Jennifer Stoddart
Privacy Commissioner of Canada |
The Honourable Vic Toews
Minister of Justice and Attorney General of Canada |
Section I:
Privacy Commissioner's Message
Management Representation Statement
Section II:
Raison d'Être
Overview of Resources and Priorities
Operating Environment
Internal Factors Affecting Program Delivery
External Factors Affecting Privacy
and the Office
OPC Plans and Priorities for 2006-2007
Section III:
Analysis of Program Activities by Strategic Outcome
Organizational Information
Resource Tables
Sources of Additional Information
Section I
Privacy Commissioner of Canada's Message
I am pleased to present this 2006-2007 Report on Plans and Priorities, which
sets out the strategic directions, priorities, expected results and spending
estimates for the Office of the Privacy Commissioner of Canada for the coming
fiscal year.
Privacy is important, and Parliament has signalled its relevance and importance
with the enactment of privacy laws and with the creation of this Office. Privacy
is a right seen by many as fundamental, as the bedrock to many other civic,
political, social and economic rights, including the right to autonomy, dignity
and integrity of the person.
Increasingly, there are pressing and complex issues putting Canadians' informational
privacy at risk — the willingness of government to share more and more information
in the name of national security, personal data flowing across the borders,
the pervasive use of technologies such as global positioning systems and radio
frequency identification devices (RFIDs), and the potential of publicly available
personal information being used for invasive or malevolent purposes.
In the last few years, it has been difficult for this Office to fully deliver
on its multi-faceted mandate to fully promote and protect the privacy rights
of Canadians. We do not have permanent funding to carry out our mandated activities
under the Personal Information Protection and Electronic Documents Act (PIPEDA), as PIPEDA funding was granted initially for only
three years and then renewed annually. With the coming into force of PIPEDA,
which began in 2001 and reached full implementation in 2004, we understand
that it was important to take stock before making long-term commitments. But PIPEDA has
now been in full force for two years and the pressures are increasing. Furthermore,
this Office has not had the adequate funding to deliver on our obligations
under the Privacy Act.
This past year, our Office was pleased to take part in an innovative and entirely
new process for seeking funding approval for the operations of Officers of
Parliament. We embraced the opportunity to engage Parliament in a constructive
dialogue about our funding needs. But before doing so, we certainly did our
homework. Our Vision and Institutional Service Plan and our Business Case for
Permanent Funding provided a comprehensive framework for protecting the privacy
rights of Canadians and residents, and for serving Parliament in meeting its
needs for privacy expertise as it considers legislation. The Service Plan and
Business Case are the Office's blueprint for a stronger and more effective
institutional role.
This Report on Plans and Priorities outlines the strategic directions, priorities,
anticipated results and spending estimates within the context of this new Vision
for our Office and for the federal privacy protection regime. A new Office,
which will emerge in 2006-2007, will be one:
- that can undertake a meaningful number of audits and reviews to encourage
greater compliance and proactively assist in the development of a robust
privacy management framework in the public and private sectors;
- that can conduct legal and policy analyses of bills and legislation in
support of the Parliamentary legislative role;
- that can make more proactive, extensive and effective use of the enforcement
tools entrusted to us by Parliament, including Commissioner-initiated complaints,
court action and public interest disclosure;
- that can carry out research, both internally and externally, into emerging
privacy issues and trends, to help citizens and policy makers understand
current privacy challenges resulting from globalization and technology;
- that can engage in significant public education to better inform individuals
of their rights, and organizations of their obligations, as well as strategies
to address privacy risks and vulnerabilities;
- whose streamlined investigation process can tackle the growing backlog
of privacy complaints and ensure timely response to complaints from individuals;
and, finally,
- is an organization that can truly sustain the institutional renewal efforts
that have been put into place to ensure that it never again finds itself
in the situation of 2003.
This is all very good data protection news for our Office, for Canadians,
and for the organizations covered by federal privacy laws, both in the public
and private sectors. The year 2006-2007 promises to be exciting and full of
challenges. This Office is now poised to meet these challenges, to work toward
fully implementing the mandate that was entrusted to us by Parliament, and
to ultimately better protect the privacy rights of Canadians.
In closing, the OPC has recently expanded the membership of its External Advisory
Committee to include a wider spectrum of Canadian society's interest in privacy
protection. The Committee reviewed the strategic directions of the OPC and
offered invaluable advice and insights to help our institution move forward
with the implementation of our Vision and Institutional Service Plan. We are
indebted to many distinguished members of the Committee for their observations
and their support of our work. We look forward to continue receiving their
advice on a range of privacy issues on which they are knowledgeable.
Jennifer Stoddart
Privacy Commissioner of Canada
Management Representation Statement
I submit for tabling in Parliament, the 2006-2007 Report on Plans and Priorities
( RPP ) for
the Office of the Privacy Commissioner of Canada.
This document has been prepared based on the reporting principles contained
in Guide for the Preparation of Part III of the
2006-2007 Estimates: Reports on Plans and Priorities and Departmental Performance
Reports.
It adheres to the specific reporting requirements outlined in the TBS guidance:
- It is based on the department's approved Program Activity
Architecture structure as reflected in its Management, Resources and Results
Structure (MRRS);
- It presents consistent, comprehensive, balanced and accurate
information;
- It provides a basis of accountability for the results achieved
with the resources and authorities entrusted to it; and
- It reports finances based on approved planned spending numbers
from the Treasury Board Secretariat in the RPP.
Jennifer Stoddart
Privacy Commissioner of Canada
Section II
Raison D'Être
The mandate of the Office of the Privacy Commissioner (OPC) is to oversee
the application of the Personal Information Protection and Electronic Documents
Act (PIPEDA) and the Privacy Act, and within that context to
promote privacy.
Our mission is to protect and promote the privacy rights of individuals in
Canada, as they are set down in data protection law and the Canadian Charter
of Rights and Freedoms. The oversight powers are those of an ombudsman, which
allows us to play a fundamental role in providing advice and guidance, and
brokering consensus and optimal compliance with the spirit of the law. This
vision is based on existing powers as found in the Privacy Act (sections
29 to 68 and section 70.1) and PIPEDA (sections 11 to 25).
As ombudsman and public advocate for the privacy rights of Canadians, the
Commissioner carries out the following activities:
- investigates complaints
- promotes awareness and understanding of privacy issues
- conducts audits
- participates in court actions
- publishes information about personal information handling practices in
the public and private sectors
- advises on privacy impact assessments (PIAs) of new government initiatives
- reports to Parliament annually and on special issues
- comments on legislative initiatives
- conducts research into privacy issues
We interpret this mandate broadly and expansively, as an ombudsman should.
The powers (sections 23 and 24) under PIPEDA give us a further role
to coordinate with provinces with substantially similar legislation.
As an Officer of Parliament responsible for the application of two federal
privacy statutes respecting the protection of personal information in Canada
and as an ombudsman, the OPC defines its service framework along four mutually
reinforcing roles (see graphic below):
- Parliament (MPs/Senators): Proactively supporting
Parliament's needs
- Economy (Commercial Activities): Proactively
promoting and enabling compliance
- Society (Individuals): Effectively processing
complaints and increasing public literacy in privacy
- Government (Federal Departments/Agencies):
Supporting the federal government's efforts to improve the privacy management
framework
Firstly, the OPC serves the Parliament of Canada by providing
expert advice on privacy issues raised by bills, legislation and regulations.
In 2005, the OPC appeared before parliamentary committees a total of 16 times
to comment on a broad range of bills and policy issues including amendments
to the Statistics Act dealing with the release of census information,
the review of the Anti-terrorism Act and consumer issues in the financial
services sector. The OPC also serves Parliament by enforcing two federal privacy
statutes. Thus, the OPC is both an implementation vehicle for Parliament and
a tool to achieve accountability and transparency for the privacy management
practices of the federal agencies and departments and private sector organizations
engaged in commercial activities in Canada. From that perspective, the OPC
can be seen as an institution serving democratic governance in Canada. Parliamentarians
need to have access to current, clear information and advice on the impact
that emerging technologies and enhanced security initiatives have on privacy
rights. While the requirement for such information may relate to legislation,
it might also relate to policy debates in Parliament, to constituency issues,
or to the scrutiny of government operations in committees. Parliamentarians
need the assurance that the information they require to make decisions and
to do their jobs can be provided to them in a timely and unbiased fashion.
Secondly, the OPC helps Canadians, residents, visitors to Canada,
and clients of organizations in Canada by investigating
their complaints about the personal information management practices of the
federal government and of the private sector. The OPC also helps the people
of Canada by fostering better awareness and understanding of privacy issues
and responding to their inquiries about the Privacy Act and PIPEDA.
The OPC thus functions as a public institution serving to protect the fundamental
privacy rights of individuals. We are a key institution to help preserve
the trust of citizens and non citizens alike in the Canadian government and
the private sector. Individuals need to have confidence in organizations
that collect, use and share personal information that relates to them, and
oversight is necessary to ensure trust. In an era of globalization, heightened
security concerns and increasing transborder data flows, exercising oversight
and building trust have become more important, and more challenging, than
ever. With increasing amounts of personal information flowing across borders
we have opened dialogues with other national agencies with similar mandates
about working together to foster compliance and assist individuals who wish
to pursue redress.
Thirdly, the OPC helps private sector organizations engaged
in commercial activities meet their obligations under PIPEDA by providing
guidance and promoting best practices. We do this by investigating complaints
from clients, customers and employees, by publishing summaries of our complaint
findings to help organizations understand their obligations, and by providing
advice about the privacy implications of new products, services and technologies.
The OPC plays a vital role in maintaining a viable commercial sector in Canada
that adheres to the highest standards in the protection of personal information.
This is necessary to meet growing expectations and rising standards in data
protection both domestically and globally, as more and more countries adopt
data protection statutes. Growing threats from trans-national criminal activity,
notably spam, identity theft and data breaches, are driving the demand for
more precise guidance, regulation, and oversight. From that perspective, the
OPC can be seen as an institution serving a sustainable and competitive economy.
Fourthly, the OPC assists the federal government by helping
departments and agencies covered by the Privacy Act implement
the elements of a privacy management framework to comply with the provisions
of the Act. Through our investigations, audit, review and privacy
impact assessment functions, we try to provide advice that will prevent mistakes
and subsequent breaches and complaints. Through policy analysis, research,
and participation in interdepartmental committees, we contribute the privacy
perspective at the design phase in policy development. The OPC serves as an
instrument to achieve an effective and accountable public administration at
the federal level. Complementary roles are performed by provincial and territorial
commissioners, and through our collaboration with them, we try to ensure a
harmonious approach to common policy challenges. The OPC also serves the cause
of ethical government, because compliance with the Privacy Act is
an integral part of the federal public service Code of Values and Ethics adopted
by the government of Canada in June 2003, and which has since become a condition
of employment for all federal public service employees. The Privacy Act has
served Canada well for almost 25 years, but our values and privacy expectations
have evolved. The OPC believes that the Privacy Act needs
to be updated to reflect this new environment. Privacy Act reform
will be a major priority for OPC in 2006-2007.
These four service roles define the OPC as a public institution dedicated
to the protection of what many see as a fundamental human right, to accountable
government, and to fostering a competitive marketplace through fair and equitable
business practices. The Office of the Privacy Commissioner is unique in relation
to other Officers of Parliament in that as an oversight agency it has responsibility
for the private sector through PIPEDA, which applies to organizations
engaged in commercial activities in Canada, as well as the public sector through
the Privacy Act.
Overview of Resources and Priorities
Financial Resources (planned)
2006-2007 |
2007-2008 |
2008-2009 |
$16,298,000 |
$18,320,000 |
$17,833,000 |
Human Resources (planned)
2006-2007 |
2007-2008 |
2008-2009 |
125 |
143 |
139 |
The planned increase in financial and human resources from 2006-2007 to 2007-2008
is due to the phasing in of the resource levels. The resource levels peak in
2007-2008 due to the one-time costs associated with equipping new employees.
The resource levels for 2008-2009 represent the forecast requirements for future
years.
The planned spending numbers for 2006-07 through 2008-09 do not include spending that will be required for the implementation of the upcoming Federal Accountability Act (FedAA). The OPC is in the process of developing a business case and implementation plan with respect to aspects of the FedAA which will impact the OPC; namely, the creation of an office to handle access to information and privacy requests, and an increased number of privacy investigators to handle new organizations who will now be subject to the Privacy Act upon passage of the FedAA. The exact funding and resource requirements will not be known until the OPC has concluded its internal analysis based on the final wording of the legislation and the coming into force dates.
Agency Program Priorities for 2006-2007
Given the broad scope of the OPC mandate, the number of issues that could
be addressed at any given time is quite extensive. For 2006-2007, the OPC will
focus its attention on a few key questions of national importance, understanding
that we will also address urgent issues as they arise in Parliament and in
national dialogue. The OPC plans to make these issues the main focus of research,
communications, policy analysis and development.
New technologies |
New data-gathering technologies, such as
global positioning systems, radio frequency identification (RFID) and
black boxes in vehicles, are being introduced on the market at an unprecedented
rate. These technologies pose significant risks to privacy by making
it easier to carry out illicit surveillance and privacy invasion. Additional
research and communications are required to ensure that individuals'
understanding and awareness of these risks keep pace with the technological
progress. |
Interconnected information systems |
Electronic information records, including
the most sensitive information such as financial, health and employment
records held by the private and public sectors, pose challenges to the
protection of personal information because information stored electronically
is easier to analyze, manipulate and share. As the ability to create
linkages between different records increases, so does the risk that information
collected for a specific purpose will be used inappropriately or find
its way into the wrong hands. Sound policy decisions are required to
ensure effective privacy management frameworks govern networked information
systems and their interconnections and that the risks to privacy are
appropriately managed. |
Trans-border data flows |
The advances in communication networks, notably
the Internet, have facilitated 24/7 processing of personal information
around the globe. Borders have become irrelevant to data flows as business
and governments seek more efficient and seamless data processing. Access
to information about Canadians can be gained from anywhere in the world,
thus raising a wide range of risks from the nuisance of spam to financial
consequences of identity theft. The OPC must respond to these challenges
through applied research, better collaboration with other jurisdictions
and joint enforcement actions. |
National security and law enforcement |
There are many national security and law
enforcement initiatives on the government's agenda. This Office is responsible
for analyzing their implications for privacy, exercising oversight over
such activities as well as creating greater public awareness of the effects
of large scale surveillance on the rights of privacy and civic trust
in public institutions. The OPC will examine the privacy implications
of the DNA Identification Act, the Proceeds of
Crime (Money Laundering) and Terrorist Financing Act, the Lawful
Access legislative proposals as well as other bills, policies, measures
(such as national identity cards, e-passports, etc.) and systems in support
of national security and law enforcement objectives. |
Legislative Review: Keeping the privacy
rights of Canadians up to date |
In the context of the statutory review of PIPEDA,
planned for 2006-2007, the OPC intends to bring forward a set of proposals
to strengthen and clarify the privacy rights afforded under the Act.
The Privacy Act, however, is a first generation privacy law
which has not been substantially amended since its inception in 1983.
The law has not kept up with technological change and therefore the privacy
management framework that determines the Canadian government's information
practices does not meet the standard set in the private sector. The OPC
will continue to advocate for a fundamental overhaul of the Privacy
Act. Canadian privacy laws need to be periodically reviewed to
ensure that they remain effective in protecting the right of privacy
in the midst of new economy and e-government initiatives. |
Agency Management Priorities for 2006-2007
|
Type |
Short-Term Outcomes |
Strategic Outcome: Privacy
rights of Canadians are protected |
1. Improve and expand service
delivery |
Ongoing |
- Improved service levels — timeliness,
responsiveness, initiative
- Reduced backlogs of complaints and PIA reviews
- Increased commissioner-initiated
complaints and audits
- Increased participation in court applications
- Management
of Information Technology Security Standard compliance achieved
- Business
continuity plan in place
- Engagement
activities launched for key audiences, such as Parliament,
business, federal government, the general public, academics and the
legal community
|
2. Respond to Parliament |
Ongoing |
- Positive engagement with Parliament
- Key privacy issues identified
and positions articulated
- Dialogue
with provinces on issues of common interest
|
3. Participate in PIPEDA review
and Privacy Act reform |
Ongoing |
- PIPEDA review and Privacy
Act reform framework documents available
- OPC strategy
developed for PIPEDA review and Privacy
Act reform, and implementation under way
|
4. Plan and prepare for the 2007 International
Data Protection and Privacy Commissioners Conference |
New |
- Plan for 2007 conference on
track
|
5. Build organizational capacity: hire and integrate new staff,
engage and train existing staff |
New |
- Allocated resources fully utilized
- New staff fully integrated
- Trained
management & staff, sub-delegated managers
- Regional
offices planning completed
|
6. Develop results-based systems
and baselines |
New |
- Draft performance management
framework and baseline measures in place
- Records information
easily and quickly retrievable
|
Operating Environment
This section describes the operating environment of the OPC in three parts.
The first part describes the major program delivery mechanisms; the second
and third parts describe important internal and external factors affecting
program delivery.
Major Program Delivery Mechanisms
Investigations and Inquiries
The OPC seeks to promote fair information management practices by both public
and private sector organizations in Canada in accordance with two federal privacy
laws — the Privacy Act, which was enacted in 1983, and PIPEDA,
which began coming into effect in 2001 and which came into full force in 2004.
The principal means of doing this is through complaint investigations, which
are conducted by the OPC's Investigations and Inquiries Branch. The Branch
investigates complaints from individuals alleging that their personal information
has been collected, used or disclosed inappropriately.
In conducting this work, Investigations and Inquiries is supported by activities
of other branches, such as the Legal Services and Research and Policy branches.
The Legal Services Branch helps with the interpretation of the two Acts and
is involved in litigation concerning the interpretation and application of
these Acts and in cases relating to the jurisdiction and powers of the Commissioner.
The Research and Policy Branch works with the Investigations and Inquiries
Branch in establishing the Office's position on policy matters and provides
investigators with research material to assist with the development of needed
expertise in such areas as newly emerging technologies, which are the subject
of an increasing number of complaints to the Office.
The Investigations and Inquiries Branch also responds to inquiries from members
of the general public, government institutions, private sector organizations,
and the legal community, who contact the Office on a wide variety of privacy-related
issues.
Audits and Reviews
To safeguard Canadians' right to privacy, the OPC's
Audit and Review Branch conducts compliance reviews under Section 37 of the Privacy
Act. These reviews assess systems and practices for managing personal
information from collection to disposal by federal departments and agencies.
These reviews are carried out with reference to sections 4 to 8 of the Privacy
Act and government policies and standards. This work is intended to
encourage the growth of fair information practices by government institutions.
The OPC also has the mandate, under Section 18 of PIPEDA, to conduct
audits of the personal information management practices in the Canadian private
sector.
Privacy Impact Assessments
The Government of Canada's Policy on Privacy Impact Assessments (PIA) has
added to the responsibilities of the OPC. Our role, as defined in the Policy,
is to assess the extent to which a department's PIA has succeeded in identifying
privacy risks associated with a project or initiative and to comment on the
appropriateness of the measures proposed to mitigate identified risks. The
OPC views PIAs as an integral part of the federal government privacy management
framework.
Support to Parliament
The Commissioner acts as Parliament's advisor on privacy issues, bringing
to the attention of Parliament issues that have an impact on the privacy rights
of Canadians. We do this by tabling annual reports to Parliament, by appearing
before Committees of the House of Commons and the Senate to comment and advise
on the privacy implications of proposed legislation and government initiatives
and by identifying and analyzing issues that we believe should be brought to
Parliament's attention.
The Office also assists Parliament to become better informed about privacy,
acting as a resource or centre of expertise on privacy issues. This includes
responding to a significant number of inquiries and letters from Senators and
Members of Parliament.
Public Education and Communications
The Privacy Commissioner is specifically mandated under PIPEDA to
conduct public education activities to ensure that the business community in
Canada is complying with its obligations, as well as to make individuals aware
of their rights.
Contributions Program
The Contributions Program supports the development of a national privacy research
capacity in the voluntary, academic and not-for-profit sectors to generate
and transfer knowledge on the privacy impact of emerging technologies, and
the personal information management practices of the private and public sectors.
Internal Factors Affecting Program Delivery
The OPC is confident that in 2005-2006 we "turned a corner" in terms of dealing
with the legacy of issues and challenges of the past few years. All of our
staff continue to demonstrate an unwavering commitment to protecting and enhancing
the privacy rights of Canadians, and there is new momentum in the organization
as a result of changes implemented in recent years.
This new momentum offers for the Office both an opportunity and a challenge.
The opportunity is to acquire new staff and to realign the organization so
that all aspects of the OPC mandate are effectively and efficiently supported
and resourced. The challenge is to successfully pilot the organization through
the significant change that this will represent, so that all OPC resources
are aligned, integrated, and effectively contributing to achieve our mandate
and mission.
External Factors Affecting Privacy and the Office
The climate in which the OPC operates is a complex one, characterized by conflicting
goals and trends. Canadians overwhelmingly, even in the face of threats to
their security, believe that privacy is their right, and that it must be protected.
They also want security, law enforcement, convenience, and value for money
in the marketplace and in government services. This cluster of needs has some
inherent conflict. The data protection law we administer to meet the privacy
need is still very new in societal terms. It takes a while to seep into the
culture, and until it does, there is an ongoing job of teaching, correcting
and enforcement.
To some extent, that desire for and belief in privacy is ahead of reality,
as our Office deals with a population that has not learned enough about the
matter to take steps to protect themselves. Public education is essential if
we are to live in a community with respect for basic rights. Meanwhile, society
rushes forward with the implementation of new technologies that erode privacy
and produce new ways to gather data, making that job of public education more
difficult each day. Who understands the black box that is in their new car,
reporting on geo-positioning and speed? Who understands what data their cellular
operator has about their calls? When Canadians say to pollsters that they support
or don't support a national identity card or a biometric passport, who understands
what that means and what databanks and registration platforms, what security
measures and physical readers might be entailed in the process?
Neither the population subject to these new surveillance systems, nor the
organizations or government departments implementing them, are finding it easy
to keep up with the pace of change. They all struggle to understand the impact
of new initiatives and technologies, and systems integrators both in the public
and private sectors need help to try to ensure they respect the requirements
of data protection law. It is the OPC 's responsibility, mandated through law
and policy, to assist them.
None of these technical issues had presented themselves when the Privacy
Act was drafted in 1982, because there were no personal computers,
no Internet, no cell phones, no geo-positioning systems, let alone biometrics
and RFID chips or nanotechnology. Our Office has pointed out on many occasions
that the Privacy Act is long overdue for an update, because it
was crafted in the era of reel to reel computer tapes and paper files in
filing cabinets, when trans-border data flow almost entirely was achieved
through shipping goods, tapes or paper, not digital bits.
Nevertheless, even with the old car we are driving to transport the privacy
rights of Canadians into the 21st century, we believe we can refocus our activities
to achieve more, and to reflect what Parliament asked of us when it passed PIPEDA in
2000. PIPEDA contains a broader suite of powers than the Privacy
Act, including public education, a broader basis for litigation, the
right to take our own cases to the Federal Court, and the power of the Court
to award damages. We are trying to respond to the growing demands of Canadians
and of Parliament to be the counterbalance on the teeter-totter of public safety
and national security versus the rights of the individual to a private life,
and we must fully utilize the toolkit Parliament has provided in this recent
legislation, not cling to old ways.
OPC Plans and Priorities for 2006-2007
Detailed Description
The OPC is confident that an increase in resources will enable it to increase
its capacity to:
- carry out audits and reviews to encourage greater compliance
of the federal public sector and commercial activities with federal privacy
laws;
- conduct legal and policy analyses of bills and legislation
in support of Parliament's interest for privacy protection;
- carry out research, both internally and externally, in emerging
privacy issues and trends (technology, etc);
- engage in significant public education to better inform individuals
about contemporary privacy challenges;
- streamline the investigation process and tackle the growing
backlog of privacy complaints from individuals; and
- sustain its institutional renewal efforts by offering greater
professional development opportunities, improving management practices
and making optimal use of information technology.
As a result, 2006-2007 will be a pivotal year for the OPC, the year in which
we build a foundation for this capacity increase and renewal, by focusing on
the following strategic priorities:
2006-2007 Strategic Priorities |
Type |
1. Improve and expand service
delivery |
Ongoing |
2. Respond to Parliament |
Ongoing |
3. Participate in PIPEDA review
and Privacy Act reform |
Ongoing |
4. Plan and prepare for
the 2007 International Data Protection and Privacy Commissioners Conference |
New |
5. Build organizational
capacity; hire and integrate new staff, engage and train existing staff |
New |
6. Develop results-based
systems and baselines |
New |
1. Improve and expand service delivery
This priority crosses all program activities and organizational boundaries,
with a particular focus on the following:
- Reduce the backlog of complaints and PIA reviews
This is an
essential step in increasing the trust of Canadians in the OPC and our ability
to protect privacy rights of Canadians. Prompt and effective treatment of
these files also provides a key opportunity for education and knowledge transfer.
In addition to hiring new resources, activities planned to reduce the backlog
include:
- Increasing automation and use of technology
- Reviewing and changing business processes to increase efficiency
- Increase commissioner-initiated complaints and audits
This is an essential
component of our strategy to transform our basic role from being a complaints-driven,
responsive organization to one that is proactive, with a holistic and multifaceted
approach to privacy protection. The OPC will select specific issues to move
forward through intentional action to raise awareness and enforce compliance.
- Launch
engagement and education activities for key audiences
These key audiences
may include Parliament, business, federal government, the general public,
academics and the legal community. A comprehensive plan has been developed
for public education and communications activities. In addition, all branches
of the organization will be expected to integrate information-sharing and
education into their communications with external groups.
2. Respond to Parliament
As stated above, the OPC is committed to providing Parliamentarians with accurate
and timely information on privacy issues, whether the request relates to legislation,
to policy debates in caucus or in Parliament, to constituency issues, or to
the scrutiny of government operations in Committees. In addition to responding
promptly to requests from Parliament, the OPC plans to:
- Identify key privacy issues and clearly articulate positions
on these issues; this work will support advice to Parliament as well as
public education and awareness efforts.
- Engage provinces/territories in dialogue on issues of common
interest; the purpose of this work is to help build Canadian expertise
in the protection of personal information and to help ensure that all elements
of the system work together for the protection of privacy rights.
3. Participate in PIPEDA review and Privacy
Act reform
PIPEDA includes a provision for a parliamentary review every five
years after its coming into force. Since the Act came into effect in 2001,
a review by a committee of the House of Commons, or of both Houses of Parliament,
is expected in 2006. The OPC will prepare for this review by developing an
adoption and implementation strategy, and by drafting framework documents that
highlight the issues and lessons learned in this first implementation period.
Our Office has pointed out on many occasions that the Privacy Act is
long overdue for an update. When it was drafted in 1982, there were no personal
computers, no Internet, no cell phones, no geo-positioning boxes, let alone
biometrics and RFID chips or nanotechnology, and there is a need to modernize
the Act to take into account the proliferation of these new technologies. We
remain ready to support Parliament in the review of the Privacy Act in
the event that it chooses to proceed.
4. Plan and prepare for the 2007 International Data Protection
and Privacy Commissioners Conference
In September 2007, Canada will be hosting the 29 th International Data Protection
and Privacy Commissioners Conference, bringing together representatives from
the world of business, public administration, science, the IT industry as well
as governmental and non-governmental organizations to discuss leading-edge
issues related to privacy and the protection of personal information. This
will provide a unique opportunity to highlight and enhance Canada 's international
role in promoting privacy standards. To succeed, s uch a major event requires
careful planning and preparation, and these activities will require significant
resources in 2006-2007. The planning effort is already under way, and responsibilities
have been assigned within OPC to move forward on the event programme and logistics.
The OPC intends to work in partnership with provincial and territorial commissioners
to ensure that this conference is a success.
5. Build organizational capacity: hire and integrate new
staff, engage and train existing staff
Much of our energy and effort will be directed to increasing our organizational
capacity to approved levels. In order to achieve success, our plan includes
two major components:
- Hire and integrate new staff
Although this appears simple, in the federal
government context it is a lengthy and time-consuming process, all the more
so when new organizational structures have to be put in place. Planned activities
include:
- Reviewing and revising the organizational structure,
including the creation of regional offices
- Creating and classifying new positions
- Recruiting applicants
- Screening and selecting new staff
- Orienting and integrating new staff into the organization
- Engage and train existing staff
All of our energy cannot be
directed to new staff. Success also depends on our ability to build the capacity
of existing staff, who will play a critical role in keeping the organization
on track by sharing their expertise and mentoring newcomers to quickly adapt
and become productive. Planned activities include the identification and
provision of training and development opportunities for staff, based on personal
learning plans and organizational learning priorities.
6. Develop results-based systems and baselines
This priority is a cornerstone of our strategy to increase capacity and become
a model of corporate excellence and innovation. To be able to report on progress,
we must have the systems in place to measure our performance, and we must have
a clear baseline of our current levels of performance. In 2006-2007, we will
focus specifically on the following elements:
- Finalize the OPC performance management framework and establish
baseline measures.
- Implement the use of records-management systems so that information
is easily and quickly retrievable.
Section III
Analysis by Program Activity
This section provides information on the basis of the Office's program activity
architecture (PAA). The PAA provides the structure for planning and reporting
the Office's activities.
Our program has four operational activities aimed at achieving one strategic
outcome on behalf of Canadians.
Strategic Outcome |
Protection
of the Privacy Rights of Canadians |
Activities |
1. Assess and investigate compliance with
privacy obligations |
2. Privacy issues: research and policy |
3. Privacy education — promotion and protection of privacy |
Program Activity 1: Assess and investigate compliance
with privacy obligations
Planned Resources:
|
2005-2006 |
2006-2007 |
2007-2008 |
2008-2009 |
Financial Resources - $000 |
7,696 |
10,154 |
11,115 |
10,681 |
Human Resources - FTEs |
76 |
88 |
98 |
93 |
The planned increase in the level of resources from 2005-2006 to 2007-2008
is based on the phasing in of resource levels. The resource levels for 2006-2007
and 2007-2008 include the one-time costs of equipping new offices for employees
and additional resources for those years to eliminate the backlogs in investigations
and inquiries.
Activity Description
The OPC is responsible for investigating complaints and responding to inquiries
received from individuals and organizations who contact the Office for advice
and assistance on a wide range of privacy-related issues. The OPC also assesses
how well organizations are complying with requirements set out in the two federal
laws and provides recommendations on PIAs pursuant to the Treasury Board of
Canada policy. This activity is supported by a legal team that provides specialized
legal advice and litigation support.
Expected Results for 2006-2007
- Improved service levels — timeliness, responsiveness, initiative
- Reduced backlogs of complaints and PIA reviews
- Increased commissioner-initiated complaints and audits
Priorities for this Activity
The operations under this activity will contribute to the achievement of the
following priority described in Section II.
Priorities |
Type |
Improve and expand service delivery |
Ongoing |
Performance Measurement and Reporting
We will report on our performance under this activity using indicators that
measure workload and output such as:
- the number of inquiries, complaints and PIAs received, in
process and closed
- the volume of court applications in which the OPC is actively
involved
- the number of audits and reviews completed compared to plan
/ as received
- the percentage of complaints resolved to the satisfaction
for both the complainant and the respondent using alternate dispute resolution
methods
- the number of commissioner-initiated complaints and audits
We will also measure outcomes, for example the implementation of recommendations
made as a result of investigations, reviews of PIAs, and audits and reviews.
Program Activity 2: Privacy issues: research and policy
Planned Resources:
|
2005-2006 |
2006-2007 |
2007-2008 |
2008-2009 |
Financial Resources - $000 |
2,003 |
3,393 |
3,956 |
3,930 |
Human Resources - FTEs |
14 |
19 |
23 |
23 |
Activity Description
The OPC serves as a centre of expertise on emerging privacy issues in Canada
and abroad by researching trends, monitoring legislative and regulatory initiatives,
providing analysis on key issues, and developing policy positions that advance
the protection of privacy rights. An important part of the work done involves
supporting the Commissioner and Assistant Commissioners in providing advice
to Parliament on legislation and on government program and private sector initiatives
that may impact on privacy.
Expected Results for 2006-2007
- Positive engagement with Parliament
- Involved in dialogue with provinces and territories on issues
of common interest
- PIPEDA review and Privacy Act reform framework
documents available
- OPC strategy developed for PIPEDA review and Privacy
Act reform, and implementation under way
- Plan for 2007 International Data Protection and Privacy Commissioners
Conference on track
Priorities for this Activity
The operations under this activity will contribute to the achievement of the
following three priorities described in Section II.
Priorities |
Type |
Respond to Parliament |
Ongoing |
Participate in PIPEDA review and Privacy
Act reform |
Ongoing |
Plan and prepare for the 2007 International
Data Protection and Privacy Commissioners Conference |
New |
Performance Measurement and Reporting
The Office will report in the 2006-2007 Departmental Performance Report and/or
in its annual reports on the outputs of this activity using indicators such
as the appearances before parliamentary committees (number, purpose and result);
the support provided to individual Parliamentarians (number of inquiries, meetings,
requests for information, etc.); the major research and policy documents produced
(number and issues addressed); and the status of PIPEDA review and Privacy
Act reform processes. We will also report on key milestones achieved
in the preparation of the 2007 International Data Protection and Privacy Commissioners
Conference.
Program Activity 3: Privacy education — promotion and protection of privacy
Planned Resources:
|
2005-2006 |
2006-2007 |
2007-2008 |
2008-2009 |
Financial Resources - $000 |
1,614 |
2,751 |
3,249 |
3,222 |
Human Resources - FTEs |
10 |
18 |
22 |
22 |
Activity Description
The OPC plans and implements a number of public education and communications
activities, including speaking engagements and special events, media relations,
and the production and dissemination of promotional and educational material.
Expected Results for 2006-2007
- Key privacy issues identified and positions articulated
- Engagement activities launched for key audiences, such as
Parliament, business, federal government, the general public, academics and
the legal community
Priorities for this Activity
This activity will contribute to the achievement of the following two priorities
described in Section II.
Priorities |
Type |
Improve and expand service delivery |
Ongoing |
Respond to Parliament |
Ongoing |
Performance Measurement and Reporting
We will report on the outputs and results of this activity using indicators
such as the volume of inquiries handled, the use of our Web site, the number
of publications distributed, the number of presentations made to key target
audiences. We will also wherever possible, evaluate the impact or outcome of
our proactive outreach efforts through anecdotal and quantitative and qualitative
research.
Other Activities
Activity Description
The OPC continues to enhance and improve its management practices in order
to meet the highest standards of performance and accountability. Although the
resources captured in this section are those allocated specifically to Corporate
Services, all managers of the OPC are expected to take responsibility for the
expected results, and to integrate the necessary activities in their operational
plans.
Expected Results for 2006-2007
- Trained management and staff, sub-delegated managers
- Allocated resources fully utilized
- New staff fully integrated
- Records information easily and quickly retrievable
- MITS compliance achieved
- Business continuity plan in place
- Regional offices planning completed
- Draft performance management framework and baseline measures
in place
Priorities for these Activities
These activities will contribute to the achievement of the following three
priorities described in Section II.
Priorities |
Type |
Build organizational capacity: hire and integrate
new staff, engage and train existing staff |
New |
Improve and expand service delivery |
Ongoing |
Develop results-based systems and baselines |
New |
Performance Measurement and Reporting
We will report on the outputs and results of this activity using indicators
such as:
- the number of staffing actions initiated, in process and completed
- the number of new employees hired
- investments in learning and development
We will also report on changes to the organization and improvements to our
management capacity, such as:
- changes to the organization structure, if any
- new systems and baselines
Organizational Information
The Privacy Commissioner is an Officer of Parliament appointed by the Governor-in-Council
following approval of her nomination by resolution of the Senate and the House
of Commons. The OPC is designated by Order-in-Council as a department for the
purposes of the Financial Administration Act. As such, it is established
under the authority of schedule 1.1 of the Financial Administration Act and
reports to Parliament for financial administration purposes through the Minister
of Justice. The Privacy Commissioner is accountable to and reports directly
to Parliament on all achieved results.
The roles of the Research and Policy, Public Education and Communications,
Legal Services, Investigations and Inquiries, and Audit and Review Branches
are described in the preceding sections. The roles of the administrative branches,
Corporate Services and Human Resources, are set out below.
Corporate Services
The Corporate Services Branch, headed by the Office's Chief Financial Officer
provides advice and integrated administrative services (corporate planning,
finance, information technology and general administration) to managers and
staff.
The Branch's most important priority will be to lead the implementation of
the business case plans that will enable the Office to fulfil its mandate efficiently
and effectively. The business case plans will necessitate a complete review
of branch design, staffing and classification requirements as well as a comprehensive
accommodation plan.
The Corporate Services Branch will also lead a number of important initiatives
linked to the OPC 's goal of becoming a well-managed, effective and efficient
Parliamentary agency. These initiatives focus on developing and implementing
the Office's management accountability framework and integrated information
management architecture. Specific projects include:
- threat and risk assessment, business impact assessment, and business continuity
plan
- phase 2 of the information management project
- review of Corporate Services policies
- continuation of OPC strategic planning exercises with integrated human
resource, financial and information technology/information management plans.
Human Resources
Human Resources is responsible for the management and delivery of comprehensive
human resource management programs in areas such as staffing, classification,
staff relations, human resource planning, learning and development, employment
equity, official languages and compensation.
The priorities for the HR Branch in the 2006-2007 fiscal year include:
- continue working with the Public Service Commission in order to regain
full, unconditional delegation in staffing;
- implementing the
human resource strategy that addresses the Office's staff recruitment,
retention and development needs;
- completing a review of branch designs, staffing
and classification requirements as a result of the newly approved resources;
- continuing
to work with the Canada School of Public Service on training and information
sessions for all staff as part of the OPC learning environment;
- capacity
building and enhancing staff skills as well as developing a retention and
succession strategy;
- continuing implementation of requirements under the
new Public Service
Employment Act and the Public Service Modernization Act ;
and
- integrating human resources planning with overall strategic planning
and identifying key risks, challenges and necessary actions.
Resource Tables
Table 1: Departmental Planned Spending and Full Time Equivalents
|
($ thousands) |
Forecast Spending
2005-2006 |
Planned Spending
2006-2007 |
Planned Spending
2007-2008 |
Planned Spending
2008-2009 |
Vote 45 - Operating expenditures |
3,925 |
14,460 |
16,192 |
15,764 |
Statutory - Contributions to employee benefit
plans |
728 |
1,838 |
2,128 |
2,069 |
|
|
Total Main Estimates |
4,653 |
16,298 |
18,320 |
17,833 |
Adjustments: |
|
|
|
|
Funding provided through transfers from TB
Vote 5 and Governor General Special Warrants in lieu of Supplementary
Estimates for activities under PIPEDA |
7,135 |
-- |
-- |
-- |
|
|
|
|
|
|
|
Total Planned Spending |
11,788 |
16,298 |
18,320 |
17,833 |
Plus: Cost of services received
without charge |
|
|
|
|
Accommodation provided by Public Works and
Government Services Canada (PWGSC) |
823 |
990 |
1,065 |
1,146 |
Contributions covering employers' share of
employees' insurance premiums and expenditures paid by TBS (excluding
revolving funds) |
572 |
774 |
896 |
871 |
Audit of the financial statements by the
Office of the Auditor General of Canada |
110 |
90 |
90 |
90 |
|
|
Cost of Program |
13,293 |
18,152 |
20,371 |
19,940 |
|
|
Full Time Equivalents |
80 |
125 |
143 |
139 |
|
Explanation of Trends
The planned increased resources are being phased-in over two years, 2006-2007
and 2007-2008. The planned spending for those two years also includes the one-time
costs of fitting up offices and systems for the increased staff; in addition
resources are temporarily provided in those years to eliminate the backlog
in Investigations and Inquiries. The planned spending for 2008-2009 represents
the resource utilization on an on-going basis.
Table 2: Program Activities
Program Activity ($) |
Operating |
Contributions |
Total
Main Estimates |
Assess and investigate compliance with privacy
obligations |
10,154,000 |
-- |
10,154,000 |
Privacy issues: research and policy |
3,018,000 |
375,000 |
3,393,000 |
Privacy education — promotion and protection
of privacy |
2,751,000 |
-- |
2,751,000 |
Total |
15,923,000 |
375,000 |
16,298,000 |
Table 3: Resource Requirements by Branch - 2006-2007
($) |
Assess and investigate compliance with privacy
obligations |
Privacy issues: research and policy |
Privacy education — promotion and protection
of privacy |
Total |
Offices of the Commissioner and Assistant
Commissioners |
428,000 |
428,000 |
428,000 |
1,284,000 |
Investigations and Inquiries |
3,567,000 |
-- |
-- |
3,567,000 |
Research and Policy |
-- |
1,713,000 |
-- |
1,713,000 |
Audit and Review |
1,655,000 |
-- |
-- |
1,655,000 |
Legal Services |
927,000 |
397,000 |
|
1,324,000 |
Regional Offices |
162,000 |
-- |
378,000 |
540,000 |
Communications |
-- |
-- |
1,257,000 |
1,257,000 |
Corporate Services |
2,811,000 |
743,000 |
609,000 |
4,163,000 |
Human Resources |
604,000 |
112,000 |
79,000 |
795,000 |
|
|
|
|
|
Total |
10,154,000 |
3,393,000 |
2,751,000 |
16,298,000 |
The Offices of the Commissioner and Assistant Commissioners include the costs
of federal-provincial coordination and international activities. The OPC budgets
centrally for many of its costs. For example, Corporate Services includes the
costs of information management and information technology (computer systems
and computer equipment for all employees), office furniture and supplies and
telecommunications. Human Resources Branch includes the cost of employee training.
Sources of Additional Information
Legislation Administered by the Privacy Commissioner
Privacy Act 85,
ch. P21, amended 1997, c. 20, s. 55 |
R.S.C. 1985, ch. P21, amended 1997, c.20,
s. 55 |
Personal Information Protection and
Electronic Documents Act |
2000, c.5 |
Statutory Annual Reports, other Publications and Information
Statutory reports, publications and other information are available from the
Office of the Privacy Commissioner of Canada, Ottawa, Canada K1A 1H3; tel.:
(613) 995-8210 and on the Office's Web site at www.privcom.gc.ca
- Privacy Commissioner's annual reports
- Performance Report to Parliament, for the period ending March
31, 2005
You can obtain a copy through local
booksellers or by mail from Public Works and Government Services — Publishing,
Ottawa, Canada K1A 0S9
- Your Privacy Rights: A Guide for Individuals to the Personal
Information Protection and Electronic Documents Act
- Your Privacy Responsibilities: A Guide for Businesses
and Organizations to the Personal Information Protection and Electronic
Documents Act
Contact for Further Information on the Report on Plans and Priorities
Mr. Tom Pulcine
Director General, Corporate Services/Comptroller
Office of the Privacy Commissioner
of Canada
Place de Ville, Tower B
112, Kent St., Suite 300
Ottawa, Ontario K1A 1H3
Telephone: (613) 996-5336
Facsimile: (613) 947-6850
|