Remarks by the Privacy Commissioner of Canada at the Privacy Responsibilities in HR event
February 5, 2026
Ottawa, Ontario
Address by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Good morning and thank you to everyone for joining us here today.
A special thank you as well to our guest Jacqueline Bogden, the Government of Canada’s Chief Human Resources Officer, joining us from the Treasury Board Secretariat.
I understand that we have more than two dozen departments and agencies represented, and I thank you for making the time to take part in what promises to be an interesting exploration of privacy as it relates to human resources.
As Privacy Commissioner of Canada, I am an Agent of Parliament, and my mission is to protect and promote the privacy rights of individuals.
To achieve this mandate, I oversee compliance with the Privacy Act, which governs the personal information handling practices of federal government institutions, and with the Personal Information Protection and Electronic Documents Act, Canada’s federal private-sector privacy law. This is achieved in many ways, including through enforcement, as well as through promotional activities to increase awareness and understanding of privacy among individuals and organizations across Canada.
Part of this role is to help federal institutions improve how they manage the personal information that is in their care. This includes advice and engagement with federal organizations and sharing resources and tools that can assist in this area.
I am also pleased to participate in events such as this – a great collaboration with the Treasury Board Secretariat’s Office of the Chief Human Resources Officer and Office of the Chief Information Officer, and my team at the Office of the Privacy Commissioner of Canada.
Engaging with leaders such as yourselves – who play a significant role in the safe handling of personal information across the federal government – is important.
Especially at a time where federal institutions are increasingly leveraging technologies and collecting data to better serve the Canadian public.
This includes within HR functions as well, for example expanding the use of third-party software for staffing, and exploring the use of artificial intelligence (AI) to create efficiencies.
These technologies can offer significant benefits, but also present new considerations for privacy and the protection of personal information.
This is why collaboration between privacy and HR professionals is so important, as working together can help to ensure that personal information is collected and handled appropriately.
The federal government is Canada’s largest employer, and can set the best example for how employers should treat their employees’ personal information.
Your role is vital to advancing privacy across your institutions – both in terms of protecting personal information, and, more broadly, in promoting modern competencies for public servants through learning.
Individuals who trust that their information is being protected will have greater confidence in their public institutions. This is good for Canada and good for Canadians.
I would like to take this opportunity to share some of the reasons why privacy is an important factor in human resources.
Why privacy matters
While confidentiality is already a foundational tenet for HR professionals, integrating privacy considerations into your operations can provide further protections for the personal information that is held by the organization.
Like most employers, the federal government collects personal information about its employees.
Applying key privacy principles can be beneficial for your organization. For example, limiting collection to what is necessary for the purpose.
You should also consider how the information will be stored, who will have access to it, how long you need to keep it and how you will dispose of the information once it is no longer required. A session later this morning will explore the privacy principles in greater depth.
It is essential that institutions ensure that HR personnel and other employees prioritize privacy, provide training, and engage on an ongoing basis with employees about privacy, privacy obligations under the Privacy Act, and related TBS policies.
Some of the investigations that my Office has carried out in the past few years have demonstrated how privacy transcends many different areas. For example, in one investigation, we found that a department was using building security footage to determine when an employee was leaving work. The investigation concluded that the use of the footage was inconsistent with its purpose – security – and that employees had not been informed about the cameras or that they would be used for this purpose.
Another example was a breach of information by a department that had two employees with the same name. We received a complaint that one employee’s personal information had been repeatedly disclosed to the other employee, and that both files contained inaccuracies because of the confusion. The institution did not take steps to confirm the identity of the employee in question before making changes to the files, by, for example, checking their PRI number.
In another case, an employee’s fitness to work evaluation, including sensitive medical information, was shared with their management team without their consent and for no reasonable purpose.
The digital age has introduced new capacity to amass and retain enormous volumes of personal information.
With more personal information being collected and retained, the risks and consequences of a potential data breach increase.
In the first half of this fiscal year, my Office received reports of 245 breaches under the Privacy Act, affecting more than 37,000 individuals. That is approximately 41 breach reports per month, more than one per day.
The number of cyber breaches reported by government organizations is rising. In the last fiscal year, we received 55 reports, up from 37 the previous year.
In its 2025-2026 risk assessment, the Canadian Centre for Cyber Security indicated that “cybercrime remains a persistent, widespread, and disruptive threat to individuals, organizations, and all levels of government across Canada,” and that state-sponsored threat actors “persistently conduct cyber espionage against” government networks.
The volume of personal information that government organizations hold about employees and others makes them a valuable target for cybercriminals and other bad actors. So, it is important to be especially careful not to collect or keep more information than you need.
Staffing and decision-making
Virtual hiring tools and activities have become popular, particularly since the pandemic, offering services such as video recruitment, applicant screening, scheduling of candidate interviews and a platform for both live and recorded interviews and reference checks.
Recruiting platforms will be discussed later this morning, as they also introduce new privacy considerations for federal institutions to ensure that privacy obligations are respected.
Organizations that are adopting such technologies should conduct a privacy impact assessment. When it comes to contracting and procurement, privacy officials need to be at the table to ensure that privacy is entrenched from the beginning.
Another new practice in HR is the use of AI or technology-enhanced decision-making software to facilitate hiring processes, for example to triage and sort through applications to screen candidates, or potentially to assess candidates and categorize them by personality traits, such as “leader” or “innovator.”
The Principles for responsible, trustworthy and privacy-protective generative AI technologies that I developed with my provincial and territorial counterparts notes that some AI training sets can amplify historical biases, and subject traditionally vulnerable groups to discriminatory outcomes.
As such, it is important to establish additional oversight when using these tools, including human review of outputs and monitoring for discriminatory outcomes based on race, gender, sexual orientation, disability, or other protected characteristics.
The principles call on users to clearly communicate when a generative AI tool will be used as part of a decision-making process, and if so, in what capacity. It is also important to let individuals know what recourse is available if they disagree with the decision, particularly where a decision may have a significant impact on them.
Best practices: Privacy by design, PIAs
To that end, a best practice that can benefit organizations is to integrate privacy by design into your initiatives. This approach involves creating a culture within your organization that prioritizes data protection by considering, addressing, and protecting risks to personal information at the outset of any initiative.
One way to implement this culture is through PIAs, which help to identify, mitigate and monitor privacy risks in any new, or substantially modified program or activity.
The TBS Directive on Privacy Practices requires that federal institutions conduct PIAs in certain instances, such as when personal information may be used as part of a decision-making process that directly affects an individual.
I invite you to visit the OPC website for more information on PIAs. Organizations can also now securely submit PIAs to the OPC and TBS simultaneously through our website. An updated online form accepts documents up to Protected B and makes it easier for institutions to later add documents and link them to previous submissions.
Conclusion
To conclude, HR professionals, as a collective, are known to embrace new technologies and modern ways of doing things. You are often at the forefront of innovation, and you also play an important role in organizational culture and values.
It is more important than ever to be diligent in prioritizing privacy.
I would encourage continued collaboration between HR and privacy professionals, who can help you to navigate today’s complex technological landscape, to strengthen how information is managed and to be able to address new issues as they emerge.
By prioritizing privacy in your programs and processes and by promoting privacy by design and responsible innovation, you will help nurture a culture of privacy across your institution and “future proof” it for success.
With that, I look forward to hearing from Chief Human Resources Officer, Jacqueline Bogden, and getting a chance to speak with her more about privacy and human resources.
After that, it will be our pleasure to answer any questions that you might have.