Key Operational Activities

Contributions Program

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Background

  • The OPC funds independent privacy research and public education initiatives through its Contributions Program. The Program was launched in 2004 and has an annual budget of $500,000. Annually, a maximum of $50,000 is granted to each project and a maximum of $100,000 is granted to each recipient organization.
  • The Program terms and conditions were renewed by the Minister of Justice in 2020 and are effective until March 31, 2025.
  • The Program was established under the legislative authority granted to the OPC in section 24 of PIPEDA. As the Program stems from PIPEDA, it funds research and education projects tackling privacy-related issues in the private sector only.
  • Only not-for-profit organizations, such as universities, civil society groups and industry or professional organizations, are eligible for funding.
  • The Program is structured to fund projects that are initiated and completed within a single fiscal year (from April 1 to March 31).
  • The call for project proposals is launched in the fall. Approximately 45 proposals are submitted each year.
  • Proposals are evaluated exclusively on merit by employees from across the OPC. As necessary, external evaluators may be solicited for a second opinion.
  • This year, the Contributions Program was used to pilot the implementation of Gender Based Analysis Plus at the OPC.
  • Every year, a different theme is selected for the call for proposals. This year’s theme, in connection with the implementation of Gender Based Analysis Plus, was, “Who is impacted and how: assessing and mitigating privacy risks, barriers and inequalities.” However, projects need not be limited to the annual theme and proposals are accepted for projects addressing other cutting edge issues.

Current status

  • On April 27, Commissioner Therrien approved the funding recipients for the 2022–2023 fiscal year. A public announcement is planned for the end of June.
  • Eleven organizations will receive funding this year.
  • The OPC’s Communications Directorate is currently drafting a news release to publicly announce the new recipients. This news release will likely be published in May or June.


Privacy Clinics

Lead Directorate: Business Advisory Directorate

Background

  • The Business Advisory Directorate (BA) developed the Privacy Clinic platform to enhance the reach and accessibility of its outreach and advisory services. These Clinics facilitate initial contact between the OPC and businesses subject to PIPEDA. BA builds the value proposition on this initial foundation to voluntarily engage specific businesses in Advisory Consultations on their particular privacy-impacting initiatives and practices.
  • Privacy Clinics typically involve scheduled sessions that take place over the course of one or more days, in-person or virtually, with individual businesses to discuss their personal information management practices. This enables BA employees to understand the businesses’ particular realities, and to provide advice and resources to bring them towards compliance with PIPEDA.
  • BA’s Privacy Clinics are well-suited to engage Small and Medium Enterprises (SMEs), as the platform offers remote accessibility to the OPC’s promotional and advisory services to businesses across the country. SMEs are typically resource-constrained while they are increasingly adopting new technologies and data-intensive business models that present privacy challenges.
  • The success of the Privacy Clinics platform is largely based on intermediary partners, who facilitate the OPC’s connection with their member businesses. Key intermediaries include innovation and acceleration hubs, Chambers, Industry Associations, and other similar organizations.
  • Setting up Privacy Clinics generally involves:
    1. Identifying intermediaries and conducting initial conversations with them to understand their membership and its needs;
    2. Introducing the value proposition for proactive engagement;
    3. Event and content planning, including presentations on the OPC and PIPEDA to intermediary leadership and member businesses;
    4. Screening businesses interested in Privacy Clinics; and
    5. Organizing and conducting the Privacy Clinic meetings.
  • BA has held four virtual Privacy Clinics since the platform’s inception in 2020, in collaboration with business development organizations and Communitech, an innovation hub/accelerator in the Toronto-Waterloo innovation corridor. These Privacy Clinics generated seven specific Advisory Consultations with scale-up organizations.

Current status

  • BA has ongoing conversations with a number of potential intermediaries, and planning is underway to offer virtual Privacy Clinics this year.
  • To foster new contacts for Privacy Clinics and to diversify regional representation, BA has held introductory meetings with other facilitators and hubs across Canada.

Strategic considerations

  • Privacy Clinics sessions have often led to in-depth Advisory Consultations, involving the detailed review of policies and practices, in-person or virtual demonstrations, and occasional site visits, resulting in advice letters aimed towards improving PIPEDA compliance.
  • The Privacy Clinic platform has been instrumental since the onset of the COVID-19 pandemic, as it has helped the OPC to virtually engage with businesses. The existing approach to Privacy Clinics will be evaluated as the operating environment normalizes and evolves.

Next steps

  • BA plans to explore other avenues and intermediaries for Privacy Clinics, such as chambers of commerce, business development lenders, and other entities.

Further reading

  • Briefing Note, Virtual Privacy Clinics (May 2020), June 15, 2020.

Privacy Impact Assessments

Lead Directorate: Government Advisory Directorate

Background

  • The Government Advisory Directorate (GA) reviews Privacy Impact Assessments (PIA) received from federal government institutions pursuant to the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Impact Assessment.
    • The Directive outlines the circumstances under which federal institutions subject to the Privacy Act are required to undertake a PIA exercise.
    • The Directive also requires institutions to send a copy of the completed PIA to the OPC, with any further documentation that the OPC may request.
  • GA reviews all submitted PIAs to assess the level of risk, and to assess the risks in accordance with the OPC’s Strategic Privacy Priorities.
  • GA then determines, based on this initial assessment, whether to conduct an in-depth secondary review of a PIA. GA prioritizes the secondary review of PIAs according to both the relative risk of the activity and the anticipated level of impact of the OPC’s advice. GA issues written recommendations to the submitting institutions following secondary review.

Current status

  • GA is currently reviewing PIAs on privacy-impactful activities such as the use of body-worn cameras, the use of Cloud Technology, the use of facial recognition technology for employee verification, the Medical Assistance in Dying Program, and the Zero Emission Vehicle Incentive, among others.
  • GA issued written recommendations in response to 39 PIAs in Fiscal Year 2021-2022. Institutions are generally receptive to this advice; based on written responses, 71 per cent of GA’s recommendations were accepted.
  • GA has received 18 PIAs to date in Fiscal Year 2022-2023.

Strategic considerations

  • GA received a greater volume of PIAs in Fiscal Year 2021-2022 than in years past, with 111 submitted as compared to an average of 82 PIAs annually in the previous four years.
  • There is currently no legislated obligation for institutions to undertake PIAs. Similarly, there is no legislative requirement for the OPC to review the PIAs that it receives or to provide comments on submissions. This is currently a discretionary function.
  • The Department of Justice Privacy Act reform discussion paper proposes making PIAs a legislative obligation for institutions, with a new requirement for the OPC to review PIAs and to provide recommendations within a prescribed timeline. The OPC supports a legislative obligation for PIAs, but believes the OPC should retain the discretion as to whether to do in-depth reviews and issue recommendations.


Advisory Consultations with Government Departments

Lead Directorate: Government Advisory Directorate

Background

  • Through advisory consultation meetings, the Government Advisory Directorate (GA) provides informal, proactive advice and guidance to federal government institutions in response to information provided by institutions on their specific programs and activities that may impact privacy.
  • GA conducts these consultations early in the development and throughout the lifecycle of programs and activities, which helps GA to maintain fruitful contacts, dialogue and relationships with program officials across government institutions.
  • The Treasury Board of Canada Secretariat (TBS) Policy on Privacy Protection requires federal government institutions to notify the Privacy Commissioner of any planned initiatives relating to the Privacy Act or any of its provisions, or that may have an impact on the privacy of Canadians. While there is no requirement to consult the OPC, GA’s preference is that these notifications take place in the form of a consultation meeting. See: Consulting with the Office of the Privacy Commissioner’s Government Advisory Directorate.
  • GA meets on a recurring, regularly-scheduled basis with institutions that collect and use large amounts of personal information (e.g., Statistics Canada) and/or use personal information in high-impact areas, such as law enforcement or national security (e.g., the Royal Canadian Mounted Police), enabling consistent communication with these institutions.
  • GA is responsible for coordinating the OPC’s regular meetings with TBS’ Privacy and Data Protection Division, through which the OPC provides input on its development of central agency guidance and policies that impact privacy.

Current status

  • GA opened 105 new consultation files in the fiscal year 2021-2022 on a wide range of programs and activities. GA has noted an increase in consultation requests from national security agencies over the last two years. Due to classification, these engagements must generally be performed in-person.
  • The OPC has engaged with the Royal Canadian Mounted Police since 2010 to discuss the privacy implications of body-worn cameras. Since 2020, GA has increased the frequency of consultations on this file and has provided advice on national implementation.
  • Institutions have also consulted GA on the collection of employees’ gender and race-based personal information, activities carried out pursuant to the Government of Canada’s Gender-Based Analysis Plus and diversity policies.

Strategic considerations

  • While TBS is responsible under the Privacy Act for providing the Government of Canada and its institutions with direction and guidance on its operation and regulations, authority for GA’s consultation activities may be found in the Commissioner’s implied power to engage in educational activities, as necessary to effectively carry out his mandate and to increase the level of compliance of government institutions with the PA.
  • Federal institutions sometimes seek GA’s input and advice on complex and highly-technical files with short notice and without providing comprehensive details. This can lead to situations where institutions indicate publicly that the OPC has been consulted on an initiative but GA has been unable to provide meaningful input. This gap is noted in the Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the Collection and Use of Mobility Data by the Government of Canada and Related Issues. The report recommended full and meaningful consultations by institutions with our office.
  • GA is often a federal institution’s first point of contact with the OPC. As a result, institutions sometimes consult GA on complex issues on which our office has not yet developed a policy position (e.g., use of genetic genealogy by law enforcement). Significant internal consultation is needed in these cases to provide advice while maintaining flexibility to develop a position.
  • GA may cease consultation if the OPC receives complaints on the same subject matter or initiative, which has become increasingly common and impacts the timeliness of GA’s advice to institutions.

Further reading

  • [Redacted]

Outreach Activities with Government Institutions

Lead Directorate: Government Advisory Directorate

Background

  • To enable the OPC to effectively and efficiently carry out its mandate to oversee compliance with the Privacy Act and to raise awareness of privacy issues, the Government Advisory Directorate (GA) provides outreach sessions to federal government institutions on undertaking Privacy Impact Assessments (PIAs), on common or systemic privacy issues, and on privacy risks of new technologies.
  • Outreach sessions raise awareness among government employees of these issues, and cover both legal and policy requirements, as well as privacy best practices.
  • GA provided 39 outreach sessions in Fiscal Year 2021-2022 at the request of different federal government institutions. GA estimates that 700 federal employees from program development and policy areas, as well as from Access to Information and Privacy (ATIP) teams, attended these sessions.
  • To develop outreach materials, GA consults internal OPC experts on specific subject matter areas and the Canada School of Public Service (CSPS) on best practices for developing training and materials.

Current status

  • The outreach sessions that GA currently offers are:
    1. PIA 101;
    2. Artificial Intelligence and Automated Decision-Making;
    3. Biometrics;
    4. De-identification;
    5. Digital Government;
    6. Gender-Based Analysis Plus and Diversity Initiatives;
    7. Information Sharing Agreements;
    8. Necessity and Proportionality;
    9. Non-Administrative Uses of Personal Information;
    10. Privacy Breaches;
    11. Privacy Management Programs;
    12. Public Interest Disclosures;
    13. Social Media Monitoring and Publicly Available Information;
    14. Transparency and Privacy Notices; and
    15. Video Interviews.

Strategic considerations

  • The OPC currently has no explicit mandate under the Privacy Act to provide outreach and training to government departments, and the Treasury Board of Canada Secretariat (TBS) is responsible for developing central guidance on operationalization of the Privacy Act and its regulations. Authority for GA’s consultation activities, however, may be found in the Commissioner’s implied power to engage in educational activities and issue guidance, as necessary to effectively carry out their mandate and to increase the level of compliance of government institutions with the Privacy Act.
  • GA is working collaboratively with TBS to ensure clarity in outreach materials regarding our respective roles under the Privacy Act, and is discussing the possibility of co-presenting outreach sessions.
  • A new and more specific authority for the OPC to conduct public education related to the Privacy Act is proposed in the Department of Justice’s discussion paper on Privacy Act reform.

