Working together as Privacy Champions

Remarks before the ATIP Community Meeting

December 10, 2014
Ottawa, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Good morning and thank you for the invitation to be here today.

I know my predecessor developed a strong working relationship with the ATIP community and I hope to build on that in my new role as Privacy Commissioner of Canada.

As you may know, I have been a public servant for more than 30 years. During these years, I’ve worked on correctional, citizenship and national security issues. One constant has been my passion for human rights. That continues in my new role. I believe access to information and privacy are fundamental rights.

I know the work you do is not easy and may not always be fully appreciated. But I also know it is essential to our democracy.

Whenever there is a change in leadership, there are concerns about what, if any, new direction an organization might take.

I would like to take a moment to assure you that the Office of the Privacy Commissioner has been and will remain committed to working constructively with federal departments and agencies to ensure privacy rights are respected and that the personal information of Canadians is protected.

As you know, my job is in part to investigate complaints, examine breaches and conduct privacy audits that may involve your departments.

But while Agents of Parliament must operate independently from the government of the day, I think there are many, many ways in which we can also work cooperatively together in support of privacy protection.

On that note, I want to focus today on some of the key areas in which our interests overlap. My remarks will deal with: breaches; PIAs; and complaints.

Data Breaches

As you may know from our Annual Report which was tabled in October, the number of data breaches voluntarily reported to my Office this past fiscal year hit a record high of 228.

In fact, it’s the third consecutive year in which the number of breach reports brought to the attention of my Office has increased.

While reporting to the OPC has always been encouraged when the data breach was thought to be of a material nature, it had ultimately been voluntary.

This has led to some inconsistency in reporting and has not allowed for reliable statistics. It has been hard for us to tell whether the spike in reports is the result of greater awareness, or an actual rise in the number of breaches.

But we have been working with the Treasury Board Secretariat and in May of this year, it became mandatory for federal departments and agencies to report material breaches to both the OPC and TBS.

We are still working out the kinks. We’re trying to make sure everybody is on the same page when it comes to what constitutes a material breach. But we are optimistic this change will result in more accurate statistics going forward, and will assist both my Office and the Treasury Board Secretariat in targeting education and outreach efforts.

I don’t want to spend a lot of time on data breaches as Jean Plamondon, who is responsible for government breach reporting activities within my Office, and Barbara Dundas, who is with the Treasury Board Secretariat, will be discussing this at length. I encourage you all to attend their session. But before I move on, I do wish to stress one thing.

As you know, even my Office is not immune.

The OPC suffered a data breach during our move last winter from Ottawa to Gatineau. This event was a humbling experience for the OPC. It has made our Office wiser and given us greater insight into the challenges departments face when a breach occurs.

Because privacy breaches can erode the trust Canadians have in their institutions, it is imperative that we all take greater care when we are handling their personal information.

That means building adequate physical, technological, administrative and personnel security controls to minimize the risk of a breach.

Privacy Impact Assessments

I’m sure you would agree that it is far easier and less costly to address privacy issues proactively than to mop up a mess after the fact. It is also far more effective in protecting privacy rights.

That’s why we encourage departments and agencies to consider the privacy implications of any new policy or program at the earliest possible stage of development.

By completing a PIA, federal institutions can identify potential privacy risks tied to a planned activity, and explain to the Canadian public how they will be mitigated. They are an important public transparency tool.

My Office received about 84 new PIAs this past fiscal year which is on par with previous years. I understand my Office has noticed a significant improvement in the quality of PIA submissions over the past decade, which is obviously very good news.

It’s clear many departments and agencies recognize the value of this risk management tool. They understand that privacy is at the heart of their business decisions and they respect the privacy rights of individuals.

But while some departments are very diligent at doing PIAs, there are others for which we seldom, if ever, receive a PIA.

Occasionally, we learn about a new policy or program from the media that raises questions about why a PIA was not produced.

There are also times that we receive PIAs just days before the launch of an initiative, leaving virtually no time for any real assessment and feedback, let alone the implementation of any of our recommendations.

I can’t stress enough the importance of beginning PIAs early in the planning process for new or substantially changed initiatives.

I understand in the past you have raised concerns that completing PIAs required significant time and resources and that more guidance was needed.

The OPC has responded and in cooperation with the Treasury Board Secretariat, we have developed beginner, intermediate and advanced level PIA workshops for ATIP practitioners and others involved in drafting PIAs.

They are delivered in the form of lunch-and-learn sessions at our Office, which has the added benefit of allowing ATIP practitioners from different departments to connect.

In fact, we had one just last week. If this is something your institution would be interested in, we would be happy to arrange a session.

At the end of the day, we hope our guidance complements the training, as well as the standards, requirements and directives set by TBS, and encourages thorough privacy risk analysis.

The OPC website has a wealth of information about PIAs that you might find useful. That being said, my Office is also available to provide privacy advice to institutions early in the process of reviewing an initiative for risk.

But I also want to remind you that we do not approve PIAs or endorse projects or proposals, and we cannot be involved in drafting PIAs for institutions.

That is not our role.

We provide advice, offer recommendations and highlight potential risks to privacy, but it’s ultimately up to the institution to decide what form mitigation measures will take and what level of risk is acceptable. The OPC must remain independent from the departmental approval process, as we must then advise Parliament.

I would also like to encourage you, as ATIP practitioners, to get involved early in the PIA process. You are the in-house experts and there are many questions you can answer.

Also, some institutions have already implemented sound PIA processes and I would like to encourage you to connect, learn, and draw from each other’s experience and expertise.

For example, the Treasury Board Secretariat’s forum for ATIP professionals on GCconnex can be a great platform for sharing advice, training tools, tips and best practices. If you haven’t already, I encourage you to have a look at this forum.

It’s also worth mentioning the Temporary Resident Biometrics Project, which is a good example of interdepartmental collaboration and cooperation. CIC, the CBSA and the RCMP worked jointly on PIAs for this project, engaging our Office every step of the way.

On that note, I’d also like to stress that the PIA process does not end when the final report is developed and sent to the OPC and TBS.

Programs and initiatives typically evolve, so there is a need to continue to assess and mitigate privacy risk throughout the entire life of a program or initiative.

PIAs are in part about strategic risk management. I think it is crucial that departments and agencies see privacy as a strategic issue, not a technical one and not as an afterthought.

In that regard, and without wanting to impose any structure on departments, our Office believes some institutions would also benefit greatly from a Chief Privacy Officer and central committee or working group, through which decisions on conducting PIAs could be made.

A CPO can provide strategic leadership on a variety of privacy issues as well as oversee the privacy work of ATIP coordinators and managers who have privacy responsibilities.

CPOs should have a clear mandate and corporate role to promote privacy awareness and compliance with privacy legislation. They should be fully integrated and visible within the organization and have access to the senior leadership of the organization, so that privacy issues are addressed head on at the senior management table.

In fact, the OPC decided to walk the walk on this issue and since December 2013, our CPO reports directly to the Commissioner.

Complaints

With respect to complaints, the numbers reported to my Office are growing year-over-year both in volume and complexity.

Time limit and access to personal information under the Privacy Act-related matters still account for the bulk of complaints to our Office, but we are seeing more collection, use, retention and disclosure complaints today than we saw just a few years ago.

Collection, use, retention and disclosure complaints account for about a quarter of our closed complaint files. A decade ago, they accounted for just 10-15 per cent of overall complaints.

What’s important to note is that complaints relating to Sections 4 to 8 can be more difficult to investigate. For one thing, many departmental stakeholders may be involved and each of them may hold a different piece of the puzzle. It can be a challenge just finding the right person to speak with.

Another difficulty with these types of complaints is the link an issue might have to a department’s operating legislation. In order to determine whether a disclosure was authorized under the Privacy Act, for example, investigators may be required to analyse complex agreements and legislation, or the mechanics of major governmental programs.

Even the more traditional requests for information under the Privacy Act can be complex. As you well know, the information is not always in one neat paper file. In today’s digital age, personal information is recorded in a multitude of places and it can be difficult to track it all down.

You, as ATIP practitioners, are often our first point of contact but since you are not always directly involved, it is often difficult for you to answer all of our questions. It is important for us to be able to speak with program officials directly and we hope you can help to facilitate that.

During the last fiscal year, my Office accepted 1,777 complaints under the Privacy Act. It is lower than the previous year, but that’s only because of two significant breaches at Employment and Social Development Canada in 2012-13, that alone resulted in more than 1,200 complaints to my Office.

In fact, we are still seeing more and more complaints from large numbers of individuals arising from a single event.

For example, my Office is currently investigating 339 complaints over a mass mailing by Health Canada that allegedly exposed the names and mailing addresses of some 40,000 people involved in the marijuana medical access program.

There are also more complaints related to events that happened years earlier.

This presents particular challenges as evidence often no longer exists and witness are no longer available. Such situations are forcing us to re-examine some of our approaches and dispositions.

As such, complaints and complainants are becoming more and more complex and sophisticated.

We are now receiving many complaints about practices that directly affect an individual’s control over his or her personal information in terms of how it is being used by others.

For instance, last year we investigated a complaint from a First Nations activist who alleged she was the target of excessive government attention.

After her organization launched a complaint against the government under the Human Rights Act, she said government officials began monitoring her speaking engagements and collecting information from her personal Facebook page.

We concluded that just because personal information may be publicly available on the internet, it doesn’t render it non-personal.

We recommended that both departments involved stop accessing such information from social media sites, unless they could demonstrate a direct connection to legitimate government business. This touches directly on an institution’s authority to collect personal information.

The monitoring of social media and the government’s use of it to engage and interact with the public was identified several years ago as an emerging trend that could raise privacy concerns.

As privacy champions, we must remain vigilant.

In this era of government reductions, I know your institutions are struggling to keep up with operations.

Responding to our questions and requests for documentation in the course of our investigations can sometimes take a backseat to other pressures.

In this context, we must continue to work together to make this as smooth and efficient a process as possible.

Conclusion

According to a study my Office did back in 2011, many of you indicated you were spending more time dealing with access to information issues than privacy. In some cases, privacy accounted for just 15 per cent of your workload.

Since 1983, Treasury Board figures show ATIP operations have cost nearly $1 billion, 61 per cent of which can be attributed to the administration of the Access to Information Act.

That said, the number of individual privacy requests has far outweighed access requests. Since 1983, there were more than 1.3 million requests under the Privacy Act compared to fewer than 600,000 under the Access to Information Act.

And these figures don’t take into account all the other privacy responsibilities you have. The responsibilities I’ve been speaking about here today: PIAs, breaches, and collection, use, retention and disclosure activities outlined in the Privacy Act.

Revelations about state surveillance, the ongoing push for lawful access to subscriber information from telecommunications companies and the massive expansion of the Internet have all thrust privacy issues into the spotlight in recent years.

I think the pendulum may be swinging back and that you, the ATIP community, may be starting to see more of a balance between your two chief responsibilities.

Your role with respect to privacy goes beyond just processing requests.

My Office sees you all as the privacy gatekeepers – the privacy champions, in fact – within your departments and we encourage you to continue this fundamental work.

Canadians expect their government to treat their personal information with care and you have a tremendous role to play.

Privacy and access to information are certain to remain in the spotlight.

But let’s not forget the “P” in ATIP.