Appearance before the Standing Committee on Access to Information, Privacy and Ethics on Main Estimates 2014-15

May 6, 2014
Ottawa, Ontario

Opening Statement by Chantal Bernier
Interim Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good morning, Mister Chair and members of the Committee.

Thank you for your invitation to discuss our Main Estimates for fiscal year 2014-15.

Joining me today is Daniel Nadeau, our Chief Financial Officer and Director-General of Corporate Services along with Maureen Munhall, Director of Human Resources.

In my time today, I want to:

  • outline our financial situation;
  • discuss some of the key challenges we face in pursuing our mandate; and
  • explain the actions we have taken to maximize the effectiveness of our resources in order to continually enhance service for Canadians.

Reduced resources

Beginning with our financial situation, looking at the numbers, you see a decrease in our resources of nearly $5 million. This is due to two key factors.

First, our 2013-14 budget reflected a one-time injection to cover the costs of the mandatory move of our headquarters from downtown Ottawa to Gatineau. 

This injection came in the form of a $4.1 million interest free loan; one which we are repaying Treasury Board Secretariat over the next 15 years, starting this year with a payment near $300,000.

The other factor accounting for the decrease is a planned reduction under the Deficit Reduction Action Plan. 

While we were not mandated to make reductions under the Plan, in the spirit of collegiality, our Office answered the call to adhere to its intent.

As a result, we have implemented savings of 5% or $1.1M per year within our total budget as of this fiscal year.  This began with $700,000 reduction per year starting in 2012-13 and an additional $400,000 takes effect this year.

Increasing pressures

While I am proud of our contributions to the Deficit Reduction Action Plan, it comes at a time when privacy matters continue to be of wide interest to the public – and we must ensure we maintain our level of excellence in this context of reduced resources and increased interest.

We see this rising interest reflected in our statistics.

For example, in the last completed calendar year, we saw an increase in complaints under the Personal Information Protection and Electronic Documents Act going from 220 the previous year to 426 this year. 

Much of this increase owes to the fact that 168 complaints were all on the subject of changes made by Bell to its privacy policy, and these are being handled under one, single, Commissioner-initiated complaint.

However, even with these subtracted, the total is still up 17% from the year before.

We saw the same percentage increase in complaints about federal organizations under the Privacy Act, accepting 1,675, with more than 300 of which related to a breach regarding Health Canada’s medical marijuana access program. 

The year before, we accepted 2,273 complaints, nearly one-third of which were tied to the loss of ESDC’s student loan hard drive. 

After subtracting complaints related to these high profile incidents, we still see a jump of just more than 17% in the public sector.

Added to this, we are faced with a growing number of data breach reports.

From businesses, we saw a year-over-year 81 percent increase of breach reports from private sector organizations. 

Meanwhile, breach reports from federal organizations more than doubled, to 228. That marks a record high for the third year running.

From these numbers we must not jump to the conclusion that breaches are increasing. More likely, what we may be witnessing is an increase in notification, which would be an improvement in compliance.

Innovation to increase efficiency

To continue serving Canadians with excellence as the volume and complexity of our work increases, we have adopted the following measures. 

In the face of rising data breaches notifications, we implemented a calibrated approach by which we meet each incident with a response tailored to its severity. Under this approach, we determine severity on the basis of the organization’s demonstrated accountability along with the risk of harm to individuals.   

We have worked to modernize our investigation processes, enabling a proportional approach that matches the appropriate tool per issue we face.  

Our tools include:

  • grouping investigations as appropriate in favour of broader investigations looking at multiple complaints, as we did in the face of 168 complaints about Bell’s privacy policy and the even more numerous complaints we received about ESDC’s lost hard drive;
  • assigning a single investigator to handle multiple complaints from the same individual complainant and dealing with these in a single report, wherever possible;
  • leveraging our domestic and international partnerships to expand our enforcement capacity and achieve more expedient and effective results – as we did with the Dutch Data Protection Authority in relation to an investigation of WhatsApp and are now doing with our Irish counterpart on an investigation of Facebook;
  • undertaking informal activities promoting broad-based compliance, such as the international privacy sweep which we spearheaded last year, prompting 40 organizations to significantly boost their privacy transparency in response to our Office’s concerns;
  • developing guidance to share best practices and promote compliance; and
  • conducting formal investigations and audits when necessary. 

We have made greater use of our early resolution process to resolve complaints, with an increase of 15% in relation to the private sector and 10% in relation to the public sector. 

This serves to resolve matters to the satisfaction of both the complainant and respondent while foregoing the need for a resource-intensive investigation. 

On top of this, in 2013 we reduced the average treatment time to conclude PIPEDA complaints from 12.6 months to 6.7 months, for a 47% improvement.  

And under the Privacy Act, the average treatment decreased to 6.1 months, down from 6.8 months in the previous year.

We have also made greater efforts to triage and prioritize the review of Privacy Impact Assessment from federal organizations, which are required under federal policy for any new initiative making use of personal information for decision-making.

We are focussing on initiatives holding the highest significance for the right to privacy of Canadians, ensuring that those with the biggest possible risks receive the greatest attention. 

As an example, we have struck an internal task force to look specifically at initiatives under the Beyond the Border action plan, which involves a multitude of programs with possible privacy impacts on Canadians.

Conclusion

In sum, we face challenges brought forth by the nature and volume of our work amidst a tighter fiscal context, and we are doing so determined to continue meeting the needs of Canadians.

We have developed, and will continue to develop new ways to make the most efficient use of our resources to do just that. 

The statistics I just mentioned on our increased workload as well as our recent reports to Parliament on oversight for the Canadian intelligence community, the loss of the student loan hard drive and our prominent report of findings on Google in relation to the business model of online behavioural advertising; demonstrate that we are pursuing our work at a continued high level, with unwavering dedication, under resource pressures.

I wish to take the opportunity to publicly recognize the remarkable hard-work and innovativeness of the OPC staff who make this possible.

Mister Chair and members of the Committee thank you, and I look forward to your questions.

Date modified: