figure below displays the allocation of OPC funding by Program Activity for 2012-2013. More than 40 percent of OPC funding is allocated to Program Activity 1 - Compliance Activities, which encompasses the Office’s main program delivery mechanisms: responses to information requests, complaint investigations, legal opinions, litigation proceedings, audits, and Privacy Impact Assessment reviews.

[text version]

Estimates by Vote

Estimates by Vote are presented in the 2012-13 Main Estimates, which are available at the following link: http://www.tbs-sct.gc.ca/est-pre/20122013/me-bpd/docs/me-bpd-eng.pdf.

• Previous Page
• Table of Contents
• Next Page