Public opinion survey

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Qualitative Research with Federal Access to Information and Privacy (ATIP) Officers

March 31, 2011

Prepared for the Office of the Privacy Commissioner of Canada
by Phoenix Strategic Perspectives Inc.

---

Executive Summary

The Office of the Privacy Commissioner of Canada (OPC) commissioned Phoenix SPI to undertake qualitative research with federal government Access to Information and Privacy (ATIP) Officers. Within the ATIP community, the focus was on departments whose mandate and activities involve privacy-related issues. In total, 20 in-depth interviews were conducted with representatives of the target audience between March 2nd and 30th, 2011. This included a mix of departments/agencies by size and number of privacy-related complaints received. The findings will be used by the OPC to help refine and improve communications and outreach activities that target the federal ATIP community, as well as increase the OPC’s understanding of this community.

This research was qualitative in nature, not quantitative. As such, the results provide an indication of participants’ views about the issues explored, but cannot be generalized to the full population of federal ATIP officers.  

Background Information About ATIP Unit

The size of the ATIP units represented in this study varies considerably – from as few as two to as many as 52 people. While there was no uniformity in the size of ATIP units, most have at least 10 people. And while most staff were full-time employees, some were identified as outside consultants. In some larger organizations, there is a division of labour, where one section deals exclusively with privacy issues and another with access to information issues. In other, typically smaller ATIP units, both types of issues tend to be handled by the same staff members.

The budget of ATIP units, like their size, varies considerably. Budgets (including salary and non-salary dollars) ranged from a low of $200,000 to a high of about $8 million. The bulk of the budget covers salaries, while the rest covers operations and administration. Some participants specified that the bulk of their budget is dedicated to access to information issues, as opposed to privacy issues.

The proportion of time that units spend on privacy issues versus access issues varies by organization, although for most a greater proportion of time gets devoted to access issues than to privacy. However, even within this group there was variation, ranging from about 15% to 40% of the time being devoted to privacy. Others said there is an approximate 50/50 split in time between privacy and access issues, while only a few indicated that a greater proportion of time generally gets devoted to privacy. But, in addition to variations between organizations, the proportion of time devoted to privacy versus access issues can vary within organizations. The extent to which this changes was described as primarily issue- or event-driven, although this can also be influenced by backlogs.

Generally speaking, the requirements related to privacy issues and access issues do not tend to conflict or cause challenges for participants in their daily work. This is especially the case in organizations where different units handle privacy and access to information issues, but not only. To the extent that conflicts do arise, this usually involves managing resources to ensure that both priorities are addressed.

While all participants are involved in the Privacy Impact Assessment (PIA) process in their organization, their involvement tends to involve management and oversight. None are directly involved in preparing the actual privacy impact assessments. That said, everyone indicated that people in their organization contact them for advice or input in terms of the development of PIAs. However, the frequency of such contact varies, depending on the number of changes being made in the organization (e.g. upgrading of IT, creating new databases) and/or the nature of the PIAs being prepared (i.e. straightforward or complicated). The frequency of such contact ranged from regular or almost daily contact, to weekly contact, to every few months, to a few times a year.

In many of the organizations represented in this study, the ATIP unit is located under Corporate Services or Corporate Secretariat. In other organizations, areas that house ATIP units include Information Management Directorate, and Public Affairs.

Training and Professional Development

All participants said that they and others in their unit have attended training related to their privacy responsibilities. However, there was no consistency in the frequency of training. Frequency tends to depend on a variety of factors, including the content or subject matter of the training, its perceived relevance or importance, and its form (e.g. half-day workshop vs. 3-day course), timing, availability, and cost.

Participants routinely distinguished between internal training and external training. In terms of external sources, participants and their staff tend to receive ATIP-related training from the same or similar sources. These include the Treasury Board Secretariat (e.g. ATIP Community Meetings, training sessions, PIA e-learning tool), the Canada School of Public Service, private consultants (routinely identified, including one individual in particular), the University of Alberta certification program, conferences, and the OPC (e.g. one-day workshop for federal employees on PIAs).

In addition to external training, nearly all participants identified internal training provided to staff. This was sometimes described as informal and ad hoc, but it was nonetheless considered very important. The most common type was on-the-job training, which often involved mentoring by senior staff. In some instances, this included individual learning plans. Other forms of internal training identified relatively often were: training/information sessions or workshops on specific access or privacy cases, general training on the Privacy Act and Access to Information Act and their impact on programs/initiatives, training on specific sections of this legislation, and orientation sessions for new staff. As well, some provide awareness or information sessions on privacy and access issues for departmental employees in general.

Participants did not express themselves categorically regarding the adequacy or relevance of the training they/their staff receive. For the most part, training was seen as necessary, but not sufficient in preparing staff to understand and deal with privacy issues.  In addition to training, participants routinely observed that on-the-job experience is crucial to the development of a good privacy officer. The explanation given is that dealing with privacy issues involves dealing with particulars, details, specifics, exceptions, and exemptions, which no amount of training can adequately address.

The areas identified where participants would like to receive more training for themselves or their staff tended to focus on specifics as opposed to general issues, with participants routinely saying they would like training that is less ‘theoretical’ and more ‘practical’ (e.g. applying specific clauses of the Privacy Act, exclusions/exemptions under the law, new or emerging issues, privacy issues related to social media, preparing PIAs, etc.).

There was widespread awareness that there is certification or accreditation for privacy professionals. Participants were most likely to be aware of the certification program offered by the University of Alberta (some have completed this program). Small numbers were aware that there is certification/accreditation provided through the Canadian Association of Professional Access and Privacy Administrators and/or the International Association of Privacy Professionals. And a few were under the impression that it is possible to obtain accreditation through the Canada School of Public Service.

Among those aware of such programs (and who have not pursued them), there was limited interest in pursuing certification or accreditation. In explaining why, these participants routinely explained that pursuing professional certification or accreditation will not improve their professional skills in a meaningful way. Some added that they have acquired enough expertise in the area, or felt that meaningful additional professional development could only come through on-the-job experience.
                                                                                                                                
Most participants said that they and members of their staff (though not necessarily all members) are involved in professional associations. With few exceptions, participants identified themselves and members of their staff as belonging to the Canadian Association of Professional Access and Privacy Administrators (CAPAPA), the International Association of Privacy Professionals (IAPP) or both.

Only a few participants indicated that they and/or their staff network with others in the privacy community outside the federal government. In explaining why, participants said that their world is governed by the Privacy Act. Consequently, their networking tends to be limited to interactions with those governed this statute. To the extent that there is networking outside of the federal government, it tends to be with personnel of other governments. Beyond this, the only opportunities identified for communication and/or networking outside government involved meetings at conferences or symposia.

Types of Privacy Issues

Participants collectively identified a range of top privacy issues that they and their units deal with on a regular basis. The types of issues identified can be grouped into five categories. For the most part, participants typically identified issues that fell into one or two categories, although some identified key issues in three or more areas. Top privacy issues include:

• Privacy Impact Assessments: This was the issue identified most often, and the only one identified by nearly all participants. The key consideration was described as identifying/resolving privacy risks related to the redesign of programs and services. Some added that an important issue is that the people completing PIAs are not experts in the field of privacy, so they require considerable support.
• Ensuring the Safety and Security of Personal Information: For many, one of the key issues, often the key issue, is ensuring the safety and security of personal information collected and stored in databanks or personal information banks.
• Issues Surrounding the Release or Disclosure of Personal Information: This typically involves dealing with requests for personal information and determining what information, if any, can be released (in some cases without the consent of the individual to whom it relates).
• Privacy-Related Complaints: Some identified the main privacy issues they deal with as complaints.
• Appropriate Use of Personal Information: For some, the key issue they deal with involves ensuring the appropriate use of personal information that is collected.

Participants collectively identified a variety of challenges they encounter in terms of privacy issues, but most identified only one key challenge. The challenges include:

• Privacy Impact Assessments: Some identified the PIA process as a significant challenge, for a variety of reasons, including the amount of work required, lack of expertise (of those creating PIAs), lack of resources/guidance in this area, and conflicting requirements (between the TBS and OPC).
• Operational challenges: Some described their main challenge as operational – ensuring the protection of vast amounts of personal information that get used and shared every day by a variety of actors. With so much information in circulation, the challenge is avoiding breaches (accidental or criminal), the consequences of which could be disastrous.
• Sensitivity surrounding privacy: To some, dealing with the sensitivity surrounding privacy is a key challenge. This was seen to be a consequence of the importance assigned to privacy as a right and its protection.
• Staff-related issues: Staffing issues can make it difficult to effectively carry out privacy-related responsibilities (e.g. lack of staff, staff turnover/retention).
• Backlog in ATIP requests.
• New/emerging issues (see below).

Participants identified a variety of new and emerging privacy issues with which they are dealing or which they expect to have to deal with:

• Balancing privacy with security and public safety: One of the most frequently-identified issues was the importance of balancing the right to privacy with the need for security and public safety. While not necessarily a new issue, it has taken on added significance, given the increased concern with terrorism.
• Ensuring privacy while embracing social media: Another top issue is the need to ensure privacy as government embraces social media to engage and interact with citizens.
• Ensuring privacy protection as the capacity to collect information increases:Many participants observed that as the capacity to gather and store personal information increases, so must the measures to ensure its protection.
• Ensuring privacy as the capacity to monitor increases: Some felt that a key emerging issue concerns government’s increasing ability to monitor through technology. Examples include the use of GPS systems, traffic surveillance technologies, web crawlers, and monitoring of social media sites.
• Genetic information: A few identified the storage of genetic information as the new frontier in the world of privacy, and an area in which the implications for privacy are still not fully known.
• Need to recruit/develop privacy experts: Some said that one of the new challenges they face is recruiting and developing people interested in dealing with the types of privacy issues identified above (and others).

Interactions with the Office of the Privacy Commissioner

The frequency with which participants and others in their units interact with the OPC varies considerably.  A few described their interactions as frequent or regular, while others described it as periodic, irregular, or infrequent. Participants interact with the OPC for a range of reasons, including issues related to PIAs, seeking general guidance or advice, participating in consultations, interactions related to breaches, complaints, audits and investigations, and attending OPC workshops or presentations. Interaction typically includes a mix of e-mail, phone, and in-person contact.

Virtually all participants said they and/or their staff use or have used OPC resources or tools. However, they do not tend to use them regularly. Resources that they have used include reports and publications, videos, best practices, case summaries, Commissioner’s findings, quizzes, guidance regarding PIAs/PIA workshop, speakers’ series, and information on social networking, privacy breaches, and identity theft. Some said they and/or staff periodically visit the OPC website to see what is new. When discussing their use of OPC resources, many re-iterated that they contact OPC personnel for guidance or advice on various matters.

Overall, participants have positive impressions of the OPC resources they have used. The general impression is that they are informative, provide general guidance, and keep practitioners up-to-date on issues. At the same time, there was also a relatively widespread view that resources tend to be general and therefore not always detailed or precise enough to help them with specific issues with which they may be seeking help.

Asked what has worked well in their dealings with the OPC, participants routinely identified two organizational strengths: its openness or receptivity (including a willingness to help) and its professionalism. There was also a widespread impression that the OPC has an understanding of the environment in which government privacy officers work. Asked what has not worked well in their dealings with the OPC, participants most often said that while the OPC clearly wants to help them, it tends to be reluctant to give concrete advice and seems to want to remain non-committal.

Participants routinely expressed the general view that the OPC should play a leading role in terms of providing support, education, and guidance on privacy-related issues. Indeed, many added that this is one of the reasons why they contact the OPC. Some immediately added that this might cause tension with the Treasury Board Secretariat, but that they consider the OPC to be the expert in the field of privacy. More specifically, participants expressed the following expectations in relation to the OPC: increased outreach, increased role in education and training, providing guidance, looking ahead/scanning the horizon, serving as a hub of information, and linking to/networking with other privacy commissions. Participants identified two specific services that the OPC could provide to enhance their privacy work. One, mentioned relatively often, was assistance preparing PIAs. The other was a tool to help with risk assessment when it comes to privacy issues. Beyond this, no specifics were offered, but many re-iterated that the OPC should focus on education and training – both for ATIP officers and the general public.

Introduction

The Office of the Privacy Commissioner of Canada (OPC) commissioned Phoenix SPI to undertake qualitative research with federal Access to Information and Privacy (ATIP) Officers.

Background and Objectives

The OPC is an advocate for the privacy rights of Canadians with the power to investigate the handling of personal information in both the public and private sector. The Office’s mandate is to protect and promote privacy rights. While the Treasury Board Secretariat has ultimate responsibility for the Access to Information and Privacy (ATIP) function within the federal government, the OPC communicates with federal government ATIP organizations on a regular basis.

In order to enhance their communications and outreach initiatives with this audience, the OPC wanted to conduct qualitative research with federal ATIP Officers in order to better understand issues related to the context in which departmental ATIP organizations operate. 

More specifically, the research was designed to obtain the following type of information from ATIP officers:

• The size of their organization, including the number of people they have working in ATIP and the size of their budget.
• The amount of time they spend on privacy versus access issues.
• Whether other people in their department/agency come to them for advice or input in the development of privacy impact assessments (PIAs), as well as how involved they are in the PIA process in their organization.
• Whether they attend regular privacy training, including the providers of such training, and whether they feel they receive enough training.
• Issues related to certification and their involvement in professional associations.
• Identification of the top privacy issues that they deal with on a regular basis, as well as any new and emerging privacy issues that they are dealing with.
• The nature and extent of their interaction with the OPC, and their satisfaction with the service they receive.
• Whether they use OPC’s materials in their work and to what extent.
• Their expectations with respect to the OPC.
• Whether there are additional services the OPC could provide that could enhance their privacy work.

