Canadian Access and Privacy Association (CAPA) Conference 2018
Remarks delivered at the CAPA Conference 2018
November 26, 2018
Address by Brent Homan
Deputy Commissioner, Compliance
(Check against delivery)
Good afternoon and thank you for the invitation to speak about the OPC and the issues our office has been tackling in the last year. I know someone from our Office has spoken at this conference every year since 1988, and I’m happy to carry on the tradition.
In terms of the ground I’d like to cover today, I’ll start off with an update on our organizational structure and our evolving enforcement approach. I’ll then move onto a discussion of public sector breaches and our compliance processes. I’ll close with a few comments on Bill C-58 and leave a few minutes at the end for questions.
For those of you who don’t know, I’ve spent the bulk of my time at the OPC on the private sector enforcement side of the house. Before I go on, I’d like to say that in my short time as Deputy Commissioner, I have been enlightened and excited by the rich tapestry of privacy issues and work on the public sector side. Balancing access and privacy issues is challenging. Moreover, the privacy matters faced by the public sector intersect with fundamental issues of human rights, and increasingly overlap with areas of national security and law enforcement that are top of mind when Canadians think privacy.
The answers to privacy questions are not always immediately clear. And yet, this is the challenging work that many of you in the audience deal with every day. ATIP shops routinely make tough calls on the same issues that our Office and others wrestle with in investigations, and before the courts. And as it relates to complexity and volume, privacy issues have never been more prominent, leading to daunting workloads in our Office that, by extension and association, are equally reflected in your jobs. So for that, I express my sincere appreciation for the work that you do in this area for all Canadians.
Org structure overview
As my colleague Sue Lajoie, the Executive Director of Privacy Act Compliance, said last year in this forum, our Office has shifted its approach from a largely reactive complaint-based model to a more proactive one.
The scale and pace of technological advances and their use in business and government organizations are significantly straining the ability of individuals to protect their privacy. Innovation in the areas of data analytics, artificial intelligence, biometrics and the Internet of Things raises novel and highly complex privacy risks.
The objective for our Office is to have a broader and more positive impact on the privacy rights of a greater number of Canadians, which is not always possible when focusing most of our attention on the investigation of individual complaints.
In support of this philosophy, our Office has undergone an organizational review in the last year. We made changes to our program functions and internal reporting relationships, and became more forward looking by shifting the balance of our activities towards greater proactive efforts.
With that in mind, our work now falls into one of two program areas — Promotion or Compliance. Activities aimed at helping institutions and organizations proactively meet their obligations under federal privacy legislation will fall under the Promotion Program, while those related to addressing existing compliance issues will fall under the Compliance Program.
Structurally, our organization now has three Sectors, each of which is led by a Deputy Commissioner. I’ll describe them briefly now.
There’s the Corporate Sector, headed by Daniel Nadeau, which houses our internal operational functions such as human resources, finance, and corporate strategic planning.
Then there’s the Compliance Sector, headed by myself, which captures the enforcement-related work previously conducted under the PIPEDA and PA Investigation branches.
While we continue to investigate complaints, we also undertake proactive enforcement action under the Compliance Sector. These actions target systemic, chronic or sector-specific privacy issues that we believe may inflict significant damage to the privacy rights of Canadians.
The Compliance Sector houses a suite of both formal and informal enforcement tools, ranging from sweeps to investigations to audits. For context, a sweep conducts a high-level review of a selected privacy theme, and engenders positive privacy changes through non-formal enforcement. Historically, we’ve conducted sweeps only in the private sector, examining themes such as Children’s Privacy and Mobile Apps. That said, we see proactive concepts such as the Sweep as being fully transferable to our public sector oversight and are exploring related projects. For example, we are evaluating options to follow up on our public sector breach reporting study, which I will discuss in a few minutes.
Finally, we have the Promotion Sector, headed by Gregory Smolynec, which covers both business and government, and which includes policy, research, Parliamentary Affairs, communications and advisory services.
The Promotion Sector takes a broad-based approach to helping institutions and organizations meet their obligations under privacy legislation, with a focus on education and proactive engagement.
To give you an idea of what activities are being undertaken under the Promotion Sector, I’ll quickly go over certain responsibilities of the Government and Business Advisory Directorates.
The Government Advisory Directorate provides advice to, and undertakes various outreach initiatives with, federal institutions to encourage them to meet their obligations under the Privacy Act.
This includes our work reviewing Privacy Impact Assessments, Information Sharing Agreements, and disclosures of personal information in the public interest. We also host other outreach initiatives, such as topical sessions dealing with privacy risk management. Under the Government Advisory Directorate, we plan to do more outreach with institutions going forward, again with the philosophy of ensuring privacy is a core component of program design as institutions deliver services to Canadians.
Last year, the Government Advisory Directorate concluded a series of stakeholder engagement sessions with federal government ATIP and program area staff to help inform our efforts as we re-align our advisory services. We appreciated the frank discussion and open dialogue with institutions, and are keeping suggestions top of mind as we work on building on our outreach work, which will also include revising our PIA Expectations guide and developing a PIA e-tool.
Our Government Advisory Directorate is available to provide privacy advice early in program development, including outside of the formal PIA process so I encourage you to reach out to them for help if you need it.
The Business Advisory Directorate undertakes advisory consultations and proactive engagements with organizations to help businesses innovate in a privacy-sensitive manner. For example, we launched the first advisory project relating to Sidewalk Toronto earlier this year. As you may know, Sidewalk Toronto is a smart city endeavor between Waterfront Toronto and Sidewalk Labs, which is owned by Google’s parent company Alphabet.
Addressing privacy issues upfront and resolving matters cooperatively, outside formal enforcement, is our Office’s preferred approach. It avoids time-consuming and costly investigations, helps organizations mitigate against future privacy risks, and allows everyone to benefit from innovation.
Before I move on to privacy breaches, I’d like to speak quickly about something our Office has been exploring over the last year: privacy and online reputation.
Sites whose explicit purpose is to shame – or even blackmail – individuals are an obvious harm, and will often grab headlines. Online profiles are frequently used for key decisions about employment, credit, housing, or an individual’s personal life. However, the information contained within may be out-of-date, presented out-of-context, or even inaccurate.
In the Commissioner’s most recent Annual Report, which was tabled in Parliament at the end of September, we sought to answer the question: do we believe reputation deserves protection against the new risks posed by the online realm? And if yes, what form should it take?
Obviously, we think the answer to the former question is yes. We set out our initial answer to the latter in our draft position paper on Online Reputation, released last January.
We took the approach of applying existing law – PIPEDA – and did not set out to invent new law or justify importing solutions found in other jurisdictions. From this, we came to several conclusions, one of which is that Canadians have the ability to request that search engines de-index web pages. This draws parallels with the concept of “right to be forgotten” in the European Union.
We are aware that this position is not universal. We have received several complaints relating to Google search results under PIPEDA. Google has asserted that the Act does not apply and that, if PIPEDA did require articles to be de-indexed, it would be unconstitutional.
To get more clarification, we recently filed a Notice of Application with the Federal Court in October, seeking a determination on the issue of whether PIPEDA applies to Google’s search engine.
In particular, we are seeking confirmation as to whether Google’s search engine collects, uses or discloses personal information in the course of commercial activities, and we are seeking direction as to whether Google might be exempt from PIPEDA because its purposes are exclusively journalistic or literary.
As this matter is now before the Court, investigations into complaints related to de-indexing will be on hold pending the result, and the OPC will wait until the process is complete before finalizing its position on online reputation.
Now let’s turn to the issue of privacy breaches.
What I want to focus on today is privacy breach reporting in the public sector, or the lack thereof. To speak frankly, we are deeply concerned and somewhat disappointed with the state of public sector breach reporting at the federal level.
As you know, the Treasury Board of Canada Secretariat’s Policy on Privacy Protection and the Directive on Privacy Practices require all federal institutions to notify our Office and TBS of all material privacy breaches. A material breach is one that involves sensitive personal information and could reasonably be expected to cause serious harm to individuals and/or affects a large number of individuals.
Our Office uses the breach reports we receive from federal institutions to ensure that Canadians’ interests are appropriately considered and to help institutions mitigate harm to Canadians flowing from breaches.
To paint a picture of mandatory breach reporting over the last ten years, I’d like us to take a look at the numbers.
- As you can see, there’s been a steady increase in the number of breaches reported since 2008/09.
- But around the time mandatory breach reporting was announced and came into effect, we saw a significant jump in our numbers.
- Then in 2016/17, the number of reports dropped to less than half what it had been the year before.
- In 2017/18, our breach reports were up again, but almost one quarter of those breaches are from a single institution whose reports were delayed by a year.
- As of mid-November, we are trending for 138 breach reports, once again representing a decrease in volume.
Considering the public sector environment where personal information is increasingly held and used in the service of Canadians, and based solely on the numbers, it appears that there is a growing systemic reluctance to acknowledge and report breaches.
It is up to federal institutions themselves to decide whether a particular data breach is a “material” breach, or whether a breach will be reported at all. While this is true, it’s clear to us that not all institutions comply.
We continue to learn about what appear to be serious breaches through other channels, including the media.
There is also a remarkable gap in the nature of breaches that are being reported. The overwhelming majority of public sector breaches reported to our Office are of non-malicious origin. In other words, reported breaches are most often related to lost or accidentally disclosed personal information. The most common breaches reported to our Office are caused by human error, misdirected mail for example.
Almost none of the reported breaches are characterized as the result of a cyber-incident. This could be an indicator that government institutions have technological safeguards robust enough to prevent material cyber breaches.
Yet government has stated that “cyber-attacks are becoming more pervasive, increasingly sophisticated and ever more effective” [Footnote 1].
Further, reports indicate that the Government of Canada blocks on average more than 600 million attempts each day to identify or exploit vulnerabilities against its networks. The latest data show that 2,500 state-sponsored cyber-attacks are detected every year, and 2% of them are successful [Footnote 2]. That’s one successful cyber-incident per week. How many of these implicated personal information?
There seems to be a big disconnect going on here.
As we committed to doing last year, we undertook an assessment of the overall public sector breach reporting situation. Our review raised concerns about how seriously federal institutions take privacy. It is obvious that some material breaches go unreported and, more importantly, others likely go entirely unnoticed in many institutions.
We engaged a dozen federal government institutions and conducted an examination of their privacy breach procedures. We did not invoke any of our formal powers in the conduct of this review, meaning that institutions’ participation was voluntary. In that regard, we wish to acknowledge and thank these institutions for their time, efforts and frank comments.
Many of you represent the ATIP shops of your respective institutions. By extension, you are familiar with personal information and understand what constitutes a material privacy breach. But many institutions acknowledged that their front-line workers don’t fully grasp what constitutes personal information and their obligations under the Act. This suggests a critical knowledge gap.
We were alarmed to have even found some confusion over whether a Canadian passport itself represented sensitive personal information. Quite odd given its marketable value out there!
Even though breach reporting has been mandatory for four years, we found that breach detection and review procedures are lacking, and some institutions don’t have any approved breach procedures.
Further, institutions claimed to not have proper tools to assess the risk of injury or harm to individuals, and were focusing instead on the reputational risk to the institution. We would agree with them wholeheartedly. Inadequate tools lead to sub-optimal outcomes.
Our review also confirmed that IT safeguards for new systems aren’t always what they should be. This was certainly evident in the findings of our Office’s investigation into the Phoenix pay system, which determined that the breaches were the result of a combination of inadequate testing, coding errors, and insufficient monitors and controls of the system.
We also heard that institutions were frustrated with a situation where direction and guidance around privacy breaches is inconsistently applied, sometimes ignored, and considered to be insufficient.
We shared our insights with the Treasury Board Secretariat, which in turn offered commitments on this front.
We await a TBS action plan that will set out specific steps and timeframes to strengthen the management of privacy breaches across Government. As part of this, TBS committed to reviewing its policies and tools for all employees related to privacy breaches.
TBS also committed to raising government employee awareness of what constitutes personal information and their responsibility for privacy breach reporting, with priority given to IT and security specialists.
As you know, there is no legal requirement to report privacy breaches beyond TBS policy. We have for many years advocated for the reform of the Privacy Act, calling for the inclusion of specific safeguard provisions and mandatory breach reporting. TBS also committed to working with the Department of Justice to ensure that mandatory breach reporting is considered as part of the Privacy Act review.
We call on government institutions, many of which are represented by you before me, to leverage the findings of this study and prioritize addressing these gaps. The protection of Canadians’ personal information is at stake.
It is understandable that institutions do not want to become the next big breach story. The reality is that institutions that do well build their credibility and learn from breaches. Importantly, having sound breach policies and practices is key to the integrity of, and building citizens’ trust in, Government programs. Conversely, the best way to destroy trust and credibility in your institution is to not report a breach that eventually becomes known or public, and they often do.
Our Office continues to prioritize public sector breach management this year. In the coming months, our Office will roll out a new Breach Reporting Form to facilitate reporting and bring greater clarity to the process.
We will also pursue further initiatives, such as the creation of tips, and conducting deeper dives in areas of concern that we identified during the study, such as passport management.
In addition to prioritizing breach reporting, we are taking a critical eye to our processes to allow us to better serve Canadians.
We anticipate that our new online complaint form will make it easier for complainants to understand our process and the role of our Office in addressing privacy issues.
We are also looking at other ways to strengthen our compliance triage function. People who contact us with a specific concern, for example, are encouraged to speak first with the institution, in order to explore ways to resolve their concerns.
Once we accept a complaint, we will also continue to close many files through early resolution, an efficient investigation mechanism that results in the best possible outcome for all concerned. For individuals who lodge a complaint under the Privacy Act, it means getting their concerns addressed quickly. For government institutions, it means avoiding an often lengthy and resource-consuming process.
Our use of early resolution now accounts for approximately two-thirds of all complaints closed.
I would like to turn to another enforcement area where I urge you to take careful note. We are also changing our approach to addressing time-limit investigations. These are complaints involving allegations that an institution has responded to a Privacy Act access request after the legislated time limits.
In the past, we generally did not consider these investigations closed until the complainant received their requested information. This often resulted in unreasonably lengthy delays. Going forward, we will look to empower complainants engaged in the time limit investigation process.
What does this mean for institutions? In instances where we have made unsuccessful attempts to have the institution provide the complainant a response to their Privacy Act request, we consider the institution’s non-response a deemed refusal of access. The next step is the issuance of a final report detailing this, which the complainant may then take to Court.
Pursuant to this approach, last week, we issued 14 deemed refusals, and will continue to do so where we determine it appropriate. To be clear, our preference is to work collaboratively with institutions where there is good faith, cooperation, and progress. But where there are unreasonable delays, our obligation is to enforce the law and empower Canadians in exercising their privacy rights. So I would urge you to review whether your offices have any outstanding time limits complaints, and work to resolve them accordingly.
To move to the management of privacy complaints in general, I’d like to assure you that in making use of the full spectrum of available compliance tools, our aim is to do so proportionately, picking the right tool for the right situation.
For example, in many cases, the usual representations from institutions are sufficient to conduct a sound investigation. Some of you in the audience may know this from having participated in an investigation firsthand.
However, in certain cases, we may deem that a site visit is necessary to fully and efficiently appreciate the matters at issue in an investigation. I’m sure you’re all familiar with long email chains spanning several weeks that you feel could have been replaced with a simple face-to-face conversation. I am a big fan of such in-person interactions and you may very well see an increase in their frequency.
Site visits are just one of the formal powers we have under the Privacy Act. A number of others are available, such as the ability to compel documents. We have begun to consider and use such powers with greater frequency on the private sector side of our business, and similarly we will look to deploy these other formal powers as appropriate and proportionate on the public sector side.
Before I wrap things up, I will make just a few comments about Bill C-58 – an Act to amend the Access to Information Act. We spoke about this at the conference last year.
Our Commissioner is pleased that the government is taking concrete steps to modernize the Access to Information Act. Transparency and openness are fundamental in allowing citizens to participate fully in a democratic system.
Nonetheless, there are concerns about Bill C-58 in its current form. While the Information Commissioner is the champion for access, the OPC has the central role for upholding the privacy rights of Canadians.
Part of the existing balance between access and privacy lies with the fact that the Commissioners have equal powers. As drafted, the Bill disrupts the current balance by giving order-making powers to the Information Commissioner.
Yes, Bill C-58 provides for formal notification of the Privacy Commissioner and legal recourse in the case of formal OIC orders to disclose personal information. However, privacy can also be impacted outside of formal orders.
For example, the OIC can recommend that personal information be disclosed without an order, or an institution can decide to disclose personal information to avoid an OIC order. In such cases, the Privacy Commissioner would not be notified or given the opportunity to intervene, even though the OIC and OPC may diverge on key legal issues relating to the balance of access and privacy.
The Information Commissioner and the Privacy Commissioner agree that the OPC should be consulted when both privacy and access are at play. As you may know, the Information Commissioner and our Commissioner have recommended changes that strike a better balance, and Minister Brison has indicated a willingness to positively consider these changes.
- First, our Office would like to be consulted when the OIC intends to make an order to disclose information that has been exempted under the personal information exemption, or section 19 of the Access to Information Act.
- Second, the Information Commissioner should have a discretionary ability to consult our Office at any stage of her investigation when she deems necessary or advisable.
- Finally, our Office would like to be provided with the final report of any investigation conducted by the OIC where the OPC was consulted.
Ultimately, access and privacy are parallel goals that can and should be reconciled. They are a seamless code of information rights and neither one should be given pre-eminence over the other. In other words, they are two sides of the same coin.
To conclude, by shifting our organizational structure and by ensuring we are proportionately applying the compliance tools available to the OPC, we hope Canadians may begin to feel more empowered and in control of what happens to their personal information.
There are many challenges ahead if the government and organizations are to maintain and regain Canadians’ trust in how they protect the personal information they collect and use, particularly in the digital age. The scale and pace of technological advances, while creating remarkable opportunities, are significantly straining the ability of individuals to protect their privacy.
Thank you for your time today. I’d like to open up the floor to take a few questions in the time I have left.