A look at the Office's mission, challenges and priorities

Remarks at the Library of Parliament Seminar: Meet the Officers of Parliament

Ottawa, Ontario
February 19, 2016

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you and good morning.  

I want to welcome everyone here who is new to Parliament and to public service. 

Like my counterparts, I am glad to have this opportunity to explain the role and work of my office.

I will talk about how we go about protecting and promoting Canadians’ privacy rights, what we are seeing in our investigations, and an important exercise now underway in our audit and review area. 

I will also discuss the strategic privacy priorities that will guide our work over the next five years.

Protection and promotion

The mission of the Office of the Privacy Commissioner of Canada is to protect and promote the privacy rights of individuals.

To that end, my Office is responsible for overseeing compliance of two laws - the Privacy Act, which covers federal institutions, and the Personal Information Protection and Electronic Documents Act – or PIPEDA – Canada’s federal, private sector privacy law.

We protect privacy rights by, for example, investigating complaints, conducting audits and pursuing court action.

Our goal is to ensure both Canadians and organizations better understand that individuals have certain rights when it comes to the collection, use and disclosure of their personal information. For example, they have the right to access and correct their personal information, the right to know how the information will be used and the right to complain to my Office if there is a potential privacy violation.

We raise awareness and promote privacy rights by, for example, publishing our own research and funding independent research into privacy issues, engaging in public education and stakeholder outreach activities and by working with our provincial, territorial and international data protection counterparts.

It is worth noting that my Office does not have jurisdiction over political parties and Members of Parliament. That being said, MPs often contact my Office on behalf of constituents and make inquiries regarding their own privacy practices.

We are pleased to share best practices, to assist where we can and we encourage political parties and MPs to follow the spirit of the privacy principles set out in PIPEDA, which represent internationally accepted best practices in privacy protection.

Investigations and breaches

Personal information has become an increasingly valuable commodity in the digital age for both government and private sector organizations. But as trade in data grows, so too do the risks to privacy. As the amount of information being shared increases, the chances that that information may be compromised also increases. We have seen this reflected in our statistics.

Last year, complaints against private sector organizations increased significantly over the previous year. Complaints against federal institutions also rose. Many stem from data breaches which involve the unauthorized access to, or collection, use or disclosure of personal information, often as a result of loss or theft.

Over the last two years, we’ve seen a marked increase in federal government data breaches, likely in part because reporting of “material” breaches was made mandatory during this period.

This is a serious concern for Canadians who are required to provide highly sensitive personal information to government. It is incumbent on government to ensure proper procedures are in place to protect that information and rising numbers of breaches do little to inspire confidence.

We’ve also seen a rise in the number of private sector breaches, even though reporting has been voluntary. Like the public sector, that too is poised to change once the Digital Privacy Act is fully implemented, making breach reporting to my Office mandatory.

Between mandatory breach reporting and the proliferation of new technologies opening new avenues for the use of personal information, I expect my Office will stay busy! It is my preference, and theirs I suspect as well, that both public and private sector organizations take their duty to protect the personal information in their care seriously and do what is necessarily to prevent problems from arising in the first place.

Review of SCISA

Last year, the government of the day adopted the Security of Canada Information Sharing Act, part of Bill C-51.

Its purpose is to facilitate the sharing of information among federal institutions to better protect the safety and security of Canadians—a goal my Office shares. While we recognize that greater information sharing could lead to the identification and suppression of security threats, we raised concerns about the scale of the information sharing, the scope of the new powers and the safeguards protecting against unreasonable loss of privacy.

I maintain that a better balance must be struck. The new government has committed to consulting on possible changes to the law and we welcome the opportunity to share our views. 

Strategic priorities

Our four strategic privacy priorities were established to help achieve the ultimate goal of helping Canadians exercise greater control over their personal information. These priorities will guide our work over the next five years.

They are:

  • The Economics of Personal Information;
  • Reputation and Privacy;
  • Government Surveillance; and
  • The Body as Information.

Under the Economics of Personal Information, our goal is to enhance the privacy protection and trust of individuals so that they may confidently participate in an innovative digital economy.

To that end, we will be examining and consulting on the foundational issue of consent in today’s digital world. We are also working to help small businesses better understand their privacy obligations. 

Under Reputation and Privacy, our goal is to help create an environment where individuals may use the Internet to explore their interests and develop as persons without fear that their digital trace will lead to unfair treatment.

We recently launched a discussion paper and are currently seeking submissions on the privacy issues related to online reputation. We want to develop a position on issues such as the right-to-be-forgotten and to be able to better inform public and Parliamentary debate on related matters.

Regarding Government Surveillance, our goal is to contribute to the adoption and implementation of laws and other measures that demonstrably protect both national security and privacy.

As such, we are using our audit and review powers to examine how information sharing is occurring between federal institutions in light of Bill C-51 to ensure the new provisions respect the Privacy Act. We will also advise departments on preventing privacy breaches and work with organizations to establish appropriate standards for transparency and accountability reporting.

To this point, in June, we provided input into Industry Canada’s transparency guidelines, which establish standards for transparency and accountability reports from companies that share personal information with law enforcement.  We have also asked that federal institutions begin issuing their own transparency reports about requests they make to private sector organizations for customer information.

Finally, under the Body as Information, our goal is to promote respect for the privacy and integrity of the human body as the vessel of some of our most intimate personal information.

We want to raise awareness about the potential privacy risks associated with technology designed to read information from and about our bodies. In the short term, we plan to do an internal scan of current and emerging health applications and digital health technologies, such as fitness apps and heart rate monitors. We plan to test some of these products in our technology lab to better understand their privacy implications.

We are focusing our activities around five cross-cutting strategies:

  • Exploring innovative and technological ways to protect privacy;
  • Enhancing accountability and promoting good privacy governance;
  • Taking into consideration the fact that privacy knows no borders;
  • Enhancing our public education role; and
  • Paying special attention to vulnerable groups, such as seniors and youth, many of whom may require increased digital literacy.

Conclusion

In closing, I hope I have been able to give you a good sense of our role, our challenges, and the work ahead of us.

I thank you again for this opportunity and look forward to your questions later.

Thank you.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: