This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Standing Committee on Access to Information, Privacy and Ethics
May 31, 2005
Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(CHECK AGAINST DELIVERY)
Good morning. Thank you for inviting us to appear before this Committee to discuss the Main Estimates for the Office of the Privacy Commissioner of Canada. With me today is Tom Pulcine, our Director General, Corporate Services to assist in addressing any operational or financial questions.
Although our appearance today is to discuss Main Estimates, we believe it is important that the Committee be provided with a complete picture of the Office's operations. I'll begin with an overview of the current resource base for our Office and then bring clarity and precision about our multi-faceted mandate which contributes to our uniqueness as an Officer of Parliament. I will close by sharing some insights on the current privacy landscape and public environment in which we operate and provide a rationale for why a case for permanent funding for the Office is required.
Before addressing our Main Estimates, I would like to congratulate the Committee on its comprehensive report to address issues of funding for Officers of Parliament. I will come back to the report later in my remarks.
How is the Office funded?
As mentioned in previous appearances before this Committee, the Office of the Privacy Commissioner currently negotiates its budget with the Treasury Board Secretariat which then makes a recommendation to the Treasury Board ministers.
Our Office's total operating budget in the past has been $11.3 million to fulfill responsibilities under both the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). Funding of $4.7 million for requirements under the Privacy Act is funded through Main Estimates. Funding of $6.6 million for PIPEDA has been funded in the past through Supplementary Estimates. This unusual funding situation which you acknowledge in your report on funding for Officers of Parliament is summarized for further clarity in the financial table I have distributed to members of the Committee.
I would like to stress that although the Office has received funding in the past through both the Main Estimates for the Privacy Act and Supplementary Estimates for PIPEDA, from a management and organizational perspective, we do not separate resource allocation under each Act. The Office manages from one central funding source which is allocated in support of planned strategic outcomes to fulfill requirements under both Acts. This is done through the normal business planning process and provides for flexibility to address emerging and ongoing issues in either the public or private sector.
I would like to now turn your attention to the multi-faceted nature of our mandate. The Office of the Privacy Commissioner is unique in relation to other Officers of Parliament in that as an oversight agency for Parliament it has responsibility for two Acts: the Privacy Act, which applies to federal institutions and PIPEDA which governs personal information management in commercial activities in Canada. Contrary to other Officers of Parliament, the OPC is the only one to have a broad private sector mandate.
Given the authority provided to us by Parliament, we have a multi-faceted mandate to ensure that both federal government departments and agencies in the public sector and companies in the private sector are held accountable for their personal information handling practices and that the public is informed about their privacy rights. This mandate is at times not fully understood.
As an independent ombudsman, we are:
- an investigator and auditor with full powers to conduct follow-up audits on well-founded cases and to monitor compliance under both Acts;
- a public educator and advocate with a responsibility to both sensitize businesses about their obligations under PIPEDA and to engage the public in a greater understanding of their personal information protection rights;
- a researcher and expert advisor on privacy issues to Parliament, government and businesses on personal information protection issues; and
- a legal advisor involved in litigation concerning the application and interpretation of the two privacy laws, in fine tuning procedures to deal with cross-jurisdictional complaints. We also analyze the legal and policy implications of bills and government proposals.
How has the OPC spent its budget allocation
When we look at the Office's total operating budget, approximately 66 per cent of the budget is allocated to assessing and investigating compliance with privacy obligations. This includes responding to inquiries, investigating complaints, carrying out audits and the provision of legal interpretation and support.
In 2004-2005, the OPC closed 2407 complaints under the Privacy Act and 379 complaints under PIPEDA. The majority of complaints are filed against organizations in the banking, telecommunications and broadcasting sectors. It is important to note that we have had great success as an ombudsman in the first four years of PIPEDA's enforcement, with a significant number of organizations responding to our recommendations.
The Office also carried out in 2004-2005, a scoping review of the Canadian Border Services Agency's multiple programs and information management activities. This exercise was undertaken in order to identify the areas where the impact on individual privacy of Canadians is deemed to be the highest and to direct audit resources accordingly for detailed examination and audit by our Office this year.
To address our role as public educator and advocate, we have allocated a total of 21 percent of our operating budget to privacy education activities aimed at promoting and protecting privacy rights and obligations.
Many small and medium-sized organizations sought advice from the Office with the full implementation of PIPEDA. This has required a strong emphasis by our Office on communications outreach to the business community across Canada through speaking engagements, media relations activities and distribution of print and online educational materials and guidance tools to explain and clarify the impact of the Act. Our web site provides indicators of our success with up to 94,000 visits being recorded monthly. This represents a 40% increase over the last six months. We will be placing greater emphasis in the next two years on targeted efforts to reach Canadians to improve their understanding of their rights, which will likely result in an increase in the number of complaints our Office receives.
Staying on top of emerging and ongoing privacy issues is an important part of our mandate and accounts for 13 per cent of our operating budget.
Our efforts on this front are reflected in the eleven appearances we have made in 2004-2005 before House and Senate Committees, the various consultations we have conducted with key stakeholders on the analysis of key issues, on the policies and positions developed to advance the protection of privacy rights, and in the twenty speeches and presentations we have made on issues ranging from the privacy implications of DNA Data banks, e-government, public safety and national security measures, to provision of passenger data and privacy laws and health information. In 2004, our Office launched a Contributions Program to support the development of a national privacy research capacity to advance knowledge and policy development in the areas of privacy and data protection. We will be continuing with the program in 2005.
Finally an important aspect of our Office's operations has been to resolve outstanding legacy issues to support the organization in meeting its responsibilities to be a well-managed and efficient agency.
On the human resources side, the classification review of positions within our Office by the Public Service Human Resources Management Agency are now completed. As for the audits of our financial statements, the Auditor General of Canada completed the audit and confirmed "... in all significant respects, that transactions have been in accordance with the Financial Administration Act and regulations and the Privacy Act."
The Public Service Commission is currently reviewing our revised human resource practices in order to ascertain if any steps still need to be taken before reinstating our staffing delegation.
Canada's Privacy Landscape
Many external factors impact our day to day operations. Today's privacy environment is infinitely more complex and knows no borders. Privacy rights are increasingly being eroded with incremental advances in technology, the growth of commercial interests in exploiting personal data and governmental responses to concerns about public safety.
Canadians are becoming more aware of the consequences of their privacy rights and are beginning to challenge assumptions about security and technology and their sometimes adverse impacts on the protection of personal information. A recent survey commissioned by our Office which will be released publicly this summer, reveals that Canadian opinions on privacy issues is maturing and that the public has a high sense of erosion of the protection of their personal information. In fact 70 per cent of study respondents believe they have less protection of their personal information today than ten years ago.
Privacy concerns by the public are high in both government and the private sector and there is a broad consensus that strong laws are crucial to protect Canadians' privacy and their personal information. Nine in 10 Canadians see a need for ongoing updating of privacy legislation to keep pace with changing technologies and emerging threats.
In the public sector, our Office is calling for a reform of the Privacy Act, which has not been amended in any significant way since it was passed in 1983. The Act does not provide the Government of Canada and the Canadian public with adequate standards to protect privacy rights and needs to be modernized to deal with transborder data flows, to impose responsibilities on data users and to ensure adequate protection personal information when it is transferred or disclosed to other jurisdictions.
There is in fact a pervasive belief by those surveyed by our Office that personal information is flowing freely to other countries, particularly the United States and there is an extremely high concern about cross-border transfer of personal information.
The Government of Canada has been relatively silent on the issue of outsourcing of personal information and slow to respond to concerns concerning the USA PATRIOT Act and the privacy implications of cross-border transfer of personal information. Our Office has made a number of proactive suggestions for the development of a more robust and Integrated Privacy Management Framework to mitigate privacy risks associated with the handling of personal information. We have urged the Government to move forward decisively to adopt a vigorous set of measures and policies to protect personal information.
Our Office routinely receives complaints of privacy violations in the public sector and is faced with departments and agencies mistakenly citing the Privacy Act as an obstacle to legitimate government business. The Privacy Act is often cited as a hindrance to information sharing between agencies, to the disclosure of public interest information (e.g. release of sex offenders into the community) and to the effective fight against money laundering and other activities of organized crime. There is and will continue to be a compelling need to bring the Privacy Act in line with the privacy standards Canadians are accustomed to in the private sector.
Privacy issues in the private sector are no less challenging. Recent investigations by our Office point to the need for improvements in business information handling practices. Canadians demand nothing less and will continue to lodge complaints with our Office if businesses do not fully conform with their obligations under PIPEDA.
Efforts to seek private sector compliance with the principles of consent, appropriate safeguards, limited disclosure and use of personal information as well as accountability will continue to occupy the attention of our Office and the concern of Canadians. There is still a formidable task ahead of us to educate businesses to their obligations and citizens to their privacy rights.
PIPEDA, and similar provincial legislation, has provided for a respectable, though clearly far from perfect, set of standards for the protection of personal information in Canada. Issues of appropriate notification of customers in the context of a significant privacy breach also need to be examined. In addition, appropriate models of oversight for our Office, whether it be the ombudsman model under which we operate or an order-making power model may likely be discussed as Parliament moves to a legislative review of PIPEDA.
A Case for Permanent Funding
In an environment where privacy rights are continuously under threat, the Office of the Privacy Commissioner needs to be funded adequately across its entire operations to address the multitude of emerging privacy issues in the public and private sector.
The Office is not currently adequately resourced to fully exercise its powers and responsibilities under the two Acts.
Without adequate permanent funding, we cannot:
- reinforce our audit and review functions to effectively address systemic issues of compliance under both privacy laws;
- strengthen our capacity to monitor, research and respond to emerging issues of technology and privacy;
- proactively conduct outreach and public education efforts to influence change so policies and programs are viewed through a privacy lens; and
- continue to carry out our investigations and resolve the increasing level of complaints under both Acts.
- continue to provide specialized legal and strategic advice and litigation support under both federal privacy legislation and strengthen established approaches and procedures to deal with cross-jurisdictional complaints.
To this end, our Office's priority in the last few months has been to complete a review of our business processes across our entire operations. This has included establishing workload indicators and reviewing the legislative requirements as well as external and internal factors impacting on our operations. We are also nearing completion of a benchmarking exercise which should put the Office in a position to make a formal submission this summer to the Treasury Board Secretariat to stabilize our resource base and seek permanent funding for the Office.
It is our hope that with adequate permanent funding, we may provide further assurances to Parliament of the effectiveness of our Office in ensuring the personal information protection rights of Canadians are respected in the public and private sectors.
In closing, I would like to indicate that the report for funding Officers of Parliament is a positive step and that we would be pleased to work within the new framework for obtaining our funding. We understand that there are measures that would be put in place in 2006-2007 on a trial basis. As you acknowledge in your report, our long term financial needs have not been meet and we are therefore proceeding as planned with our business case to Treasury Board in August to stabilize our funding.
Thank you very much for your time today. I would be pleased to take your questions.
- Date modified: