2016-17 Departmental Results Report (DRR)

Office of the Privacy Commissioner of Canada

 

(Original signed by)

The Honourable Jody Wilson-Raybould, P.C., Q.C., M.P.
Minister of Justice and Attorney General of Canada


Message from the Privacy Commissioner of Canada

I am pleased to present the Departmental Results Report of the Office of the Privacy Commissioner of Canada (OPC) for the fiscal year ending March 31, 2017.

Photo: Daniel TherrienConstant and accelerating technological change has had a profound impact on privacy protection in recent years. It is becoming increasingly difficult for Canadians to fully understand, and control, how and for what purposes government institutions and businesses collect, use and disclose their personal information. According to our latest public opinion survey, 92 per cent of Canadians expressed concern about the protection of their privacy, and nearly half said they felt as though they had lost control over how organizations collect and use their data.

In the last year, the OPC made progress in advancing its privacy priorities to help give Canadians more control over their personal information, and delivered on several key initiatives established in our plans supporting the priorities. Most notably, we completed a consultation process aimed at identifying potential improvements to the existing consent model under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

Long considered a foundational element of PIPEDA, consent is the chief mechanism by which individuals are able to express their autonomy and exercise control over their personal information. But obtaining meaningful consent has become increasingly challenging in the Internet age and the digital marketplace. We heard from many stakeholders and individual Canadians and in September 2017, we released our final report which identifies a number of improvements and offers recommendations for legislative change. I believe we need to act urgently in this area.

This past year, our Office also put forward a comprehensive series of recommendations for modernizing the Privacy Act during a study by the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI). The Committee agreed with all our recommendations in a report issued in December 2016. While government officials understandably have their own objectives when it comes to reform, they too have responded positively to our call for modernization. I look forward to working with the government in the year ahead so that we can breathe new life into the Privacy Act, which has not seen any substantive updates since it came into force back in 1983.

As always, we continued our efforts to fulfill our mandate, which includes conducting investigations, examining breach reports, undertaking audits, reviewing Privacy Impact Assessments, and offering advice to Parliamentarians.

Public education and outreach also remained an important priority for my Office in ensuring that Canadians are empowered to exercise their privacy rights, and that organizations understand their obligations. In 2016 we overhauled our website to make it more user-friendly for individuals looking for privacy information.

We provided information and guidance to enhance the privacy protection of individuals, as well as for certain vulnerable groups, such as seniors and youth. We also focused our outreach efforts on small businesses, which have less knowledge of their privacy responsibilities than larger businesses, to help strengthen accountability and promote good privacy governance.

The OPC has made optimal use of existing resources to be as effective as possible in addressing the volume and increasing complexity of work, while meeting the expectations of the public and other stakeholders in addressing privacy concerns. The following report details important achievements undertaken by my Office on behalf of Canadians during this fiscal year.

(Original signed by)

Daniel Therrien,
Privacy Commissioner of Canada

Results at a glance

For more information on the Office of the Privacy Commissioner of Canada’s plans, priorities and results achieved, see the “Results: what we achieved” section in this report.

What funds were used?

  • $23 760 728 Actual Spending

Who was involved?

  • 175 Actual FTEs

Results at a glance

  • Made important progress in advancing the OPC privacy priorities to help give Canadians more control over their personal information, and delivered on several key initiatives established in its plans supporting the priorities.
  • Continued to build and leverage effective partnerships to maximize expertise and resources to achieve positive outcomes for Canadians.
  • Contributed to the federal government’s consultation on Canada’s national security framework, in partnership with provincial and territorial counterparts.
  • Put forward a comprehensive series of recommendations for modernizing the Privacy Act during a study by the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) which were received favourably.
  • Significantly improved the OPC’s key outreach and education tool – its website – completely overhauling it to make it more user-friendly for individuals looking for privacy information.
  • Began the development of a new Results Framework that defines the results the OPC is trying to achieve for Canadians and how success will be measured.

Raison d’être, mandate and role: who we are and what we do

Raison d’être

As an agent of Parliament, the Privacy Commissioner of Canada reports directly to the House of Commons and the Senate. The mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, along with some aspects of Canada’s anti-spam law (CASL). The OPC’s mission is to protect and promote the privacy rights of individuals.Footnote 1

Mandate and role

The Privacy Commissioner’s powers to further the privacy rights of Canadians include:

  • investigating complaints, conducting audits and pursuing court action under the authority of the Privacy Act and PIPEDA;
  • publicly reporting on the personal information-handling practices of public and private sector organizations;
  • supporting, undertaking and publishing research into privacy issues; and
  • promoting public awareness and understanding of privacy issues.

The Commissioner works independently of government to investigate federal public sector-related complaints from individuals under the Privacy Act, and complaints related to the private sector under PIPEDA. He also has some designated responsibilities to ensure compliance with CASL. While his mandate to investigate includes mediation and conciliation, the Commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence. In cases where the investigation does not result in a voluntary agreement/resolution and remains unresolved, the Commissioner may seek an order from the Federal Court to address the situation under certain circumstances.

For more general information about the OPC, see the “Supplementary information” section of this report.

Operating context and key risks

Operating context

The OPC’s strategic and operating environment is in a constant state of evolution given the unrelenting speed of technological change, which is outpacing privacy protections and posing both legal and ethical challenges. New and sophisticated techniques to track, use and sometimes compromise personal information continue to be developed. These issues pose formidable challenges to the OPC and its counterparts around the world.

Because privacy issues are more interdisciplinary and cross-jurisdictional, this year again, the OPC made developing and enhancing partnerships with stakeholders a key priority. Work continued to increase information-sharing and coordination efforts with other national and international data protection authorities in order to strengthen global enforcement and enhance policy development.

2016 saw Parliament undertake a study on the Privacy Act; the Committee report supports OPC recommendations and calls for a number of changes to the law in order to modernize it. The Government of Canada has since announced that it will be undertaking a study on the modernization of the law as well. The beginning of 2017 saw Parliament also initiate a study on PIPEDA.

Public and private sector organizations constantly identify new ways to use personal information. New economic models are emerging based on the mining of personal information. These were issues that were raised during the Parliamentary studies of the Privacy Act and PIPEDA.

Moreover, the increasing amount of personal information exchanged between private- and public-sector organizations continues to pose challenges to privacy and accountability. Initiatives to expand surveillance powers, facilitate warrantless disclosures or broaden government access to personal information held by private sector organizations have given rise to heightened privacy concerns. This has prompted court actions to contain government surveillance practices, ensure effective accountability and stress the importance of due process.

Growing awareness about government surveillance has also generated proposals to reform existing oversight and control measures. The Government of Canada conducted a consultation on national security reform and cybersecurity during the course of 2016. Parliament also conducted reviews of national security, and introduced a bill to create a National Security and Intelligence Committee of Parliamentarians.

The OPC has made government surveillance one of its four privacy priorities. It has dedicated resources to reviewing the information-sharing practices of federal departments and agencies in the context of national security to ensure privacy compliance and inform public debate and awareness on the issue. The OPC has also participated in various consultations, studies, and reviews of legislation related to national security and law enforcement.

In addition to the issues noted above, other developments are contributing to an increase in the OPC’s workload. They include, for example, increasing concerns about private sector breaches, the increased complexity of complaints and investigations and rapidly evolving information technologies.

New mandatory breach notification provisions for the private sector are poised to expand the OPC’s mandate. The Digital Privacy Act (formerly known as Bill S-4), received Royal Assent in June 2015, resulting in a number of significant amendments to PIPEDA. Many amendments came into force upon Royal Assent; however, those dealing with breach reporting, notification and recordkeeping will be brought into force once related regulations outlining specific requirements are developed and in place. At the time of the writing of this report, the Office was still awaiting the introduction of the proposed regulations.

Key Risks

Risk Risk Response Strategy Link to departmental priorities

The OPC’s ability to meet increasing demands and obligations given the relentless pace of technological advances and their impact on the volume and complexity of complaints.

This risk was ranked medium in terms of likelihood and moderate in terms of impact.

To mitigate this risk the Office focused on advancing its privacy priorities and continued to find strategic and innovative ways to deliver on its mandate. Some examples include making greater use of risk management and early resolution strategies to prioritize limited investigations resources, and refining the OPC’s “smart” online information form, to dynamically provide clients with information related to their request, thereby providing them more immediate assistance and possibly reducing their need to contact the Information Centre.

Identify strategies to 1) use the powers of the law and 2) consider more proactive activities, in a more effective way.

Advance the OPC privacy priorities.

Enhance organizational capacity and agility.

Enhance strategic partnership and collaboration opportunities.

The OPC’s ability to effectively manage through a period of sustained changes due to its evolving mandate, particularly in the context of the accelerating pace of technological change, and Government of Canada change initiatives (e.g., back-office transformation).

This risk was ranked medium in terms of likelihood and moderate in terms of impact.

The Office mitigated this risk by managing with agility, building in flexibility where possible to adapt and remain responsive to the changing environment while delivering on its commitments. For instance, plans were reviewed regularly to ensure they remained achievable. As a result, the Office was able to make significant progress in advancing its privacy priorities work while also adapting to increases in parliamentary work as Parliamentarians undertook a review of both the Privacy Act and PIPEDA during the year.

As the government introduced the new pay system—Phoenix—the OPC adapted to issues with this new system, establishing additional control mechanisms and re-aligning internal processes to minimize the impact on employees.

Enhance organizational capacity and agility.

The Office’s ability to make effective use of business intelligence to support more strategic or operational decision-making.

This risk was ranked medium in terms of likelihood and moderate in terms of impact.

The Office dedicated efforts to increase the sharing of business intelligence across the Office, for instance, by sharing trends and lessons learned from outreach and compliance work more broadly within the organization.

With the introduction of the Treasury Board Policy on Results, the Office also began work to define a new Results Framework and supporting performance measurement framework at the OPC. When completed, this work will better support management decision-making by promoting the collection and regular use of performance information across the organization.

Enhance organizational capacity and agility.

Results: what we achieved

Programs

Program 1.1: Compliance Activities

Description

This Program oversees compliance with federal privacy legislation for public and private sector organizations, thus contributing to the protection of Canadians’ privacy rights. Through this Program, the OPC investigates privacy-related complaints and responds to inquiries from individuals and organizations, reviews breach reports and has the power to initiate its own investigations when warranted (Commissioner-initiated complaints). Through audits and reviews, the OPC also assesses how well organizations are complying with requirements set out in the two federal privacy laws, and provides recommendations on Privacy Impact Assessments (PIAs), pursuant to the Treasury Board Directive on Privacy Impact Assessment. This program is supported by a legal team that provides specialized advice and litigation support, and a research team with senior technical and risk-assessment support.

Results

This year again the OPC has seen a high overall volume and an increase in the complexity of its compliance work. The Office implemented a number of improvements to help deal with these increases. Notably the OPC:

  • implemented a risk management framework to assist in prioritizing complaints that have the greatest impact on privacy, which led to the piloting of additional Early Resolution strategies and tools to reduce the use of full investigations in low-risk cases;
  • developed a streamlined approach to access-related complaints under the Privacy Act, in consultation with key federal institutions;
  • developed a Quality Assurance Program and a Quality Control Program for complaints under the Privacy Act, with full implementation expected by end of 2017-18;
  • assessed the utilization/under-utilization of formal powers under PIPEDA and increased the strategic consideration and use of proactive measures to promote broad-based privacy compliance at a lower resource cost;
  • streamlined the provision of legal services in order to gain efficiencies and accelerate service delivery;
  • further enhanced its technology lab and internal technological capacity to support investigations and audits, including through the use of tools for analyzing Internet-connected devices;
  • worked towards modernizing its Case Management System (Ci2) to better identify and report on trends and to increase its outreach activities.

Many of the above noted improvements have contributed to the Office’s ability to meet its target related to service standards. However, the Office continues to see a large and growing inventory of investigations exceeding 12 months for complaints that raise more complex or systemic privacy issues. Indeed, at the end of the reporting period, the caseload of active investigations over 12 months had increased by 70 percent for both PIPEDA and Privacy Act over the previous year. This trend is of concern for the Office, as these investigations continue to challenge the OPC’s static resources.

The OPC continued to prepare for the coming into force of the Digital Privacy Act, which brings about, among other things, mandatory breach reporting for private sector organizations subject to PIPEDA. The Office embedded additional support into the structure of its dedicated Breach Response Unit thus enabling it to keep pace with the doubling of voluntary private sector breach reports since 2015 and took various measures to develop additional breach response expertise, such as bringing investigative staff from other OPC units into the Breach Response Unit on a short-term or part-time basis to develop specific breach-related skills. The experience of other jurisdictions informs us that further increases in volume of breach reports are likely to occur when mandatory breach reporting regulations are finalized. The Office foresees such an increase overwhelming its current resources and significantly limiting the Office’s capacity to respond to, and adequately address, private sector breach incidents.

On the public sector side, the Office has noted a significant drop in breaches reported in 2016-17 (147 breach reports compared to 298 in the previous year). The Office intends to follow-up with institutions in the coming months to better understand this downward shift.

Working in tandem with provincial and international counterparts helps the OPC to maximize expertise and resources to achieve positive privacy outcomes for Canadians. To that end, the OPC:

  • completed its first international tripartite investigation—with the US and Australian privacy authorities into AshleyMadison.com;
  • expanded its collaboration with domestic partners, such the Ontario Information and Privacy Commissioner;
  • participated in the fourth annual GPEN Privacy Sweep, focused on the Internet of Things, which elicited privacy-enhancing responses from a number of companies;
  • enhanced its key leadership role in international enforcement coordination as a member of the GPEN Executive Committee and administrator of the GPEN website thereby enhancing its collaborative value to a rapidly growing network of 65 member authorities.

In 2016-17, the OPC signed its first three Compliance Agreements and established a Compliance Monitoring Unit (CMU) to monitor adherence to these Agreements, and ensure sustained oversight and timely implementation of recommendations in files resulting in “well-founded and conditionally resolved” dispositions. Since its inception, the CMU has successfully monitored the implementation of organizations’ commitments to undertake corrective action—centralizing this previously distributed activity.

In line with its privacy priority action plans, the Office focused its audit and PIA review efforts on national security and surveillance, the increasing use of biometrics at border crossings, and the government’s interest in using publicly available information and social media for investigative purposes and fraud detection. With respect to privacy audits, the Office’s focus has been to assess and report on the extent to which Canadians’ information is being shared amongst government of Canada departments for national security purposes. The Office undertakes this work to help ensure that that such sharing is lawful, carefully considered, fully and clearly documented for transparency and accountability, and governed by detailed written Information Sharing Agreements.

The OPC completed the development of its new Three Year Compliance Audit and Review Plan for the federal government covering the period 2016-2019. This plan focuses the Office’s public sector audit work on those areas where there is likely to be a significant impact on the privacy of Canadians, and where the Office’s advice and recommendations would be likely to result in increased awareness of privacy risks and opportunities for improvement in personal information handling practices.

In March of 2017, the Information Centre further enhanced the features of its “smart” online information request form, which dynamically provides users with information and links to advice and guidance. This enables the Office to provide users with some immediate online assistance with their privacy questions and concerns by automatically giving them information relevant to their request while in the process of submitting their query.

On the litigation front, the OPC intervened in a number of court proceedings to help advance key privacy concepts and jurisdictional issues in Canadian law in both the public and private sectors.

Results achieved
Expected results Performance indicator Target Date to achieve target 2016-17 Actual results 2015-16 Actual result 2014-15 Actual result
1. Federal government institutions and private sector organizations meet their obligations under federal privacy legislation. 1.1 Percentage of complaints and incidents (breach notifications and OPC interventions) that are resolved to the satisfaction of the OPCFootnote 2 80% March 31, 2017 72%Footnote 3 79% 76%
1.2 Percentage of audit recommendations substantially implemented two years after publication of the final audit report 85% March 31, 2017 0%Footnote 4 100% 100%
2. Individuals receive responses to their information requests and complaints. 2.1 Percentage of information requests and complaints responded to within established service standardsFootnote 5 90% March 31, 2017 90%Footnote 6 83% 96%
3. Federal government institutions and private sector organizations receive advice and recommendations to improve their privacy practices, in compliance with federal privacy legislation and policies. 3.1 Percentage of the PIA-related advice that results in added privacy protection for government programs or initiatives 90% March 31, 2017 92% Footnote 7 93% 94%
Budgetary financial resources (dollars)
2016-17 Main Estimates 2016-17 Planned spending 2016-17 Total authorities available for use 2016-17 Actual spending (authorities used) 2016-17 Difference (actual minus planned)
11,406,623 11,406,623 11,873,204 11,216,142 (190,481)
Human resources (full-time equivalents)
2016-17 Planned 2016-17 Actual 2016-17 Difference (actual minus planned)
81 88 7

Program 1.2: Research and Policy Development

Description

This Program advances privacy knowledge, develops policy positions and provides strategic advice on the full range of privacy issues to Parliamentarians, government institutions and private sector stakeholders.

Through this program, the OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring and analysing legislative and regulatory initiatives, providing strategic, legal, policy and technical advice on key issues and developing policy positions that advance the protection of privacy rights in both the public and private sectors.

An important part of the work involves supporting the Commissioner and senior officials in providing advice to Parliament on potential privacy implications of proposed legislation, government programs and private sector initiatives. Since 2004, the Program includes the administration of the OPC Contributions Program that funds independent privacy research and related knowledge translation initiatives, to advance knowledge and promote the practical application of that knowledge in ways that enhance privacy protection for Canadians.

Results

The OPC undertook a number of actions in the first phase of its privacy priority work. It released a consultation paper on consent and PIPEDA in the spring of 2016, following which the Office received 51 written submissions. The OPC undertook consultations with stakeholders and focus group meetings with Canadians to gather their views and explore potential solutions. Likewise, the OPC issued a consultation paper on reputation, which resulted in 28 written submissions. These two consultations will shape the OPC’s position on the future of consent under PIPEDA, and its position on the “right to be forgotten”, and other recourse mechanisms to help address the reputational issues that arise from the online environment.

In terms of the OPC’s other privacy priorities, the Office made a submission to the Government of Canada’s consultations on national security and cybersecurity. The OPC also conducted internal research on digital health technologies, followed by a Global Privacy Enforcement Network (GPEN) Sweep on these technologies, and has been building up its technology lab with the tools needed to capture and analyze the information flows on the data networks of Internet-connected devices and services more generally.

This year, the OPC launched its new “Tech-know blog” to help explain complex information technologies and related privacy implications in simple language that people can more readily understand.

Throughout the year, the Office made 13 appearances and submitted 16 briefs to Parliamentary committees. In addition to its appearances and submissions on the PIPEDA study, Privacy Act reform and National Security related matters, the Office also advised Parliament on a variety of other issues, including impaired driving and connected and automated vehicles.

The Office focused its Contributions Program on the privacy priorities and related strategies, and issued a special call for proposals aimed at developing codes of practice. It also reviewed the Office's involvement in various international fora in order to maximize its overall strategic impact in protecting the personal information of Canadians. For example, as a member of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), the OPC plays a critical role in orienting the strategic directions and future work of the International Conference.

The Office continued to work actively on numerous international and domestic fora, for instance in relation to the ICDPPC, mentioned above, and as a key contributor to the 38th Annual Conference in Marrakesh. The OPC also enhanced its collaboration with Asia-Pacific partners by joining the Asia-Pacific Privacy Authorities (APPA) governance committee and agreeing to co-host, with the British Columbia Office of the Information and Privacy Commissioner (OIPC), the winter 2017 APPA meetings in Vancouver.

Further, the OPC renewed existing partnerships with its provincial and territorial counterparts to better address privacy issues of mutual interest. For example, the OPC worked with its provincial counterparts to update its policy position on Genetic Information and Insurance in light of the adoption of Bill S-201, The Genetic Non-Discrimination Act. In addition, through its consent-related work, the Office explored appropriate discussion and collaboration opportunities with many new stakeholders across Canada to better understand the challenges they face and help identify potential areas for future research or guidance.

Results achieved
Expected results Performance indicator Target Date to achieve target 2016-17 Actual results 2015-16 Actual result 2014-15 Actual result
1. Public and private sector stakeholders are enabled to develop policies and initiatives that respect privacy rights. 1.1 Percentage of stakeholder requests for guidance on policies and initiatives that were responded to by the OPC 100% March 31, 2017 100%Footnote 8 100% 100%
2. Parliamentarians are able to draw on OPC expertise to identify and address privacy issues. 2.1 Percentage of requests from parliamentarians that were responded to by the OPC within service standards 100% March 31, 2017 100% 100% 100%
3. Knowledge about privacy issues is advanced. 3.1 Increased take-up of OPC research Annual increase relative to previous year March 31, 2017 169,903 (new baseline)Footnote 9 326,882 (new baseline) 24% increase
Budgetary financial resources (dollars)
2016-17 Main Estimates 2016-17 Planned spending 2016-17 Total authorities available for use 2016-17 Actual spending (authorities used) 2016-17 Difference (actual minus planned)
3,381,673 3,381,673 3,805,990 3,365,828 (15,845)
Human resources (full-time equivalents)
2016-17 Planned 2016-17 Actual 2016-17 Difference (actual minus planned)
29 20 (9)

Program 1.3: Public Outreach

Description

This Program promotes public awareness and understanding of rights and obligations under federal privacy legislation. Through this program, the OPC delivers public education and communications activities, including speaking engagements and special events, exhibiting, media relations, and the production and distribution of promotional and educational material.

Through public outreach activities, individuals are informed about privacy and personal data protection. Such activities also enable federal and private sector organizations to better understand their obligations under federal privacy legislation.

Results

In 2016-17, the OPC worked on implementing communications and outreach strategies and related activities to enhance privacy protection for vulnerable groups, in particular seniors and young people. Through its youth communications and outreach strategy, the OPC worked with parents, teachers and other trusted sources to provide children and young people with information and guidance on how to recognize privacy risks and protect their personal information online.

The Office worked with its provincial and territorial counterparts to co-brand its popular graphic novel for students and also jointly developed three lesson plans for teachers. At the international level, the Office co-authored a resolution calling for the adoption of a framework for privacy education that will help to support the inclusion of privacy and data protection in the education of students around the world. The OPC spoke at major teacher conferences and reached over 53,000 people at multiple exhibits primarily targeting families. The Office promoted its “House Rules” privacy tool via radio and print campaigns resulting in some two million impressions. Through this work the Office learned that, while ongoing stakeholder relations are vital to the success of its campaigns, many organizations have limited resources and competing priorities. Moving forward, the Office will look at further increasing linkages between campaign activities and products, and the impacts on web visits and on the OPC’s Information Centre.

Through the OPC’s new seniors’ communications and outreach strategy, the OPC undertook activities to disseminate information to seniors to help them identify privacy issues and take action to minimize identity theft and other risks associated with their online activities. The OPC also worked with national seniors’ associations to broaden its reach.

The Office developed and updated advice on issues identified as being of particular interest to seniors, such as ID theft, online and mobile privacy. Privacy tips were promoted through a campaign on library due-date receipts, involving more than 1,000 participating libraries and resulting in 1.8 million impressions. A radio campaign included four “spots” resulting in between one and two million impressions each. The OPC also participated in senior-focused exhibits that reached over 70,000 people. Through a demographic analysis of its biennial poll of Canadians, the OPC has identified a number of key privacy issues of concern to seniors, in particular, and this information will inform the next phase of the Office’s work in this area.

In addition, the Office undertook outreach activities aimed at strengthening accountability and promoting good privacy governance among small businesses, with a new focus on the rental accommodations and retail sectors, which were found to generate a higher number of complaints against small businesses, relative to other industry sectors.

The OPC’s small business communications and outreach strategy also involved a cross-country speaking tour with the Chambers of Commerce and local media, highlighting to businesses not only what their privacy obligations are, but also how responsible privacy practices are good for business. This also provided an opportunity for the Office to hear what the key challenges are for small businesses in complying with privacy laws. The OPC developed resources that address the specific concerns of small businesses, which are generally less likely to have in-house resources to advise on privacy matters —paying special attention to those sectors mentioned above. The OPC worked with associations and business organizations to ensure guidance materials are relevant and reach the intended audiences.

The Office also developed enhanced outreach tools to disseminate educational messages from PIPEDA enforcement activities more broadly. For instance, the OPC instituted a new series of well-received events targeted at Canadian privacy professionals and businesses, where the Office ‘deconstructed’ the lessons learned from key enforcement activities.

Further, the Office overhauled its website to make it more user-friendly for individuals looking for privacy information. The OPC focused efforts on ensuring that individuals have easy access to practical and clear information and advice about privacy that helps them exercise their rights and protect their personal information, and conducted web usability testing to further enhance and refine the OPC website to ensure that it is meeting the information needs of Canadians and organizations.

The OPC’s new website features a feedback tool that allows users to comment on the OPC’s information, advice and guidance pages. For the period following the launch of the new site in September to the end of the fiscal year, we received 1,003 instances of feedback via this tool, many included specific suggestions or actionable comments. This feedback is proving to be extremely useful, and the Office is using it to guide the next phase of its web renewal work, which is focused on content enhancement.

Results achieved
Expected results Performance indicator Target Date to achieve target 2016-17 Actual results 2015-16 Actual result 2014-15 Actual result
1. Federal government institutions and private sector organizations better understand their obligations under federal privacy legislation and individuals better understand their rights. 1.1 Percentage of private sector organizations that are moderately or highly aware of their obligations under federal privacy legislation 85% March 31, 2018 n/a 82% n/a
1.2 Percentage of Canadians who feel they know about their privacy rights 30% March 31, 2017 65%Footnote 10 n/a 32%
2. Federal government institutions and private sector organizations have access to useful information about their privacy responsibilities and individuals have access to relevant and timely information to protect their privacy rights. 2.1 Annual increase in website visits Visits to OPC websites increase year over year March 31, 2017 increase of 11% Increase of 5% Increase of 31%
Budgetary financial resources (dollars)
2016-17 Main Estimates 2016-17 Planned spending 2016-17 Total authorities available for use 2016-17 Actual spending (authorities used) 2016-17 Difference (actual minus planned)
2,401,395 2,401,395 2,930,365 2,679,125 277,730
Human resources (full-time equivalents)
2016-17 Planned 2016-17 Actual 2016-17 Difference (actual minus planned)
21 16

(5)

Internal Services

Description

Internal Services are groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. The OPC’s Internal Services include Management and Oversight Services, Human Resources Management Services, Financial Management Services, Information Management Services, Information Technology Services, Real Property Services, Materiel Services, Acquisition Services, and Travel and Other Administrative Services. Internal Services include only those activities and resources that apply across an organization and not those provided to a specific program.

Results

The Internal Services Program continued to support the organization in delivering its mandate and its priorities, while also implementing mandatory Government of Canada transformation initiatives (e.g., MyGCHR, Phoenix).

The OPC conducted its sixth biennial Management Accountability Framework (MAF) self-assessment to gain insight into its management practices. This year’s self-assessment focused on Financial Management; People Management; and, Information Management and Information Technology (IM/IT) Management. Overall the assessment was very positive, with a few gaps noted in the area of IM/IT. Management is working to address these gaps in the coming year.

To allow the Office to effectively advance its privacy priorities and deliver on its mandate, the OPC continued to strengthen its financial management and stewardship through the application of a timely budget and forecasting process, monthly financial reporting analysis and discussions at senior management committee.

In-line with the Government of Canada’s initiative to modernize pay services, the Office moved to the Phoenix Pay System. In light of the complexities in implementing the new pay system, the Office established additional control mechanisms and re-aligned internal processes to minimize the impact on employees.

The Office participated in the Treasury Board (TB) Policy Reset Initiative, providing feedback on revised TB policies wherever relevant to ensure the independence of the Office is maintained and that the realities of small organizations, such as the OPC, are considered. The OPC will continue to actively participate in this initiative in the coming year and will make necessary adjustments to its internal processes and procedures to comply with revised policies as they are introduced.

On July 1, 2016, the TB introduced a new Policy on Results aimed at improving the achievement of results. In response to this new Policy, the OPC began the development of a new Results Framework that identifies the results the OPC is trying to achieve for Canadians, as well as the indicators it intends to use to measure success. This framework will not only guide the Office’s work in the coming years but it will also guide the allocation of its resources to ensure results are achieved for Canadians. This new framework will be completed in the coming year and will be unveiled in the OPC’s 2018-19 Departmental Plan.

The Office approved a new three-year Integrated Business and Human Resources Plan. This plan highlights strategies that enable the Office to recruit skilled, diverse, people and engage and develop its staff while creating a healthy, respectful workplace.

The Office embraced the Public Service Commission’s new direction in staffing. Using a balanced increase in accountability with appropriate monitoring, hiring managers now have increased flexibility in their staffing activity.

And finally, the Office pursued opportunities to partner with other Agents of Parliament to increase effectiveness, share knowledge and continue implementing best practices in areas such as information technology, administrative services, training, and human resources programs. For example, the OPC completed onboarding of the Office of the Commissioner of Lobbying of Canada (OCL) organization onto its IT platform.

Results achieved
Expected results Performance indicator Target Date to achieve target 2016-17 Actual results 2015-16 Actual result 2014-15 Actual result
The OPC achieves a standard of organizational excellence, and managers and staff apply sound business management practices. Percentage of the MAF areas where no significant gaps have been identified.Footnote 11 90% March 31, 2017 90% N/A (biennial self-assessment) 100%
Budgetary financial resources (dollars)
2016-17 Main Estimates 2016-17 Planned spending 2016-17 Total authorities available for use 2016-17 Actual spending (authorities used) 2016-17 Difference (actual minus planned)
7,324,253 7,324,253 6,766,209 6,499,633 (824,620)
Human resources (full-time equivalents)
2016-17 Planned 2016-17 Actual 2016-17 Difference (actual minus planned)
50 51 1

Analysis of trends in spending and human resources

Actual expenditures

Departmental spending trend graph

Statutory spending covers annual costs for employee benefits. Such costs may vary from year to year and are dictated by the Treasury Board Secretariat on the basis on calculated expenses and forecasts.

The graph above illustrates the OPC’s spending trend over a six-year period from 2014-15 to 2019-20.

Fiscal years 2014-15 to 2016-17 reflect the organization’s actual expenditures, as reported in the Public Accounts. Fiscal years 2017-18 to 2019-20 represent planned spending.

The overall trend in the graph illustrates a decrease from 2014-15 to 2016-17 with a slight planned increase starting 2017-18.

In 2014, the OPC moved its headquarters to a new location at 30 Victoria Street in Gatineau, Quebec. Minimal costs were incurred in 2014-15 for residual work that was completed after its relocation.

In 2016-17, the OPC was expecting to incur the cost of retroactive payments resulting from collective bargaining. Since agreements were not ratified or signed by the end of 2016-17, the OPC spent less in that year when compared to 2015-16.

Between 2017-18 and 2019-20, overall OPC spending is expected to remain stable.

Budgetary performance summary for Programs and Internal Services (dollars)
Program(s) and Internal Services 2016-17 Main Estimates 2016-17 Planned spending 2017-18 Planned spending 2018-19 Planned spending 2016-17 Total authorities available for use 2016-17 Actual spending (authorities used) 2015-16 Actual spending (authorities used) 2014-15 Actual spending (authorities used)
1.1 Compliance Activities 11,406,623 11,406,623 11,619,666 11,619,666 11,873,204 11,216,142 11,963,491 12,031,142
1.2 Research and Policy Development 3,381,673 3,381,673 3,234,249 3,234,249 3,805,990 3,365,828 2,942,391 3,040,117
1.3 Public Outreach 2,401,395 2,401,395 2,869,950 2,869,950 2,930,365 2,679,125 2,296,196 2,508,474
Subtotal 17,189,691 17,189,691 17,723,865 17,723,865 18,609,559 17,261,095 17,202,078 17,579,733
Internal Services Subtotal 7,324,253 7,324,253 6,620,626 6,620,626 6,766,209 6,499,633 6,979,325 7,990,102
Total 24,513,944 24,513,944 24,344,491 24,344,491 25,375,768 23,760,728 24,181,403 25,569,835

The increase of $0.9M between the 2016-17 Total Authorities Available for Use ($25.4M) and the 2016-17 Planned Spending ($24.5M) is due to funding received as part of the operating carry forward exercise and adjustments to the employee benefit plans.

Total Authorities Available for Use ($25.4M) compared to Actual Spending ($23.8M) resulted in a lapse of $1.6M. In addition to normal operating lapses, the OPC had set aside a significant portion of its Total Authorities Available for Use in the event collective bargaining between Treasury Board Secretariat and bargaining units would be ratified and subsequently signed prior to March 31, 2017. These did not materialize. As a result, the OPC will be seeking authority to create a frozen allotment to ensure the funds are set aside in 2016-17 and made available in future years to offset collective bargaining pressures.

Actual human resources

Human resources summary for Programs and Internal Services (full-time equivalents)
Programs and Internal Services 2014-15 Actual 2015-16 Actual 2016-17
Planned
2016-17 Actual 2017-18 Planned 2018-19 Planned
1.1 Compliance Activities 91 89 87 88 87 87
1.2 Research and Policy Development 17 20 25 20 25 25
1.3 Public Outreach 18 16 21 16 21 21
Subtotal 126 125 133 124 133 133
Internal Services 50 50 48 51 48 48
Total 176 175 181 175 181 181

Expenditures by Vote

For information on the OPC’s organizational voted and statutory expenditures, consult the Public Accounts of Canada 2017.

Alignment of Spending with the Whole-of-Government Framework

Alignment of 2016-17 Actual Spending with the Whole-of-Government Framework (dollars)
Program Spending area Government of Canada activity 2016-17 Actual spending
1.1 Compliance Activities Government Affairs A transparent, accountable, and responsive federal government 11,216,142
1.2 Research and Policy Development Government Affairs A transparent, accountable, and responsive federal government 3,365,828
1.3 Public Outreach Government Affairs A transparent, accountable and responsive federal government 2,679,125
Total Spending by Spending Area (dollars)
Spending area Total planned spending Total actual spending
Economic Affairs 0 0
Social Affairs 0 0
International Affairs 0 0
Government Affairs 17,189,691 17,261,095

Financial statements and financial statements highlights

Financial statements

Information on the OPC’s audited financial statements can be found on its website.

Financial statements highlights

The financial highlights presented below are drawn from the OPC’s financial statements, which are prepared on an accrual accounting basis while the planned and actual spending amounts presented elsewhere in this report are prepared on an expenditure basis. As such, amounts differ.

Condensed Statement of Operations (unaudited) as at March 31, 2017 (dollars)
Financial information 2016-17 Planned results 2016-17 Actual 2015-16 Actual Difference (2016-17 actual minus 2016-17 planned) Difference (2016-17 actual minus 2015-16 actual)
Total expenses 27,945,259 27,500,893 27,377,301 (444,366) 123,592
Total revenues (100,000) (138,607) (25,000) (38,607) (113,607)
Net cost of operations before government funding and transfers 27,845,259 27,362,286 27,352,301 (482,973) 9,985
Condensed Statement of Financial Position (unaudited) as at March 31, 2017 (dollars)
Financial Information 2016-17 2015-16 Difference (2016-17 minus 2015-16)
Total net liabilities 4,628,335 5,095,247 (466,912)
Total net financial assets 2,952,184 3,323,256 (371,072)
Departmental net debt 1,676,151 1,771,991 (95,840)
Total non-financial assets 2,788,284 3,287,345 (499,061)
Departmental net financial position 1,112,133 1,515,354 (403,221)

Total assets were $5,740K at the end of 2016-17, a decrease of $872K (15 percent) over the previous year’s total assets of $6,612K. Of the total assets, the Consolidated Revenue Fund totaled $2,595K (45 percent) and the Tangible Capital Assets represented $2,544K (45 percent). Accounts Receivable and Advances and Prepaid Expenses accounted for 6 percent and 4 percent of total assets, respectively.

Total liabilities were $4,628K at the end of 2016-17, a decrease of $467K (10 percent) over the previous year’s total liabilities of $5,095K. Accounts Payable/Accrued Liabilities represented the largest portion of the total liabilities, at $1,600K (35 percent). Employee Future Benefits represented a smaller portion of liabilities, at $938K, or 20 percent of the total. Vacation Pay and Compensatory Leave and Accrued Employee Salaries accounted for 18 percent and 27 percent of total liabilities, respectively.

Total expenses for the OPC were $27,501K in 2016-17.The largest share of the funds, $13,179K, or 48 percent, was spent on Compliance Activities, while Internal Services represented $7,368K of the expenditures or 27 percent of the total. Research and policy development represented $3,875K, or 14 percent, of total expenses. Public Outreach efforts represented $3,079K of the expenditures, or 11 percent of the total. (Note that expenses by program activity might differ from those identified in the Public Accounts of Canada due to the methodology used to prorate the allocation in the financial statements as well as the inclusion of related party transactions).

Supplementary information

Corporate information

Organizational Profile

Appropriate MinisterFootnote 12: Jody Wilson-Raybould

Institutional Head: Daniel Therrien

Ministerial portfolioFootnote 13: Department of Justice Canada

Enabling Instrument(s): Privacy Act, R.S.C. 1985, c. P-21; Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5

Year of Incorporation / Commencement: 1982

Reporting Framework

The OPC’s Strategic Outcome and Program Alignment Architecture of record for 2016-17 are shown below.

  1. Strategic Outcome: The privacy rights of individuals are protected
    • 1.1 Program: Compliance Activities
    • 1.2 Program: Research and Policy Development
    • 1.3 Program: Public Outreach
    • Internal Services

Supporting information on lower-level programs

The OPC does not have lower-level programs as part of its Program Alignment Architecture.

Supplementary information tables

The supplementary information tables listed in the 2016-17 Departmental Results Report are available on the OPC’s website.

  • Internal Audits and Evaluations;
  • Departmental Sustainable Development Strategy (Greening Government Operations); and,
  • User Fees, Regulatory Charges and External Fees.

Approved internal audit and evaluation reports are available on the OPC’s website.

Federal tax expenditures

The tax system can be used to achieve public policy objectives through the application of special measures such as low tax rates, exemptions, deductions, deferrals and credits. The Department of Finance Canada publishes cost estimates and projections for these measures annually in the Report of Federal Tax Expenditures. This report also provides detailed background information on tax expenditures, including descriptions, objectives, historical information and references to related federal spending programs. The tax measures presented in this report are the responsibility of the Minister of Finance.

Organizational Contact Information

30 Victoria Street
Gatineau, Quebec K1A 1H3
Canada

Telephone: 819-994-5444
Toll Free: 1-800-282-1376
Fax: 819-994-5424
TTY: 819-994-6591
Website: www.priv.gc.ca

Appendix: definitions

appropriation (crédit) : Any authority of Parliament to pay money out of the Consolidated Revenue Fund.

budgetary expenditures (dépenses budgétaires) : Operating and capital expenditures; transfer payments to other levels of government, organizations or individuals; and payments to Crown corporations.

Core Responsibility (responsabilité essentielle) : An enduring function or role performed by a department. The intentions of the department with respect to a Core Responsibility are reflected in one or more related Departmental Results that the department seeks to contribute to or influence.

Departmental Plan (Plan ministériel) : Provides information on the plans and expected performance of appropriated departments over a three-year period. Departmental Plans are tabled in Parliament each spring.

Departmental Result (résultat ministériel) : A Departmental Result represents the change or changes that the department seeks to influence. A Departmental Result is often outside departments’ immediate control, but it should be influenced by program-level outcomes.

Departmental Result Indicator (indicateur de résultat ministériel) : A factor or variable that provides a valid and reliable means to measure or describe progress on a Departmental Result.

Departmental Results Framework (cadre ministériel des résultats) : Consists of the department’s Core Responsibilities, Departmental Results and Departmental Result Indicators.

Departmental Results Report (Rapport sur les résultats ministériels) : Provides information on the actual accomplishments against the plans, priorities and expected results set out in the corresponding Departmental Plan.

Evaluation (évaluation) : In the Government of Canada, the systematic and neutral collection and analysis of evidence to judge merit, worth or value. Evaluation informs decision making, improvements, innovation and accountability. Evaluations typically focus on programs, policies and priorities and examine questions related to relevance, effectiveness and efficiency. Depending on user needs, however, evaluations can also examine other units, themes and issues, including alternatives to existing interventions. Evaluations generally employ social science research methods.

full-time equivalent (équivalent temps plein) : A measure of the extent to which an employee represents a full person-year charge against a departmental budget. Full-time equivalents are calculated as a ratio of assigned hours of work to scheduled hours of work. Scheduled hours of work are set out in collective agreements.

government-wide priorities (priorités pangouvernementales) : For the purpose of the 2016-17 Departmental Results Report, government-wide priorities refers to those high-level themes outlining the government’s agenda in the 2015 Speech from the Throne, namely: Growth for the Middle Class; Open and Transparent Government; A Clean Environment and a Strong Economy; Diversity is Canada's Strength; and Security and Opportunity.

horizontal initiatives (initiative horizontale) : An initiative where two or more federal organizations, through an approved funding agreement, work toward achieving clearly defined shared outcomes, and which has been designated (for example, by Cabinet or a central agency) as a horizontal initiative for managing and reporting purposes.

Management, Resources and Results Structure (Structure de la gestion, des ressources et des résultats) : A comprehensive framework that consists of an organization’s inventory of programs, resources, results, performance indicators and governance information. Programs and results are depicted in their hierarchical relationship to each other and to the Strategic Outcome(s) to which they contribute. The Management, Resources and Results Structure is developed from the Program Alignment Architecture.

non-budgetary expenditures (dépenses non budgétaires) : Net outlays and receipts related to loans, investments and advances, which change the composition of the financial assets of the Government of Canada.

performance (rendement) : What an organization did with its resources to achieve its results, how well those results compare to what the organization intended to achieve, and how well lessons learned have been identified.

performance indicator (indicateur de rendement) : A qualitative or quantitative means of measuring an output or outcome, with the intention of gauging the performance of an organization, program, policy or initiative respecting expected results.

performance reporting (production de rapports sur le rendement) : The process of communicating evidence-based performance information. Performance reporting supports decision making, accountability and transparency.

planned spending (dépenses prévues) : For Departmental Plans and Departmental Results Reports, planned spending refers to those amounts that receive Treasury Board approval by February 1. Therefore, planned spending may include amounts incremental to planned expenditures presented in the Main Estimates.

A department is expected to be aware of the authorities that it has sought and received. The determination of planned spending is a departmental responsibility, and departments must be able to defend the expenditure and accrual numbers presented in their Departmental Plans and Departmental Results Reports.

plans (plans) : The articulation of strategic choices, which provides information on how an organization intends to achieve its priorities and associated results. Generally a plan will explain the logic behind the strategies chosen and tend to focus on actions that lead up to the expected result.

priorities (priorité) : Plans or projects that an organization has chosen to focus and report on during the planning period. Priorities represent the things that are most important or what must be done first to support the achievement of the desired Strategic Outcome(s).

program (programme) : A group of related resource inputs and activities that are managed to meet specific needs and to achieve intended results and that are treated as a budgetary unit.

Program Alignment Architecture (architecture d’alignement des programmes) : A structured inventory of an organization’s programs depicting the hierarchical relationship between programs and the Strategic Outcome(s) to which they contribute.

results (résultat) : An external consequence attributed, in part, to an organization, policy, program or initiative. Results are not within the control of a single organization, policy, program or initiative; instead they are within the area of the organization’s influence.

statutory expenditures (dépenses législatives) : Expenditures that Parliament has approved through legislation other than appropriation acts. The legislation sets out the purpose of the expenditures and the terms and conditions under which they may be made.

Strategic Outcome (résultat stratégique) : A long-term and enduring benefit to Canadians that is linked to the organization’s mandate, vision and core functions.

sunset program (programme temporisé) : A time-limited program that does not have an ongoing funding and policy authority. When the program is set to expire, a decision must be made whether to continue the program. In the case of a renewal, the decision specifies the scope, funding level and duration.

target (cible) : A measurable performance or success level that an organization, program or initiative plans to achieve within a specified time period. Targets can be either quantitative or qualitative.

voted expenditures (dépenses votées) : Expenditures that Parliament approves annually through an Appropriation Act. The Vote wording becomes the governing conditions under which these expenditures may be made.

Date modified: