Language selection


Highlights from the Commissioner’s 2022-2023 annual report for public servants

September 19, 2023

Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.

The Privacy Commissioner of Canada’s annual report to Parliament for 2022-2023 was tabled on September 19.

In his message, Commissioner Philippe Dufresne identifies his office’s strategic priorities, developed in the first year of his term:

  • keeping up with and staying ahead of technological advancements and their impact on privacy, particularly with respect to artificial intelligence (AI) and generative AI;
  • protecting children’s privacy so that they can benefit from technology and be active online safely and free from fear that they may be targeted, manipulated, or harmed as a result; and
  • preparing for potential law reform should Bill C-27, the Digital Charter Implementation Act, be adopted by Parliament.

The Commissioner notes that the OPC’s latest poll of Canadians suggests that Canadians are concerned about the impact of new technologies on their privacy – 93% have some level of concern about protecting their personal information, and half do not feel that they have enough information to understand the privacy implications of new technologies. Yet they want and need to trust that their privacy rights are being protected so that they can feel confident about participating freely in the digital economy.

Privacy Act investigations

The Annual Report gives a capsule report of a number of investigations. Those summarized in the report include:

Privacy Act breaches

In the past fiscal year, the Office received 298 reports of breaches, down from 463 the previous year.

The breaches primarily related to the loss of personal information (44%). Another 33% were related to unauthorized disclosure, the majority of which were caused by employee error – for example, using “CC” instead of “BCC” when sending out a mass email. Unauthorized access was a factor in 22% of the reported breaches, and involved employees accessing information without privileges, misusing privileges, or falling for social engineering ploys.

Takeaway: These kinds of errors demonstrate the need to strengthen the implementation of privacy policies by ensuring that employees who deal with sensitive personal information are properly trained and that technological safeguards are implemented in a timely manner.

As in past years, the OPC continues to receive most of the reports from the same federal institutions, with the number of breaches reported by the public sector fluctuating year to year. Our Office remains concerned about under-reporting, as many of the government institutions subject to the Privacy Act that handle sensitive personal information have never reported a breach to us. Equally concerning is the likelihood that individuals whose personal information has been compromised have not been notified and are, therefore, unable to take timely measures to reduce potential further harms, such as changing passwords, being aware of possible email scams, etc.

Only 1 reported public-sector breach involved a cyber-attack – compared with 278 cyber-breaches reported in the private sector. In light of the Communications Security Establishment reporting that it blocks billions of cyber attempts per day against Government of Canada networks, the OPC continues to be concerned that cyber-attacks, including malware and phishing attacks, are being under-reported by public institutions.

Takeaway: It is important to be alert to the possibility of cyber-attacks, to protect against them and to report them promptly to affected individuals as well as the OPC, which has the expertise to help federal institutions deal with the issue.

The OPC continues to receive a high volume of PIAs and consultation requests from federal institutions with 180 PIAs and consult requests received this past year.

Want to know more?

You can find information on Responding to privacy breaches on our website.

Expectations: OPC’s Guide to the Privacy Impact Assessment Process will help you effectively manage privacy risks as part of the PIA process. You can also consult the OPC’s Government Advisory Directorate by contacting us at

Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.

Date modified: