RPP 2004-2005
Offices of the Information and Privacy Commissioners

Section I:

• Privacy Commissioner's Message
• Management Representation Statement

Section II:

• Raison d'Être

Section III:

• Planning Overview

Section IV:

• Plans and Priorities by Strategic Outcome
• Strategic Outcome 1
• Strategic Outcome 2
• Strategic Outcome 3

Section V:

• Organization
• Accountability
• OPC Planned Spending

Section VI: Annexes

• Annex 1: Summary of Transfer Payments
• Annex 2: Net Cost of Program for 2003-04

Section VII: Supplementary Information

1. Legislation Administered by the Privacy Commissioner
2. Statutory Annual Reports and Other Publications
3. Contact for Further Information

Office of the Privacy Commissioner of Canada's
Report on Plans and Priorities

I am pleased to submit my Office's Report on Plans and Priorities for the fiscal period April 1, 2004 to March 31, 2005.

Jennifer Stoddart
Privacy Commissioner of Canada

SECTION I: Privacy Commissioner's Message

This Report on Plans and Priorities--the work and planning which must go into such an important document--is a welcome and unique opportunity for the Office of the Privacy Commissioner of Canada (OPC). After having undergone a particularly difficult period in its history, it is an opportunity for me, as the new Commissioner, to work with the Office and its staff to identify new priorities. It is an opportunity for a more open and consultative approach to organizational planning. And, most importantly, it is an opportunity to identify new strategic directions and approaches to the way the OPC does business in order to carry out activities for the benefit of Canadians in the most efficient and effective manner possible.

Establishing priorities

I assumed the role of Privacy Commissioner of Canada on December 1, 2003 and I immediately identified a series of priorities for the Office. They include, among others:

• Helping organizations implement Canada's new private sector privacy law, which came fully into effect on January 1^st of this year;
• Monitoring government initiatives to ensure that they take into account citizens' privacy rights;
• Developing the OPC's research capabilities to track technological trends and to help Canadians understand their potential privacy encroachments; and
• Monitoring compliance with both federal privacy laws, through complaint investigations, to ensure that citizens' rights are protected.

My most immediate priority, however, has been to lead the Office's institutional renewal by strengthening its management processes, particularly as they relate to human resources and financial management -- planning, budgeting, reporting and control mechanisms. The plans for institutional renewal and the necessary corrective measures follow those established by Robert Marleau, the Interim Commissioner between July and December of 2003, and which are mentioned in the 2002-2003 Departmental Performance Report.

I have said before that without these corrective measures in place, the rest cannot work. As became clear in our planning process, the OPC must become a well-managed and efficient Parliamentary agency in order to effectively defend and protect individuals' privacy rights. I believe that we are well on our way and I anticipate that by summer of 2004, most of these legacy issues will be behind us.

A new approach to organizational planning

As part of this period of renewal we have also established a new, open and more consultative approach to organizational and strategic planning for the OPC, the outcomes of which can be found in this Report.

To begin the strategic planning process, 32 members of the OPC staff met in mid-January for a strategic planning workshop. The purpose was to develop recommendations to serve as the framework for the organization's corporate priorities and key actions for 2004-2005.

The OPC's Planning Working Group was then established to refine the agreed-upon strategic outcomes and develop strategies to flesh out each of these outcomes, which are further described in this Report.

An interim report was presented to the OPC's new External Advisory Committee, which is made up of key external stakeholders and experts, for their input. It was also shared with OPC managers, who discussed it with their staff and provided feedback on employees' comments and suggestions.

The result: a Report on Plans and Priorities for the 2004-2005 fiscal year which truly reflects the direction, the responsibilities and the views of the OPC and its employees, and which clearly sets its sights on the benefits which the OPC can bring to Canadians. This Report describes the environment in which we operate. It identifies three relatively new strategic outcomes for the OPC, and it outlines key priorities and the rationale for each, as well as performance indicators and associated costs.

I look forward to the challenges ahead, and to working with the dedicated staff of the OPC and with Parliament as we endeavour to defend and protect the privacy rights of Canadians, in 2004-2005 and in the coming years.

Management Representation Statement

I submit, for tabling in Parliament, the 2004-2005 Report on Plans and Priorities (RPP) for the Office of the Privacy Commissioner of Canada.

This document has been prepared based on the reporting principles and disclosure requirements contained in the Guide to the preparation of the 2004-2005 Report on Plans and priorities.

• It accurately portrays the organization's plans and priorities.
• The planned spending information in this document is consistent with the directions provided in the Minister of Finance's Budget and by TBS.
• Is comprehensive and accurate.
• Is based on sound underlying departmental information and management systems.

The reporting structure on which this document is based has been approved by Treasury Board Ministers and is the basis for accountability for the results achieved with the resources and authorities provided.

SECTION II: Raison d'Être

The Office of the Privacy Commissioner of Canada is mandated to oversee the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act, and within that context to protect and promote privacy.

The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate. In addition to the Privacy Commissioner, the Office has two Assistant Privacy Commissioners. Raymond D'Aoust is responsible for the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and Heather Black is responsible for the PIPEDA, Canada's new private sector privacy law.

The Commissioner is an advocate for the privacy rights of Canadians whose powers include:

• investigating complaints and conducting audits under two federal laws;
• publishing information about personal information-handling practices in the public and private sector;
• conducting research into privacy issues; and
• promoting awareness and understanding of privacy issues by the Canadian public.

The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.

Canadians may complain to the Commissioner about any matter specified in Section 29 of the Privacy Act. This Act applies to personal information held by the Government of Canada.

For matters relating to personal information in the private sector, the Commissioner may investigate complaints under Section 11 of PIPEDA.

Mediation and conciliation, with a view to corrective action if necessary, are the preferred approaches to complaint solving. The Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence if voluntary co-operation is not forthcoming. In certain circumstances, the Commissioner may take cases to the Federal Court.

SECTION III: Planning Overview

Public expectations and the demands on our Office reflect the environment in which we operate. To fulfil our mandate of promoting and protecting privacy we are expected to respond to government and private sector initiatives that raise privacy concerns. We also need to be able to respond to complaints and inquires in a timely and professional manner. However, to be effective and to fulfil our mandate, we need to do more than simply react to external initiatives and demands. To serve effectively as Parliament's window on privacy issues we also have to identify issues as they emerge and bring these issues to the attention of Parliament and policy makers. As well, we have an important role to play in terms of informing and educating the public on privacy issues. As a result, our strategic focus must reflect the environment in which we operate.

National Security, Law Enforcement and Public Safety

Over the last two to three years we have witnessed a series of government initiatives related to national security, law enforcement and public safety. Some of these initiatives were responses to the events of September 11, 2001. Although they are very different on the surface, the passage of the Anti-Terrorism Act, the introduction of the Public Safety Act, Canada Customs and Revenue Agency's creation of a database containing information on airline passengers arriving in Canada, the proposed legislation to create a national sex offender registry, the growing interest in the use of video surveillance of public places, and former Citizenship and Immigration Minister Coderre's proposal to introduce a national identity card, share certain features:

• they involve the collection, use and sharing of personal information;
• they share a common assumption that if law enforcement and national security agencies have access to more personal information about more individuals we will have a safer society; and
• they raise significant concerns from a privacy perspective.

Defending privacy in the face of apparent growing public concerns about public safety has been, and will continue to be, a challenge for this Office. We expect that the government will go forward with the initiatives mentioned above that have not yet become law. As well, we expect that there will be continuing pressure to introduce new measures related to national security, law enforcement and public safety.

Identification and Authentication

Governments and the private sector share a common belief that they need to have faster, more reliable and more secure methods to identify and authenticate individuals. This belief was front and centre in the proposal to introduce a national identity card. The issue of authentication is also central to the federal government's Government On Line initiatives. Citizenship and Immigration has introduced a new, more secure, Permanent Resident Card and we can anticipate growing interest in improving the security of our passports.

The federal, provincial and territorial governments are working together to create a coherent identity policy and uniform standards across programs and jurisdictions to improve the security of foundation documents such as birth certificates that are used for the issuance of travel and other identity documents.

In both the private sector and the public sector we are seeing growing interest in biometrics, smart cards, "e-identities" and other means of identifying and authenticating individuals. Organizations need to be able to verify that you are who you say you are, that you are entitled to the benefit being claimed and that you have not already received it. Identify theft is a real and growing problem.

These pressures to develop more reliable and new methods of identification and authentication raise a number of privacy concerns. These include the collection and use of the personal information needed to issue identification documents--information that could be used for unrelated purposes--the risk that we will be required to identify ourselves in situations where we have every right to remain anonymous; and the possibility that our day-to-day activities will be linked together to form patterns and profiles of our lives.

Over the next planning period we anticipate increasing pressure and new initiatives or proposals to improve identification and authentication of citizens in both the public sector and in the private sector. We also expect that privacy advocates and civil libertarians will increasingly resist this pressure, for example, by promoting the use of "anonymizing" and other privacy enhancing technologies. The tension between privacy and identification will increase and security considerations will get pitted against privacy considerations. This Office will need to develop a set of cogent criteria, based on fair information principles, to assess the privacy risks and opportunities of technology.

The Personal Information Protection and Electronic Documents Act

As of January 1, 2004, the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) expanded. The Act now applies to the collection, use or disclosure of personal information in the course of any commercial activity within a province, except in those provinces that have adopted substantially similar privacy legislation. To date, Quebec is the only province that has legislation dealing with personal information that has been deemed to be substantially similar.

The Act will continue to apply to personal information collected, used or disclosed by federal works, undertakings and businesses throughout Canada and it also applies to all personal information in interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

As a result of the expansion of the application of the Act, the Office workload with respect to oversight of PIPEDA is increasing significantly. We have already seen a substantial increase in the number of inquiries to our Office. Initial indications also suggest a significant increase in the number of complaints under the Act.

A major priority for the Office will be to develop the expertise to respond to complaints and inquires related to sectors of the economy that are now subject to the Act. Until January 1, 2004, the Act applied to a relatively narrow part of the economy, primarily banks, telecommunications and broadcasting companies, airlines and interprovincial transportation companies. Now the Act applies to the retail sector, manufacturing, the resource industry, the service sector and the entire financial services industry.

In addition to an increase in the number of inquires and complaints we will also need to devote resources to making individuals and organizations aware of their rights and obligations under the Act.

The combination of the increasing pressure on the protection of personal information together with the broader application of PIPEDA will have a significant impact on the obligations and workload of the Office. Responding to these challenges while fulfilling the expectations of Canadians will be the major priority of the Office during the planning period.

SECTION IV: Plans and Priorities by Strategic Outcome

As part of our commitment to be a well-managed, effective and efficient Parliamentary agency, the OPC launched a strategic planning process in January 2004. The strategic outcomes and the priorities identified below were developed and confirmed as part of this process.

Strategic Outcome 1
($ 5,344 K)

Final phase of PIPEDA

The implementation of the final phase of PIPEDA, as of January 1, 2004, will have a significant impact on this strategic outcome. PIPEDA now applies to all organizations throughout Canada which collect, use or disclose personal information in the course of commercial activities, except in those provinces that have passed substantially similar legislation.

This expansion in the scope of the Act has already started to affect our workload. The OPC received 50 per cent more complaints during the first two months of 2004 than in the comparable period of 2003. Similarly, we have experienced a dramatic increase in the number of inquiries. We expect that these trends will continue into 2004-2005.

The complaint process is central to the oversight regime for both PIPEDA and the Privacy Act. A fair, timely and resolution-oriented complaint process benefits complainants and organizations subject to the Act. For complainants, the complaint process is an important means of redress. In the case of PIPEDA, the case summaries of our findings help organizations subject to the Act understand their obligations. In addition, the complaints we receive act as an early warning system to help us identify gaps in compliance, which we can follow up with the organizations involved in order to lower the risk of future problems.

For all these reasons, ensuring the fair, effective and efficient handling of privacy inquiries and complaints will continue to be a high priority during fiscal year 2004-2005.

New approaches to dealing with investigations and inquiries

In response to the increasing PIPEDA-related workload we are introducing innovative and creative means to make our processes for handling inquiries and for carrying out investigations more effective, timelier and less administratively onerous. To help us cope with the increased volume of inquiries, we will implement an automated telephone answering application to assist in handling routine information requests. This will help free up the time of Inquiries Officers to deal with more complex requests. We are also enhancing our Web site to make a wider variety of privacy-related material available and we will direct people to it where possible.

For our investigation process, we will place increased emphasis on dealing with complaints through alternative dispute resolution as a means of resolving complaints more quickly and efficiently. We are also exploring new ways to report on the complaints we receive to make this information more useful to Canadians in terms of helping them understand their rights and obligations under PIPEDA. For instance, we are developing a set of "best practices" on selected topics, based on our findings issued to date, to assist organizations in interpreting the Act.

We are also taking a series of steps to streamline administrative aspects of our investigation process. For example, we have reduced the level of sign-offs and legal review required in certain types of complaint investigations. In addition, in 2004-2005, we will also complete the roll-out of a new caseload management system called IIA that will facilitate caseload tracking and reporting, as well as give us better tools for managing PIPEDA-related investigations.

Harmonizing our approach with the provinces

A good number of privacy investigations involve federal-provincial cross-jurisdictional issues. In order to minimize duplication of effort and maximize benefits for all Canadians, the OPC has held discussions with our provincial counterparts in British Columbia and Alberta about a harmonized approach to the handling of complaints where the complaint is against an organization in either of these provinces. (Both British Columbia and Alberta passed Personal Information Protection Acts that came into effect as of January 1, 2004.) Initiatives to harmonize the OPC's PIPEDA complaint-handling activities with those of provincial commissioners' offices will continue throughout 2004-2005.

All these process-related initiatives, taken together, will allow us to better serve the Canadian public, while managing the significant increase in workload.

Performance indicators

We will monitor our performance on an ongoing basis in conducting our investigations and issuing findings within established time frames. Equally important, we will measure the percentage of complaints that we are able to resolve satisfactorily to both parties without issuing a formal finding.

Audits, reviews and Privacy Impact Assessments

Two of the other ways that we monitor compliance with PIPEDA and the Privacy Act are through audits and reviews and by assessing the privacy impact of government initiatives.

Reflecting the increased emphasis on national security and the international fight against terrorism, our audits and reviews under the Privacy Act will focus on information sharing among federal departments and agencies and information sharing agreements with foreign governments. Predicting audit activities under PIPEDA is more difficult because the Act stipulates that the Privacy Commissioner must have reasonable grounds to believe that an organization is contravening the law before initiating an audit.

In 2002, Canada became the first country in the world to make privacy impact assessments (PIAs) mandatory for all federal departments and agencies. The Treasury Board's PIA policy is intended to protect the privacy of Canadians in all transactions with the government by ensuring that privacy considerations are built into government projects at the outset. Assessing the privacy impact up-front helps assist managers and decision-makers avoid or mitigate privacy risks and promote fully informed policy, program and system design choices.

While the OPC supports the goals and objectives of the PIA policy, there are significant resource implications which need to be addressed. The Office was never funded by the Treasury Board to provide expert advice to government departments as they seek to comply with the policy. Resource constraints and competing priorities are forcing the OPC to re-examine its role in relation to PIAs. Discussions with the Treasury Board Secretariat to clarify service expectations and resource requirements will be undertaken.

Strategic Outcome 2
($ 2,442 K)

Bringing privacy issues to the attention of Parliament

As an independent Officer of Parliament, the Privacy Commissioner of Canada has a special relationship with Parliament.

Acting as Parliament's window on privacy issues primarily involves bringing issues to the attention of Parliament that have an impact on the privacy rights of Canadians, more accurately on the protection of their personal information. We do this in a number of ways: by tabling our Annual Report with Parliament; by appearing before House and Senate committees to comment on the privacy implications of proposed legislation and government initiatives; and by identifying issues that we believe should be brought to Parliament's attention.

Acting as Parliament's window also involves serving as the medium through which Parliament can become better informed about privacy issues. In this role, the OPC acts as a resource or centre of expertise on privacy issues. This includes responding to a significant number of inquiries and letters from Senators and MPs.

Establishing a Parliamentary liaison function and enhancing policy expertise

Achieving this strategic outcome requires that we will have to enhance our processes and skills needed to monitor and interact with Parliament, including MPs and Senators, their assistants, and Parliamentary Committees. Creating a liaison unit to improve our relationship with Parliament will be a priority during 2004-2005. In addition to providing us with parliamentary affairs expertise, this unit will also liaise with other external stakeholders such as Provincial/Territorial Privacy Commissioners and Privacy Commissioners from other countries.

We also need to enhance our policy expertise to provide sound advice to Parliament and to be recognized by Parliament for our expertise. We plan to identify potential partners and sources of external expertise to augment our internal policy and research capabilities. In addition, we will strengthen our own internal research capacity, with particular focus on the impacts of technology on privacy, through the addition of resources with this expertise.

We recognize that to act as an effective Officer of Parliament we need to have good working relationships with federal departments and agencies. Identifying and raising privacy concerns when government initiatives are being developed rather than waiting until they reach Parliament increases the possibility that these concerns will be taken into account.

Performance indicators

We will assess our performance for this strategic outcome by tracking the number of times the Commissioner and Assistant Commissioners are asked to appear before Parliamentary Committees, meetings with MPs and Senators, inquiries from Parliamentarians and expressions of support for OPC positions from MPs and Senators.

Strategic Outcome 3
($ 3,577 K)

Reaching out to individuals and organizations

In broad terms, this strategic outcome will have two main thrusts: to help citizens and organizations understand their rights and obligations under the two laws that we oversee; and to make Canadians aware of emerging technologies and initiatives that have or could have an impact on their privacy. This second thrust has been particularly important since September 11, 2001.

In the post-September 11^th environment in which we find ourselves, communicating with Canadians and making them aware of the privacy implications of the government's attempts to respond to this new face of terrorism is critically important. Ensuring that our privacy rights are not needlessly sacrificed in the interests of national security is more important and more challenging than ever before. The OPC has a critical role to play in informing Canadians of these critical issues, and in reminding the government of the fundamental importance of privacy.

In order to ensure a smooth roll-out of the last phase of the implementation of PIPEDA, communications activities will also be critical to ensuring that the business community in Canada is fully aware of its obligations under Canada's new private sector privacy law. Continued efforts will also be required to ensure that individuals are made aware of their privacy rights.

A more strategic approach to public education and communications

Moving forward, we propose to take a more strategic and focussed approach to our communications and public education activities. This will require identifying who our audiences are, assessing their needs, and developing programs and materials to meet these needs.

We communicate with Canadians in a number of ways. For example, we make information available on our Web site; we participate in media interviews; and we have produced two publications--a guide for businesses and organizations, and another for individuals--to help Canadians and organizations understand PIPEDA. The Commissioner and senior staff speak frequently at conferences, workshops and other venues to diverse audiences. We respond to thousands of inquiries annually.

Establishing a contributions program

We recognize that we need partners in our goal of fostering an understanding of privacy rights and obligations. We propose to establish a contribution program to assist the OPC in its efforts to protect personal information and foster public awareness and understanding of privacy rights. More specifically, the program will capitalize on existing research expertise and capability; build links with researchers, voluntary organizations, academics and our provincial counterparts; and encourage the development of privacy expertise. We also anticipate that the organizations and individuals who receive contributions will have their own methods of disseminating the results of their research.

Performance indicators

We measure our performance for this strategic outcome in a number of ways. We track traffic to our Web site and we monitor the number of inquires we receive and their subject matter. We carefully assess requests for public appearances by the Commissioner and other staff members in order to ensure that we are reaching a variety of audiences in all regions of the country. In addition, we conduct media analyses to provide a qualitative assessment of the impact of OPC initiatives. During 2004-2005 we will review our performance indicators for each of our strategic outcomes, and using the Treasury Board's suggested methodology, a results chain performance measurement approach, consider how to best assess our progress and our level of achievement.

SECTION V: Organization

The Office of the Privacy Commissioner of Canada was created under the Privacy Act, which came into force on July 1, 1983.

In order to meet its objectives and provide Canadians with the established strategic outcomes, the Office organized its activities around the following business lines:

• Protection of personal information -- federal public sector
• Protection of personal information -- private sector
• Corporate services

The protection of personal information -- federal public sector business line focuses on all activities related to the administration of the Privacy Act.

The protection of personal information -- private sector business line focuses on all activities related to the administration of PIPEDA.

The corporate services business line focuses on all activities related to the administrative support of the Office.

Although we have presented the federal public sector and private sector as two separate business lines, the reality is that several of the activities underlying these two business lines are often common to both, to varying degrees. Also, Corporate Services does not exist as an end to itself, but rather as a set of support services for the OPC's main program activities. To better reflect our focuses and how the OPC operates in practice, in next year's Report on Plans and Priorities, we plan to revisit our Program Activity Architecture and how we account for resource utilization.

($ Thousands)

The amounts shown above include contributions to the Employee Benefits Plan (EBP), which are non-discretionary expenditures for the Office.

Accountability

Following is the organizational structure of the OPC, as of March 2004.

Click image to enlarge

(1) The Privacy Commissioner is an Officer of Parliament appointed by the Governor-in-Council following approval of her nomination by resolution of the Senate and the House of Commons. The OPC is designated by Order-in-Council as a department for purposes of the Financial Administration Act. As such, it is established under the authority of schedule 1.1 of the Financial Administration Act and reports to Parliament for financial administration purposes through the Minister of Justice. The Privacy Commissioner is accountable and reports directly to Parliament on all results achieved.

Resources, financial and Full-Time Equivalents (FTEs), required by the Office to attain its results represent the following; additional details are included in annexes.

Click image to enlarge

The decrease in funding and FTEs beginning in 2005-2006 reflects the government's plan to review the protection of personal information -- private sector business line. Funding for this business line was originally provided in 2000-2001 with the introduction of PIPEDA. At that time, the ongoing resource requirements could not be satisfactorily determined considering the uncertainty of the impact of PIPEDA on the Office's activities. This review of funding requirements was originally intended to be completed in 2003-2004, but was postponed due to the organizational renewal which was required following problems highlighted in the Auditor General's September 2003 report regarding the OPC. In the meantime, the planned spending in 2004-2005 for PIPEDA is 6.7 million.

The Office will work with TBS in 2004-2005 to re-establish an appropriate ongoing financial framework as of April 2005.

The Privacy Commissioner of Canada reports directly to the House of Commons and to the Senate. The Commissioner is supported by two Assistant Privacy Commissioners. One Assistant Privacy Commissioner is responsible for PIPEDA, while the other Assistant Privacy Commissioner is responsible for the Privacy Act.

Investigations and Inquiries

The Investigations and Inquiries Branch reports directly to the Privacy Commissioner. The Branch is responsible for investigating, on behalf of the Commissioner, complaints received from individuals under Section 29 of the Privacy Act and Section 11 of PIPEDA.

Essentially, the Office's investigations serve to establish whether individuals have had their privacy rights violated and/or whether they have been accorded their right of access to their personal information. Where privacy rights have been violated, the investigation process seeks to provide redress for individuals and to keep violations from recurring.

Mediation and conciliation, with a view to corrective action if necessary, are the preferred approaches to complaint solving. The Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence if voluntary co-operation is not forthcoming. In certain circumstances, the Commissioner may take cases to the Federal Court.

To date, all complaints brought before the Commissioner have been resolved without having to use these formal investigative powers, because voluntary co-operation with investigations has been forthcoming.

The Branch's Inquiries Division responds to thousands of inquiries annually from the general public and organizations who contact the Office for advice and assistance on a wide range of privacy-related matters.

Legal Services

Legal Services, headed by the General Counsel and reporting directly to the Privacy Commissioner, provides specialized legal and strategic advice and litigation support to the Privacy Commissioner with respect to the Privacy Act and PIPEDA.

Corporate Services

The Corporate Services Branch, headed by the Office's Chief Financial Officer and reporting to the Privacy Commissioner, provides advice and integrated administrative services (finance, information technology and general administration) to managers and staff.

The Corporate Services Branch will play a lead role in a number of important initiatives linked to the OPC's goal of becoming a well-managed, effective and efficient Parliamentary agency. The most significant of these will be in spearheading the implementation of Office's Modern Comptrollership plan. This is a fundamental part of the overall Office's organizational renewal strategy. In addition, in the 2004-05 fiscal year, the Corporate Services Branch will lead, take part in or support business process redesign initiatives focused on streamlining the Office's core business processes and making them more effective.

In the Information Technology area specifically, we plan to update the Office's network infrastructure, and to acquire and implement applications in support of emerging business requirements, as resources permit. Specific proposals will be assessed on a business case basis and will be directly linked to business priorities. Moreover, some additional investment in desktop/laptop computers and standard applications for them will be required. In previous years, investment in such IT tools and applications has been limited due to other OPC priorities. This means that the Office will be in "catch up" mode to some extent over the next several years and that basic infrastructure investments will be necessary, e.g. to ensure that all the Office's staff have access to core applications.

Human Resources

Human Resources, which also reports directly to the Privacy Commissioner, is responsible for the management and delivery of comprehensive Human Resource Management programs in areas such as staffing, classification, staff relations, human resource planning, learning and development, employment equity, official languages and compensation. This includes maintaining relationships and remaining abreast of HR trends and directions with HR counterparts at the Public Service Commission, the Treasury Board Secretariat (Public Service Human Resources Management Agency of Canada), PWGSC, Privy Council Office, Commissioner of Official Languages, Bargaining Agents etc. A few key priorities for the HR Branch in the 2004-2005 fiscal year include developing an overall Strategic HR Plan, a detailed Staffing Strategy, a Learning Strategy with CCMD for all staff, enhanced HR policies and employee programs, as well as new Health Workplace initiatives.

There are also three Branches within the OPC that report to the Assistant Privacy Commissioner responsible for the Privacy Act. These include the Privacy Practices and Reviews Branch, the Research and Policy Branch, and the Public Education and Communications Branch.

Privacy Practices and Reviews

The Privacy Practices and Reviews Branch reports to the Assistant Privacy Commissioner responsible for the Privacy Act. The Privacy Practices and Reviews Branch assesses how well organizations are complying with requirements set out in two federal laws.

Following accepted standard audit objectives and criteria, the Branch conducts compliance reviews under Section 37 of the Privacy Act and audits under Section 18 of PIPEDA.

The Privacy Act permits the Commissioner to initiate a compliance review of federal institutions. PIPEDA allows the Commissioner to audit the compliance of private organisations if the Commissioner has "reasonable grounds to believe" that the organisations are contravening a provision of the Act.

Through the Privacy Commissioner, the Branch has the authority to administer oaths, receive evidence and, at any reasonable time, enter the premises where appropriate.

It also provides assistance to public and private sector organisations regarding fair information handling practices with respect to any initiative with privacy implications.

In addition to the Branch's compliance audit functions, it receives, analyses, and provides comments and recommendations on Privacy Impact Assessment (PIA) Reports prepared by federal government departments pursuant to the Secretariat of Treasury Board of Canada's Privacy Impact Assessment Policy.

The PIA policy, which came into effect in May 2002, requires federal government departments and agencies to conduct PIAs for all new programs or services that may potentially impact on individual privacy. The PIA policy further requires federal government departments and agencies conducting PIAs to consult with the OPC.

In performing its role as a source of expert advice, the Privacy Practices and Reviews Branch helps ensure that privacy risks associated with specific programs and services are properly identified and that appropriate measures are taken to mitigate those risks. As stated earlier, this role needs to be re-examined in light of resource pressures and emerging priorities.

Research and Policy

The Research and Policy Branch reports to the Assistant Privacy Commissioner responsible for the Privacy Act.

The Research and Policy Branch serves as the centre of expertise on emerging privacy issues in Canada and abroad. The Branch is responsible for researching trends, monitoring legislative and regulatory initiatives, providing analysis on key issues, and developing policies and positions that advance the protection of the privacy rights.

The Branch supports the Commissioner, Assistant Commissioners and the other branches by identifying legislation, new programs and emerging technologies that raise privacy concerns; providing strategic advice and policy options; drafting discussion and/or position papers for public consumption on issues affecting privacy; and preparing briefing material for public appearances by the Commissioner and other staff members.