The findings will be used by the OPC to help refine and improve communications and outreach activities that target the federal ATIP community, as well as increase the OPC’s understanding of this community.

Research Design

The target audience for this study was federal ATIP Officers. Within this community, the focus was on departments whose mandate and activities involve privacy-related issues. As well, the OPC was interested in a mix of departments/agencies by size and number of privacy-related complaints received ^{Footnote 1}.

To address the research objectives, a set of in-depth interviews was conducted with representatives of the target audience. The following specifications applied to this research:

• In total, 20 in-depth interviews were conducted with representatives of the target audience between March 2nd and 30th, 2011.
• Interviews averaged approximately 45 minutes.
• All interviews were conducted by Phoenix research staff (i.e. not hourly-paid telephone interviewers).
• Participants were interviewed in the official language of their choice. In total, 16 interviews were conducted in English, and four in French.
• The following table presents the sample frame established for the in-depth interviews and the extent to which the various targets were met.

• Sample Frame
  Criteria	Number of Interviews Allocated	Number of Interviews Completed
  Number of Complaints (2009-10)
  Over 10 complaints	10	10
  5-10 complaints	6	6
  4 complaints or less	4	4
  Total	20	20
  Size of Department/Agency
  Large	6	6
  Medium	10	10
  Small	4	4
  Total	20	20

• Eligible participants included ATIP coordinators or designates (as long as the latter were able to provide meaningful feedback on the issues explored). Contact information for federal ATIP officers was obtained from the Treasury Board of Canada Secretariat website (http://www.tbs-sct.gc.ca/atip-aiprp/apps/coords/index-eng.asp).
• In advance of the research, a background/notification letter was sent to potential participants to inform them about the research and help secure their willingness to participate in it. The letter was signed by the OPC’s Director of Communications and sent by Phoenix. It explained the background and purpose of the research, introduced Phoenix as the firm conducting it, offered assurances of confidentiality, encouraged participation, and provided contact information for an individual at the OPC who could answer questions about the study.
• Following the sending of the background letter, Phoenix personnel contacted potential participants by phone to secure their agreement to participate and schedule the interviews.
• All participants were sent a short confirmation e-mail, confirming the timing of the interview. A copy of the interview guide was sent with the e-mail so that participants could reflect on the issues and offer more considered feedback. 
• The interviews focused on the privacy part of participants’ responsibilities, not on the access to information part.
• The first few interviews served as a pre-test of the interview guides, where researchers were attentive to the functioning of the instrument to determine whether any adjustments are required. No changes were made to either guide on the basis of these first interviews

This research was qualitative in nature, not quantitative. As such, the results provide an indication of participants’ views about the issues explored, but cannot be generalized to the full population of federal ATIP officers.  

Appended to this report are the following:

• Interview guide
• Confirmation e-mail

Background Information About ATIP Unit

Size of ATIP Units

The size of ATIP units varies across the departments/agencies represented in this study. The size of units, measured by the number of people working on ATIP issues, varied from as few as two to as many as 52. While there was no uniformity in the size of ATIP units, most have at least 10 people. Most of the people working on ATIP issues (and in some cases all of them) were identified as being full-time employees. However, some of the people working in this area were identified as consultants hired to work on ATIP issues.

In some organizations, typically those with larger numbers of people working on ATIP issues, there is a division of labour, whereby one section or unit deals exclusively with privacy issues and another deals exclusively with access to information issues. In other organizations, typically ones with smaller ATIP units, both types of issues tend to be handled by the same staff members.

In the course of discussing the size of their ATIP units, some participants specified that they are not always functioning at full capacity. In other words, the number of people working on ATIP issues may (or does) fall short of the number of positions assigned or dedicated to ATIP issues. A few went on to identify staff retention as a challenge – an issue they and others focused on later when asked explicitly about challenges they face dealing with privacy issues.

Budget of ATIP Units

The budget of ATIP units, like their size, varies considerably. Budgets (including salary and non-salary dollars) ranged from a low of $200,000 to a high of approximately $8 million. The bulk of the budget covers salaries, while the rest covers operations and administration costs. Some participants specified that the bulk of their budget is dedicated to access to information issues, as opposed to privacy issues.

ATIP Responsibilities

Most of the participants involved in this study were directors with general responsibility for ATIP issues within their respective organizations. The rest were managers with responsibilities related to ATIP, or specifically in relation to privacy issues. In describing their responsibilities, directors typically identified some or all of the following:

• Delegating responsibilities
• Budget oversight
• Oversight/monitoring compliance with the Privacy Act
• Oversight of all ATIP requests
• Developing internal policies/procedures and guidelines to ensure implementation of the Privacy Act
• Spokesperson for the department/agency with other government organizations
• Responding to consultation requests from other departments/agencies
• Oversight of Privacy Impact Assessments (PIAs)
• Oversight of training
• Oversight of annual report on privacy for Parliament
• Briefing senior management on ATIP issues.

For their part, the managers involved in this study identified some or many of the following as their responsibilities:

• Processing requests made under the Privacy Act
• Promoting awareness of the Privacy Act within their department/agency (e.g. through awareness sessions)
• Tool development/internal training
• Advice regarding privacy impact assessments
• Dealing with breaches and complaints
• Records/database management.

Proportion of Time Devoted to Privacy Issues Varies

The proportion of time that units spend on privacy issues versus access issues varies by organization, although most indicated that a greater proportion of time generally gets devoted to access issues than to privacy. However, even within this group there was variation, with the proportion of time devoted to privacy ranging from approximately 15% to 40%. Some said there is an approximate 50/50 split in time between privacy and access issues, while only a few indicated that a greater proportion of time generally gets devoted to privacy than to access (the proportion of time devoted to privacy ranging from 60-75%).

Some participants said this is not an issue for them because different units in their organization handle privacy and access to information issues. In other words, the unit dealing with privacy issues devotes 100% of its time to these issues and the unit dealing with access to information issues does the same. A few added that resources may, on occasion, get pulled from one unit to another.

Variations in Time Devoted to Privacy vs. Access Often Issue- or Event-Driven

In addition to variations between organizations, the proportion of time devoted to privacy versus access to information issues can vary within organizations. The extent to which this changes was consistently described as primarily issue- or event-driven. For example, an issue or event may lead to an increase in the number of privacy or access to information requests, thereby increasing the proportion of time devoted to one or the other. Similarly, a scandal might lead to a need to tighten up on privacy-related measures, thereby increasing the amount of time devoted to the latter.

A few participants observed that the amount of time devoted to one or the other can also be influenced by backlogs in meeting requests. For example, a backlog in responding to access to information requests may result in more time and/or resources being devoted to them in order to reduce the backlog.

Privacy and Access Issues Rarely Conflict

Generally speaking, the requirements related to privacy issues and access issues do not tend to conflict or cause challenges for participants in their daily work. This is especially the case in organizations where different units handle privacy and access to information issues, but not only. To the extent that conflicts or challenges do present themselves, this usually involves managing resources to ensure that both priorities are addressed. For example, as noted earlier, a backlog in responding to access to information requests may result in more time and/or resources needing to be devoted to them in order to reduce the backlog. One participant explained that these priorities can conflict in situations where there are staff shortages. In such situations, the challenge once again is managing resources in such a way to address both priorities.

The only other types of conflicts or challenges identified pertained to requests. One participant said that some people confuse access to information with privacy, and make requests related to privacy that have to do with access or vice versa. Another participant explained that the requirements related to privacy issues and access issues can cause challenges when someone makes a request that is both a privacy and an access issue.

Involvement in PIAs Tends to Focus on Oversight

While all of the participants in this study are involved in the Privacy Impact Assessment (PIA) process in their organization, their involvement tends to involve management and oversight. None of the participants, for example, is directly involved in preparing the actual privacy impact assessments. Their involvement typically includes most or all of the following: providing advice and guidance to those preparing PIAs, reviewing PIA reports and making sure they comply with Treasury Board requirements, signing off on the PIAs and sending them to the OPC, and liaising with the OPC regarding PIAs.

All participants indicated that people in their organization contact them for advice or input in terms of the development of PIAs. However, the frequency of such contact varies, with some adding that it depends on the number of changes being made in the organization (e.g. upgrading of IT, creation of new databases) and/or the nature of the PIAs being prepared (i.e. straightforward or complicated?). The frequency of such contact ranged from regular or almost daily contact, to weekly contact, to every few months, to a few times a year.

Limited Direct Involvement of ATIP Coordinators in Senior Management Meetings

While it happens that an ATIP coordinator will sit in on a senior management meeting, this is not a regular occurrence. When it does happen, it tends to involve briefing senior management on an important privacy or access to information issue. What typically happens is that the ATIP coordinator will report to or brief a superior, usually a director general or executive director, who does attend senior management meetings and briefs the assistant deputy minister.

In many of the organizations represented in this study, the ATIP unit is located under Corporate Services or Corporate Secretariat. In other organizations, areas that house ATIP units include Information Management Directorate, and Public Affairs.

Training and Professional Development

This section reports on training and professional development and related issues.

Frequency of Training

All participants in this study said that they and others in their ATIP unit attend or have attended training related to their privacy responsibilities. For the most part, there was no consistency or regularity in the frequency of training (i.e. how often participants and their staff receive training). That is not to say that training was described as haphazard or irregular. Rather, participants tended to explain that while training is regularly available, the frequency with which it is taken can vary, and tends to depend on a variety of factors including the following:

• The content or subject matter of training: What is the topic or focus of the training in question?
• The perceived relevance or importance of training: How topical or relevant is the training in question?
• The form of training: How is the training provided? For example, is it a half-day workshop, a 3-day course, a certification program, etc.
• Scheduling or timing: This includes issues such as when the training is offered, and whether staff members are free to attend the training (e.g. how busy is the ATIP unit?).
• Availability: Are there any places left for the training session in question or is the session full?
• The cost of training: How much does the training cost and will the budget allow it?

Nature of Training Received

Participants in this study routinely distinguished between internal training received by ATIP staff and external training (i.e. provided by outside individuals or organizations). In terms of external sources, participants and their staff tend to receive ATIP-related training from the same or similar sources. These sources, as well as the type of training provided, are identified below:

• Treasury Board Secretariat: Participants routinely identified the Treasury Board Secretariat (TBS) as a source of ATIP-related training taken by themselves and/or others in their unit. Three types of training were identified:
• • ATIP CommunityMeetings: The type of training identified most often was TBS’s regular ATIP community meetings, which take place on a monthly basis. While identified as a form of training, participants were more likely to describe these meetings as information sessions designed to keep ATIP practitioners up-to-date on such things as recent developments, new initiatives, and recent cases involving privacy or access-related issues.
  • Trainingsessions: Some participants said members of their staff have attended TBS training sessions on InfoSource (TBS’s annual publications on Government of Canada information holdings), and how to create or revise a personal information bank. Both were identified as two-hour training sessions.
  • PIA e-learning tool: Some participants said members of their staff have used TBS’s online tool designed to help practitioners complete PIAs.
• Canada School of Public Service: Many participants said that they and/or members of their staff have taken training through the Canada School of Public Service. The only form of training identified was a 3-day course on the Access to Information Act and the Privacy Act. A few participants described this as an introductory course that provides an overview of both pieces of legislation, designed for people who are new to the ATIP field.
• Private consultants: Private consultants, one individual in particular, were routinely identified as a source of training. While such training included introductory courses on the Access to Information Act and the Privacy Act, it tended to be described as more detailed, in-depth, or focused on specific issues. The length of such courses varied from half a day to five days. Examples of such training/courses included:
• • Specific sections of the Privacy Act and Access to Information Act
  • Exemptions under the Privacy Act and Access to Information Act
  • Provincial and territorial privacy legislation
  • Protection of information and human resources
  • Privacy Impact Assessments.
• University of Alberta certification program: Some participants said that they and/or members of their staff have gone through the Information Access and Protection of Privacy Program at the University of Alberta. This program includes five courses and takes approximately 1-12 years to complete.
• Conferences: While not described as a form of training per se, some participants identified conferences as good ways of keeping up-to-date on ATIP-related issues. As such, they encourage their staff members to attend conferences whenever possible, particularly the Canadian Association of Professional Access and Privacy Administrators annual conference.
• Office of the Privacy Commissioner of Canada: Some participants identified the OPC’s one-day workshop for federal employees on privacy impact assessments as a form of training they and/or members of their staff have taken.

As mentioned, participants routinely distinguished between internal and external training received by ATIP staff. In addition to the external training identified above, nearly all participants identified internal training provided to staff. Such training was sometimes described as informal and ad hoc, but it was nonetheless considered very important.

The most commonly-identified type of training was described as on-the-job training, which often involved mentoring by senior staff to ensure that all ATIP analysts have the knowledge and resources to do their job effectively. In some instances, this involved individual learning plans developed in consultation with ATIP staff to ensure that their training and development needs have been addressed.

Other forms of internal training identified relatively frequently included the following:

• Training/information sessions/workshops on specific access or privacy cases within the organization (e.g. ‘lessons learned’ sessions)
• General training on the Privacy Act and Access to Information Act and their impact on programs/initiatives
• Training on specific sections of the Privacy Act and Access to Information Act (e.g. exemptions under the Privacy Act)
• Orientation sessions for all new/incoming ATIP staff regarding obligations and responsibilities under the legislation.

Finally, some participants volunteered that their unit provides awareness or information sessions on privacy and access issues for departmental employees in general. This includes providing information related to the following types of issues:

• Roles and responsibilities vis-à-vis ATIP
• Privacy in the workplace
• Faxing personal information
• How to access your personal information and lodge a complaint.

Nuanced Views Regarding Adequacy and Relevance of Training

Generally speaking, participants did not express themselves categorically regarding the adequacy and relevance of the training they and their staff receive. Instead, they tended to express nuanced views on these issues. One participant’s statement regarding training is revealing because it reflects a view expressed by many others who used different words to express something similar: “The training tends to be adequate and relevant in the sense that it provides staff everything it can; it is inadequate in the sense that it cannot provide staff with everything they need”. The main point being made (by this participant and others) was that training is necessary, but not sufficient in preparing staff to understand and deal with privacy-related issues. 

In addition to training, participants routinely observed that on-the-job experience is crucial to the development of a good privacy officer. The reason given to explain why is that dealing with privacy issues involves dealing with particulars, details, specifics, exceptions, and exemptions, which no amount of training can adequately address. In the words of another participant: “when you deal with privacy issues, you spend a lot of time down in the weeds.” Some participants made a similar point differently by suggesting that dealing with privacy issues is a constant act of interpretation (i.e. applying the general to the particular). This involves not only applying the provisions of the Privacy Act to particular circumstances, but to particular circumstances that change constantly.

Presenting this general view or outlook provides a context for understanding two characteristics of additional feedback received on training. The first concerns the extent to which staff receives enough training. Interestingly, those who felt that their staff members do not receive enough training tended to point to the newness and/or lack of experience of their staff to explain why. For example, some explained that there has been a lot of staff turnover in their ATIP unit and that the new employees require training. Conversely, some participants explained that training is adequate because, in addition to formal training, they have a number of experienced senior officers who act as mentors to newer staff.

The second concerns the areas in which participants said they would like to receive more training for themselves or their staff. The areas identified tended to focus on specifics as opposed to general issues, with participants routinely saying they would like training that is less ‘theoretical’ and more ‘practical’. This included training related to the following:

• Applying specific clauses/sections of the Privacy Act
• Exclusions and exemptions under the law
• New or emerging issues in privacy
• Privacy issues related to social media
• Preparing PIAs
• Negotiating/dealing with key actors in the privacy community (e.g. the OPC, requesters, applicants).
• More guidance from the TBS regarding PIAs (including apparent discrepancies between TBS and OPC requirements).

Widespread Awareness of Privacy Professional Certification

There was widespread awareness that there is certification or accreditation for privacy professionals. Indeed, nearly all participants were aware that this is available. Participants were most likely to be aware of the certification program provided through the University of Alberta. Moreover, as noted earlier, some participants said that they and/or members of their staff have completed this program.

Small numbers of participants were aware that there is certification or accreditation provided through the Canadian Association of Professional Access and Privacy Administrators and/or the International Association of Privacy Professionals. Finally, a few were under the impression that it is possible to obtain accreditation through the Canada School of Public Service. None of the participants said that they and/or members of their staff have completed programs offered through either of these three organizations.

Limited Interest in Pursuing Professional Certification

Among those aware of such programs (and who have not pursued them), there was limited interest in pursuing certification or accreditation. In explaining why, these participants routinely explained that pursuing professional certification or accreditation will not improve their professional skills in a meaningful way. Some added that they have acquired enough expertise in the area, or felt that meaningful additional professional development could only come through on-the-job experience. Some others suggested that the training provided through these programs tends to be general and/or theoretical, and therefore not relevant or practical enough to help them in a meaningful way. It is worth noting that a few of the participants who completed the University of Alberta program also described it as general, with a focus on theory.

Only a couple of other reasons were given to explain the lack of interest in this. One Francophone participant explained that the University of Alberta program is offered only in English. Another participant suggested that the focus of these programs tends to be on the private sector, and therefore they are not as relevant to people who work in the public sector.

In discussing this issue, one participant suggested that the most important skills needed to work in this area cannot be acquired through certification or accreditation. These skills were identified as analytical, organizational, and communication/negotiating skills.

Membership in Professional Associations

Most participants said that they and members of their staff (though not necessarily all members) are involved in professional associations. With few exceptions, participants identified themselves and members of their staff as belonging to the Canadian Association of Professional Access and Privacy Administrators (CAPAPA). A few said they and some members of their staff belong to the International Association of Privacy Professionals (IAPP). Finally, a few identified themselves as members of both CAPAPA and IAPP.

Limited Networking with Privacy Communities Outside of Federal Government

Only a few participants indicated that they and/or their staff network or have contact with others in the privacy community outside of the federal government. In explaining why they have no such contact, participants explained that their world is governed by the statute that applies to the federal government (i.e. the Privacy Act). Consequently, their networking tends to be limited to interactions with those governed by the same statute (i.e. other federal departments/agencies) and the institution that has oversight of the legislation (i.e. the OPC).

To the extent that there is networking outside of the federal government, it tends to be with personnel of other governments. A few participants said they sometimes engage in consultations with provincial governments because of information-sharing agreements or simply to discuss privacy-related issues in general. One participant said that her department sometimes has interactions with government departments in other countries on issues related to the transfer of information.

Beyond this, the only opportunities that participants identified for communication and/or networking outside the federal government involved meetings at conferences or symposia.

Types of Privacy Issues

This section reports on the types of privacy issues that participants and others in their ATIP units deal with, as well as the challenges they face and new and emerging privacy issues that they deal with.

PIAs – Privacy Issue Identified Most Often

Participants collectively identified a range of top privacy issues that they and others in their units deal with on a regular basis. The types of issues identified can be grouped into five categories. For the most part, participants typically identified issues that fell into one or two of these categories. Having said that, some identified key issues in three or more areas. Top privacy issues include:

• Privacy Impact Assessments: This was the privacy issue identified most often, and the only one identified by nearly all participants. For the most part, the key consideration was described as identifying and resolving privacy risks related to the redesign of programs and services. Some added that an important issue is that the people completing PIAs are not experts in the field of privacy, so they require considerable support.
• Ensuring the Safety and Security of Personal Information: For many participants, one of the key issues, often the key issue, is ensuring the safety and security of personal information collected and stored in databanks or personal information banks (PIBs). This includes dealing with the following types of issues:
• • What personal information is collected? (e.g. what type of information does the organization have/collect?).
  • How/where is personal information stored?
  • How is personal information shared/transferred/transmitted?
  • How is personal information disposed of?
• Issues Surrounding the Release or Disclosure of Personal Information: Some participants said the main privacy-related issue they deal with concerns the release or disclosure of personal information. This typically involves dealing with requests for personal information and determining what information, if any, can be released (in some cases without the consent of the individual to whom it relates). Routinely-given examples include the following:
• • Lawyers requesting clients’ files.
  • Investigative bodies or law enforcement agencies requesting information related to an investigation or case.
  • Employees requesting information on or about themselves (e.g. e-mails, assessments).
  • Applicants for government services requesting their files (e.g. why they were denied a service).

Identified less often, but still described as a key issue by a few participants, were public interest disclosures. These were described as situations in which a determination has to be made as to whether an individual’s right to privacy outweighs the public’s interest or right to know. An example of such a situation would be one in which someone has threatened violence because they were denied a government service.

• Privacy-Related Complaints: Some identified the main privacy-related issues they deal with as complaints. Examples include the following:
• • Complaints about unauthorized disclosure of personal information.
  • Complaints about lost, misplaced, or misdirected personal information.
  • Claims that personal information was used for purposes other than the reason it was collected.
  • Complaints regarding the collection of personal information (e.g. on the census).
  • Complaints about exemptions to disclosed personal information (i.e. someone did not obtain all the information they requested).
• Appropriate Use of Personal Information: For some, the key privacy issue they deal with involves ensuring the appropriate use of personal information that is collected. This includes the following types of issues:
• • Ensuring that personal information is used only for the purposes for which it was collected.
  • Ensuring that only the minimal amount of personal information required for a specific purpose is collected.
  • Ensuring that personal information is not retained longer than necessary.
  • Data-matching issues (i.e. under what circumstances, if any, can someone’s personal data be matched or linked to other personal data).
  • Data-sharing issues (i.e. ensuring that personal information collected is not shared inappropriately).

Main Challenges Encountered

Participants collectively identified a variety of challenges they face or encounter in terms of the privacy issues that they deal with, but most identified only one key challenge. The challenges that were identified include:

• Privacy Impact Assessments: A number of participants identified the privacy impact assessment process as a significant challenge they face. More specifically, the following aspects were identified as challenges:
• • Amount of work required: To some, the main challenge posed by PIAs is the amount of work involved in what they referred to as ensuring ‘privacy by design’. In other words, the amount of work involved in identifying and resolving privacy risks related to all redesign of programs and services, including modified personal information banks.
  • Lack of expertise: As noted, for some a key challenge related to PIAs is that the people responsible for doing them are not experts in the field of privacy. Therefore, they require a lot of support and advice when it comes to completing them.
  • Lack of resources/guidance: Related to the latter point was a sense among some participants that insufficient resources and guidance are available to those who have to complete PIAs. It was observed that while the Treasury Board Secretariat has issued its PIA policy, there has been little done to help departments and agencies actually meet the requirements.
  • Conflicting requirements: Regarding requirements, a few participants said that one of the challenges they face is that the TBS and the OPC have different requirements when it comes to completing PIAs. It was observed that while government departments/agencies are accountable to the TBS and its guidelines, PIAs have to be submitted to the OPC whose assessment or review sometimes involves criticism.

Types of support or assistance that would help participants deal with challenges posed by PIAs include more resources and guidance for those responsible for completing them, and agreement between the TBS and OPC regarding the requirements for PIAs.

• Operational challenges: Some participants described the main challenge they face as being on the operational level. What they were referring to is the challenge of ensuring the protection of vast amounts of personal information that get used and shared every day by a variety of actors. With so much information in circulation, the main challenge is avoiding breaches (accidental or criminal). Moreover, a few participants added that the consequences of a breach can be disastrous. In the words of one participant: “given the amount of information we hold and handle, one breach could compromise the privacy of literally thousands of people”. Participants who identified this challenge could not identify specific type of support or assistance to help them meet this challenge.
• Sensitivity surrounding privacy: To some, dealing with the sensitivity surrounding privacy and privacy-related issues is a key challenge. This was seen to be a consequence of the importance assigned to privacy as a right and its protection. For example, it was observed that when it comes to matters that affect their privacy, people can become (perhaps justifiably) very vocal, demanding, and uncompromising. In addition, given the importance generally attributed to privacy, any incident has the potential to become a public issue, either because the press covers it or because of advocates interesting in taking up a cause. As an example, one participant pointed to fall out from the recent incident in which a veteran’s personal information was inappropriately circulated.

Types of support or assistance that would help participants deal with this challenge include training that would help develop negotiating and communications skills, including skills in dealing with ‘difficult’ individuals. Regarding the latter, it was observed that some people who make privacy-related complaints have a fundamental suspicion of government and can be very hard to deal with.

• Staff-related issues: Some identified staff-related issues as a challenge they face. By this, they meant staff-related issues making it difficult to effectively carry out all of their privacy-related responsibilities. This took a variety of forms, including:
• • Lack of staff: As mentioned when discussing the size of ATIP units, some participants said they are not always functioning at full capacity. In other words, the number of people working on ATIP issues falls short of the number of positions assigned or dedicated to ATIP issues. This was described as a problem when and if the workloads increase because existing resources are strained.
  • Staff turnover: Some participants identified staff turnover as an important challenge they face in their unit. Reasons for this include retirement, burn-out, and a desire to change one’s career path. The result is that there tends to limited corporate memory regarding privacy issues, as people with experience get replaced by people with little or no experience who require training.
  • Staff retention: While related to the previous challenge, a few participants focused specifically on staff retention as a challenge (i.e. retaining people in the ATIP unit so as to increase the number of experienced analysts).

Some participants suggested that there should be a professional development program in order to cultivate privacy analysts and develop an experienced staff. One participant said that his/her department has developed such a program, and that it has improved overall retention and succession planning.

• Backlog in ATIP requests: A couple of participants identified backlogs in dealing with ATIP requests as a challenge they face in dealing with privacy issues. They explained that backlogs in responding to access to information requests have resulted in more time and/or resources being devoted to them in order to reduce the backlogs. The challenge they face is managing resources to ensure that they address both their access and privacy priorities.
• New/emerging issues: Finally, some participants identified new and/or emerging issues as a challenge they face when dealing with privacy issues. However, since all participants were asked explicitly about such issues, this topic will be discussed below so as to avoid repetition.

New and Emerging Issues

Participants identified a variety of new and emerging privacy issues with which they are dealing or which they expect to have to deal with. These issues tend to fall into six general categories:

• Balancing privacy with security and public safety: One of the most frequently-identified new or emerging issues was the importance of balancing the right to privacy with the need for security and public safety. Some said that while this is not necessarily a new issue, it has taken on added significance over time, given the increased concern with terrorism. On the other hand, one participant suggested that there is a new dimension to this issue precisely because of the growth of terrorism. Specifically, the threat posed by terrorism is typically a threat posed by individuals (e.g. not armies or other states). Consequently, effectively dealing with terrorism inevitably involves interference with the privacy of individuals. The following are specific examples of issues where a balance between privacy and security needs to be set:
• • Using security bracelets to track the location of released convicts.
  • Using full body scanners in airports.
  • Using video surveillance technology
  • Public interest disclosures.
• Ensuring privacy while embracing social media: Another routinely-identified new/ emerging issue was described as the need to ensure that privacy is maintained as government embraces social media to engage and interact with citizens. It was noted that while this opens an avenue for government to effectively communicate with citizens (especially younger ones), there are also important privacy-related issues to consider. Some observed, for example, that the ability to tap into wireless communications could compromise the privacy of individuals. One participant also noted that, at present, there is no overarching framework in the federal government regarding the use of social media. At present, departments and agencies are forging ahead independently, so even if the issue of privacy is being considered, it is not being considered in an overarching way (i.e. one that applies to all departments and agencies).
• Ensuring privacy protection as the capacity to collect information increases:Many participants observed that as the capacity to gather and store personal information increases, so must the measures to ensure its protection. A few added that the greater the amount of information collected, the greater the potential that a breach could be disastrous.
• Ensuring privacy as the capacity to monitor increases: Some participants felt that a key emerging issue concerns the government’s increasing ability to monitor through technology. In other words, the sheer ability or potential for monitoring people, in and of itself, is something that has privacy implications. Examples included the use of GPS systems, traffic surveillance technologies, web crawlers, and monitoring of social media sites. As an example, it was observed that traffic surveillance technologies will help capture traffic violators, but they may also capture information about people who are not in contravention of the law.
• Genetic information: A few participants identified the storage of genetic information (i.e. genetic data banks) as the new frontier in the world of privacy, and an area in which the implications for privacy are still not fully known.In the words of one participant “we’re no longer talking about your SIN or credit card number, but your basic genetic code, and the privacy implications at this point are anybody’s guess”.

Need to recruit/develop privacy experts: Finally, some participants said that one of the new challenges they face is recruiting and developing people interested in dealing with the types of privacy issues identified above (and others). As noted already, some participants suggested that there should be a professional development program in order to cultivate privacy analysts and develop experienced staff. It was felt that this becomes all the more important as new challenges emerge in the privacy world. In the words of one participant: “the more complex the issues, the more important the need for people trained to deal with them”.

Interactions with the Office of the Privacy Commissioner

This section reports on interactions and dealings with the Office of the Privacy Commissioner (OPC).

Frequency of Interactions with OPC Varies

The frequency with which participants and others in their ATIP units interact with the OPC varies considerably.  A few participants described their interactions as frequent or regular, with one describing contact as ‘sometimes daily’. Others described their interaction as periodic, with a few specifying that they meet with the OPC on a quarterly basis. Some described their interactions as irregular, saying they vary or tend to be issue-driven (e.g. there may be an upsurge in complaints at some point in time). Finally, some described their interactions and dealings as infrequent or very infrequent.

Nature of Interactions with OPC

Participants tend to interact with the OPC for a range of reasons, which include the following:

• Issues related to PIAs: This was the most frequently-identified purpose of interaction with the OPC. It includes asking questions or seeking advice about PIAs, submitting them, and communicating with the OPC regarding their review/ assessment of PIAs.
• General guidance or advice: Most participants said they contact the OPC on an as-needed basis for guidance or advice on various privacy-related issues.
• Consultations: Some participants said they have been involved with the OPC in various consultations.
• Breaches, complaints, audits and investigations: Some said they are in contact with the OPC regarding such things as breaches, complaints, audits, and investigations that involve their department or agency. This includes delays in responding to privacy requests.
• Workshops or presentations: Some said they have attended workshops and/or presentations given by the OPC, including a recent workshop on PIAs.

Interaction typically includes a mix of e-mail, phone, and in-person contact.

Use of OPC Tools/Resources

Virtually all participants said they and/or members of their staff use or have used resources or tools provided by the OPC. However, they do not tend to use such resources frequently or regularly. Resources that participants or their staff members use or have used include the following, none of which dominated:

• Reports and publications
• Videos
• Best practices
• Case summaries
• Commissioner’s findings
• Quizzes
• Guidance regarding PIAs/PIA workshop
• Speakers’ series
• Information on social networking
• Information on privacy breaches
• Information on identity theft.

Some said that they and/or members of their staff periodically visit the OPC website to see what is new.

It should be noted that when discussing their use of OPC resources, many participants re-iterated that they contact OPC personnel for guidance or advice on various matters. Therefore, to the extent that OPC personnel can be considered resources, they should be included here as well. A few participants also added that they try to attend talks given by the Privacy Commissioner or read transcripts of them.

Perceived Usefulness of OPC Resources

Overall, participants have positive impressions of the OPC resources they have used. The general impression is that they are informative, provide general guidance, and keep practitioners in the area of privacy up-to-date on issues. At the same time, there was also a relatively widespread impression that resources tend to be general and therefore not always detailed or precise enough to help them with specific issues with which they may be seeking help (e.g. specific situations that provisions of the Privacy Act do not seem to cover or address). Having said that, a few participants added that one cannot expect the OPC to have answers to every question and every specific problem they have.

Openness, Receptivity, Professionalism – Main Perceived Strengths of OPC

Asked what has worked well in their dealings with the OPC, participants routinely identified two organizational strengths: its openness or receptivity (including a willingness to help) and its professionalism (whether in the course of an audit, an investigation, or a consultation). There was also a widespread impression that the OPC has an understanding of the environment in which government privacy officers work, which facilitates interaction with them even when the latter involves an investigation or complaint.

Reluctance to Provide Advice – Main Criticism

Asked what has not worked well in their dealings with the OPC, participants most often indicated that while the OPC clearly wants to help them, it tends to be reluctant to give concrete advice and seems to want to remain non-committal. A few added that they find this frustrating because they go to the OPC for advice in recognition of its expertise in the area of privacy. One participant, focusing specifically on PIAs, felt that the OPC is reluctant to provide advice on PIAs, but will criticize if they feel they have not been done properly.

Other criticisms of the OPC were identified by no more than a few participants. These include a perceived zealousness in some of their investigators, especially regarding delays, and a perception that they are sometimes difficult to contact by phone. In this regard, one participant felt better served by the Office of the Information Commissioner because when one calls the OIC, the phone is always answered by an individual. This makes one feel better served because in dealing with an individual, one has the opportunity to better explain what one needs or is looking for.

Widespread View that OPC Should Take Lead in Support, Education, and Guidance

Participants routinely expressed the general view that the OPC should play a leading role in terms of providing support, education, and guidance on the privacy-related issues or challenges that they face. Indeed, many added that this is one of the reasons why they contact the OPC. Some participants immediately added that this might cause tension and conflict with the Treasury Board Secretariat, but that they consider the OPC to be the expert in the field of privacy.

More specifically, participants expressed the following expectations in relation to the OPC:

• Increased outreach: A number of participants said they would like to see an increase in outreach activities on the part of the OPC. Some referred specifically to the PIA workshop they attended, noting that they would like to see more of this type of get-together where information can be openly shared with others in their field.
• Increased role in education and training: Most expressed a desire for the OPC to take on a more active role in education, training, and guidance in the area of privacy, especially areas that are cross-departmental in terms of relevance (e.g. the use of social media by government). Some added that the OPC should have an educational, as well as an enforcement mandate because of its expertise.
• Provide guidance: Referring back to their main criticism of the OPC, a number participants said they would like the OPC provide concrete guidance to them regarding the questions they might have on privacy issues.
• Looking ahead/scanning the horizon: A number of participants said they expect the OPC to be a kind of look-out or forecaster in terms of what is coming, or in terms of new and emerging issues in the area of privacy.
• Hub of information: Some said they expect the OPC to be a hub or repository of information and developments on privacy-related issues.
• Link/network to other privacy commissions: A few participants think the OPC should network and work with privacy commissions at both the provincial and the international level. In the words of one of these participants: “privacy issues are like the weather, they go beyond political boundaries”.

In the course of discussing expectations in relation to the OPC, a few participants stated that it would be very helpful to them if the OPC and Treasury Board Secretariat were on the same wave length when it comes to privacy issues. Two examples were provided of where this is not seen to be the case. One involves PIAs, the observation being that the OPC’s requirements exceed those of the TBS. The other involves the question of whether information already available in the public domain can be released. According to one participant, the TBS takes the position that the answer is ‘yes’, while the OPC says ‘no’.

OPC Tools Should Focus on Education and Training

Participants identified only two specific tools or services that the OPC could be providing to enhance their privacy work. One, mentioned relatively frequently, was assistance preparing PIAs. The other was a tool to help with risk assessment when it comes to privacy issues.

Beyond this, no specifics were offered, but many re-iterated that the OPC should focus on education and training. There were two components to this. First, and most important, participants said the OPC could provide training and education to practitioners in the field of privacy. In addition, a few participants mentioned that the OPC should play an active role in educating the general public about privacy issues. It was observed that while members of the general public are generally aware of the importance of privacy issues, most probably have little or no idea about what constitutes a legitimate versus an illegitimate or frivolous privacy-related complaint.

Appendix

Interview Guide

Initial contact:

• Interview should be conducted with the manager of the ATIP unit (or a person he/she designates). If that is not the person contacted, ask for referral. 
• Confirm agreement to take part in the study.
• Refer to OPC notification letter that informs potential respondents about the research (e-mail to be sent by Phoenix before initial contact).  Resend letter if needed.
• Interview would take approximately 30-40 minutes.
• Note that participation is voluntary and that responses are confidential – no individuals or organizations will be identified in any way.
• Schedule time for interview, if agreeable.
• E-mail interview guide for review (confirm e-mail coordinates).
• Ask them to review the guide in advance of the interview.

Subsequent contact:

• Determine if person is available. If not available, re-schedule interview.
• Refer to interview guide that was sent to him/her.
• Interview would take approximately 30-40 minutes.
• Remind him/her that responses are confidential, but a public report will be produced.
• Record name, position, organization, phone number, length/date of interview.

NOTE: While the research is being conducted with ATIP coordinators, the focus is on the privacy part of their responsibilities, not on the access to information part.

Information About ATIP Unit

I’d like to begin by asking you a few questions about the way in which the ATIP function is organized in your department ^{Footnote 2}.

1. First, what is the size of the ATIP unit in your department? That is, how many people do you have working on ATIP issues?
2. Could you briefly tell me about your own responsibilities with respect to ATIP?
3. What is the budget for your ATIP unit? Please include salary and non-salary dollars in this budget figure.
4. How much time would you say you and others in your unit spend on privacy issues versus access issues? RECORD PERCENTAGE. Is this fairly consistent or does it vary by month, or season, or in some other way? If it varies, please describe.
5. Do these two priorities ever conflict or cause challenges for you in your daily work?
6. How involved are you in the PIA (Privacy Impact Assessment) ^{Footnote 3} process in your department?
7. Do other people in your department come to you for advice or input in terms of the development of Privacy Impact Assessments? If so, how often does this happen?
8. How does the ATIP group feed into the organizational hierarchy – for example, does the ATIP coordinator participate in senior management meetings?

Training, Certification & Involvements

These next few questions concern training and professional development.

9. Do you and others in your ATIP Unit attend privacy training related to your privacy responsibilities?

IF ‘YES’ ASK NEXT TWO QUESTIONS ^{Footnote 4}:

10. How often do you/your staff receive training for ATIP? Who (or what organization) provides that training? What is involved in the training?

• Probe:
  • training frequency
  • nature of training (e.g. length of course[s], main focus)

11. Overall, do you feel you/your staff receive enough training? Why do you say that?
12. Is the nature of the training available to you relevant to your work? What areas would you like to receive more training in, if any?
13. Are you aware that there is certification for privacy professionals and, if so, is this something you either have or are interested in pursuing?
14. Are you or your staff involved in any professional associations? If so, what associations do you belong to? Any others?
15. To what extent do you/your staff network or otherwise have contact with others in the privacy community outside of the federal government? In what circumstances do you do this? What opportunities exist for this type of communication and/or networking?

• Probe:
  • other public sector
  • private sector

Types of Privacy Issues

Turning briefly to the types of privacy issues you deal with.

16. What are the top privacy issues you deal with on a regular basis? Anything else?
17. And what are some new and emerging privacy issues that you are dealing with? Any others?
18. What are the most significant challenges that you encounter in terms of the privacy issues that you deal with? Any others? What type of support or assistance do you feel you need, if any, to help you deal with those challenges?

Interactions with OPC

I’d now like to ask you a few questions about your dealings with the Office of the Privacy Commissioner, OPC for short.

19. How often do you or others in your ATIP unit, interact with, or have dealings with, the OPC? What is the nature of your interactions with the OPC?

• Probe:
  • frequency of interactions
  • purpose/reasons for interactions
  • channels used

20. To what extent do you or others in your unit use resources or tools provided by the OPC? If so, what do you use? How useful is this to you? Anything else?
21. Thinking of the dealings that you or others in your unit have had with the OPC, what in your view has worked well? And what has not worked well from your perspective, and represent areas in need of improvement?
22. In general, what are your expectations with respect to the OPC? That is, what role do you think they should play in terms of providing support, education or guidance on privacy related-issues or challenges to you and others in your unit?

• Probe:
  • any expectations at all?
  • role OPC could/should play

23. Are there additional tools or services that the OPC could be providing to you that could enhance your privacy work? Anything else?

Conclusion

24. Do you have any other comments or suggestions to add about any of the issues we’ve discussed before we conclude the interview?

Thank you.

Confirmation E-mail

Thank you for agreeing to take part in this research that the OPC is conducting with Access to Information and Privacy (ATIP) coordinators. The research is designed to better understand the context in which federal ATIP organizations operate, as well as their needs and expectations.

As agreed, I will contact you at [time], on [day/date]. The interview will last approximately 30-40 minutes.

Attached to this e-mail is the interview guide which outlines the issues to be discussed during the interview. Please take a few minutes to review the guide prior to the interview. If useful, we invite you to consult with others in your organization beforehand if any have insight to offer on issues explored in the interview guide.

Once again, thank you for agreeing to participate in this study. If you have any questions, please do not hesitate to e-mail me or call me at [phone number].

Sincerely