:
Thank you kindly, Mr. Chair.
[English]
Good afternoon, Mr. Chair and members of the committee. It's a pleasure to be here today once again to discuss our office's main estimates for this coming fiscal year.
Joining me today are assistant commissioner Chantal Bernier, who as you know is in charge of our day-to-day operations, along with our chief financial officer and director general of corporate services, Monsieur Daniel Nadeau.
During my time today I look forward to outlining and discussing some of our major priorities for the year ahead. For our office this is a year marked by both continuity and transition. On one hand our main program activities remain the same. On the other hand we will see change as we move to a new headquarters and have a change in leadership.
I'll start by talking about what remains the same. First of all let me go over planned spending by program area.
Overall we have a planned operating budget of some $29.1 million spread among four key program activities. First we have the program activity of compliance, which includes investigating privacy-related complaints as well as reviewing privacy impact assessments and undertaking audits of organizations. In the coming year this area will account for just over $11.1 million of our budget.
Next we plan to devote some $4.6 million to the area of research and policy development under which we examine emerging privacy issues as well as provide advice to Parliament on the privacy aspects of proposed legislation.
In order to continue informing individuals of their privacy rights and organizations of their obligations under the law, we intend to invest just over $3.1 million in public education and outreach program activity.
Then finally we intend to direct just more than $10.1 million to the area of internal services. These include functions such as human resources management, administration, and asset management. This amount both represents an increase from the last fiscal year and accounts for an overall increase in our budget. I want to take a moment, honourable members, to explain why this is so.
In short, the increase you see is caused by a one-year injection to cover the costs associated with moving our headquarters, something made necessary by a long-term retrofit to our current space.
I'd like to talk now a bit about my concerns regarding an orderly transition in my office. While we are a relatively small organization, relocation comes with expense. Our costs are being covered by a $4.1 million interest-free loan, which we will repay to the Treasury Board Secretariat over the next 15 years. Our move will put us in the same building as some fellow agents of Parliament. We have planned several cost efficiencies through common and shared services, and we're exploring even more.
Already we've made arrangements to share a common reception desk, a library, a server room, and a mail-processing room. This action contributes to our wider commitment to continuously improve our business processes to make the most of our existing resources. This is an important priority for our organization given the current economic environment.
As I noted in last year's remarks, while not mandated to make reductions under the deficit reduction action plan, our office answered the call to adhere to its spirit and intent. As a result we will have implemented savings of 5%, or $1.1 million, per year within our total budget by the end of fiscal year 2014-15.
In sum, while our figures show an increase because of the cost of our move, the resources we have available to meet the privacy needs of Canadians largely remained at the levels set for the last fiscal year. We made the decision to implement savings while committing to maintain the best possible level of service for Canadians. That commitment remains solidly intact for this year and underlines the need to make the most efficient use possible of our existing resources.
[Translation]
I will now move on to the importance of adapting for the privacy landscape of today and tomorrow.
As we look at the present and the future, we can all rest assured that the ever-quickening pace of technological change and its relationship with privacy will remain a constant. This is why we have created the Technology Analysis Branch, a true lab responsible for supporting investigations and audits.
Over the years, as Canadians' interest and awareness with regard to privacy issues have increased, complaints have risen. Years ago, the rise in complaints prompted a need for further funding to deal with a backlog.
Today, I’m happy to say that we have made efforts to maximize existing resources to continue getting the results that Canadians expect and deserve. Last year, we engaged in a project to simplify investigation procedures and reduce the time required to investigate complaints. This year, we plan to implement the improvements that this project identified in order to continue providing Canadians with results at a lower administrative burden.
Going further, we plan to broaden this project to complaints under PIPEDA.
In short, from both a technological and a privacy perspective, to say that the world has changed immensely in 10 years would be an understatement. And the law needs to catch up with the times. As a result, we strongly suggest that action to bring needed change be taken as soon as possible.
With only a few months remaining in my final term, it appears more and more doubtful that a second review of PIPEDA—one that is overdue—will happen before I am replaced. Nonetheless, in the coming year, our office will work to set out a roadmap to address current and future privacy challenges more effectively. It will examine how organizations can be given greater incentive to invest in privacy and information security.
In the absence of such incentives, it's up to our investigation process to bring about needed improvements. And while some companies are very cooperative, the process is generally long, drawn-out and resource-intensive.
While I certainly can't speak for the committee, I think most can agree that it shouldn't be Canadian taxpayers footing an unnecessarily large bill to fund the privacy improvements of businesses.
In addition, I want to remind everyone here about the work we undertook in the past calling for reform of the Privacy Act. The committee supported that reform. The act was written during a time when information was stored in fixed filing rooms, rather than on USB sticks and portable hard drives.
[English]
Staying with the Privacy Act for now, I would be remiss if I didn't take a moment to note the concerns Canadians have registered in the form of complaints stemming from some large-scale federal data breaches over the last few months.
This is a concern our office shares with federal departments, with Parliament, along with Canadians. In the coming months we hope to provide information to Parliament from our investigations into the loss at HRSDC of both a hard drive and a USB key in separate incidents, containing the personal information of more than half a million Canadians.
In addition to exploring systemic challenges related to the use of portable electronic storage devices by federal organizations, we plan to begin an audit in this regard.
Further on this year, we will be releasing reports on audits of both FINTRAC and the Canada Revenue Agency. Audit findings provide recommendations for subject organizations to follow. They can serve as guidance for other departments to improve practices. Our office also seeks to provide guidance to the private sector, and especially to smaller businesses.
In the year ahead our office will continue our proactive approach towards identifying and exploring emergency privacy challenges. Some of these include mobile payments, facial recognition software, intergovernmental information sharing, and consent for obtaining personal information online.
In conclusion, Mr. Chairman, let me underscore that my management team is wholly committed to ensuring that this year of transition, both to our new location and to new leadership, comes with no effect on service to Canadians. In the last year of my mandate I plan to do everything I can to ensure an orderly and a positive transition to new leadership upon my retirement in December.
I think all members around the table can agree that privacy issues are challenging and increasingly closer to home for more and more Canadians. In order for this office to continue functioning as efficiently as possible throughout the course of the year, we are now working with officials from the Privy Council Office to begin the competitive process to find a new commissioner in the near future.
As you all know, Parliament has a key role to play in the process of approving a new privacy commissioner, so I wish you well in your future deliberations on that matter.
With that, I conclude and I look forward to your questions.
Merci.
:
Thank you for the question.
Just to put it in context, honourable member, the office has been in the same building in downtown Ottawa, not far from here, for almost its whole existence. This building is being renovated; therefore, we were told we had to vacate the premises. At that point, of the new state-of-the-art buildings that were available and were close by, one was free in Gatineau, which also attracted the interest of other agents of Parliament. This is a big move. The whole office, then, was forced to make this move.
Unlike other departments, to follow up on another honourable member's question, we don't have bits of cash left around through which we can finance a move. That's why we had to get specific money.
The move impacts the personnel and it impacts almost all our operations. Not only do we move to a new kind of template for workspace, but we have to renew a lot of our IT equipment, even our phone lines and so on, so that is going to be a big and costly change.
The transition, I think, is being very ably managed by Mr. Nadeau and his staff. However, it is disruptive. For this reason we have not set ourselves any ambitious, new goals for this year. We're trying to continue on with our work and ensure an orderly transition, both to a new office and for a new commissioner.
:
We would break down the protective measures into three categories: physical, electronic, and procedural.
Physical measures concern all the areas where sensitive information, personal information, is held. They ensure that the access is properly monitored and that drawers and filing cabinets are properly locked.
Second, there are electronic measures. These are all the procedures such as encryption, for example, and solid passwords. If you look at our audit on wireless, for example, of certain federal institutions a few years ago, we found that the passwords were not secure and that threat and risk assessments on the wireless technology were not properly made.
Then the third category is procedural. That includes all the policies surrounding the management of the information, for example, who has access to various information. How do we have audit trails to monitor access?
So we look at the procedures, the structure of protection, through these three lenses to see if, indeed, all the protective measures, the safeguards, are in place.
:
Yes. Thank you, honourable member. These four priorities are just an in-house way—the suggestion came from the personnel—to organize our work because we're constantly bombarded with so much. As you say, there are new technologies and new issues. So what do we decide to prioritize all the questions of privacy that come up? We chose these four.
I'll just, off the top of my head, give you a recent example of each of these. The work can be either prioritizing a complaint or prioritizing an educational vehicle, either a video or publication or a new part of our website, or it could be holding a conference or a publication or a position on draft legislation. So it's the range of all these different vehicles.
As for identity integrity, the example I'll give is that we're soon to release a study on the implications of IP addresses. If you remember in the discussions over the last few years, particularly about draft legislation that has been withdrawn at this time, there was a debate about what you could find out from an IP address if the police had warrantless access to an IP address. Was it just like reading a phone book in the good old days? I don't know if you remember that debate.
In our laboratory we did an online study of what you could find out using IP addresses. We hope to publish that within the next few weeks. To give you a preview—and I think this is going to demonstrate why we kind of stuck to our position that an IP address is more than an old-fashioned phone book—unlike a phone book it leads to other things, other activities and other actions that you may have taken on the web.
In terms of new technology, my goodness, there is a tonne of that. In the coming year we are going to increasingly look at facial recognition analysis. One area that's fascinating and chilling that we've been following for several years in new technology is unmanned aerial vehicles, which we know as drones. How many drones are in Canada? What is the use of them? What are the rules around them? What could go wrong in the use of drones? What are the privacy implications?
As for genetic information, we've funded several studies through our contributions program. We've had some studies done for ourselves. Perhaps the most recent thing we have done is examine draft legislation proposed by Senator Cowan, I believe, before the Senate, Bill , an act to prohibit and prevent genetic discrimination, which is an issue we've been following for some years.
National security has been a huge file for us over the years. I'll talk about the work we did—I was out of the office and the assistant commissioner appeared—to support the recent Bill , to implement the Supreme Court decision on cases and conditions for warrantless access.
That's a smorgasbord of what we do.
:
I would start by saying that the Office of the Privacy Commissioner of Canada is not the only organization to understand the importance of establishing a set of international privacy standards. There is no doubt about that, given the fact that the information flows all around the world.
In 2011, at the International Conference of Data Protection and Privacy Commissioners in Mexico City, a resolution was adopted to create a working group on international cooperation in the enforcement of laws protecting privacy. The resolution is implemented by a working group co-chaired by our commissioner and her British counterpart.
The working group brings together a small number of privacy commissioners from around the world for the purpose of identifying barriers that can be addressed cooperatively and finding ways to overcome them to foster effective cooperation. The confidentiality rules are a tangible example. We are all bound by confidentiality rules. In order to work with other authorities, we need a protocol to protect the confidentiality of our investigations. We've now signed protocols with four countries: Great Britain, Germany, the Netherlands and Ireland.
I will give you a real example of how we used that new power. We conducted the first international investigation with the Netherlands. Both we and our Dutch colleagues had concerns about WhatsApp, an American company that produces an application by the same name.
So we pooled our resources. They did the technological analysis and we did the legal analysis and handled the negotiations with the company. We conducted two coordinated investigations. In my view, the results were excellent, partly because the company was up against two agencies responsible for the protection of personal information, instead of just one.
In addition, we are building a very intensive network. We give many talks around the world, and we are contributing to the development of an international normative framework.
The commissioner was at the OECD, in Paris, to help develop, consolidate and update the OECD's guidelines. The same week, I was in Mexico, and I gave two talks to our Mexican counterparts and at the University of Mexico on the international dimension of protecting personal information.