Language selection

2018-19 Departmental Plan

Operating context and key risks

Operating context

The OPC’s strategic and operating environment is in a constant state of evolution given the unrelenting speed of technological change, which is outpacing privacy protections. An increase in massive data breaches affecting millions and the blinding fast pace at which technology is morphing and advancing, represent just a few realities of today’s privacy landscape.

The swift evolution of technology—big data, the Internet of Things, biometrics and artificial intelligence, among other innovations—is continuing to have a tremendous impact on personal privacy. It is becoming increasingly difficult for individuals to fully comprehend, let alone control, how and for what purposes organizations collect, use and disclose their personal information.

Privacy issues are also becoming more inter-disciplinary and cross-jurisdictional. Respect for privacy in a digital world where data flows across borders requires collaboration with other jurisdiction. The OPC must continue information-sharing and coordination efforts with other national and international data protection authorities in order to strengthen global enforcement and protect the privacy rights of Canadians.

The OPC has long indicated that legislative changes are needed as federal privacy laws have not kept pace with the rapidly evolving privacy landscape. The OPC is encouraged that Parliamentarians have also recognized this need for change, as evidenced by a surge in ETHI Committee efforts over the last two years. 

Since 2016, Parliament has undertaken a study of both the Privacy Act and PIPEDA. The Committee report on the study of the Privacy Act supports OPC recommendations and calls for a number of changes to the law in order to modernize it. The Government of Canada has since announced that it is undertaking a study on the modernization of the law.

On February 28, 2018, the same Committee (ETHI) has also issued a study of PIPEDA and recommended several changes, including recommendations to confer to the OPC the powers to issue binding orders and impose fines for non-compliance. The Government must now respond to these recommendations.

Introduced in 2016, Bill C-59 proposes a wide range of measures intended to strengthen Canada’s national security framework in a manner that safeguards the rights and freedoms of Canadians. In previous Parliamentary briefs and government submissions the OPC called for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to privacy (particularly through privacy sensitive retention and destruction practices). The review of this legislation is still very much a live issue in Parliament and the OPC has submitted detailed recommendations.

In addition to the issues noted above, other developments are contributing to an increase in the volume and complexity of the OPC’s workload. For example, the Government’s revamped Access to Information Act (C-58) contains an amendment requiring the Office of the Information Commissioner to consult with the OPC when an order is to be made involving personal information, gives the OPC an opportunity to seek judicial review where such an order is at issue, and mandates new proactive disclosure by the OPC for various types of departmental information.

Other changes are expected, and include for example, new mandatory breach notification requirements in the private sector. New mandatory breach notification provisions for the private sector are poised to expand the OPC’s mandate. The Digital Privacy Act (formerly known as Bill S-4), received Royal Assent in June 2015, resulting in a number of significant amendments to PIPEDA. Many amendments came into force upon Royal Ascent; however, those dealing with breach reporting, notification and recordkeeping will be brought into force once related regulations are developed and in place. In October 2017, the OPC made a detailed submission as government consulted stakeholders via pre-publication of the Breach of Security Safeguards Regulations in the Canada Gazette. The Government has indicated that it hopes to have new rules in place by the end of 2018.

The complexity of our work is growing. The OPC must develop and maintain a high level of privacy expertise and become increasingly knowledgeable of an ever-expanding broad range of issues — the technologies mentioned above are but a few examples. We are also increasingly challenged by the privacy risks posed by new legislation, and corporate business models that use personal data in novel ways, often affecting personal information and the private lives of the citizenry.

To remain effective in this challenging operating context, the OPC continues to focus efforts on finding efficiencies across the Office. At the operational level, the Office is increasing the use of risk management approaches, undertaking service improvement initiatives and making greater and smarter use of technology.

At the organizational level, in the last year, the Office redefined its desired outcomes with its new Departmental Results Framework (DRF), consolidated its programs and conducted an organizational review. As a result, the Office is implementing a new organizational structure that ensures greater alignment and integration of activities. This structure, once fully implemented, should help the organization achieve its DRF objectives.

Key Risks

As noted in the previous section, the rapid rate of technological change has had a profound impact on privacy protection. Technologies such as always-on smartphones, geo-spatial tracking tools, wearable computing, cloud computing, Big Data (advanced analytics), genetic profiling, and the Internet of Things (IoT) raise significant, novel and highly complex privacy issues. These developments impact both the private and public sectors in ways that test legal boundaries, but also necessitate critical reflection and inclusive debate on appropriate ethical parameters.

To remain effective the OPC must develop and maintain a high level of privacy expertise and become increasingly knowledgeable of an ever-expanding range of issues. The Office is also increasingly challenged by the privacy risks posed by new legislation, and corporate business models that use personal data in novel ways, often affecting the private lives of Canadians.

The constant and accelerating pace of technological innovation, its expanding adoption by private and public organizations, and its profound impact on privacy protection creates challenges for the OPC’s capacity to deliver on its mandate and protect the privacy rights of Canadians.

Risk Risk Response Strategy Link to the department’s Core Responsibilities
Adapting to external environment

Ability to remain effective and innovate in the way the OPC delivers its mandate given the rapid pace of change in the external environment and the need to continually adapt.
  • Make greater use of technology to gain efficiencies (i.e., automate data entry wherever possible, use “smart” online forms).
  • Support innovation projects flowing from Blueprint 2020 within the office.
  • Make strategic use of our formal powers, including Commissioner-initiated investigations, to address privacy issues at a more systemic level.
  • Continue to build capacity and share knowledge on evolving privacy and technological issues.
Protection of privacy rights
Achieving progress on departmental results

Ability to achieve progress against departmental results should demands keep growing and resources remaining limited.
  • Fully implement the organizational review change management strategy to ensure an effective transition to the new organizational structure.
  • Refine the operational planning and monitoring processes to make sure resources are aligned with priorities and progress is monitored in a timely way.
  • Make greater use of risk management frameworks and approaches as a means to prioritize work and address capacity issues.
Protection of privacy rights
Maintaining and recruiting the right skillset

Ability to maintain or recruit the right skillset to effectively deliver on its mandate given the increasingly complex and rapidly evolving privacy landscape.
  • Continue implementation of the Integrated Business and Human Resource Plan which includes strategies to support the organization's needs.
  • Continue to build capacity and share knowledge on evolving privacy and technological issues.
  • Continue to learn and disseminate knowledge from cutting-edge research funded through the Contributions Program.
  • Continue to promote the use of OPC competency profile in staffing processes.
Protection of privacy rights
Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: