2017-18 Departmental Results Report (DRR)

Office of the Privacy Commissioner of Canada

(Original signed by)

The Honourable Jody Wilson-Raybould, P.C., Q.C., M.P.
Minister of Justice and Attorney General of Canada


Message from the Privacy Commissioner of Canada

I am pleased to present the Departmental Results Report of the Office of the Privacy Commissioner of Canada (OPC) for the fiscal year ending March 31, 2018.

Much of our focus during the past year was on shifting to a more proactive approach to privacy protection in order to have a broader and more positive impact on the privacy rights of a greater number of Canadians.

It’s an exercise that culminated last fall when we published our Report on Consent following an extensive consultation with Canadians, the privacy community and other stakeholders.

In it, we outlined a series of actions our office would take, as well as recommendations for legislative change, including new powers to make orders and issue fines under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

We believe the proposals can help address challenges associated with the opaqueness of business models and the complexity of information flows in the age of data analytics, artificial intelligence, robotics, genetic profiling and the Internet of Things.

Among our key commitments was a plan to update and issue new guidance to individuals on how to exercise their privacy rights - and to organizations on how to respect their privacy obligations. In late September we issued draft guidelines for businesses on obtaining meaningful consent and inappropriate data practices, both of which were finalized in May following further discussions with stakeholders.

Additionally, we furthered our work on the complex issue of online reputation and privacy, releasing a Draft Position on Online Reputation in January. In our report, we concluded that Canadians need better tools to help them to protect their online reputation. We highlighted measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.

This past year also saw numerous appearances before Parliament aimed at asking legislators to modernize Canada’s grossly outdated privacy laws, including the Privacy Act which has seen no substantive upgrades since 1983. For instance, in our appearances and submissions on Bill C-59, we proposed amendments to better balance privacy and national security. The government agreed with the vast majority of our recommendations and took measures to address many of our concerns. We welcome the revised bill that was passed in June by the House of Commons and is now awaiting consideration by the Senate in the fall.

One of our most significant achievements this past year was to develop a new Departmental Results Framework that lays out our new organizational structure, vision and objectives and provides a clear path forward. We streamlined our operations by clarifying program functions and reporting relationships, and we became more forward-looking by shifting the balance of our activities towards greater proactive efforts.

As a product of this change, our work now falls into one of two program areas: promotion and compliance. Activities aimed at bringing departments and organizations into compliance are now part of our Promotion Program, while those related to addressing existing compliance issues fall under our Compliance Program. This new framework and program structure was unveiled in our 2018-19 Departmental Plan. Hence, as this report relates to the fiscal year ending March 31, 2018, it is aligned with our previous program framework.

By delineating our activities and results more clearly under the Promotion and Compliance programs, we chart a new course for the OPC. We become more proactive and more citizen-focused. In so doing, we seek to empower Canadians to exert greater control over their personal information, and to give them greater confidence that their privacy rights will be protected.

The following report details important achievements undertaken by my Office on behalf of Canadians during the past fiscal year.

(Original signed by)

Daniel Therrien,
Privacy Commissioner of Canada

Results at a glance

For more information on the OPC’s plans, priorities and results achieved, see the “Results: what we achieved” section in this report.

What funds were used?

  • $25,689,371
    Actual Spending

Who was involved?

  • 173
    Actual FTEs

Results at a glance

  • Made important progress in advancing the OPC’s privacy priorities to help give Canadians more control over their personal information. Delivered on several key initiatives established in its plans supporting the priorities, including the issuance of our reports and guidelines on consent, inappropriate practices and online reputation.
  • Appeared before Parliament and made several recommendations on Bill C-59 with a view to strengthening Canada’s national security framework in a manner which balances privacy and security. Most of these recommendations were adopted by the House of Commons.
  • Supported parliamentary initiatives to reform federal privacy legislation, including the Standing Committee on Access to Information, Privacy and Ethics’ review of PIPEDA.
  • Initiated interjurisdictional and complex investigations such as Facebook/AIQ and Equifax.

Raison d’être, mandate and role: who we are and what we do

Raison d’être

As an agent of Parliament, the Privacy Commissioner of Canada reports directly to the House of Commons and the Senate. The mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, along with some aspects of Canada’s anti-spam law (CASL). The OPC’s mission is to protect and promote the privacy rights of individuals. (Footnote 1)

Mandate and role

The Privacy Commissioner’s powers to further the privacy rights of Canadians include:

  • investigating complaints, conducting audits and pursuing court action under the authority of the Privacy Act and PIPEDA;
  • publicly reporting on the personal information-handling practices of public and private sector organizations;
  • supporting, undertaking and publishing research into privacy issues; and
  • promoting public awareness and understanding of privacy issues, including appearing before Parliament on proposed legislation and studies on issues affecting the privacy rights of Canadians.

The Commissioner works independently of government to investigate federal public sector-related complaints from individuals under the Privacy Act, and complaints related to the private sector under PIPEDA. He also has some designated responsibilities to ensure compliance with CASL.

The Commissioner may address complaints through mediation and conciliation; he also has the power to summon witnesses, administer oaths, and compel the production of evidence. In cases where the investigation does not result in a voluntary agreement/resolution and remains unresolved, the Commissioner may seek an order from the Federal Court to address the situation under certain circumstances.

For more general information about the OPC, see the “Supplementary information” section of this report.

Operating context and key risks

Operating context

The Office’s strategic and operating environment evolves rapidly year over year, given technological change and global developments. Privacy protections often lag behind sophisticated techniques that continue to be developed to collect, use and share personal information. These present constantly shifting challenges for us and our counterparts around the world.

The last several years have seen steep increases in the number of individuals affected by data breaches, particularly in the commercial sector. Fiscal year 2017-18 saw massive data breaches caused by vulnerabilities in databases containing Canadians’ personal information:

  • the hack of Equifax’s systems impacted 100,000 Canadian consumers’ information;
  • Bell Canada’s breach affected 1.9 million personal email addresses;
  • the Nissan Canada cyberattack compromised the personal information of 1.3 million people; and
  • the Uber incident affected over 800,000 individuals in Canada alone.

We’ve opened investigations into several of these breaches, many of which are ongoing. Added to this, in early 2018, was the complexity of interjurisdictional complaints such as the Facebook/Aggregate IQ investigation. With good reason, these incidents trigger increased call volumes to the Office and higher numbers of complaints.

From an organizational perspective, they also tend to generate more media requests as journalists react, calls to appear before Parliament as legislators examine the issues, and added calls for support and guidance from various sectors involved. These interactions with other branches of government, regulators, elected officials and researchers can be complex undertakings in their own right and they tend to affect the available resources of the entire organization.

New mandatory breach notification provisions for the private sector are poised to expand our mandate. The Digital Privacy Act (formerly known as Bill S-4), received royal assent in June 2015, resulting in a number of significant amendments to PIPEDA. We provided comments on the proposed regulations with respect to the content of breach reports to the Privacy Commissioner, record-keeping requirements, and the timeframe for the coming into force of the regulations. The provisions under PIPEDA dealing with mandatory breach reporting, notification and record-keeping will come into force November 1, 2018.

Privacy has always been an inter-disciplinary, cross-jurisdictional issue and recent developments only emphasize how developing and enhancing partnerships needs to be a key priority for us to be effective. We are continuing efforts to augment information-sharing and coordination efforts with other national and international data-protection authorities, as well as other consumer-protection regulators, in order to strengthen global enforcement and enhance policy development.

The European Union’s General Data Protection Regulation (GDPR) came into force in May 2018, potentially creating new obligations for Canadian businesses that handle the personal information of individuals in Europe. While the GDPR and Canada’s federal private sector privacy law, PIPEDA, share a number of core tenets, they are different laws. The Office is not responsible for enforcing compliance with the GDPR.

The challenges faced by our colleagues in the international community reflect those we are experiencing at home. Personal information is at the heart of the digital revolution, transforming virtually every aspect of daily life. It is central to new online business models and is at the heart of how government wants to transform its services to Canadians.

We have long indicated that legislative changes are needed, as federal privacy laws have not kept pace with the rapidly evolving privacy landscape. We are encouraged that parliamentarians have also recognized this need for change, as evidenced by a surge in the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) efforts over the last two years.

Since 2016, Parliament has undertaken a study of both the Privacy Act and PIPEDA. The Committee report on the study of the Privacy Act supports our recommendations and calls for a number of changes to the law in order to modernize it. The Government of Canada announced in 2016 its intent to start work towards modernizing the law; however, no concrete proposal has yet been made public.

Last February, the same Committee (ETHI) also issued a study of PIPEDA and recommended several changes, including recommendations to confer to the Office the powers to issue binding orders and impose fines for non-compliance. The government agreed that changes are required to our privacy regime and signaled its intent to further study the viability of all options, for instance on enforcement models, with a view to presenting Canadians with proposals. To that end the Minister of Innovation, Science and Economic Development announced in June 2018 a national digital and data consultation, which could eventually result in amendments to PIPEDA in several years.

We have also responded to the welcome increase in attention to privacy issues by parliamentarians. Specifically, Parliament continues to review legislation actively with privacy in mind. As an agent of Parliament, we find this surge in interest in privacy issues encouraging.

The increasing amount of personal information exchanged between private and public sector organizations continues to pose challenges to privacy and accountability. Initiatives around border security, legislation to enable information-sharing, or discussions to expand government access to personal information held by private sector organizations have given rise to heightened privacy concerns.

Growing awareness about government surveillance has also generated proposals to reform existing oversight and control measures. We provided our views to Parliament on Bill C-59, An Act Respecting National Security Matters, which introduces a wide range of measures intended to strengthen Canada’s national security framework in a manner that safeguards the rights and freedoms of Canadians.

We were pleased that the government agreed with the vast majority of our recommendations and took measures to address many of our concerns. The revised bill is now awaiting consideration by the Senate in the fall.

Key Risks

Risk related to programs and business activities with high privacy risks not being reviewed by the OPC because of limited resources.

Mitigating strategy and effectiveness:

  • Adopted a new Departmental Results Framework and program structure in line with a more proactive approach to privacy protection.
  • Continued to prioritize the review of PIAs that present the highest privacy risks.
  • Our office streamlined criteria to action breach reports under PIPEDA, and looked to increased collaboration with international and domestic partners where appropriate, as we did with Facebook and Equifax.
  • Using available resources, we continued to prioritize PA breaches based on a risk-management framework.
  • Proactively embarked on a review of privacy breach reporting within the federal public sector to promote the importance of safeguarding.

Link to the department’s Programs:

  • Compliance activities

Link to departmental priorities:

  • Effective oversight of compliance with federal privacy legislation

Risk related to the OPC’s ability to maintain or recruit the right skillset to effectively deliver on its mandate, given the increasingly complex and rapidly evolving privacy landscape.

Mitigating strategy and effectiveness:

  • Implemented a competency-based staffing pilot project;
  • Continued the OPC Privacy Conversations, Tech Talks and Tech Blog series to build capacity and share knowledge on evolving privacy and technological issues;
  • Continued the learning and dissemination of knowledge from cutting-edge research funded through the Contributions Program;
  • The ability to maintain and recruit the right skillset remains a risk in the rapidly evolving privacy landscape and additional work will be done in 2018-19 to further mitigate this risk.

Link to the department’s Programs:

  • Compliance activities
  • Research and policy development
  • Public outreach

Link to departmental priorities:

  • Maintain and recruit the right skillset

Risk related to the OPC’s ability to deliver on all its privacy priority commitments as the volume of responsive work continues to increase across the organization.

Mitigating strategy and effectiveness:

  • The conduct of a formative evaluation to measure progress to date and early impact of the work in advancing the privacy priorities was pushed back to 2018-19 due to competing priorities.
  • However, throughout the year, we closely monitored progress against plans to advance the privacy priorities and refined them as needed to ensure they continued to be feasible. As a result, our Office was able to deliver on the initiatives in its medium-term plans.

Link to the department’s Programs:

  • Compliance activities
  • Research and policy development
  • Public outreach

Link to departmental priorities:

  • Achieving progress in advancing the OPC’s privacy priorities

Results: what we achieved

Programs

Program 1.1: Compliance Activities

Description

This program oversees compliance with federal privacy legislation for public and private sector organizations, thus contributing to the protection of Canadians’ privacy rights. Through this program, the OPC investigates privacy-related complaints and responds to inquiries from individuals and organizations, reviews breach reports and has the power to initiate its own investigations when warranted (Commissioner-initiated complaints).

Through audits and reviews, the OPC also assesses how well organizations are complying with requirements set out in the two federal privacy laws, and provides recommendations on Privacy Impact Assessments (PIAs), pursuant to the Treasury Board Directive on Privacy Impact Assessment. This program is supported by a legal team that provides specialized advice and litigation support, and a research team with senior technical and risk-assessment support.

Results

Providing Canadians with the level of privacy protection they expect and deserve is what drives our work under this program. However, we continued to encounter challenges responding to complaints within service standards (Footnote 2) and faced difficulty conducting privacy breach reviews.

Despite the elevated breach volumes we address today, our study of public sector breaches last year revealed that institutions still do not consistently and appropriately address privacy incidents. Although follow-ups with key institutions are planned for the coming year, our ability to address this trend has necessarily been limited by resource constraints.

In the private sector, we opened several investigations into high-profile cyber breaches and/or large-scale privacy incidents in the last year alone: Equifax, Uber, and Facebook/AIQ represent a small handful of such investigations. Combined with the inevitable increased demands of mandatory private-sector breach notification, anticipated to be in full force this coming year, significant and increasing challenges are on the horizon.

We continued to undertake several initiatives with a view to improving the timeliness of investigations and increasing our capacity to address issues carrying the greatest privacy risk to Canadians. Under a lean perspective, an inventory of certain low-risk Privacy Act complaints was implemented to bring investigators’ workload to a manageable level and enable us to dedicate more resources to closing aging investigations. These initiatives, in addition to the hiring of temporary resources, resulted in a 32% decrease in the overall number of Privacy Act active investigations over 12 months at year-end.

The efforts to close complaints in 2017-18, a number of which were several years old, added approximately one month to the average time taken to close an investigation.

Furthermore, early resolution continued to be a focus this past year. For example, we piloted summary investigations to issue shortened final reports. As such, 36.5% of complaints were early-resolved under the Privacy Act and 65.9% under PIPEDA.

Under PIPEDA, the Compliance Monitoring Unit ensured the satisfactory implementation of all recommendations outstanding at file closure. We also began entering into compliance agreements outside of full, cost-intensive investigations, representing an efficiency gain. An increased use of site visits and a continued focus on discontinuing complaints as appropriate allowed us to remain innovative and flexible.

Our Office conducted a study on best practices across organizations that operate an enquiries function similar to our Information Centre. Elements from the study will be implemented as appropriate in 2018-19.

As government surveillance is one of the Office’s four privacy priorities, we have dedicated resources to assessing federal government initiatives involving surveillance through PIAs, consultations and reviews.

We prioritized our review of programs and activities that involve the scrutiny and monitoring of individuals crossing borders. In this regard, we completed our reviews of:

  • the Canada Border Services Agency’s (CBSA) Scenario Based Targeting (SBT) program;
  • PIAs for the implementation of automated Primary Inspection Kiosks (PIK) at Canadian airports, and for increased sharing of immigration information by Immigration, Refugees and Citizenship Canada (IRCC) to international partners.

We noted a number of areas needing improvement in each assessment and our recommendations were accepted by both organizations.

We also conducted our third audit of FINTRAC. In addition to following up on recommendations made during our previous audit in 2013, the scope of this audit included the technical structure supporting their data and the role of Shared Services Canada (SSC) in safeguarding the IT infrastructure on which the organization’s information resides.

We found that they had made limited progress in dealing with our recommendations from 2013 and we identified a number of other privacy concerns. We provided several recommendations to address these findings, all of which were accepted by the organization.

We undertook the second phase of our Review of the operationalization of the Security of Canada Information Sharing Act (SCISA) which focused on the nature of information exchanges and mechanisms in place to ensure personal information was handled in accordance with legal and policy requirements. Our review found procedural deficiencies in the operationalization of SCISA. We made several recommendations to each of the five entities examined, all of which were accepted in whole or in part.

We also made efforts to better understand the extent to which personal information was shared for national security purposes using legal authorities other than SCISA. Although inquiries were made in that regard, we shifted our priority to a review of the Canadian Security Intelligence Service (CSIS) Operational Data Analysis Centre (ODAC) following the release of a federal court judgement involving some of ODAC’s data-retention practices.

Our review focused on the actions taken by CSIS to address the court’s decision regarding ODAC’s retention of third-party, non-threat related metadata. While work was ongoing at the time our review concluded, we were satisfied that CSIS’ plan, on its face, was in keeping with the court’s decision.

The Office’s active engagement in collaborative enforcement initiatives in 2017-18 represents a strategic leveraging of our domestic and international partners to maximize capacity internally. For example, through the Unsolicited Communications Enforcement Network (UCENet), we continued to strengthen relationships with anti-spam, telecommunications and consumer protection enforcement agencies to ensure more effective enforcement under CASL.

We also co-led the first international Global Privacy Enforcement Network Practitioners’ Workshop in June 2017. Broadly speaking, these collaborations have allowed us to become a global leader in international enforcement cooperation.

By leveraging the capacity of our international and domestic partners, we are also able to complete investigations into complex global issues in a way that is cost effective, efficient, and timely.

For example, together with the Federal Trade Commission and the Hong Kong DPA, we completed an investigation into VTech Technologies in 2017-18. This resulted in enhanced safeguards to better protect the personal information of millions globally, including more than 500,000 Canadian children and parents.

Results achieved

Expected result 1. Federal government institutions and private-sector organizations meet their obligations under federal privacy legislation.

  • Performance indicator 1.1: Percentage of complaints and incidents (breach notifications and OPC interventions) that are resolved to the satisfaction of the OPC. (Footnote 3)
    Target: 85%
    Date to achieve target: March 31, 2018
    2017-18 Actual results: 97% (Footnote 4)
    2016-17 Actual result: 72%
    2015-16 Actual result: 79%
  • Performance indicator 1.2: Percentage of audit recommendations substantially implemented two years after publication of the final audit report.
    Target: 85%
    Date to achieve target: March 31, 2018
    2017-18 Actual results: 67%
    2016-17 Actual result: 0% (Footnote 5)
    2015-16 Actual result: 100%

Expected result 2. Individuals receive responses to their information requests and complaints.

  • Performance indicator 2.1: Percentage of information requests and complaints responded to within established service standards. (Footnote 6)
    Target: 90%
    Date to achieve target: March 31, 2018
    2017-18 Actual results: 86% (Footnote 7)
    2016-17 Actual result: 90%
    2015-16 Actual result: 83%

Expected result 3. Federal government institutions and private-sector organizations receive advice and recommendations to improve their privacy practices, in compliance with federal privacy legislation and policies.

  • Performance indicator 3.1: Percentage of PIA-related advice that results in added privacy protection for government programs or initiatives.
    Target: 90%
    Date to achieve target: March 31, 2018
    2017-18 Actual results: 90% (Footnote 8)
    2016-17 Actual result: 92%
    2015-16 Actual result: 93%

Budgetary financial resources (dollars)

  • 2017-18 Main Estimates: 11,619,666
  • 2017-18 Planned spending: 11,619,666
  • 2017-18 Total authorities available for use: 12,424,822
  • 2017-18 Actual spending (authorities used): 12,112,252
  • 2017-18 Difference (actual spending minus planned spending): 492,586

Human resources (full-time equivalents)

  • 2017-18 Planned full-time equivalents: 87
  • 2017-18 Actual full-time equivalents: 85
  • 2017-18 Difference (Actual full-time equivalents minus planned full-time equivalents): (2)

Program 1.2: Research and policy development

Description

This program advances privacy knowledge, develops policy positions and provides strategic advice on the full range of privacy issues to parliamentarians, government institutions and private-sector stakeholders.

Through this program, the OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring and analysing legislative and regulatory initiatives, providing strategic legal, policy and technical advice on key issues and developing policy positions that advance the protection of privacy rights in both the public and private sectors.

An important part of the work involves supporting the Commissioner and senior officials in providing advice to Parliament on potential privacy implications of proposed legislation, government programs and private-sector initiatives. Since 2004, the Program includes the administration of the Personal Information Protection and Electronic Documents Act Contributions Program that funds independent privacy research and related knowledge translation initiatives, to advance knowledge and promote the practical application of that knowledge in ways that enhance privacy protection for Canadians.

Results

A key activity of this program is contributing information and recommendations to legislative reviews, regulatory consultations and subject studies. These can be undertaken both by parliamentary committees and government departments. As an agent of Parliament, charged with advising both Parliamentarians and governmental bodies on privacy, the Office places significant weight on these activities. In 2017-18, we provided input into a number of complex pieces of legislation and studies.

Unfortunately, one area that has not progressed in the past year is the review of the Privacy Act, which is the establishing statute of the Office. We have advocated for many years that this law needs an overhaul. In early 2017, the government made a commitment to Parliament that it would thoroughly review the law. No further details have been made public since that time.

In recent years, we have experienced a steady increase in Parliamentary requests for input on bills and studies. Other than the work of the ETHI Committee, we are (at the time of writing) actively monitoring 11 other studies and are engaged in monitoring and preparing for possible engagement on 13 bills with privacy implications that are currently before Parliament. We appeared before parliamentary committees on 14 occasions and submitted 20 briefs for consideration.

We also responded to a number of government public consultations. For instance, we provided a submission to the Competition Bureau in relation to its discussion paper: Big data and Innovation: Implications for Competition Policy in Canada and two submissions related to consultations by the Department of Finance Canada: one on the new oversight framework for retail payments and another positioning Canada’s financial sector for the future.

We continued our research work with a view to advancing knowledge of privacy risks and privacy-enhancing solutions, and sharing this knowledge in the form of practical guidance for stakeholders. For example, we anticipate issuing guidance on such widely debated issues as the Internet of Things, de-identification, artificial intelligence, digital health devices, and privacy breach-reporting requirements.

Our policy development work to identify improvements to the current consent model concluded last fall. We published a report outlining the results of our consultation on consent, which included actions and recommendations to address consent challenges posed by the digital age. We then updated and posted for public comment guidance on online consent and new guidance for businesses on inappropriate zones where the use of personal information, even with consent, should be prohibited. This feedback helped inform the final guidance that we provided on this subject in May 2018.

In addition, our work on the complex issue of online reputation continued. We published a draft position aimed to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration. The report sets out recourses, such as the right to ask search engines to de-index web pages and take down online information, and emphasizes the need for education. We have received feedback on the draft position, and are now determining appropriate next steps.

Calls under the Contributions Program are also increasingly focused on cutting-edge, innovative solutions to privacy issues across all the priorities. Indeed, as an example of this, the call for proposals for projects in 2017-18 encouraged applicants to develop privacy-enhancing technologies (PETs) to allow online users to protect their private information by letting them decide what data they are willing to share with third parties and under which circumstances.

We also published a systematic review of PETs, with the view of informing Canadians of the general types of privacy-enhancing technologies available and helping advance research and knowledge in this area.

Results achieved

| Expected results | Performance indicators | Target | Date to achieve target | 2017-18 Actual results | 2016-17 Actual results | 2015-16 Actual results |
|---|---|---|---|---|---|---|
| 1. Public- and private-sector stakeholders are enabled to develop policies and initiatives that respect privacy rights. | 1.1 Percentage of stakeholder requests for guidance on policies and initiatives that were responded to by the OPC. | 100% | March 31, 2018 | 100% | 100% (Footnote 9) | 100% |
| 2. Parliamentarians are able to draw on OPC expertise to identify and address privacy issues. | 2.1 Percentage of requests from parliamentarians that were responded to by the OPC within service standards. | 100% | March 31, 2018 | 98% | 100% | 100% |
| 3. Knowledge about privacy issues is advanced. | 3.1 Increased take-up of OPC research. | Annual increase relative to previous year | March 31, 2018 | 132,470 (22% decrease) (Footnote 10) | 169,903 (transition towards new baseline) (Footnote 11) | 326,882 |

Budgetary financial resources (dollars)

| 2017-18 Main estimates | 2017-18 Planned spending | 2017-18 Total authorities available for use | 2017-18 Actual spending (authorities used) | 2017-18 Difference (actual spending minus planned spending) |
|---|---|---|---|---|
| 3,234,249 | 3,234,249 | 3,959,583 | 3,797,155 | 562,906 |

Human resources (full-time equivalents)

| 2017-18 Planned full-time equivalents | 2017-18 Actual full-time equivalents | 2017-18 Difference (actual full-time equivalents minus planned full-time equivalents) |
|---|---|---|
| 25 | 21 | (4) |

Program 1.3: Public outreach

Description

This program promotes public awareness and understanding of rights and obligations under federal privacy legislation. Through this program, the OPC delivers public education and communications activities, including speaking engagements and special events, exhibiting, media relations, and the production and distribution of promotional and educational material.

Through public outreach activities, individuals are informed about privacy and personal data protection. Such activities also enable federal and private-sector organizations to better understand their obligations under federal privacy legislation.

Results

Throughout the year, we worked to educate individuals about their privacy rights to help support them in making informed privacy decisions to protect themselves.

We also undertook work to increase businesses’ and institutions’ awareness of their privacy obligations and help them comply with privacy legislation. The demand and need for information vastly exceeded our capacity to respond. With that in mind, communications and outreach strategies helped focus and guide our efforts.

In 2017-18, our outreach strategies for individuals were geared towards educating Canadians on protecting their personal information. We provided them with information through a variety of channels, including radio campaigns and a till-tape campaign in libraries across Canada.

We had an additional focus on educating youth and seniors. Presentation packages were produced to support seniors-serving organizations, and we developed a section dedicated to seniors on our website.

Initiatives aimed at children and youth focused on working with adult influencers, such as parents, teachers, librarians, various youth-serving organizations, and other trusted sources to provide information and advice on online privacy risks and how to mitigate them. For example, we included an insert promoting privacy resources to three million parents in the Canada Child Benefit notices sent out by Canada Revenue Agency.

We conducted our biennial poll of businesses in 2017-18. Despite numerous high-profile data breaches in recent years, concerns over data breaches among Canadian businesses decreased, with the proportion not concerned rising to 50% from 44% in 2015. The survey found that small businesses continue to be less aware of their privacy responsibilities than larger organizations, with only 43% of small businesses indicating awareness. In response to this survey, we developed and implemented a strategy targeted toward small businesses.

We worked with stakeholders and industry associations to develop and disseminate information and guidance that directly addressed their privacy challenges and concerns. For example, we:

  • published an article in Canadian Retailer Magazine;
  • exhibited at multiple small business events and conferences;
  • collaborated with other federal government departments such as Innovation, Science and Economic Development Canada to promote our resources to businesses;
  • included an insert in Canada Revenue Agency’s mail-out delivered to more than half a million small businesses, and
  • increased our use of the social media platform LinkedIn to reach businesses with privacy information and guidance.

In addition to our proactive communications and outreach strategies, we also sought ways to leverage opportunities as they arose to enhance our communications efforts. For example, global media headlines about allegations of unauthorized access and use of Facebook user profiles created an opportunity to highlight that the trust needed to allow the digital economy to flourish hinges on having an appropriate legal framework.

With more than two million visits per year, our website is our primary vehicle for providing privacy guidance and advice. Over the past year, we continued to enhance our website to ensure it meets the needs of our key audiences, both individuals and organizations. To this end, we:

  • developed new content offering concrete, practical advice for individuals on issues such as big data, password management, call recordings and landlord-tenant relationships;
  • updated and developed tools and information for businesses to help them meet their PIPEDA privacy obligations and the expectations of their customers;
  • conducted web usability testing to assess our web content and identify areas for improvement; and
  • established and implemented an approach to managing the lifecycle of information on our website to make it easier for individuals and organizations to find the information they need.
 
Results achieved

| Expected results | Performance indicators | Target | Date to achieve target | 2017-18 Actual results | 2016-17 Actual results | 2015-16 Actual results |
|---|---|---|---|---|---|---|
| 1. Federal government institutions and private-sector organizations better understand their obligations under federal privacy legislation and individuals better understand their rights. | 1.1 Percentage of private-sector organizations that are moderately or highly aware of their obligations under federal privacy legislation. | 85% | March 31, 2018 | 82% (Footnote 12) | n/a | 82% |
| | 1.2 Percentage of Canadians who feel they know about their privacy rights. | 70% | March 31, 2019 | n/a | 65% (Footnote 13) | n/a |
| 2. Federal government institutions and private-sector organizations have access to useful information about their privacy responsibilities and individuals have access to relevant and timely information to protect their privacy rights. | 2.1 Annual increase in website visits. | Visits to OPC websites increase year over year | March 31, 2018 | 4% | 11% | 5% |

Budgetary financial resources (dollars)

| 2017-18 Main estimates | 2017-18 Planned spending | 2017-18 Total authorities available for use | 2017-18 Actual spending (authorities used) | 2017-18 Difference (actual spending minus planned spending) |
|---|---|---|---|---|
| 2,869,950 | 2,869,950 | 3,066,508 | 2,770,740 | (99,210) |

Human resources (full-time equivalents)

| 2017-18 Planned | 2017-18 Actual | 2017-18 Difference (actual full-time equivalents minus planned full-time equivalents) |
|---|---|---|
| 21 | 17 | (4) |

Internal Services

Description

Internal services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization.

Internal services refers to the activities and resources of the 10 distinct service categories that support program delivery in the organization, regardless of the internal services delivery model in a department. The 10 service categories are: management and oversight services; communications services; legal services; human resources management services; financial management services; information management services; information technology services; real property services; materiel services; and acquisition services.

Results

In the last year, the OPC’s internal services continued to support the organization in delivering on its mandate and priorities while also continuing to implement mandatory Government of Canada transformation initiatives such as the HR-to-Pay transformation.

As in other departments, the Office is affected by the Phoenix pay system. We are a direct-entry organization and, as such, have on-site pay advisors. This means the Office is not served by the Pay Centre located in Miramichi.

To deal with the array of system issues and related pay problems, we have more than doubled the size of the dedicated HR and finance unit managing the pay function. Despite the numerous challenges brought by the transition to this new pay system, we maintained a good level of pay service for our employees. As a result, reported errors and issues have been much lower than in the rest of government.

We redefined our desired outcomes and developed a new Departmental Results Framework (DRF) to facilitate greater reporting to parliamentarians and Canadians. As part of this work, we also undertook a comprehensive review of our organizational structure to make sure our limited resources and our activities are optimally aligned to deliver results for Canadians. Work will continue in 2018-19 to fully implement and leverage our new DRF and organizational structure.

We also have met all the expected results identified in our Integrated Business and Human Resources Plan 2016-2019, year 2. Our efforts were particularly focused on developing a wellness strategy and an action plan aligned with the Federal Public Service Workplace Mental Health Strategy.

The formative evaluation of the Office’s privacy priorities work originally planned for 2017-18 was pushed back to 2018-19 due to competing priorities. Once completed, it will provide insight into progress to date in advancing the four priorities and will support management in determining any needed course correction to make sure the Office’s work under these priorities is contributing to desired outcomes.

Information Management (IM) and Information Technology (IT) strategies were implemented to ensure that the systems and services offered meet clients’ needs while also improving IM practices and maintaining a sound IT infrastructure.

Lastly, we continued to collaborate with Agents of Parliament and other small departments and agencies to gain effectiveness, share knowledge and continue implementing best practices in areas such as IT, administrative services, legal services, training and human resources programs. We worked closely with internal and external partners to address ongoing issues with central systems such as MyGCHR, PSPM, ETMS and Phoenix.

Budgetary financial resources (dollars)

| 2017-18 Main Estimates* | 2017-18 Planned spending* | 2017-18 Total authorities available for use | 2017-18 Actual spending (authorities used) | 2017-18 Difference (actual spending minus planned spending) |
|---|---|---|---|---|
| 6,620,626 | 6,620,626 | 6,880,719 | 7,009,224 | 388,598 |

* Includes Vote Netted Revenue authority (VNR) of $200,000 for internal support services to other government organizations.

Human resources (full-time equivalents)

| 2017-18 Planned full-time equivalents | 2017-18 Actual full-time equivalents | 2017-18 Difference (actual full-time equivalents minus planned full-time equivalents) |
|---|---|---|
| 48 | 50 | 2 |

Analysis of trends in spending and human resources

Actual expenditures

Departmental Spending Trend Graph

| Fiscal year | Total | Voted | Statutory |
|---|---|---|---|
| 2015–16 | 24,181,403 | 21,834,186 | 2,347,217 |
| 2016–17 | 23,760,728 | 21,295,679 | 2,465,049 |
| 2017–18 | 25,689,371 | 23,237,576 | 2,451,795 |
| 2018–19 | 25,185,145 | 22,893,992 | 2,291,153 |
| 2019–20 | 24,907,981 | 22,653,399 | 2,254,582 |
| 2020–21 | 24,907,981 | 22,653,399 | 2,254,582 |

The graph above illustrates the OPC’s spending trend over a six-year period from 2015-16 to 2020-21.

Fiscal years 2015-16 to 2017-18 reflect the organization’s actual expenditures as reported in the Public Accounts. Fiscal years 2018-19 to 2020-21 represent planned spending.

The overall spending trend in the graph illustrates a decrease from 2015-16 to 2016-17, with an increase in 2017-18. The OPC’s spending in 2017-18 was $1.9M higher than in 2016-17, which is primarily explained by spending on personnel due to the new collective agreements, including retroactive salary payments, IT evergreening and the costs of relocation for the Toronto office.

Between 2018-19 and 2020-21, overall OPC spending is expected to remain fairly stable as explained on the following page.

Budgetary performance summary for Programs and Internal Services (dollars)

| Program(s) and Internal Services | 2017-18 Main Estimates | 2017-18 Planned spending | 2018-19 Planned spending | 2019-20 Planned spending | 2017-18 Total authorities available for use | 2017-18 Actual spending (authorities used) | 2016-17 Actual spending (authorities used) | 2015-16 Actual spending (authorities used) |
|---|---|---|---|---|---|---|---|---|
| 1.1 Compliance | 11,619,666 | 11,619,666 | * | * | 12,424,822 | 12,112,252 | 11,216,142 | 11,963,491 |
| 1.2 Research and policy development | 3,234,249 | 3,234,249 | * | * | 3,959,583 | 3,797,155 | 3,365,828 | 2,942,391 |
| 1.3 Public outreach | 2,869,950 | 2,869,950 | * | * | 3,066,508 | 2,770,740 | 2,679,125 | 2,296,196 |
| Protection of privacy rights | * | * | 18,160,148 | 17,814,454 | * | * | * | * |
| Subtotal | 17,723,865 | 17,723,865 | 18,160,148 | 17,814,454 | 19,450,913 | 18,680,147 | 17,261,095 | 17,202,078 |
| Internal Services** | 6,620,626 | 6,620,626 | 7,024,997 | 7,093,527 | 6,880,719 | 7,009,224 | 6,499,633 | 6,979,325 |
| Total | 24,344,491 | 24,344,491 | 25,185,145 | 24,907,981 | 26,331,632 | 25,689,371 | 23,760,728 | 24,181,403 |

* Starting 2018-19, the OPC will report under its core responsibilities reflected in the Departmental Results Framework.
** Includes Vote Netted Revenue authority (VNR) of $200,000 for internal support services to other government organizations.

For fiscal years 2015-16 to 2017-18, actual spending represents the actual expenditures as reported in the Public Accounts of Canada.

The slight decrease in expenditures between 2015-16 and 2016-17 is mainly related to the provision of salary payments following the ratification of the new collective agreements.

The increase of $2.0M between the 2017-18 total authorities available for use ($26.3M) and the 2017-18 planned spending ($24.3M) is due to funding received as part of the operating carry-forward exercise, compensation related to new collective bargaining and adjustments to the employee benefit plans.

The difference between actual spending and total authorities available for use in 2017-18 for Internal Services is related to expenditures for early renewal of IT equipment and higher-than-planned expenditures for the relocation of the Toronto office.

Total authorities available for use ($26.3M) compared to actual spending ($25.7M) resulted in a lapse of $0.6M. This amount represents normal operating lapses reported in the Public Accounts of Canada by the OPC.

The spending trend starting in 2018-19 remains fairly stable. The amounts essentially reflect fluctuations related to collective bargaining and employee benefits costs.

Actual human resources

Human resources summary for Programs and Internal Services (full-time equivalents)

| Programs and Internal Services | 2015-16 Actual full-time equivalents | 2016-17 Actual full-time equivalents | 2017-18 Planned full-time equivalents | 2017-18 Actual full-time equivalents | 2018-19 Planned full-time equivalents | 2019-20 Planned full-time equivalents |
|---|---|---|---|---|---|---|
| 1.1 Compliance activities | 89 | 88 | 87 | 85 | * | * |
| 1.2 Research and policy development | 20 | 20 | 25 | 21 | * | * |
| 1.3 Public outreach | 16 | 16 | 21 | 17 | * | * |
| Protection of privacy rights | * | * | * | * | 133 | 133 |
| Subtotal | 125 | 124 | 133 | 123 | 133 | 133 |
| Internal Services | 50 | 51 | 48 | 50 | 48 | 48 |
| Total | 175 | 175 | 181 | 173 | 181 | 181 |

* Starting 2018-19, the OPC will report under its core responsibilities reflected in the Departmental Results Framework.

Expenditures by Vote

For information on the OPC’s organizational voted and statutory expenditures, consult the Public Accounts of Canada 2017-2018.

Government of Canada spending and activities

Information on the alignment of the OPC’s spending with the Government of Canada’s spending and activities is available in the GC InfoBase.

Financial statements and financial statements highlights

Financial statements

The OPC’s audited financial statements for the year ended March 31, 2018 are available on its website.

Financial statements highlights

The financial highlights presented below are drawn from the OPC’s financial statements which are prepared on an accrual accounting basis while the planned and actual spending amounts presented elsewhere in this report are prepared on an expenditure basis. As such, amounts differ.

Condensed Statement of Operations (unaudited) for the year ended March 31, 2018 (dollars)

| Financial information | 2017-18 Planned results | 2017-18 Actual results | 2016-17 Actual results | Difference (2017-18 actual results minus 2017-18 planned results) | Difference (2017-18 actual results minus 2016-17 actual results) |
|---|---|---|---|---|---|
| Total expenses | 28,034,339 | 28,972,767 | 27,500,893 | 938,428 | 1,471,874 |
| Total revenues | (200,000) | (150,409) | (138,607) | 49,591 | (11,802) |
| Net cost of operations before government funding and transfers | 27,834,339 | 28,822,358 | 27,362,286 | 988,019 | 1,460,072 |

Condensed Statement of Financial Position (unaudited) as of March 31, 2018 (dollars)

| Financial Information | 2017-18 | 2016-17 | Difference (2017-18 minus 2016-17) |
|---|---|---|---|
| Total net liabilities | 5,862,409 | 4,628,335 | 1,234,074 |
| Total net financial assets | 4,333,025 | 2,952,184 | 1,380,841 |
| Departmental net debt | 1,529,384 | 1,676,151 | (146,767) |
| Total non-financial assets | 2,700,949 | 2,788,284 | (87,335) |
| Departmental net financial position | 1,171,565 | 1,112,133 | 59,432 |

Assets by Type

This graph illustrates the total assets for the OPC.

  • Consolidated Revenue Fund: 55%
  • Accounts Receivable/Advances: 7%
  • Prepaid Expenses: 1%
  • Tangible Capital Assets: 37%

Total assets were $7,034K at the end of 2017-18, an increase of $1,294K (23%) over the previous year’s total assets of $5,740K. Of the total assets:

  • the consolidated revenue fund totaled $3,849K (55%);
  • tangible capital assets represented $2,586K (37%);
  • accounts receivable and advances and prepaid expenses accounted for 7% and 1% of total assets, respectively.

Liabilities by Type

This graph illustrates the total liabilities for the OPC.

  • Accounts Payable/Accrued Liabilities: 46%
  • Accrued Employee Salaries: 25%
  • Vacation Pay/Compensatory Leave: 16%
  • Employee Future Benefits: 13%

Total liabilities were $5,862K at the end of 2017-18, an increase of $1,234K (27%) over the previous year’s total liabilities of $4,628K.

  • Accounts payable/accrued liabilities represented the largest portion of the total liabilities, at $2,689K (46%);
  • Employee future benefits represented a smaller portion of liabilities, at $757K, or 13% of the total;
  • Vacation pay and compensatory leave and accrued employee salaries accounted for 16% and 25% of total liabilities, respectively.

Expenses - Where Funds Go

This graph illustrates the total expenses for the OPC.

  • Compliance Activities: 48%
  • Research & Policy Development: 15%
  • Public Outreach: 11%
  • Internal Services: 26%

Total expenses for the OPC were $28,973K in 2017-18.

  • The largest share of the total expenses, 48% or $13,967K, was incurred for compliance activities, followed by:
  • internal services at 26% or $7,530K;
  • research and policy development activities at 15% or $4,323K; and
  • public outreach efforts at 11% or $3,153K.

(Total expenses by program activity might differ from those identified in the Public Accounts of Canada due to the methodology used to prorate the allocation in the financial statements as well as the inclusion of related party transactions.)

Supplementary information

Corporate information

Organizational Profile

Appropriate Minister (Footnote 14): Jody Wilson-Raybould

Institutional Head: Daniel Therrien

Ministerial portfolio (Footnote 15): Department of Justice Canada

Enabling Instrument(s): Privacy Act, R.S.C. 1985, c. P-21; Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5

Year of Incorporation / Commencement: 1982

Reporting Framework

The OPC’s Strategic Outcome and Program Alignment Architecture of record for 2017-18 are shown below.

1. Strategic Outcome: The privacy rights of individuals are protected

  • 1.1 Program: Compliance activities
  • 1.2 Program: Research and policy development
  • 1.3 Program: Public outreach
  • Internal Services

Supporting information on lower-level programs

The OPC does not have lower-level programs as part of its Program Alignment Architecture.

Supplementary information tables

The following supplementary information tables are available on the OPC’s website.

  • Departmental sustainable development strategy
  • Evaluations
  • Fees
  • Internal audits

Approved internal audit and evaluation reports are available on the OPC’s website.

Federal tax expenditures

The tax system can be used to achieve public policy objectives through the application of special measures such as low tax rates, exemptions, deductions, deferrals and credits.

The Department of Finance Canada publishes cost estimates and projections for these measures each year in the Report on Federal Tax Expenditures. This report also provides detailed background information on tax expenditures, including descriptions, objectives, historical information and references to related federal spending programs. The tax measures presented in this report are the responsibility of the Minister of Finance.

Organizational Contact Information

30 Victoria Street
Gatineau, Quebec K1A 1H3
Canada

Telephone: 819-994-5444
Toll Free: 1-800-282-1376
Fax: 819-994-5424
TTY: 819-994-6591
Website: www.priv.gc.ca

Appendix: definitions

appropriation (crédit) :
Any authority of Parliament to pay money out of the Consolidated Revenue Fund.
budgetary expenditures (dépenses budgétaires) :
Operating and capital expenditures; transfer payments to other levels of government, organizations or individuals; and payments to Crown corporations.
Departmental Plan (Plan ministériel) :
A report on the plans and expected performance of an appropriated department over a three year period. Departmental Plans are tabled in Parliament each spring.
Departmental Results Report (Rapport sur les résultats ministériels) :
A report on an appropriated department’s actual accomplishments against the plans, priorities and expected results set out in the corresponding Departmental Plan.
evaluation (évaluation) :
In the Government of Canada, the systematic and neutral collection and analysis of evidence to judge merit, worth or value. Evaluation informs decision making, improvements, innovation and accountability. Evaluations typically focus on programs, policies and priorities and examine questions related to relevance, effectiveness and efficiency. Depending on user needs, however, evaluations can also examine other units, themes and issues, including alternatives to existing interventions. Evaluations generally employ social science research methods.
experimentation (expérimentation) :
Activities that seek to explore, test and compare the effects and impacts of policies, interventions and approaches, to inform evidence-based decision-making, by learning what works and what does not.
full-time equivalent (équivalent temps plein) :
A measure of the extent to which an employee represents a full person year charge against a departmental budget. Full time equivalents are calculated as a ratio of assigned hours of work to scheduled hours of work. Scheduled hours of work are set out in collective agreements.
gender-based analysis plus (GBA+) (analyse comparative entre les sexes plus [ACS+]) :
An analytical approach used to assess how diverse groups of women, men and gender-diverse people may experience policies, programs and initiatives. The “plus” in GBA+ acknowledges that the gender-based analysis goes beyond biological (sex) and socio-cultural (gender) differences. We all have multiple identity factors that intersect to make us who we are; GBA+ considers many other identity factors, such as race, ethnicity, religion, age, and mental or physical disability. Examples of GBA+ processes include using data disaggregated by sex, gender and other intersecting identity factors in performance analysis, and identifying any impacts of the program on diverse groups of people, with a view to adjusting these initiatives to make them more inclusive.
government-wide priorities (priorités pangouvernementales) :
For the purpose of the 2017–18 Departmental Results Report, those high-level themes outlining the government’s agenda in the 2015 Speech from the Throne, namely: Growth for the Middle Class; Open and Transparent Government; A Clean Environment and a Strong Economy; Diversity is Canada’s Strength; and Security and Opportunity.
horizontal initiatives (initiative horizontale) :
An initiative where two or more departments are given funding to pursue a shared outcome, often linked to a government priority.
Management, Resources and Results Structure (Structure de la gestion, des ressources et des résultats) :
A comprehensive framework that consists of an organization’s inventory of programs, resources, results, performance indicators and governance information. Programs and results are depicted in their hierarchical relationship to each other and to the Strategic Outcome(s) to which they contribute. The Management, Resources and Results Structure is developed from the Program Alignment Architecture.
non-budgetary expenditures (dépenses non budgétaires) :
Net outlays and receipts related to loans, investments and advances, which change the composition of the financial assets of the Government of Canada.
performance (rendement) :
What an organization did with its resources to achieve its results, how well those results compare to what the organization intended to achieve, and how well lessons learned have been identified.
performance indicator (indicateur de rendement) :
A qualitative or quantitative means of measuring an output or outcome, with the intention of gauging the performance of an organization, program, policy or initiative respecting expected results.
performance reporting (production de rapports sur le rendement) :
The process of communicating evidence based performance information. Performance reporting supports decision making, accountability and transparency.
plan (plan) :
The articulation of strategic choices, which provides information on how an organization intends to achieve its priorities and associated results. Generally a plan will explain the logic behind the strategies chosen and tend to focus on actions that lead up to the expected result.
planned spending (dépenses prévues) :
For Departmental Plans and Departmental Results Reports, planned spending refers to those amounts that receive Treasury Board approval by February 1. Therefore, planned spending may include amounts incremental to planned expenditures presented in the Main Estimates.

A department is expected to be aware of the authorities that it has sought and received. The determination of planned spending is a departmental responsibility, and departments must be able to defend the expenditure and accrual numbers presented in their Departmental Plans and Departmental Results Reports.
priority (priorité) :
A plan or project that an organization has chosen to focus and report on during the planning period. Priorities represent the things that are most important or what must be done first to support the achievement of the desired Strategic Outcome(s) or Departmental Results.
program (programme) :
A group of related resource inputs and activities that are managed to meet specific needs and to achieve intended results and that are treated as a budgetary unit.
Program Alignment Architecture (architecture d’alignement des programmes) :
A structured inventory of an organization’s programs depicting the hierarchical relationship between programs and the Strategic Outcome(s) to which they contribute.
result (résultat) :
An external consequence attributed, in part, to an organization, policy, program or initiative. Results are not within the control of a single organization, policy, program or initiative; instead they are within the area of the organization’s influence.
statutory expenditures (dépenses législatives) :
Expenditures that Parliament has approved through legislation other than appropriation acts. The legislation sets out the purpose of the expenditures and the terms and conditions under which they may be made.
Strategic Outcome (résultat stratégique) :
A long term and enduring benefit to Canadians that is linked to the organization’s mandate, vision and core functions.
sunset program (programme temporisé) :
A time limited program that does not have an ongoing funding and policy authority. When the program is set to expire, a decision must be made whether to continue the program. In the case of a renewal, the decision specifies the scope, funding level and duration.
target (cible) :
A measurable performance or success level that an organization, program or initiative plans to achieve within a specified time period. Targets can be either quantitative or qualitative.
voted expenditures (dépenses votées) :
Expenditures that Parliament approves annually through an Appropriation Act. The Vote wording becomes the governing conditions under which these expenditures may be made.