ETHI Committee Meeting

    Good afternoon everyone, and welcome to the 74th meeting of the Standing Committee on Access to Information, Privacy and Ethics.

    Pursuant to the order of reference of Tuesday, February 25, 2013, and the motion adopted by the committee on Wednesday, February 27, 2012, we are studying vote 45 of the main estimates for 2013-14. I will therefore open the discussion on vote 45, under Justice.

    I would like to start by thanking our witness today, the Privacy Commissioner of Canada, Ms. Stoddart. Joining her are Mr. Nadeau and Ms. Bernier.

    As usual, we will begin with a 10-minute presentation, followed by questions and answers.

    Ms. Stoddart, please go ahead.

    Thank you kindly, Mr. Chair.

    Good afternoon, Mr. Chair and members of the committee. It's a pleasure to be here today once again to discuss our office's main estimates for this coming fiscal year.

    Joining me today are assistant commissioner Chantal Bernier, who as you know is in charge of our day-to-day operations, along with our chief financial officer and director general of corporate services Monsieur Daniel Nadeau.

    During my time today I look forward to outlining and discussing some of our major priorities for the year ahead. For our office this is a year marked by both continuity and transition. On one hand our main program activities remain the same. On the other hand we will see change as we move to a new headquarters and have a change in leadership.

    I'll start by talking about what remains the same. First of all let me go over planned spending by program area.

    Overall we have a planned operating budget of some $29.1 million spread among four key program activities. First we have the program activity of compliance, which includes investigating privacy-related complaints as well as reviewing privacy impact assessments and undertaking audits of organizations. In the coming year this area will account for just over $11.1 million of our budget.

    Next we plan to devote some $4.6 million to the area of research and policy development under which we examine emerging privacy issues as well as provide advice to Parliament on the privacy aspects of proposed legislation.

    In order to continue informing individuals of their privacy rights and organizations of their obligations under the law, we intend to invest just over $3.1 million in public education and outreach program activity.

    Then finally we intend to direct just more than $10.1 million to the area of internal services. These include functions such as human resources management, administration, and asset management. This amount both represents an increase from the last fiscal year and accounts for an overall increase in our budget. I want to take a moment, honourable members, to explain why this is so.

    In short, the increase you see is caused by a one-year injection to cover the costs associated with moving our headquarters, something made necessary by a long-term retrofit to our current space.

    I'd like to talk now a bit about my concerns regarding an orderly transition in my office. While we are a relatively small organization, relocation comes with expense. Our costs are being covered by a $4.1 million interest-free loan, which we will repay to the Treasury Board Secretariat over the next 15 years. Our move will put us in the same building as some fellow agents of Parliament. We have planned several cost efficiencies through common and shared services, and we're exploring even more.

    Already we've made arrangements to share a common reception desk, a library, a server room, and a mail-processing room. This action contributes to our wider commitment to continuously improve our business processes to make the most of our existing resources. This is an important priority for our organization given the current economic environment.

     As I noted in last year's remarks, while not mandated to make reductions under the deficit reduction action plan, our office answered the call to adhere to its spirit and intent. As a result we will have implemented savings of 5%, or $1.1 million, per year within our total budget by the end of fiscal year 2014-15.

    In sum, while our figures show an increase because of the cost of our move, the resources we have available to meet the privacy needs of Canadians largely remained at the levels set for the last fiscal year. We made the decision to implement savings while committing to maintain the best possible level of service for Canadians. That commitment remains solidly intact for this year and underlines the need to make the most efficient use possible of our existing resources.

    I will now move on to the importance of adapting for the privacy landscape of today and tomorrow.

    As we look at the present and the future, we can all rest assured that the ever-quickening pace of technological change and its relationship with privacy will remain a constant. This is why we have created the Technology Analysis Branch, a true lab responsible for supporting investigations and audits.

    Over the years, as Canadians' interest and awareness with regard to privacy issues have increased, complaints have risen. Years ago, the rise in complaints prompted a need for further funding to deal with a backlog.

    Today, I’m happy to say that we have made efforts to maximize existing resources to continue getting the results that Canadians expect and deserve. Last year, we engaged in a project to simplify investigation procedures and reduce the time required to investigate complaints. This year, we plan to implement the improvements that this project identified in order to continue providing Canadians with results at a lower administrative burden.

    Going further, we plan to broaden this project to complaints under PIPEDA.

     In short, from both a technological and a privacy perspective, to say that the world has changed immensely in 10 years would be an understatement. And the law needs to catch up with the times. As a result, we strongly suggest that action to bring needed change be taken as soon as possible.

    With only a few months remaining in my final term, it appears more and more doubtful that a second review of PIPEDA—one that is overdue—will happen before I am replaced. Nonetheless, in the coming year, our office will work to set out a roadmap to address current and future privacy challenges more effectively. It will examine how organizations can be given greater incentive to invest in privacy and information security.

    In the absence of such incentives, it's up to our investigation process to bring about needed improvements. And while some companies are very cooperative, the process is generally long, drawn-out and resource-intensive.

    While I certainly can't speak for the committee, I think most can agree that it shouldn't be Canadian taxpayers footing an unnecessarily large bill to fund the privacy improvements of businesses.

    In addition, I want to remind everyone here about the work we undertook in the past calling for reform of the Privacy Act. The committee supported that reform. The act was written during a time when information was stored in fixed filing rooms, rather than on USB sticks and portable hard drives.

    Staying with the Privacy Act for now, I would be remiss if I didn't take a moment to note the concerns Canadians have registered in the form of complaints stemming from some large-scale federal data breaches over the last few months.

    This is a concern our office shares with federal departments, with Parliament, along with Canadians. In the coming months we hope to provide information to Parliament from our investigations into the loss at HRSDC of both a hard drive and a USB key in separate incidents, containing the personal information of more than half a million Canadians.

    In addition to exploring systemic challenges related to the use of portable electronic storage devices by federal organizations, we plan to begin an audit in this regard.

    Further on this year, we will be releasing reports on audits of both FINTRAC and the Canada Revenue Agency. Audit findings provide recommendations for subject organizations to follow. They can serve as guidance for other departments to improve practices. Our office also seeks to provide guidance to the private sector, and especially to smaller businesses.

    In the year ahead our office will continue our proactive approach towards identifying and exploring emergency privacy challenges. Some of these include mobile payments, facial recognition software, intergovernmental information sharing, and consent for obtaining personal information online.

     In conclusion, Mr. Chairman, let me underscore that my management team is wholly committed to ensuring that this year of transition, both to our new location and to new leadership, comes with no effect on service to Canadians. In the last year of my mandate I plan to do everything I can to ensure an orderly and a positive transition to new leadership upon my retirement in December.

    I think all members around the table can agree that privacy issues are challenging and increasingly closer to home for more and more Canadians. In order for this office to continue functioning as efficiently as possible throughout the course of the year, we are now working with officials from the Privy Council Office to begin the competitive process to find a new commissioner in the near future.

     As you all know, Parliament has a key role to play in the process of approving a new privacy commissioner, so I wish you well in your future deliberations on that matter.

    With that, I conclude and I look forward to your questions.

    Merci.

    Thank you very much, Madam Commissioner.

    First off, I must tell you I'm disappointed to learn that this is your last term.

    I will now turn the floor over to Mr. Angus, who will have seven minutes.

    Thank you so much, Mr. Chair.

    Thank you, Madame Stoddart. We have immense respect for the work your office has done, and as you near the end of your term we want to thank you for your commitment to ensuring the privacy rights of Canadians.

    I'm interested that you mentioned the need to update PIPEDA. We're in a completely changed world now, and you're talking about the rising number of complaints. We have seen poor protocol, where the government has lost the financial information of 500,000 people. We have issues like that. We have international cybergangs and all manner of fraud. That can happen if people don't take the issue of private information seriously.

    How much pressure is that putting on your organization, in terms of the kinds of investigations you need to undertake and their scope?

    Thank you very much, honourable member.

    I think that generally the issue of the slowness of legislative reform in comparison with the pace of change in the world in which personal information is used has created a great challenge for my office.

    As I have suggested, in the future I am hoping Parliament will make privacy legislation a priority. I think the onus should be less and less on individual Canadians to make complaints to my office, and more on organizations, notably, to take the responsibility for better protecting personal information.

    Thank you.

    You raised the issue at a previous meeting about the problem of compliance, that there are certain corporate players that feel, “Well, take us to court”. You are forced into a long series of negotiations, and public shaming or pressure, to get action.

    Given the seriousness of a potential data breach, do you believe that if we updated PIPEDA to ensure order-making powers and administrative monetary penalties, your office would not have to spend the kind of money it has to spend on legal matters and that it could get better and more timely results for Canadians?

    I do, and that's why I'm recommending it.

    Good.

    I'm interested in this issue of the move, and that it's a $4.1 million loan that you're being asked to repay over the next number of years.

     Is that a common practice in situations like this?

     I will refer this to the director of corporate services. I don't really know.

    I don't believe so.

    In meeting with central agencies to discuss the financing of this event, we explored that as a way to address it. But to my knowledge it hasn't been done as a common practice.

    Thank you.

    I was looking in the April 2012 Public Works and Government Services Canada release of the “Government of Canada Workplace 2.0 Fit-up Standards”. The document has a section, A3.2, on the funding accountabilities of Public Works and the client departments.

    There doesn't seem to be any policy governing whether relocation costs should be financed by a repayable loan, so are we moving into new territory here?

    It is possible.

    As I said, to my knowledge it hasn't been common practice in the past, but you would have to ask these questions to Public Works delegates.

    I'm looking at your planned spending for strategic outcomes program. It's being reduced by $2 million up to 2015-16.

    Would that be where you're paying the loan from, and does that mean there is going to be more pressure on your office as that budget is decreased?

    As was mentioned, the loan is for $4.1 million, and the repayment of the loan amounts to approximately $270,000 a year over the 15-year horizon.

    In addition to that, because we're making efforts to create more efficiencies as it relates to our space, PWGSC, Public Works, is partaking along with us in the savings that are going to be generated. So we're getting a portion of that back as well to compensate slightly for the loan repayment we have to make over those 15 years.

    The delivery goes from $26.9 million in 2011-12 to $24.3 million in 2015-16, and we're talking about increased pressures and the need to establish better response times because of the threat to citizens' privacy in an age of cyberfraud. How will those cuts affect the service deliverables that Canadians are expecting?

    We're working very hard to try to provide countervailing trends to these cuts, notably the modernization of process of both investigation operations to put the emphasis on early resolution— between 20% to 25% of our complaints are now early resolved—as well as other measures to offset these budget decreases.

    If you had the compliance order-making powers and administrative monetary penalties, do you feel this 25% margin would go higher and you'd be able to get better savings in the long term and ensure the safety of Canadians' privacy data online?

    I think Canadians overall would be better served by that, the exact granular implication of that has yet to be seen. Sometimes organizations with greater powers meet with greater resistance at some point; that is a possibility.

    The problem I have noticed is that I think the lack of powers means that our legislation is not taken seriously until a certain amount of time and effort have gone into dealing with them.

    Thank you very much.

    It is now Ms. Davidson's turn for seven minutes.

    Thank you very much.

    Welcome, Commissioner, and your colleagues along with you. It's certainly a pleasure to have you back here again. We always enjoy hearing about the great work you're doing and we thank you for what you are doing for privacy issues for Canadians.

    It never fails to amaze me that we think we can keep up with privacy issues with the way technology is changing. I find it extremely interesting that we can, to a certain extent at any rate. I know there are big challenges there and I know this is one of the things you deal with on a day-to-day basis in trying to deal with how we can keep up with that.

    You've created the technology analysis branch that you talked about and you also told us that complaints have risen. In your remarks you strongly suggest that action to bring needed change come as soon as possible. What are those changes we need to be looking at?

    Do you mean for both acts? This is the last time I'll be here for main estimates. This committee did quite a comprehensive report a couple of years ago. I think that report is still relevant.

    I would add to that the issue of some measures of data breach for the Privacy Act. Many Canadians are extremely concerned about the safety and security of their information held by the federal government. This has come out of some of our recent polling, so I would add that to the committee's last report.

    In terms of the private sector legislation, as I said when you were wrapping up your hearing on social media networks and so on, the Canadian law is now over 10 years old and has lagged behind reforms in almost every country that we can compare ourselves to, notably the G-8, in terms of having neither the substance nor the consequences, the heft necessary for it to be taken seriously, as it should be, by the increasing international online players who are the big users of personal information.

    I would hope that Parliament could look at that law once again and give it the cutting edge it needs to better protect privacy.

    Thank you.

    I still don't understand, I guess, how we can be at the leading edge instead of always trying to catch up when it comes to privacy and technology. To me, the technology always changes so quickly that we are in a reactive mode.

    Yes, I think we're always in a reactive mode. I think that's the nature of the world. There are creative entrepreneurs out there who come up with new inventions, and the rest of society adapts to that. Certainly, the legal system has always been behind changing reality, and that is through history. I guess the issue comes when the reality has changed so much compared to the legislation, which is or is not there, that it becomes a problem.

    I also draw your attention to anti-spam legislation. Again, Canada is one of the few countries that doesn't have anti-spam legislation yet in force because the regulations have not yet been published, and that's an unfortunate delay.

    I'd just like to go back a couple of minutes to the relocation. I'm just wondering how the office is managing this relocation. I expect it will have some impact. What kind of an impact will it have on the office's work, and what would that impact be?

    Thank you for the question.

    Just to put it in context, honourable member, the office has been in the same building in downtown Ottawa, not far from here, for almost its whole existence. This building is being renovated, therefore we were told we had to vacate the premises. At that point, of the new state-of-the-art buildings that were available and were close by, one was free in Gatineau, which also attracted the interest of other agents of Parliament. This is a big move. The whole office, then, was forced to make this move.

    Unlike other departments, to follow up on another honourable member's question, we don't have bits of cash left around through which we can finance a move. That's why we had to get specific money.

    The move impacts the personnel and it impacts almost all our operations. Not only do we move to a new kind of template for workspace, but we have to renew a lot of our IT equipment, even our phone lines and so on, so that is going to be a big and costly change.

    The transition, I think, is being very ably managed by Mr. Nadeau and his staff. However, it is disruptive. For this reason we have not set ourselves any ambitious, new goals for this year. We're trying to continue on with our work and ensure an orderly transition, both to a new office and for a new commissioner.

    In this new location you're going to be sharing resources with other officers of Parliament. Is that correct?

    Yes, we are.

    How many other officers?

    The other officers in the building are Elections Canada—it has the largest space—the Information Commissioner, and the Commissioner of Official Languages.

    Does the sharing of some of the office space resources pose any issues when it comes to privacy?

    No, I don't think so because we would raise that consistently because that's our job. We cannot share things to the extent that the personal information of Canadians is compromised. Those are some of the discussions that Daniel Nadeau has with his counterparts.

    Okay. You talked in your opening remarks about your four policy priorities. Could you just outline those again briefly for me?

    Yes, the four policy priorities for some years have been identity integrity, new information technology, national security, and genetic privacy.

    Ms. Davidson, I would ask that you keep it brief. You have just a few seconds left.

    I was just going to ask what progress you've made on those priorities since they've been introduced.

    That's a question that would take a long time to answer. We're trying to cap off those activities specifically with a different event, or a publication this year just to mark a pause and try to look back and see what we've done. So there are different activities or publications for each of them.

    Thank you.

    Thank you.

    It is now Mr. Andrews' turn, for seven minutes.

    Thank you very much, Mr. Chair.

    Welcome, Commissioner, again.

    My first question is regarding the investigative complaints and the time that is required to investigate complaints. How are your statistics on the number of complaints you've been getting and the timeframe in which you've been responding to them? You mentioned in your introduction that you've been getting more complaints as more people get knowledgeable. Have you been tracking your statistics on how successful you have been in investigating these?

    Yes. We track these very carefully on a monthly, and indeed a weekly basis.

    Could I refer the rest of this question to the assistant commissioner who oversees the complaint process? Thank you.

    Thank you for your question because this is good news. This is a good news story. Indeed the complaints have increased, yet through the efficiencies we have managed to build into our processes through the modernization process the commissioner was just referring to, we have been able to actually reduce timelines.

    For example, in spite of an increase in complaints, we have reduced the timelines for the complaints' management or treatment from 14.3 months to 12.6 months.

    In addition to that, we have an increase of 46% in early resolution, which means the complainant doesn't even necessarily have to file a complaint that goes through an investigation, but gets resolution in a timely fashion.

    What is the biggest demand or time constraint on your investigative unit? Is it dealing with the outside agencies, the inside agencies, departments? What's the biggest drain on your resources?

    You have just named it. Clearly the delays by the respondents are a huge factor and a factor over which we have little control.

    We do make a point of insisting on them meeting their timelines. But going back to further questions on what is the impact and what is the pressure, the technological complexity, which was mentioned earlier, means it's tougher for all of us, the investigators as well as the respondents, to establish what has truly happened in a breech.

    Commissioner, you talked about beginning an audit in regard to the electronic storage devices. Can you give us a little idea of what the scope of that audit is going to be? Can you give us a general idea of how far it's going to reach? You just mentioned it.

    As for the second part of the question, when we look at these storage devices, storing information on a device is nothing new. It has been going on for some time, back to the floppy disk, but it seems to have been heightened with this recent data breech.

    Are there any practices in the past that the departments should, are, or are not following with regard to storage devices?

    Could I again refer this to the assistant commissioner who is supervising this process too?

    We would break down the protective measures into three categories: physical, electronic, and procedural.

    Physical measures concern all the areas where sensitive information, personal information, is held. They ensure that the access is properly monitored and that drawers and filing cabinets are properly locked.

    Second, there are electronic measures. These are all the procedures such as encryption, for example, and solid passwords. If you look at our audit on wireless, for example, of certain federal institutions a few years ago, we found that the passwords were not secure and that threat and risk assessments on the wireless technology were not properly made.

    Then the third category is procedural. That includes all the policies surrounding the management of the information, for example, who has access to various information. How do we have audit trails to monitor access?

    So we look at the procedures, the structure of protection, through these three lenses to see if, indeed, all the protective measures, the safeguards, are in place.

    How wide is your audit going to be?

    Are you referring to the investigation in HRSDC, or are you referring to the wireless audit that I've just referred to?

    The HRSDC audit. When the commissioner mentioned audit, I didn't know if the two were linked.

    Yes. There are two things.

    First of all we have a commissionally launched complaint that's into HRSDC as well as Justice. In the case of the USB key, the USB key was lost in the legal services of HRSDC. Therefore, the Department of Justice is also a respondent. So that is an investigation, and it is going at a very good pace, but it is a very good example of the difficulty that technology raises. It is very complex. In addition to that, the facts are very complicated. How do you find out what has happened to a small portable device such as a hard drive or a USB key?

    The second is that, when we were informed of the breech, we thought this raised such systemic issues we should not limit our intervention to the mere investigation of that event. So we have decided to develop an audit plan for certain federal institutions, which will be picked according to sensitivity and relevance, and we will look at their management practices around portable devices.

     Don't portable devices normally have password-protected secure protection? I know my wife's does, the one that she uses with the school.

    Is that a practice that was not followed in this example, or is that something that we should be looking at?

    You will find that in our investigation report. When it is finished, we will be able to establish that.

    Commissioner, thank you for your service in the role.

     If we don't get to the review of PIPEDA, I hope you can give us a presentation before your term is up, or leave something with us to look at, regarding what you think needs to be updated in PIPEDA, if you wouldn't mind.

    Yes, I'm planning to do that within the next month, to go over at a very high level my observations and suggestions for modernizing the act going forward.

    Thank you.

    Thank you.

    Unfortunately, Mr. Andrews, your time is up.

    Mr. Carmichael now has seven minutes.

    Thank you, Mr. Chair. I too join my colleagues in welcoming you, Commissioner, and your colleagues.

    Clearly, your environment is a challenging one. As I've listened to some of the questions from all sides, I think we're all very well aligned on the challenge that faces you, particularly with the growth of technology, the changing times, and how to adapt to these times.

    To begin, could you clarify something I'd like to understand? When we look at the current budget that you presented, is the moving cost a one-time cost that is taken as a capital expense? I come from private business so I'm not sure. It could be a government funding issue in the way it's captured.

    Is that a one-time expense that we'll see?

    Yes, it's a one-time expense that's paid back over 15 years, but on how it's captured, I'll leave that to our chief of accounts.

    So we will see the annual repayment in some form in future budgets? Is that the idea?

    The repayment will be noticed through a decrease in the funding to the amount of about $270,000 a year for 15 years.

    Right.

    Commissioner, I wonder if we could talk about some of the challenges. You mentioned the social media study, and clearly, we were challenged on that. Every time we opened a new page and entertained a new witness, there was yet a whole new spectrum of challenges that seemed to jump off the page in the social media study, always privacy related.

    You talk about some of the challenges that you're facing within the four points that my colleague was asking you about earlier. I wonder if we could talk a little more about those. You mentioned identity, new information, national security, and genetic profiling, was it?

    Genetic privacy, yes.

    Could you speak a little more in-depth about that? Obviously, you said, it could take a long time. Maybe you could give us a bigger picture?

    Of what we're doing in each of them?

    Yes, those four items, because obviously, as you go forward, you're chasing technology. You mentioned that the laws of the land move slowly to capture these changes, and as you stated, entrepreneurs are creating new ideas and new technologies, and every time you're confronted with one of these new avenues, you have to figure out how to deal with it.

    To me, these are areas that are critically important to our day-to-day lives in so many ways. Could you give us a little more depth on that?

    Yes. Thank you, honourable member. These four priorities are just an in-house way—the suggestion came from the personnel—to organize our work because we're constantly bombarded with so much. As you say, there are new technologies and new issues. So what do we decide to prioritize all the questions of privacy that come up? We chose these four.

    I'll just, off the top of my head, give you a recent example of each of these. The work can be either prioritizing a complaint or prioritizing an educational vehicle, either a video or publication or a new part of our website, or it could be holding a conference or a publication or a position on draft legislation. So it's the range of all these different vehicles.

    As for identity integrity, the example I'll give is that we're soon to release a study on the implications of IP addresses. If you remember in the discussions over the last few years, particularly about draft legislation that has been withdrawn at this time, there was a debate about what you could find out from an IP address if the police had warrantless access to an IP address. Was it just like reading a phone book in the good old days? I don't know if you remember that debate.

    In our laboratory we did an online study of what you could find out using IP addresses. We hope to publish that within the next few weeks. To give you a preview—and I think this is going to demonstrate why we kind of stuck to our position that an IP address is more than an old-fashioned phone book—unlike a phone book it leads to other things, other activities and other actions that you may have taken on the web.

    In terms of new technology, my goodness, there is a tonne of that. In the coming year we are going to increasingly look at facial recognition analysis. One area that's fascinating and chilling that we've been following for several years in new technology is unmanned aerial vehicles, which we know as drones. How many drones are in Canada? What is the use of them? What are the rules around them? What could go wrong in the use of drones? What are the privacy implications?

    As for genetic information, we've funded several studies through our contributions program. We've had some studies done for ourselves. Perhaps the most recent thing we have done is examine draft legislation proposed by Senator Cowan, I believe, before the Senate, Bill S-218, an act to prohibit and prevent genetic discrimination, which is an issue we've been following for some years.

    National security has been a huge file for us over the years. I'll talk about the work we did—I was out of the office and the assistant commissioner appeared—to support the recent Bill C-55, An Act to amend the Criminal Code, to implement the Supreme Court decision on cases and conditions for warrantless access.

    That's a smorgasbord of what we do.

    Excellent. Thank you very much.

    Thank you.

    Ms. Borg, you may go ahead for five minutes.

    Thank you kindly, Mr. Chair.

    Ms. Stoddart, I, too, would like to thank you for all your hard work over the past 10 years and for your dedication to an important cause, protecting Canadians' privacy.

    My first question is as follows.

    In the case of Nexopia, especially, we saw that when organizations choose not to comply with your recommendations, you could end up going to court. I would like to get a sense of what type of a burden that represents for your office. How much time and money do you have to invest in that type of legal activity?

    Thank you for the question, Ms. Borg.

    It's a little ironic, because if you look at the annual reports we've produced since I've been in office, you see that very few legal actions end up being heard on the merits. We go to the Federal Court to try to bring the private sector to implement our recommendations. It's exceedingly rare for organizations to challenge us to the very end. They prefer to settle out of court. But, in order to force them to settle out of court—a decision they could have made earlier—we have to go through the process, obtain findings, hire lawyers, go to the Federal Court and wait for the action to take its course. That can go on for a certain amount of time before someone in the organization realizes how serious the matter is and how strong our arguments are. They are forced to choose between withdrawing or settling out of court because we have sound arguments.

    That's the pattern we've observed over the years. And, by the way, that's one of the reasons I became convinced of the importance of saying, this process has to be more efficient for Canadians. What's more, my office's resources are steadily decreasing, and we have to ensure that these settlements happen sooner.

    Thank you.

    You also said it was imperative that your office continue to work not just with the provinces, but also with other countries. What should be done? That's probably a piece of advice for the next commissioner. How can that cooperation be maintained? How can Canada help tackle this problem, which has entered the international realm given the nature of the data?

    If I may, Ms. Borg, I would ask the assistant commissioner to answer that, considering how involved she is in the international network of privacy commissioners, which is working towards the very thing you mentioned.

    I would start by saying that the Office of the Privacy Commissioner of Canada is not the only organization to understand the importance of establishing a set of international privacy standards. There is no doubt about that, given the fact that the information flows all around the world.

    In 2011, at the International Conference of Data Protection and Privacy Commissioners in Mexico City, a resolution was adopted to create a working group on international cooperation in the enforcement of laws protecting privacy. The resolution is implemented by a working group co-chaired by our commissioner and her British counterpart.

    The working group brings together a small number of privacy commissioners from around the world for the purpose of identifying barriers that can be addressed cooperatively and finding ways to overcome them to foster effective cooperation. The confidentiality rules are a tangible example. We are all bound by confidentiality rules. In order to work with other authorities, we need a protocol to protect the confidentiality of our investigations. We've now signed protocols with four countries, Great Britain, Germany, the Netherlands and Ireland.

    I will give you a real example of how we used that new power. We conducted the first international investigation with the Netherlands. Both we and our Dutch colleagues had concerns about WhatsApp, an American company that produces an application by the same name.

    So we pooled our resources. They did the technological analysis and we did the legal analysis and handled the negotiations with the company. We conducted two coordinated investigations. In my view, the results were excellent, partly because the company was up against two agencies responsible for the protection of personal information, instead of just one.

    In addition, we are building a very intensive network. We give many talks around the world, and we are contributing to the development of an international normative framework.

    The commissioner was at the OECD, in Paris, to help develop, consolidate and update the OECD's guidelines. The same week, I was in Mexico, and I gave two talks to our Mexican counterparts and at the University of Mexico on the international dimension of protecting personal information.

    Thank you.

    Ms. Bernier, I must stop you there. Ms. Borg is out of time.

    Mr. Butt, the floor is yours. You have five minutes.

    Thank you very much, Mr. Chair.

    Thanks to you and your team for being here today, Commissioner, and obviously for your great service to us over many years. We certainly will look forward to having you back, and hopefully a couple of times, before you're officially retired. We enjoy having you come to this committee. You're always very helpful and insightful.

    You did say in your presentation that your office was not subject to the deficit reduction action plan, although your office did, as you say, answer the call “to adhere to its spirit and intent”, and you did manage to implement savings of 5% of your base budget, or $1.1 million per year. Do you want to be a little more specific?

     How were you able to achieve those cost reductions, even though I think we all appreciate the fact that you're endeavouring to run the office, treat taxpayers' money respectfully, and still provide the services that you have to provide? How were you able to find those savings just on your own?

    Well, we did some very detailed examinations of our budget, and $700,000 of that came from something called the “fiscal framework”, which I gather is money that is set aside by Treasury Board in the main budget but that has not yet been granted to the office. We renounced that, which is why we're foreseeing a period of austerity for several years, because there are no credits available to give to us.

    We renounced that. The other $400,000 we are obtaining through various cost-cutting savings in reducing the scope of many of our expenses. I mentioned the move with agents of Parliament. We hope that will save us money in various activities so that we can reduce our overhead.

    I also note in your projections going forward that you're not recommending any reductions in your full-time equivalents over the next several years. You're noting 181 FTEs for this year, next year, and the year thereafter. You're not achieving those cost reductions by eliminating positions within the office. It's in other areas that you've been able to find some cost savings.

    Can you comment on that complement of 181? I know that some of my colleagues on both sides have talked about the challenges in the office, the caseload, and the types of things that are happening. Is that a number that you're confident about, given the shift in the cases that you're dealing with and how the general workflow in the office is working? I'm pleased to see that you're flatlining the number. Again, I think that shows some responsibility in the times that we're all dealing with right now, but Canadians expect a certain level of service as well.

    On this 181 FTEs factor that you're looking at, is it a number that you're confident about going forward with over the next three fiscal years? Do you think we'll still maintain the levels of service with it and achieve the goals that you've set out in your work plan?

    Thank you for that question, honourable member.

    I don't know if it's so much that I am confident in the number of 181 FTEs, but I understand that it is what I've been given to work with and that I have to be realistic about the demands I may make on the government at this particular time, given the overall environment of restraint.

     This is why I turn rather to the reform of the privacy laws in order to let us operate in a much more cost-efficient way, and also, ideally, to bring.... As we look at models around the world, in many of the countries where the commissioners can impose fines or fines are granted by the courts, the money then goes back to the government treasury to help fund this. We have none of this in the Canadian model, so ideally, if you said to me, “Could you keep another 10 technologists busy tomorrow?”, yes, I could. Yes, I certainly could, but we are trying to stay within this allotment.

    What we are doing as well is that when people move on, although we have a very low turnover rate at this time, we're questioning how we can combine functions or do things otherwise to make more efficient use of this.

    Do I have time for a last question, Mr. Chairman?

    Yes.

    Here's my last quick question. You have mentioned a number of the newer initiatives and newer challenges. Mr. Carmichael was asking you some questions about that. How are you keeping your staff up-to-date in these emerging changes and challenges?

     Do you want to talk a little bit about the staff development side? You were talking about drones and other things that maybe people in your office.... I certainly don't know a lot. How are you making sure that your people are up-to-date on what they need to know in order to deal with these emerging privacy issues, with these cases that are now coming in that many of us wouldn't be aware of or have never dealt with before and that certainly some of your people won't have seen before? What are you doing to deal with that challenge in making sure that your staff are up-to-date, as much as they can be, with those emerging trends?

    I think I'll be done then. Thank you, Mr. Chair.

    Ms. Stoddart, could you kindly answer that question in one minute.

    Mr. Chair, I am going to ask the assistant commissioner to answer.

    One minute? You're a tough chairman.

    Ms. Bernier, you have a minute and a half.

    First of all, we have a very well-developed training program, and that means on both legal issues and technological issues, as well as on writing decisions.

    We also have a strong component on the four priorities. Each is led by someone who chairs a working group on that priority. They bring in people from the outside. They will feed in research, making sure that our staff is always abreast of the latest developments on each of the priority issues.

    In addition to that, we have a very good, strong research function, which produces internal research so that all our work is based on absolutely the most up-to-date knowledge of the issues at hand. Of course our outreach and our stakeholder relationships are very helpful in that regard. We actually listen. We actually sit down with the various stakeholders to know what is coming up so that we are always ready for it.

    Thank you for your answer.

    Mr. Boulerice, go ahead for five minutes.

    Thank you, Mr. Chair.

    Thank you to Ms. Stoddart and our other witnesses for still being here. It's greatly appreciated.

    Ms. Stoddart, you've been on the job since 2003, so you've seen how things have changed in the past decade. The first question I want to ask you is a tough one. It has nothing to do with the calibre of the work that your office does; it's about the environment as a whole. Do you think Canadians' privacy is more protected today than it was in 2003, or is it more at risk?

    That's a tough question, but I won't take too long to think about it before answering. It is clear that Canadians' privacy is more at risk despite all the efforts that my team and others have made. The fact that Canadians' privacy is more at risk is due to technological advancements and the introduction of certain measures, like initiatives to record people's conversations in Canadian airports.

    The encouraging thing, however, is that, in my view, the legislation has become stronger, in terms of not just the two acts I talked about today, but other legislative measures as well. I read that the Minister of Justice talked to one of his counterparts about the possibility of strengthening the Criminal Code to prohibit certain behaviours, such as distributing photos online. I believe we do have some tools to deal with those threats.

    Speaking of tools, I was just going to bring that up.

    In 2010-11, complaints went up by 35%. New technologies that intrude more on people's privacy are being used. Today, there are data brokers. I didn't know there was even such a thing until a recent study we did. As a business model, they are actually quite worrisome. Then, you also have the phenomenon of Street View-type applications, which allow you to see licence plates on vehicles and people's homes. Do you think your office should have additional resources to face these mounting challenges?

    Ideally, as I mentioned to your colleague, the answer is yes.

    In the past few months, we've seen situations where USB flash drives containing the financial data of some 500,000 people, in some cases, have been misplaced. I know the incidents are under investigation, but I would still venture to ask you a question.

    As far as those infamous USB flash drives go, can you assure us, or are you certain, that the information was properly encrypted or protected, thus preventing anyone from being able to access the data?

    Mr. Boulerice, I think that pertains to the details of the investigation. Even if I knew the answer to that—which I don't because I'm not aware of the details of the investigation—I couldn't reveal that information at this time. That investigation is a priority because of the ramifications and the number of Canadians who complained. I hope you'll have an answer soon.

    I suspected you would say as much, but I was trying to get a scoop.

    Earlier, you referred to a new challenge and a concern you had. I wrote it down, and I would like you to elaborate a bit more on that. What concerns you about the use of drones and their impact on Canadians? More specifically, what are your misgivings or fears as far as drones go?

    I'll start with the good news. There are relatively few drones. There aren't many of them in Canada, and the Department of Transport has to issue those licences, so their operation is fairly well contained. However, the assistant commissioner, who oversaw that file, may be more up to date on the issue than I am.

    Obviously, the danger stems from the fact that these devices have the capacity to easily provide information on the daily activities of all Canadians, not to mention that they are pretty inexpensive to buy and can be used by amateurs. That isn't happening just yet. But our office has to be ahead of the curve on such issues. Imagine you're in your backyard or you're out for a leisurely Sunday drive or stroll, and a drone is monitoring you. We have to think that in the future, someone other than the state may have that ability. Will the state do it? It's worrisome. When and under what conditions will it happen? We see it happening in other countries. Those are the kinds of questions we need to ask.

    Thank you very much.

    Thank you.

    Ms. Stoddart, that brings your time with us to a close. Thank you.

    With respect to the main estimates, I must put the matter to a vote, pursuant to the rules. I will now switch to English.

    The Chair: Shall vote 45, less the amount voted in interim supply, carry?

    (Vote 45 agreed to)

    Very well.

    We will take a short break, so you can gather your things and head out, as we have other business on our agenda.

    Ms. Stoddart, thank you once again for being here today, and we look forward to seeing you before your term is officially over.

    [Proceedings continue in camera]