Remarks by the Privacy Commissioner at Access to Information and Privacy Communities meeting for Data Privacy Week

January 26, 2026
Virtual

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Good morning. I am delighted to be able to join you today.

I can think of no better way to kick off Data Privacy Week than to be here amongst fellow privacy champions!

I look forward to discussing the data protection opportunities and considerations that lie ahead in what is shaping up to be another important year for privacy.

As the privacy professionals within your organizations, you are at the forefront of helping to promote a culture where data protection is prioritized as an enabler and strategic benefit for an organization.

In this increasingly digital world, your collective expertise and shared values as public servants are key to preserving the trust that Canadians hold in their federal government institutions, programs, and services.

Strong data-protection frameworks help Canadians to know that their information is protected – today and into the future.

My Office has chosen Prioritize privacy by design as its theme for Data Privacy Week this year.

We want to emphasize the importance of integrating privacy from the very outset of any new initiative or program and building in privacy protections at the foundation instead of having to retrofit later.

Creating a culture that prioritizes data privacy and security from the outset can help “future proof” your organization, your services, and your information management and information technology systems.

Data Privacy Week is an opportunity for organizations to reflect on how to best manage and protect personal information. This will ensure that individuals can confidently reap the benefits of innovation and contribute to the digital economy, secure in the knowledge that their data is protected.

In my remarks today, I will focus on some of the things that my Office is doing to help foster this culture of privacy through our work to advance my strategic priorities, and how you can promote privacy by design within your organizations.

Update on strategic priorities

In the past year, my Office has made significant progress on my three strategic priorities, which are: maximizing the impact of the OPC, addressing the privacy implications of technologies such as artificial intelligence (AI), and championing children’s privacy.

Maximizing the impact of the OPC

With respect to my first priority, when I spoke at this event last year, I talked about the implementation of a new transformation plan to streamline OPC processes, making them more integrated, agile, and strategic in order to maximize the impact of our work for Canadians.

A year later, I can say that, while efforts are ongoing, I have already seen great ideas emerge and being implemented, more synergies in our work, and many creative solutions to the pressures that we face in light of growing complaint volumes and limited resources.

For instance, we are modernizing the complaint intake and online form and finding faster and more efficient ways to resolve matters.

Not every case requires a full, resource-intensive investigation. Sometimes, there are more efficient ways of achieving a desired result, such as through early engagement and resolution, compliance letters and ongoing interactions and monitoring.

Learning from others and identifying best practices also help shape the advice and guidance that we provide to organizations.

For example, my Office is currently seeking input on our consultation and guidance processes. While this exercise is aimed at the private sector, it will also inform our advice to public institutions.

I am a strong advocate for collaboration with stakeholders at all levels – nationally, internationally and across regulatory jurisdictions – to better protect and promote privacy.

In October, I became co-chair of the Federal, Provincial and Territorial Information and Privacy Commissioners and Ombuds group alongside Information Commissioner of Canada Caroline Maynard.

Last June, I hosted the G7 Data Protection and Privacy Authorities Roundtable here in the National Capital Region, in the context of Canada’s G7 presidency.

And in September, I was honoured to be elected Chair of the Global Privacy Assembly, an international forum that brings together more than 130 data protection and privacy authorities from around the world.

My election as Chair is a recognition of long-standing Canadian leadership on the global privacy stage. Having Canada at the table of leading international privacy forums such as the GPA contributes not just to protecting privacy and throughout the world, but also helps to promote Canadian interests in the global economy.

Recognizing the global nature of data protection, strategic cooperation among privacy and other regulators, along with engagement with external stakeholders, including civil society, industry, and public institutions, will allow members of the Global Privacy Assembly to maximize our collective voice, impact, and capacity in providing global leadership on data protection in support of individuals and organizations.

Addressing the privacy implications of technologies, such as AI

Addressing the privacy implications of technologies, such as AI, has also been a focus of our domestic, international and cross-regulatory work.

Through joint statements, resolutions, research, an ongoing joint investigation into OpenAI and a recently expanded investigation into social media platform X following reports of AI-generated sexualized deepfake images, we continue to broaden our understanding of the technology and promote its responsible development and use.

Of particular note on the matter, as a member of the Global Privacy Assembly’s Working Group on Ethics and Data Protection in AI, I was the authoring sponsor of a resolution on human oversight of decisions involving AI that was adopted in September 2025.

The resolution calls on organizations that use AI to make decisions to adopt technologies and processes that allow for meaningful human oversight, particularly when those decisions could impact an individual’s fundamental rights and freedoms.

In addition, I was also one of 20 signatories of an international joint statement on trustworthy data governance for AI, which calls for data protection principles to be incorporated into the design of AI systems and for the establishment of robust data governance structures.

Like many federal organizations, my Office has been exploring potential ways to use AI in our work. In doing so, we are also seeking to lead by example in demonstrating how privacy can enable safe, secure, and responsible innovation.

Embracing privacy by design principles, our technology team has developed an in-house AI called PrivIA that we began piloting across the Office in the fall.

I am quite excited about our internal AI solution and the opportunities that this will enable. This is important for many reasons, including deepening our understanding of this technology that we regulate, while also helping to optimize our work.

Championing children’s privacy

Prioritizing privacy by design and collaboration also underscores much of our work under my third priority – championing children’s privacy.

During last summer’s G7 Data Protection and Privacy Authorities Roundtable, we released a joint statement on responsible innovation and the importance of prioritizing privacy to protect children.

It stressed the importance of privacy by design as a driver of public trust, economic success and societal growth, and emphasized that the protection of children’s best interests as a primary consideration be a key element of responsible innovation.

Immediately after hosting the G7 privacy roundtable, I welcomed Canadian youth leaders, academics, government officials, civil society representatives, industry stakeholders, and data protection authorities from around the world to a symposium that explored key issues related to the protection of children’s privacy, now and into the future.

It featured a panel with young Canadians who spoke candidly about their privacy experiences and concerns, and informative discussions on the impact of AI on young persons, deceptive design, and educational technologies.

During the meeting, I launched a Youth Council as a space for young people to share their insights, experiences, and solutions to the privacy challenges they face, in part to help inform our own efforts to better protect children’s privacy in the digital age.

The Council is now established, and I look forward to meeting the members in person in February, when they will develop their work plan.

In November, I issued a joint resolution with my provincial and territorial counterparts on protecting children’s privacy in the classroom through responsible educational technologies.

My Office is also working on age-assurance guidelines, as well as a children’s privacy code to offer organizations legal and practical advice on how to handle children’s personal information. In September 2025, we released the results of our joint investigation into TikTok with Quebec, British Columbia and Alberta.

Prioritizing privacy by design

As you are the privacy champions within your organizations, I want to take this opportunity to also talk about the tools at your disposal that can help you prioritize privacy by design, support innovation, and advance a culture of privacy within your institution.

Privacy impact assessments

Privacy impact assessments (PIAs) are one of the best tools for considering and mitigating against privacy risks at the outset of any initiative. A PIA can help reduce risks, lower costs, foster trust, and drive innovation, positioning your organization as a leader in a rapidly evolving digital landscape.

I am pleased to see that the number of PIAs that my Office receives from government organizations has been growing steadily each year. For example, from 81 in 2020-2021, to 138 PIAs in 2024-2025.

This fiscal year, between April and December 2025, we received 123 PIAs. Importantly, we are seeing an increase in PIAs from smaller institutions, which is good news.

Carrying out PIAs and following through on mitigation measures will help to strengthen your initiatives by identifying where problems could arise – and by giving you the opportunity to fix them before they do.

We have made it easier for you to securely submit PIAs online to the OPC and Treasury Board Secretariat (TBS) simultaneously through our website. The updated form accepts documents up to Protected B and makes it easier for institutions to later add documents and link them to previous submissions.

Third-party contracting

Another area where privacy by design is important is third-party contracting. When a contract involves the collection of personal information, considerations should include an analysis of the Privacy Act and TBS privacy policy instruments. Embedding privacy considerations at the beginning of an initiative with a third party makes it easier to address privacy issues that may arise.

When it comes to contracting and procurement, privacy officials need to be at the table to ensure that privacy is entrenched from the beginning.

It is important to consider issues such as how a contractor will protect the personal information that they hold, how they would handle a data breach, and what powers your institution needs to conduct audits of a third party’s privacy practices.

It is also important to establish that personal information will be retained only for the period necessary to fulfill the purpose for which it was collected.

Additional considerations, depending on the circumstances, include other applicable laws, international trade agreements, and the introduction of novel technologies.

We would also encourage institutions to communicate with third-party vendors about what privacy assessments they may have conducted themselves on their products and what assurances they can share about their products’ legal compliance. These precautions are especially important for new technologies and for programs that use highly sensitive information.

Complaint and breaches trends

Before I conclude, I will say a few words about complaint and breaches trends.

In just the first half of this fiscal year, the OPC has received 40 percent more complaints under the Privacy Act compared to the same period last year, and 62 percent more than the average of the last two fiscal years.

Time limit complaints are up 129 percent, more than any other type of complaint.

This includes a 138 percent increase in complaints related to Extension Order #3, which allows foreign nationals to make access requests for personal information held by government departments.

During the same period, my Office received 245 reports of breaches, affecting nearly 38,000 individuals. That translates into approximately 41 breach reports a month.

Consistently over the past three years, the most common type of breach is loss of personal information.

The OPC conducted a review of privacy breach activities in federal institutions last year. We found that some material breaches go unreported and, more importantly, that others likely go entirely unnoticed at many institutions.

Many institutions acknowledged that their employees, particularly front-line workers, do not always fully grasp what constitutes personal information or their obligations under the Privacy Act.

While breach reporting has been mandatory for many years, we found that breach detection and review procedures could be improved at many institutions, and that some had none in place at all.

We also found that some institutions did not have proper tools to assess the risk of injury or harm to individuals, focusing instead on risk to the institution. Moreover, our review confirmed that technology safeguards for new systems are not always as robust as they could be.

I would encourage you to take advantage of the tools that can assist you in this area.

For example, the privacy breach risk self-assessment tool that is available on the OPC website can support institutions in assessing whether a breach is likely to create a real risk of significant harm to individuals, thus triggering the requirement to report the breach.

The TBS Privacy Breach Management Toolkit is another practical resource for managing privacy breaches.

And I will just remind you that on Wednesday, January 28, TBS is hosting a Data Privacy Day event with the participation of the OPC and the Canadian Centre for Cyber Security. They will be discussing how to navigate privacy breaches, from prevention and response to building trust. It will be an informative session with lots of practical advice for institutions, and I encourage you to attend!

Conclusion

Privacy by design is a team sport. To do it effectively, we all need to work together.

For the privacy community, this includes collaborating with legal teams, IM and IT colleagues, and procurement and contracting specialists.

It also means engaging regularly with colleagues who are developing new programs and services, modifying existing ones, or introducing new innovations.

By sharing privacy expertise, you can help everyone in your organization better understand and address privacy considerations, risks, and obligations at the outset.

This will help build a culture of privacy and promote privacy by design and responsible innovation across organizations.

As the privacy champions in your organizations, you are at the forefront of leading, developing, and safeguarding the government systems that hold Canadians’ sensitive personal information.

In today’s data-driven digital environment, the work that you do is more important and valuable than ever.

As we mark Data Privacy Week, I want to thank you for your work and for your commitment to protecting Canadians’ fundamental right to privacy.