Treasury Board of Canada Secretariat - Government of Canada

Catalogue No. BT31-4/63-2003
ISBN 0-660-62428-1

Offices of the Information and Privacy Commissioners
Performance Report
For the period ending March 31, 2003

Section I - Privacy Commissioner's Message

I was appointed Interim Privacy Commissioner in July 2003. In the brief period I have been in the position, my appreciation of the importance of privacy as a fundamental right, at the heart of our basic freedoms, has grown considerably. To protect privacy is to protect the values of a free society. It is difficult to imagine an activity more deserving of support from public resources. Accordingly, although I cannot take credit for performance in the period preceding my appointment, I am pleased nonetheless to be able to report to Parliament and to Canadians on how those public resources were used in the promotion and protection of privacy.

Privacy in the federal public sector is protected by the Privacy Act. This statute ensures that government institutions collect, use, and disclose personal information only for purposes directly related to their operating programs or activities. It gives individuals a right of access to information about them held by government institutions. It also gives individuals, through the Office of the Privacy Commissioner, a means to ensure that government institutions comply with the Act, and to seek redress if they do not.

The Personal Information Protection and Electronic Documents Act, enacted in 2000, extends privacy protection to the private sector. The PIPED Act, as it is known, strikes a balance between individual privacy rights and the needs of organizations to collect, use, and disclose personal information. The Office of the Privacy Commissioner of Canada (OPC) oversees the administration of the law and ensures that it is respected, and that redress is available if an individual's rights are violated.

The PIPED Act began coming into force on January 1, 2001. At present it applies to all personal information collected, used, or disclosed in the course of commercial activities and employment by federal works, undertakings, and businesses, and to personal information sold, leased, or bartered across provincial or national boundaries. As of January 1, 2004, it will apply to all commercial activities in Canada, except where provinces have enacted substantially similar legislation.

Shortly after the end of the reporting period, the Standing Committee on Government Operations and Estimates of the House of Commons began an intensive examination of the operations of the OPC. This uncovered a number of serious problems, and indicated the need for audits by both the Office of the Auditor General of Canada (OAG) and the Public Service Commission of Canada (PSC).

By the time this Performance Report has gone to print, the audit reports of the OAG and the PSC will have been tabled and they will have revealed serious deficiencies in the former Commissioner's (Mr. Radwanski's) Office.

The OPC fully acknowledges the importance of the findings, conclusions and recommendations in these audit reports, which clearly reveal a major breakdown of external governance and internal control processes. The state of the financial and human resources management practices must be reformed. These audit reports will discuss how the rules and Public Service values were not properly followed and how, in many ways, Canadians did not receive full value for money. Serious allegations of misuse and abuse of public funds will also require further probing by regulatory and law enforcement agencies.

As Interim Privacy Commissioner, I intend to act decisively on these issues, with advice and assistance from the Treasury Board of Canada, the OAG and the PSC, to correct the situation. To prevent a leadership and management deficit of such magnitude from occurring again in the future, the OPC is developing the appropriate institutional safeguards.

I wholeheartedly support the independent scrutiny, which I believe will help us to rebuild the OPC, restore our relationship with Parliament, and regain the full confidence of Canadians. I would ask Parliamentarians and Canadians, however, not to let it overshadow the good work done in the past year by staff of the OPC and reported here.

Section II - Context

Current environment

Challenges at the OPC

The Office of the Privacy Commissioner of Canada has undergone a difficult period. The Standing Committee on Government Operations and Estimates of the House of Commons investigation uncovered a number of problems that brought the whole office into the media spotlight. The OPC has also undergone an audit by the Auditor General of Canada and another by the Public Service Commission. At the same time, there is much important privacy work to be done. The challenge is to ensure that problems are corrected, while the overall credibility of the organization and of its dedicated staff is not compromised.

The post-9/11 environment

Privacy is under assault as never before. Citing the heightened security requirements since the September 11th tragedies, the Government has introduced a variety of privacy-invasive initiatives. Never before has it been more important to find the appropriate balance between privacy and security.

Canadians expect the Commissioner and the OPC to take a leadership role in this critical debate - to bring privacy issues to the table, to raise awareness of the issues, to negotiate effectively with the Government, and to encourage organizations to rethink their approach to many of these initiatives.

The full implementation of the PIPED Act

The scope of the Personal Information Protection and Electronic Documents (PIPED) Act, which is being implemented in stages, will expand greatly in 2004. The PIPED Act currently applies to federal works, undertakings, and businesses, such as airlines, banking, broadcasting, interprovincial transportation and telecommunications, as well as to all organizations that disclose personal information outside a province or the country for consideration. On January 1, 2004, the Act will extend to every organization that collects, uses or discloses personal information in the course of a commercial activity except in provinces which have enacted legislation that is deemed to be substantially similar to the federal law.

It is likely that many provinces will not have a substantially similar provincial law by January 2004. A patchwork of coverage at the provincial level is more likely. For both citizens and businesses, this may create confusion about jurisdiction. In addition to its responsibilities in the federal public sector and the federally-regulated private sector, the OPC will likely be taking on the bulk of the responsibility for overseeing privacy rights in much of the private sector. Note that, to date, only Quebec has privacy legislation deemed to be substantially similar to the federal law, although British Columbia and Alberta have introduced legislation.

Increased awareness of privacy issues

Privacy is becoming a defining issue of this decade. A number of factors - the September 11th terrorist attacks, new advances in privacy-invasive technologies, open debate in public and in the media regarding the privacy implications of new Government initiatives, among others - appear to have contributed to an overall increase in awareness of and interest in privacy issues in Canada. We expect this to continue increasing at a steady pace.

Privacy Impact Assessments (PIAs)

The introduction of electronic services by the federal Government through programs such as the Government On-Line (GOL) initiative has also added to the obligations and responsibilities of the OPC, and to the importance of appropriate personal information-handling practices in this regard.

Respect for citizens' privacy is critical to the success of these new services. The Government of Canada has initiated a new Privacy Impact Assessment (PIA) Policy. This policy is intended to protect the privacy of Canadians in all transactions with the Government by ensuring that privacy considerations are built into government projects at the outset. Canada is the first country in the world to make PIAs mandatory for all federal departments and agencies.

The OPC worked with Treasury Board Secretariat to develop the policy. We are also responsible for reviewing all PIAs and offering comments to departments and agencies, to help them build in privacy protections at the outset.

The Interim Privacy Commissioner has recently recommended to government that it consider giving PIAs the force of law.

Raison d'être

To ensure that Canadians' rights, under Canada's privacy laws, are respected.

The Privacy Commissioner of Canada is an Officer of Parliament who reports directly to the Senate and House of Commons. The Commissioner is an advocate for the privacy rights of Canadians whose powers include:

  • investigating complaints and conducting audits under two federal laws;
  • publishing information about personal information-handling practices in the public and private sectors;
  • conducting research into privacy issues; and
  • promoting awareness and understanding of privacy issues by the Canadian public.

The Commissioner works at arm's length from government to investigate complaints from individuals, and to conduct compliance audits with respect to the federal public sector and the private sector.

Canadians may complain to the Commissioner about any matter specified in Section 29 of the Privacy Act. This Act applies to personal information held by the Government of Canada.

For matters relating to personal information in the private sector, the Commissioner may investigate complaints under Section 11 of the Personal Information Protection and Electronic Documents (PIPED) Act. This Act currently applies to federally regulated businesses across Canada and to all businesses in the three territories. It also applies to personal information that is sold across provincial and national boundaries for consideration. On January 1, 2004, the PIPED Act will apply to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations, except in provinces that have, by then, enacted privacy legislation that is deemed to be substantially similar to the federal law.

As an ombudsman, the Commissioner prefers to resolve complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence if voluntary co-operation is not forthcoming.

Organization

Following is the organizational structure of the OPC as it was in the 2002-2003 period. This structure is currently under review, as a consequence of the audits by the OAG and the PSC.

Organizational Chart

The Privacy Commissioner is an Officer of Parliament appointed by the Governor-in-Council following approval of his nomination by resolution of the Senate and the House of Commons. The OPC is designated by Order-in-Council as a department for purposes of the Financial Administration Act. As such, it is established under the authority of schedule 1.1 of the Financial Administration Act and reports to Parliament for financial administration purposes through the Minister of Justice. The Privacy Commissioner is accountable and reports directly to Parliament through the Speakers of the Senate and the House of Commons on all results achieved.

Investigations Branch

The Investigations Branch is responsible for investigating, on behalf of the Commissioner, complaints received from individuals under Section 29 of the Privacy Act and Section 11 of the PIPED Act. Essentially, the OPC's investigations serve to establish whether individuals have had their privacy rights violated and/or have been accorded their right of access to their personal information.

Where privacy rights have been violated, the investigative process seeks to provide redress for individuals and keep violations from recurring. Through the Privacy Commissioner, the Branch has the authority to administer oaths, receive evidence and enter the premises of federal government institutions where appropriate. The Commissioner can also examine or obtain copies of records found in federal government institutions.

Privacy Practices and Reviews Branch

The Privacy Practices and Reviews Branch assesses how well organizations are complying with the requirements set out in the two federal Acts.

The Branch conducts compliance reviews under Section 37 of the Privacy Act and audits under Section 18 of the PIPED Act. As well, the Branch is responsible for reviewing Privacy Impact Assessments (PIAs). PIAs are conducted by federal government departments on all government projects or initiatives that involve the collection, use and disclosure of personal information, to determine the impacts of a proposal on an individual's privacy and ways to mitigate or avoid any adverse effects.

The Privacy Act permits the Commissioner to randomly initiate a compliance review of federal institutions. Paragraph 18 (1) of the PIPED Act allows the Commissioner to audit the compliance of private organizations if the Commissioner has "reasonable grounds to believe" that the organizations are contravening a provision of the Act.

Through the Privacy Commissioner, the Branch has the authority to administer oaths, receive evidence and, at any reasonable time, enter premises where appropriate. It also provides assistance to public and private sector organizations on fair information-handling practices with respect to any initiative with privacy implications.

Communications and Policy Branch

One aspect of the Commissioner's mandate is to educate individuals and organizations about privacy issues, thus increasing their awareness and understanding. The Commissioner is specifically mandated under the PIPED Act to conduct public education activities. To focus on this responsibility, the Communications and Policy Branch was established in September 2000 to raise awareness of privacy issues, to inform Canadian citizens and businesses of the new private sector legislation, and to expand the OPC's research capability.

The Strategic Research and Analysis Division of the Branch is a centre of expertise on emerging privacy issues in Canada and abroad, responsible for researching trends, providing analysis on key issues, and helping to develop policies and initiatives that advance the protection of the privacy rights of Canadians.

The Branch's Inquiries Unit responds to inquiries from members of the general public who contact the Commissioner and the OPC for advice and assistance on a wide range of privacy-related matters.

Legal Services

Legal Services, headed by the General Counsel, provides specialized legal and strategic advice and litigation support to the Privacy Commissioner with respect to the Privacy Act and the PIPED Act.

Corporate Services

In previous years, the Offices of the Information and Privacy Commissioners shared corporate services while operating independently under their separate statutory authorities. These shared services were centralized in the Corporate Management Branch.

Effective in the 2002-2003 period, the OPC established its own Corporate Services - finance, human resources, information technology and general administration - to meet the increased workload and demands of the OPC.

It is important to note that many activities related to Corporate Services within the OPC, such as finance and human resources, were the subject of audits by the Office of the Auditor General and the Public Service Commission. Many problems relating to the management of the OPC have been uncovered and are in the process of being corrected.

Section III - Performance Information by Strategic Outcome

STRATEGIC OUTCOME 1 - Encouraging compliance with fair information practices by both public and private sector organizations through complaint investigations

Through the efforts of its Investigations Branch, the OPC seeks to promote fair information management practices by both public and private sector organizations in Canada in accordance with two federal privacy laws - the Privacy Act, which was enacted in 1983 and the Personal Information Protection and Electronic Documents (PIPED) Act, which took effect on January 1, 2001. The Branch investigates complaints under both laws from individuals alleging that their personal information has been mismanaged, or that they have been denied access or correction rights accorded them under these Acts.

The Branch also responds to inquiries from the general public and from government institutions, private sector organizations, and the media who contact the OPC on a wide variety of privacy-related issues. It also conducts reviews of public interest disclosures of personal information under the Privacy Act, as well as incidents of mismanagement of personal information under both Acts.

This program activity is very much a reactive one rather than proactive, driven mostly by external factors. A number of issues - for example, the re-assessment of border security, new anti-terrorism measures as a result of the September 11th tragedies, the progressive implementation of the Government On-Line initiative - have translated into heightened awareness of issues and, therefore, more contact with the OPC in the form of complaints or simply inquiries about privacy rights.

The breadth and scope of the workload involved in complaint investigations, or the results achieved, cannot easily be anticipated or measured. At times, one complaint can precipitate a significant change in an established and far-reaching policy or practice, but only after many months of difficult and resource-consuming investigation and negotiation with the respondent. On the other hand, the investigation of dozens of individual complaints about a particular issue, while equally resource-consuming in terms of workload, may or may not uncover any significant evidence of wrongdoing in terms of violations of privacy law.

The Investigations Branch works with officials of respondent government institutions and private sector organizations, as well as with the complainants and other witnesses who have information that is required in order to conduct a thorough investigation/review. The strength of these working relationships ultimately contributes to the effectiveness of the OPC's investigations.

Resources used

The resources used in 2002-2003 for Strategic Outcome #1 (Encouraging compliance with fair information practices by both public and private sector organizations through complaint investigations) were approximately $5.4 million and funded activities in the Office of the Privacy Commissioner of Canada's Investigations Branch. This total also includes some related expenses shared by the Branches. There was a total of 35 staff in the Investigations Branch for the period - a Director General, a Deputy Director General, five Senior Privacy Officers, twenty privacy officers, three Intake Officers, two Writers/Analysts, one Administrative Officer and two support staff.

Outcomes achieved

The OPC's investigations serve to ensure that complainants' fundamental privacy rights are respected.

Our interaction with officials in the respondent departments and organizations serves to educate them on the principles of individual privacy rights and on their own obligations and responsibilities to adhere to the requirements of federal privacy laws. The implementation of recommendations or corrective measures taken as a result of the OPC's interventions during negotiations to resolve complaints can prove beneficial to all Canadians, not just the complainant, reaching those who may be either directly or indirectly affected by the information management practices of government institutions and private sector businesses.

For example, several investigations of PIPED Act complaints against various institutions in the banking industry identified weaknesses and inconsistencies in policies and procedures relating to consent. As a result, the banks agreed to revamp their guidelines for obtaining informed customer consent in a manner consistent with the Act. These positive results can have a ripple effect to the benefit of all Canadians who interact with this industry.

As outlined in the OPC's 2002-2003 Report on Plans and Priorities, the OPC focuses on pre-empting problems through consultation and assistance with government institutions, rather than resorting to formal mechanisms of compliance. The OPC is also focused on promoting compliance with fair information principles outlined in both federal privacy laws.

This past year, the OPC received 1,642 complaints under the Privacy Act. In keeping with established patterns, over 85% of the complaints received in 2002-2003 were lodged against a group of 10 departments and agencies. Several of these respondents routinely appear on the OPC's "top ten list," year after year. (For more information on the OPC's "top ten list," see the OPC's Annual Reports to Parliament.) The trend since the Privacy Act came into effect in 1983 has shown an annual average increase of 10% in the number of complaints received. This past year, however, saw a 35% increase over the previous year.

The OPC also received 332 complaints under the PIPED Act for the same period, a 144% increase over the 136 complaints received during the previous fiscal year. One significant factor in comparing the statistics under both Acts is the number of complaints received about the tardiness of private sector organizations in responding to access requests for personal information. Over the years, 30-35% of Privacy Act complaints concerned time limits, whereas there have been very few under the PIPED Act, with the result that the number of complaints received is far lower than anticipated. Individuals have so far shown much more concern about the management (or lack thereof) of their personal information by private sector organizations than in obtaining access to the information these organizations have about them.

Nevertheless, given that the PIPED Act has been in force for slightly more than two full years, it is not yet possible to establish any trends. The significant rise in complaints, particularly regarding the collection, use and disclosure of personal information, is undoubtedly a result of the public's increased awareness of the Act since it came into force on January 1, 2001. We anticipate that the complaint intake for 2004-2005 will also rise considerably with the full implementation of the Act.

During this reporting period, the OPC concluded 3,483 complaint investigations under the Privacy Act and 176 complaint investigations under the PIPED Act.

It is important to note that the figure for Privacy Act complaints is unusually high because it includes 2,323 complaints related to the Canada Customs and Revenue Agency's (CCRA) disclosure of personal information on Customs' E-311 declaration cards to Human Resources Development Canada (HRDC). Following its review, the Supreme Court of Canada ruled that the disclosure was permissible under section 8(2)(b) of the Privacy Act and as a result, the complainants were subsequently informed that their complaints were not well-founded.

Over the years, the OPC has struggled to provide faster service to Canadians without compromising the thoroughness of its investigations. However, the concern about the turnaround time of its investigations remains unresolved, with the exception of time limit complaints. Despite attempts to ameliorate its system, the number of complaints received by the OPC continues to exceed the number of investigations completed. A shortage of investigators with heavier caseloads than they can manage has contributed to the OPC's inability to meet expectations and, in recent years, resources were reallocated to other areas in the OPC. The OPC expects to request additional funds from Treasury Board in order to help address this problem. The service standards will also be assessed in the next couple of months with a view to determining the extent to which they should be modified. These anticipated improvements will ultimately help to ensure that Canadians receive faster service from the OPC with regard to the completion of complaint investigations.

The PIPED Act requires the Commissioner to report his findings on a complaint within one year of its receipt, and it specifically allows for the resolution of complaints by means of dispute resolution mechanisms such as mediation and conciliation. Although there has been a great deal of success with dispute resolution mechanisms in Privacy Act investigations, even though that Act is silent on the issue, the investigators have not so far used this mechanism in the context of PIPED Act investigations. The OPC expects to strengthen its capacity to actively promote mediation in the future, with a return to a more ombudsman approach to resolving complaints.

Since private sector organizations need to gear up in order to comply with the PIPED Act, which comes fully into effect on January 1, 2004, the OPC has provided case summaries of findings under the Act, to provide guidance and information to businesses on the application of the Act.

Incident Investigations

The OPC also conducted 32 incident investigations of mismanagement of personal information under the Privacy Act and five under the PIPED Act during 2002-2003, brought to our attention from various sources. Most times there is no identifiable complainant but nevertheless the incident warrants further review by the OPC to determine how and why it occurred. These investigations, not unlike complaint investigations, serve to ensure appropriate corrective measures are taken to prevent a reoccurrence and ultimately enhance privacy protection for the benefit of Canadians.

Reviews of Public Interest Disclosures

Section 8(2)(m) of the Privacy Act allows the head of a Government institution to disclose personal information without an individual's knowledge or consent if there is a clear overriding public interest in doing so - either because it outweighs the individual's right to privacy or because it would clearly benefit the individual. Under section 8(5) of the Act, the Privacy Commissioner is to be notified in advance of any proposed disclosures.

The OPC received 70 notifications during the reporting year. For example, in several instances the RCMP relied on this provision to issue a media notice to a particular community that a violent offender at high risk to re-offend has been released so that the local residents could take appropriate precautions.

The OPC's role is to review the information at issue and assess whether, from a privacy perspective, there are any concerns about the disclosure and to determine whether the individual should be advised of the disclosure. These reviews serve to ensure that government institutions exercise their discretion with sensitivity and awareness of the invasion of privacy that results from such disclosures, given that they cannot otherwise be justified under any of the permissible disclosure provisions of the Act.

In sum, in 2002-2003 the OPC has fulfilled its mission to conduct investigations under both the Privacy Act and PIPED Act, encouraging compliance with fair information practices by both public and private sector organizations, for the ultimate benefit of Canadians.

STRATEGIC OUTCOME 2 - Safeguarding the right to privacy of Canadians through audits and reviews

Context and background

To safeguard Canadians' right to privacy, the OPC has been conducting compliance reviews under section 37 of the Privacy Act since 1984. Since January 1, 2001, the OPC has had the mandate to conduct audits of the personal information management practices in the Canadian private sector under section 18 of the Personal Information Protection and Electronic Documents (PIPED) Act. Since May 1, 2002, the OPC has reviewed Privacy Impact Assessments (PIAs) and Preliminary Privacy Impact Assessments (PPIAs) under the Treasury Board's PIA policy. In order to further safeguard the right to privacy of Canadians, the OPC's Privacy Practices and Reviews Branch provides federal government organizations and private sector organizations with advice on compliance issues, and the privacy implications of new and existing programs and practices. The OPC consults with and advises government institutions and private sector organizations regarding initiatives that may have an impact on the privacy rights of Canadians.

Resources

The resources expended for Strategic Outcome #2 were approximately $3.3 million and funded activities within the Privacy Practices and Reviews Branch. This total also includes some related expenses shared by the Branches. The staff complement in the PP&R section declined from 11 to 9 during the year 2002-2003 because of departures. As of March 31, 2003 the staff complement included: a Director General for the Branch, a Director PIA, five Review Officers, one Project Officer and one Administrative Assistant.

Outcomes achieved

In conducting its compliance reviews under the Privacy Act, the OPC ensures that Canadians' personal information is safeguarded - that it is collected, disposed of, used and disclosed by government institutions according to the "fair information principles", as outlined in sections 4 to 8 of the Act. Audits under the PIPED Act ensure that private sector organizations comply with the 10 privacy principles contained in Schedule 1 of the Act in protecting their clients' and employees' personal information. The OPC's review of PIAs and PPIAs ensures that the best practices for the privacy protection of Canadians' personal information are built in from the ground floor for major government projects. The aim of the OPC's other consultative and advisory work is to ensure that organizations integrate fair information practices into their new initiatives involving the personal information of Canadians.

As an ombudsman, the OPC's non-confrontational approach to privacy audits consistently produces better outcomes for the protection of Canadians' personal information than would a more confrontational method. Based on cooperation, respect and transparency, this approach is successful in resolving issues before they become complaints and correcting underlying problems before they impact on the privacy of Canadians. The OPC's independent oversight role generates public trust and credibility for organizations that are working to improve their personal information-handling practices. Such public trust is the cornerstone to the success or failure of many multi-million dollar government initiatives. Another contribution that the OPC makes is to strengthen organizations' understanding of privacy issues. Increased privacy awareness within organizations works to the advantage of the organization and Canadians, by reducing areas of conflict and disagreement.

Although the Commissioner has the same powers with respect to audits that are available for privacy investigations, for example, to summon witnesses, administer oaths, and compel organizations to produce evidence, these powers would only be used as a last resort.

In its work to safeguard Canadians' right to privacy, the OPC's compliance reviews and audits rely upon various investigative and analytical techniques to measure privacy compliance and to develop recommendations:

  • Research of public and specialized source information
  • Review of OPC files related to the institution
  • Review of relevant statutes, regulations and jurisprudence
  • Obtain legal advice when necessary
  • Review of organization's administrative policies and practice documents
  • Review of organizational structure and delegation of authority
  • Review of information systems
  • Review of security systems to protect personal information
  • Review of random sample of files containing personal information
  • Structured interviews with front line and management staff based on fair information principles

As per the OPC's 2002-2003 Report on Plans and Priorities, we continue to improve our internal policies and procedures with relation to monitoring and profiling the personal information management practices of organizations.

Following are a few brief examples of compliance reviews conducted by the OPC's Privacy Practices and Reviews Branch:

Firearms Program

The Firearms Act requires the collection of a large amount of highly sensitive personal information about Canadians. The OPC continues to receive complaints from some of the 2.3 million firearm owners in Canada and from some Members of Parliament. Over the past year, the OPC has been conducting an ongoing review of the personal information-handling practices of certain aspects of the Firearms Program to ensure that they were meeting their obligations to protect Canadians' personal information and has been consulting with the office of the Solicitor General of Canada to ensure that any changes to the program do not impact negatively on the privacy rights of Canadians.

Review of post-September 11th initiatives

In the fall of 2001, the Government of Canada introduced a series of anti-terrorism measures in response to the tragedy of September 11, 2001. The Budget of December 2001 provided funding of $7.7 billion over the following five years for specific departmental initiatives to combat terrorism. Many of these initiatives could involve an impact on the privacy of Canadians' personal information, due to the collection, use and disclosure of sensitive personal information.

A survey of Post-September 11th initiatives was conducted by OPC in 2002 to determine which initiatives represented potential privacy risks to Canadians. The OPC conducted reviews of the Communications Security Establishment, Canadian Security Intelligence Service and the Royal Canadian Mounted Police in order to review the institutions' collection, use, retention, disposal of and disclosure of Canadians' personal information and to determine if any of the initiatives or changes limit or infringe on Canadians' privacy.

Although these reviews are ongoing, they have provided an excellent opportunity for OPC to promote privacy protection within these organizations and to verify the impact of law enforcement and intelligence operations on the privacy rights of Canadians. As many initiatives are in the implementation stage, it is an important and effective time to discuss privacy enhancements with these institutions where appropriate.

Immigration and Refugee Board Compliance Review (update)

In July 2003, the Immigration and Refugee Board (IRB) provided the OPC with an update on its follow-up to the compliance review completed in April 2002. Along with its response, the IRB submitted a work plan listing our recommendations, the responsibility centres, the estimated timeframes, the proposed action plan and a completion date for the implementation of each of the 64 recommendations that we made in our compliance review report.

The IRB has agreed to provide the OPC with a more comprehensive update in the Fall of 2003. The OPC will also follow up on the implementation of the report's recommendations.

Canadian Nuclear Safety Commission Compliance Review (update)

In October 2002, the Canadian Nuclear Safety Commission (CNSC) provided the OPC with its initial plan to implement the recommendations made in an OPC compliance audit in March 2002. Of the 49 detailed recommendations, CNSC has responded and agreed to corrective action to 14 in its "short term action plan." By August 2003, the CNSC had implemented all the corrective action mentioned in its "short term action plan".

CNSC found it necessary to hire an outside consultant to re-vamp its security and classification system and to provide training to its staff before it could take corrective actions pertaining to several of the remaining 35 recommendations. CNSC will respond to the remaining recommendations in its "mid-term" and "long-term action plan" in the Fall of 2003. It is anticipated that some resolutions related to information technology may take up to three years to implement.

The OPC will continue to monitor the progress of implementation.

Assessments of Human Resources Development Canada Databank Review Committee Submissions

The 2000-2001 Departmental Performance Report described how, under mounting public pressure, Human Resources Development Canada (HRDC) made the decision to dismantle the Longitudinal Labour Force File and to implement a review process and a governance protocol for all policy analysis, research and evaluation activities involving the connection of separate databanks. This review process involved consultation with the OPC to examine such projects.

In the 2002-2003 fiscal year, comments have been provided on an additional 10 HRDC data match submissions, including the projects concerning unemployment in the fishing industry, community employment, Canada Pension Plan Disability Vocational Rehabilitation, student loans and employed truck drivers among others.

The OPC has continued to customize its assessment tool to facilitate timely reviews of the HRDC submissions. The tool ensures that the reviews are thorough and that the principles of fair information practices as specified in the Privacy Act are respected. As a result of OPC's reviews, HRDC has improved the wording of its contracts with third parties to ensure that it clearly states that personal information remains under the department's control and subject to the protections of the Privacy Act.

Audits under the PIPED Act

Section 18 of the PIPED Act also provides the authority to carry out audits of personal information management practices in the private sector if there are "reasonable grounds to believe" that a private sector organization is contravening a provision of the Act. During 2002-2003, no private sector audits were undertaken because no matter had been brought to the attention of the Commissioner that would constitute reasonable grounds for an audit.

Other advice to government institutions and private sector organizations

The OPC also provides informal assistance and advice to numerous government institutions and private sector organizations on the importance of safeguarding the privacy rights of Canadians and the privacy implications of their initiatives. OPC has been involved in consultations with organizations such as: Equifax, Canadian banks, pawnbrokers, Elections Canada, the Department of Justice, Public Works and Government Services Canada, Indian and Northern Affairs and the RCMP.

The OPC's advice has led to changes such as:

  • increased privacy accountability within organizations;
  • limiting the collection of personal information to that which is strictly necessary;
  • stricter safeguards limiting access to and the use of personal information based on the need to know principle; and
  • improvements to the security measures used to protect personal information.

Privacy Impact Assessments

In April 2002, Treasury Board launched the Government of Canada's new Privacy Impact Assessment (PIA) Policy, which took effect on May 2, 2002. Under the PIA Policy, federal government departments and agencies must conduct PIAs on all new government initiatives that involve the collection, use and disclosure of personal information. The Policy's objective is to demonstrate the Government of Canada's commitment "to protecting the personal information of Canadians" by ensuring that "privacy principles are being taken into account when there are proposals for, and during the design, implementation and evolution of programs and services..."

To ensure a comprehensive and current understanding of the privacy implications inherent in proposed or redesigned programs and services, the Policy requires that government institutions furnish a copy of all PIAs conducted to the Privacy Commissioner of Canada for review and comment. The Policy further states that, at the Privacy Commissioner's discretion, the Commissioner may "provide advice and guidance to institutions and identify solutions to potential privacy risks."

In response to the Privacy Commissioner's new duty under the Policy to receive and review PIA submissions from departments and agencies, the Commissioner created a sub-division within the Privacy Practices and Reviews (PP&R) Branch dedicated to assessing PIA reports and providing expert advice to departments and agencies on how to best realize the Policy's core objectives. The PIA Division currently possesses a staff complement of four, comprised of a Director, a Project Officer, and two Project Review Officers. Two other Project Review Officers from the PP&R Branch have recently been called on to assist in handling the mounting volume of reports the Division is now receiving.

During 2002-2003, the PIA Division has received 33 final PIAs, that is to say reports submitted with the approval of the head of a government institution, 9 of which have run the full review and consultation process, culminating in the Commissioner's conveyance of satisfaction that the privacy risks associated with each project have been identified and adequately addressed. In addition to final PIAs, the OPC has received 13 Preliminary Privacy Impact Assessment (PPIA) reports. PPIAs are, for the most part, draft PIAs submitted to the OPC for review and comment before being sent to the departmental head for approval and official submission to the OPC.

In almost every submission received to date, the OPC has identified omissions or oversights that have required remedial attention. The OPC's recommendations have resulted in design modification to systems and changes to information management practices that have substantially improved their compliance with established privacy principles, hence ensuring that Canadians' privacy rights will ultimately be safeguarded by these projects.

For example, in the case of Citizenship and Immigration Canada's on-line status query service (E-CASQ) the Privacy Commissioner recommended that clients wishing to benefit from the service should be advised of the risks of using shared computers and of the tools that individuals can use to minimize their exposure to privacy invasion. The Commissioner's recommendation was accepted, resulting in modifications to the information kit sent to clients wishing to register with the service.

Similarly, in the case of Treasury Board's own Government On-Line (GOL), Secure Channel, Build 3, Load 2 project, consultations with the OPC resulted in modifications to the implementation plan that, in the opinion of the Privacy Commissioner, have contributed to a system and service significantly more compliant with established privacy principles. Build 3 Load 2 will allow individuals to change their mailing address for income tax reporting purposes on-line and constitutes the first GOL application that will make full use of the Public Key Infrastructure (PKI) certificate service.

Given the newness of the PIA Policy, omissions and oversights in the preparation of PIA reports are to be expected. That said, there is clear evidence that departments are taking their responsibilities under the Policy seriously, and that consultations with the OPC are producing tangible results. Consequently, during his appearance before the Standing Committee on Government Operations and Estimates of the House of Commons on September 22, 2003, the Interim Privacy Commissioner recommended that Parliament consider amending the Privacy Act to give the PIA Policy the force of law.

In sum, in 2002-2003 the OPC has fulfilled its mission to perform compliance reviews and audits, and has also actively participated in the PIA process, and by so doing, has assisted organizations in applying both the Privacy Act and PIPED Act for the benefit of Canadians, in order to further safeguard their privacy rights.

STRATEGIC OUTCOME 3 - Increasing public awareness and understanding of privacy issues

Context and background

The government has demonstrated its recognition of the importance of, and a commitment to, proper privacy protection mechanisms in Canada with the establishment of federal privacy laws in the public, and now the private, sectors, as well as with its new Privacy Impact Assessment (PIA) Policy for government projects and programs, described earlier in this report.

The post-September 11th environment has a strong influence on the OPC's communications approach. Through public awareness activities, the OPC has been informing Canadians of the need for an appropriate balance between privacy and security, and encouraging governments and organizations to rethink the privacy-invasiveness of some of their initiatives.

Businesses in Canada are gearing up for the implementation of the PIPED Act on January 1, 2004. Many of these businesses and organizations have questions or concerns about the effect that the Act will have on their industry. The Privacy Commissioner is specifically mandated under the PIPED Act to conduct public education activities to deal with these issues. The OPC has undertaken some communications activities to respond to this need, but clearly much more work on public education is required to ensure that businesses are aware of their responsibilities, and Canadians are aware of their rights, under the new law.

It is important to note that the focus of the former Commissioner (Mr. Radwanski) on public sector issues had a negative impact on the OPC's ability to achieve objectives related to private sector issues and to maximize its reach to citizens and businesses on the important issue of the pending PIPED Act at such a critical time - before its full implementation.

Resources

The resources used in 2002-2003 for Strategic Outcome #3: Increasing public awareness and understanding of privacy issues are approximately $3.5 million and funded activities in the Communications Division, the Strategic Research and Analysis Division, and the Inquiries Unit. This total also includes some related expenses shared by the Branches. There was a total of 23 staff in the Communications and Policy Branch - a Senior Director General for the Branch and her executive assistant; as well as five employees in the Communications Division including a director, communications advisors and administrative support; nine employees in the Strategic Research and Analysis Division including a director, policy analysts and administrative support; and nine employees in the Inquiries Unit including a manager, inquiries officers and administrative support.

The Interim Commissioner is reviewing the mandate, structure and resources of this division so as to refocus efforts on education and more effective communications and outreach initiatives.

Outcomes achieved

The Communications and Policy Branch has worked to conduct research, generate public discussion and help to raise awareness of a number of important national privacy issues. In addition to this, other branches of the OPC, such as the Investigations Branch and the Privacy Practices and Reviews Branch, have contributed to increased awareness of privacy rights and obligations.

The former Commissioner (Mr. Radwanski) and other OPC officials made use of speaking engagements and special events in order to raise awareness of federal privacy laws and a variety of other privacy issues among Canadians, businesses and associations. Over the period of this Report, the OPC received close to 150 requests. The former Commissioner and other senior staff delivered more than 49 speeches, reaching thousands of event participants. Many of these speeches focused either on the importance of balancing privacy and security issues in a post-September 11th environment, or on gearing up for the PIPED Act. It is important to note that speaking engagements - particularly the domestic and international travel and hospitality costs associated with the speaking engagements of the former Commissioner (Mr. Radwanski) - were the subject of intense scrutiny by and concern from the Standing Committee on Government Operations and Estimates of the House of Commons, as well as the report of the Office of the Auditor General. The speaking engagements strategy is under review.

Media relations activities played a significant role in helping to generate an effective public debate and discussion on important national privacy issues in 2002-2003, such as the CCRA "Big Brother" database of Canadians' air travel patterns, biometric national identity cards, and other proposed anti-terrorism and security measures. During the 2002-2003 fiscal period, the OPC issued 25 news releases and media advisories, granted hundreds of media interviews and also responded to hundreds of media requests for information. This work generated significant media coverage of privacy issues, and ultimately very supportive editorials and columns on key issues in major daily newspapers, reaching Canadians across the country and around the world. Much of this media relations work focused on public sector issues, as opposed to concerns of the private sector. Much more work must be done to utilize media relations activities as a cost-effective means of reaching out to Canadian businesses, through targeted media, to help them get ready for the implementation of the Act. Plans are underway for targeted media relations activities of this nature in the Fall/Winter 2003.

During the 2002-2003 fiscal year, the OPC also continued its publications program. Material, including two guides to the PIPED Act - one for businesses to help them understand their obligations and another for citizens to help them understand their rights under the Act - as well as fact sheets, bookmarks, posters, etc. are available in hard copy upon request and available on the OPC Web site. During this period, the OPC disseminated more than 23,000 copies of these educational materials to better inform Canadians, businesses and associations.

As mentioned above, all of the OPC's materials are available on the Web site and traffic has been increasing steadily. Over the period of this report, there was an average of approximately 50,000 visits to the Web site per month. Among the key sections accessed on the site was the business guide, an indication that businesses are looking to the OPC for information to help them gear up for the implementation of the PIPED Act. Anecdotal evidence suggests that this guide has been well received by this audience, although there is currently no statistical evidence to substantiate this claim. The OPC plans to build benchmarks and evaluation mechanisms into its communications activities in the future, in order to better evaluate their effectiveness.

In order to further raise public awareness and understanding of privacy issues, and to respond to a demand for more information on this subject, the OPC's Inquiries Unit responds to inquiries from the general public, government institutions and private sector organizations who contact the OPC on a wide variety of privacy-related issues. The OPC responds to thousands of inquiries per month from individuals who contact the OPC for advice and information on a variety of issues related to personal privacy - issues that are becoming increasingly multifaceted and complex in nature.

The OPC's Strategic Research and Analysis Division also provides a significant contribution to public awareness initiatives. This division serves as a centre of expertise on privacy issues in Canada and abroad. It is responsible for researching trends, providing analysis on key issues, and developing policies and positions that advance the protection of the privacy rights of Canadians. In the 2002-2003 period, the Division provided this expertise to the Commissioner and the OPC, supporting a number of activities which helped to raise awareness and understanding among Canadians of privacy issues, including consultations with key stakeholders, providing expertise and content for speeches, developing positions on a variety of issues, and creating material for appearances before House of Commons and Senate committees, etc. Under the former Commissioner (Mr. Radwanski), this Division did not focus sufficiently on policy and primary research. The OPC plans to reinvigorate the activities of this Division in this regard - activities which will also have an impact on public awareness initiatives, and other important initiatives within the OPC.

Earlier in this section, we mention that other Branches, such as the Investigations Branch and the Privacy Practices and Reviews Branch, have also contributed to raising awareness of privacy issues. During the course of investigations, for example, our interaction with officials in the respondent departments and organizations serves to educate them on the principles of individual privacy rights and on their own obligations and responsibilities to adhere to the requirements of federal privacy laws. Through this, we help to strengthen organizations' understanding of privacy issues. Increased privacy awareness within organizations in this manner works to the advantage of the organization and Canadians, by reducing areas of conflict and disagreement.

In sum, in 2002-2003 the OPC conducted a series of activities to increase public awareness and understanding of privacy issues. In our view, however, the OPC did not fully meet expectations in this regard - particularly the expectations of the business community. As well, Canadians did not receive full value for money spent in this regard. Much more work needs to be done in order to help Canadian businesses understand their obligations and responsibilities, and citizens their rights, under Canada's new private sector privacy law.

Section IV - Government-Wide Initiatives

This section of the Report provides an update regarding the OPC's activities in the 2002-2003 period as they relate to two government-wide initiatives - the Government On-Line Initiative and Modern Comptrollership.

It is important to note that, because of the small size of this organization, the fact that it does not have significant assets and equipment, and because of the nature of the organization - often working at arm's length from government - the OPC has not been in a position to contribute to a number of government-wide initiatives and the content in this section is therefore limited.

Government On-Line

In the 2002-2003 period, the OPC made a significant contribution to the Government On-Line (GOL) Initiative. In April 2002, the Treasury Board launched a new policy whereby new and existing programs and services, including and especially important for the GOL programs, must now undergo a Privacy Impact Assessment (PIA) - in effect, a feasibility study from a privacy perspective. In addition to working with Treasury Board on the policy, the OPC has developed a process whereby it reviews all PIAs and offers comments to departments and agencies at the early stage of program development, to help ensure that these programs and services are respectful of Canadians' privacy rights.

The OPC has also conducted an analysis and recognizes, however, that there are elements of its communications (i.e., the Web site), which do not fully meet the standards of the Common Look and Feel Program. This is an area the OPC is looking to address in the future, resources permitting.

Modern Comptrollership

In the 2002-2003 period, the OPC committed to the Treasury Board's Modern Comptrollership initiative. The OPC has completed the Modern Comptrollership capacity assessment. The audit reports of the Auditor General and the Public Service Commission clearly identify serious deficiencies in financial and human resource management. The OPC concurs with the findings in these reports. The OPC is committed to the Modern Comptrollership Initiative and will use the Modern Comptrollership framework as the basis for the action plans that will flow from the recommendations of the OAG and PSC audits. The corrective measures implemented will comply and dovetail with the Modern Comptrollership initiative.

Section V - Financial Performance

Financial Performance Overview

In the OPC's 2002-2003 Report on Plans and Priorities (RPP), planned spending was indicated as $11.2 million. Through Supplementary Estimates and Treasury Board Vote 5, 10 and 15, the OPC received an additional amount of $0.7 million, for total authorities amounting to $11.9 million.

Actual spending for the 2002-2003 fiscal year amounted to $12.2 million. The result is an over-expenditure of the OPC's total authorities in the amount of $234,000.

Over-expenditure

The OPC exceeded its appropriations by $234,000 due to the following:

  • Changes in accounting practices, in order to be consistent with the principles of accrual accounting in the federal government; and
  • Travel, hospitality and communications expenditures.

Financial Summary Tables

The tables in this section contain summaries of financial information under three headings:

  • Planned Spending - the planned spending at the beginning of the fiscal year as set out in the 2002-2003 Estimates - Report on Plans and Priorities;
  • Total Authorities - the level of spending authorized by Parliament, including the Supplementary Estimates and transfers from Treasury Board (Votes 5, 10 and 15), to take into account the development of priorities, increased costs and unanticipated events; and
  • Actual Spending - the amounts actually spent in the 2002-2003 fiscal year as indicated in the Public Accounts.

Table 1: Summary of Voted Appropriations

The following table indicates the level of spending authorized by Parliament, including the Supplementary Estimates and other authorities.

The difference between planned spending and total authorities can be explained mainly by the additional appropriations received in the fiscal year. (see note below)

Financial Requirement by Authority
($ millions)

| Vote | | 2002-2003 Total Planned Spending | 2002-2003 Total Authorities | 2002-2003 Total Actual Spending |
|---|---|---|---|---|
| | Office of the Privacy Commissioner | | | |
| 45 | Operating Expenditures | 9.3 | 10.4 | 10.7 |
| | Grants and Contributions | 0.5 | 0.0 | 0.0 |
| (S) | Contributions to Employee Benefit Plans | 1.4 | 1.5 | 1.5 |
| | Total Department | 11.2 | 11.9 | 12.2 |

Note: Total authorities are:

  • Main Estimates - $9.8M
  • Supplementary Estimates B - $0.3M
  • TB Vote 5 - $0.2M
  • TB Vote 15 - $0.3M
  • TB Vote 10 - $0.1M
  • Contributions to Employee Benefit Plans - $1.5M and
  • reduced by a transfer to the Office of the Information Commissioner (Vote 40) - $(0.2M)

Table 2: Comparison of Total Planned Spending to Actual Spending

The following table indicates, in detail, the allocation of total planned spending, the authorities (in italics) and actual spending (in boldface) for 2002-2003, by business line and the nature of the spending. The differences between planned spending and total authorities by business line can be explained mainly by the additional appropriations received in the fiscal year (see note below).

Departmental Planned versus Actual Spending by Business Line
(millions of dollars)

| Business Lines | FTEs | Operating | Capital | Grants & Contributions | Total Gross Expenditures | Less: Respendable Revenues | Total Net Expenditures |
|---|---|---|---|---|---|---|---|
| Protection of Personal Information - Federal Public Sector | | | | | | | |
| Planned Spending | 45 | 3.9 | - | - | 3.9 | - | 3.9 |
| Total Authorities | | 4.6 | - | - | 4.6 | - | 4.6 |
| Total Actual Spending | 40 | 5.2 | - | - | 5.2 | - | 5.2 |
| Protection of Personal Information - Private Sector | | | | | | | |
| Planned Spending | 45 | 5.5 | - | 0.5 | 6.0 | - | 6.0 |
| Total Authorities | | 5.8 | - | - | 5.8 | - | 5.8 |
| Total Actual Spending | 40 | 5.6 | - | - | 5.6 | - | 5.6 |
| Corporate Services | | | | | | | |
| Planned Spending | 15 | 1.3 | - | - | 1.3 | - | 1.3 |
| Total Authorities | | 1.5 | - | - | 1.5 | - | 1.5 |
| Total Actual Spending | 23 | 1.4 | - | - | 1.4 | - | 1.4 |
| Total Cost | | | | | | | |
| Total Planned Spending | 105 | 10.7 | - | 0.5 | 11.2 | - | 11.2 |
| Total Authorities | | 11.9 | - | - | 11.9 | - | 11.9 |
| Total Actual Spending | 103 | 12.2 | - | - | 12.2 | - | 12.2 |
| Costs of Services Provided by Other Departments | | | | | | | |
| Total Authorities | | | | | | | 1.1 |
| Total Actual Spending | | | | | | | 1.1 |
| Net Cost of the Program | | | | | | | |
| Total Authorities | 105 | 11.9 | - | - | 11.9 | - | 13.0 |
| Total Actuals | 103 | 12.2 | - | - | 12.2 | - | 13.3 |

Note: Total authorities are:

  • Main Estimates - $9.8M
  • Supplementary Estimates B - $0.3M
  • TB Vote 5 - $0.2M
  • TB Vote 15 - $0.3M
  • TB Vote 10 - $0.1M
  • Contributions to Employee Benefit Plans - $1.5M and
  • reduced by a transfer to the Office of the Information Commissioner (Vote 40) - $(0.2M)

Table 3: Historical Comparison of Total Planned Spending to Actual Spending

The table below gives an historical overview of spending by business line. It also includes a comparison between total planned spending for 2002-2003 and actual spending in the Public Accounts.

Historical Comparison of Departmental Planned versus Actual Spending by Business Line
($ millions)

| Business Line | Actual 2000-2001 | Actual 2001-2002 | 2002-2003 Total Planned Spending | 2002-2003 Total Authorities | 2002-2003 Total Actual Spending |
|---|---|---|---|---|---|
| Protection of Personal Information - Federal Public Sector | 7.4 | 8.8 | 3.9 | 4.6 | 5.2 |
| Protection of Personal Information - Private Sector | - | 0.6 | 6.0 | 5.8 | 5.6 |
| Corporate Services | 1.9 | 2.0 | 1.3 | 1.5 | 1.4 |
| Total | 9.3 | 11.4 | 11.2 | 11.9 | 12.2 |

Note: Total authorities are:

  • Main Estimates - $9.8M
  • Supplementary Estimates B - $0.3M
  • TB Vote 5 - $0.2M
  • TB Vote 15 - $0.3M
  • TB Vote 10 - $0.1M
  • Contributions to Employee Benefit Plans - $1.5M and
  • reduced by a transfer to the Office of the Information Commissioner (Vote 40) - $(0.2M)

Accrual Based Financial Statements

Over the past several years, as part of the Financial Information Strategy, the Receiver General for Canada and departments have worked to put in place new financial information systems and to acquire the accounting expertise required to implement full accrual accounting. Overseeing this initiative, the Treasury Board Secretariat also developed the necessary accounting policies and training programs to implement full accrual accounting government-wide.

National and international accounting standards bodies, and the Auditor General, strongly support full accrual accounting. It is the accounting practice already used by many provinces and by foreign governments such as the United States, Australia and New Zealand. Under full accrual accounting, an entity's financial statements provide a more comprehensive and up-to-date picture of its financial situation and better reflect the impact of economic events and decisions made during the fiscal year. Better information means improved transparency and accountability.

At a government-wide level, Budget 2003 was prepared on a full accrual basis and the 2002-2003 summary financial statements, presented in the Public Accounts, are also on a full accrual basis.

Publication of accrual-based financial statements in Departmental Performance Reports is being phased in for departments and agencies. Departmental corporations began presenting accrual-based financial statements in Volume II Part II of the 2001-2002 Public Accounts of Canada.

In 2003-2004, the Office of the Privacy Commissioner will report accrual financial statements based on generally accepted accounting principles.

Section VI - Supplementary Information

1. Legislation Administered by the Privacy Commissioner

The Privacy Commissioner has an oversight responsibility to Parliament for the:

  • Privacy Act: R.S.C., 1985, ch. P21, amended 1997, c. 20, s. 55
  • Personal Information Protection and Electronic Documents Act: 2000, c.5

2. Statutory Annual Reports and Other Publications

The Commissioner's annual reports on privacy issues are available on the Commissioner's Web site.

  • Privacy Commissioner's 2002-03 Annual Report. Ottawa: Minister of Public Works and Government Services Canada, 2001. Available on computer diskette and hardcopy from the Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; (613) 995-8210 and on the Office's Web site.
  • 2002-03 Estimates: A Report on Plans and Priorities. Ottawa: Minister of Public Works and Government Services Canada, 2001. Available through local booksellers or by mail from Public Works and Government Services - Publishing, Ottawa, Canada K1A 0S9.
  • 2003-04 Estimates: A Report on Plans and Priorities. Ottawa: Minister of Public Works and Government Services Canada, 2001. Available through local booksellers or by mail from Public Works and Government Services - Publishing, Ottawa, Canada K1A 0S9.
  • Office of the Privacy Commissioner of Canada Web site: www.privcom.gc.ca

3. Contact for Further Information

Anne-Marie Hayden
Director, Communications
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112 Kent St., Suite 300
Ottawa, Ontario
K1A 1H3

Telephone: (613) 995-0103
Facsimile: (613) 995-1139

 

 