An important part of the work done by this Branch involves supporting the Commissioner and Assistant Commissioners in providing advice to Parliament on legislation or government program initiatives that may impact on privacy. In doing so, the Branch works closely with other units of the OPC, namely Legal Services.

Public Education and Communications

The Public Education and Communications Branch reports to the Assistant Privacy Commissioner responsible for the Privacy Act. One of the Office of the Privacy Commissioner's key priorities is to foster understanding of privacy rights and obligations, and this Branch helps the Office to fulfil that mandate. It is important for individuals to understand their rights, and organizations their responsibilities, under both federal privacy laws.

In addition to providing strategic communications advice to the Privacy Commissioner and Assistant Commissioners, the Public Education and Communications Branch plans and implements a number of public education and communications activities on behalf of the Office, including speaking engagements and special events, media relations, advertising, the production and dissemination of promotional and educational material, the development of content for the OPC's Web site, as well as internal communications activities.

OPC Planned Spending

¹ The decrease in funding and FTEs beginning in 2005-2006 reflects the government's plan to review the Protection of personal information -- private sector business line. Funding for this business line was originally provided in 2000-2001 with the introduction of PIPEDA. At that time, the true resource requirements could not be satisfactorily determined considering the uncertainty of the impact of PIPEDA on the Office's activities. This review of funding requirements exercise was originally intended to be completed in 2003-2004 but was postponed due to the organizational renewal which was required following problems highlighted in the Auditor General's September 2003 report regarding the OPC. In the meantime, funding for PIPEDA has been approved, at its original amount, for 2004-2005 only.

The Office will work with TBS in 2004-2005 to re-establish an appropriate ongoing financial framework as of April 2005.

² Reflects the best forecast of total net planned spending to the end of the fiscal year.

³ Adjustments are to accommodate approvals obtained since the Main Estimates and include Supplementary Estimates items and transfers from TBS votes for various initiatives.

Adjustments for 2003-2004, in the amount of $673K include:

• $621K for corrective measures;
• $162K transfer from vote 5 -- Paylist shortfalls for severance and maternity
• $64K Transfer from Vote 15 -- Collective Agreements
• $60K transfer from Vote 10 -- Modern Comptrollership
• ($234K) 2002-2003 over-expenditure

Planned adjustments for 2004-05, in the amount of $6,664K include:

• $6,664K funding renewal for the Protection of Personal Information - Private Sector business line.

SECTION VI: Annexes

Annex 1: Summary of Transfer Payments

Annex 2: Net Cost of Program for 2003-2004

SECTION VII: Supplementary Information

1. Legislation Administered by the Privacy Commissioner

The Privacy Commissioner has an oversight responsibility to Parliament for the:

2. Statutory Annual Reports and Other Publications

The Office of the Privacy Commissioner of Canada's annual reports on privacy issues are available on the Commissioner's Web site.

• Privacy Commissioner's 2002-03 Annual Report. Available on computer diskette and hardcopy from the Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; tel.: (613) 995-8210 and on the Office's Web site at www.privcom.gc.ca.
• Performance Report to Parliament, for the period ending March 31, 2003. Ottawa: Minister of Public Works and Government Services Canada, 2003. Available through local booksellers or by mail from Public Works and Government Services - Publishing, Ottawa, Canada K1A 0S9.
• 2003-04 Estimates: A Report on Plans and Priorities. Ottawa: Minister of Public Works and Government Services Canada, 2003. Available through local booksellers or by mail from Public Works and Government Services - Publishing, Ottawa, Canada K1A 0S9.
• Your Privacy Rights: A Guide for Individuals to the Personal Information Protection and Electronic Documents Act. Available through the Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; tel.: (613) 995-8210 and on the Office's Web site at www.privcom.gc.ca.
• Your Privacy Responsibilities: A Guide for Businesses and Organizations to the Personal Information Protection and Electronic Documents Act. Available through the Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; tel.: (613) 995-8210 and on the Office's Web site at www.privcom.gc.ca.
• Office of the Privacy Commissioner of Canada Web site: www.privcom.gc.ca

3. Contact for Further Information

Bob Hertzog
Chief Financial Officer
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112, Kent St., Suite 300
Ottawa, Ontario
K1A 1H3

Telephone: (613) 996-5336
Facsimile: (613) 947-6850