Further reading

  • [Redacted]

Guidance Modernization

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Background

  • The OPC has over 140 guidance documents online, over half of which are more than seven years old. In advance of law reform, the OPC hopes to formalize its guidance development processes and to better use internal and external intelligence sources to identify future guidance topics.
  • Guidance development is generally a shared responsibility across the OPC. Recent guidance has been developed by multidisciplinary horizontal project teams.

Current status

  • PRPA is undertaking a guidance modernization exercise focused on the development of numerous products and processes, including:
    • A process for identifying subjects requiring new guidance, primarily informed by new legislative requirements and leveraging the OPC’s business intelligence;
    • A standardized format for guidance publications for more effective messaging to audiences;
    • A process for conducting public consultations and stakeholder engagement for future guidance in order to comply with potential forthcoming legislative requirements and to respond to stakeholder feedback; and
    • Processes to evaluate the impact of law reform on our existing guidance suite, including the prioritization of guidance to update and the identification of opportunities for guidance consolidation as appropriate.
  • To date, the Policy, Research and Parliamentary Affairs Directorate (PRPA) has developed draft overall principles and processes, a guidance typology and tools for employees developing guidance, a template, information on prioritizing and evaluating existing guidance, as well as a rubric and playbook for consultations. PRPA has also met with other Data Protection Authorities to explore how the OPC could incorporate strategic foresight into its process to interpret these signals and information.
  • PRPA and the OPC’s Business Intelligence Analysts are working to develop a survey tool intended to help collect information and signals from across the OPC to inform guidance work.

Strategic considerations

  • Anticipated new privacy legislation may increase the OPC’s responsibility to develop guidance; the former Bill C-11 proposed a provision that the OPC must develop guidance materials for organizations in relation to their compliance with the proposed Consumer Privacy Protection Act, including any guidance materials that are requested by the Minister responsible for the Act, in consultation with affected stakeholders.
  • Additionally, the Department of Justice has proposed that the OPC have the authority under a reformed Privacy Act to engage in public education and issue guidance on the interpretation and enforcement of the Act, ensuring consultation with the Government in its development.

Real Risk of Significant Harm (RROSH) Tool

Lead Directorate: Compliance, Intake and Resolution Directorate

Background

  • Businesses subject to PIPEDA are required to report breaches involving personal information that meet the real risk of significant harm (RROSH) factors, such as the sensitivity of the information and probability of misuse.
  • The RROSH Tool, developed by the Compliance, Intake and Resolution Directorate’s (CIRD) Breach Response Unit (BRU) with the aid of an expert consulting firm, is an innovative solution to assess whether a privacy breach presents a real risk of significant harm to Canadians. It is rooted in risk science principles to withstand scrutiny and potential challenges.
  • The OPC developed the RROSH Tool recognizing that privacy breaches were increasing in volume and complexity, and that stakeholders were noting the challenges associated with determining and assessing risk. The Tool will also introduce efficiencies for the BRU’s assessment of public sector privacy breach reports.

Current status

  • The BRU launched the first phase of the RROSH Tool for internal use in March 2022, and introduced it to external stakeholders in May 2022 and the IAPP Canada Conference, where it received favourable comments.
  • Given stakeholder demand and to further promote compliance and consistency, BRU and the OPC’s IM/IT team are now focusing on the creation of the public version of the Tool.

Strategic considerations

  • There is significant value in creating a public version of the RROSH Tool that will promote both compliance and transparency. Stakeholders have expressed a strong interest in the OPC providing additional guidance for assessing RROSH, and we expect that many will gravitate toward the RROSH Tool, particularly privacy lawyers and small and medium enterprises.

Next steps

  • BRU will consult with the OPC’s Legal Service Directorate with respect to the Tool’s external use in general, and to discuss algorithmic transparency considerations, noting that the OPC has been calling for greater algorithmic transparency from private sector entities.
  • BRU will continue working with IM/IT to develop the public-facing Tool, with a targeted release in the third quarter of Fiscal Year 2022-2023. The Tool may require validation and recalibration as it moves from its internal implementation phase to the development of a public-facing Tool.

National DNA Databank Advisory Committee

Lead Directorate: Government Advisory Directorate

Background

  • The National DNA Data Bank (NDDB) was established by the DNA Identification Act (DNAIA) and has been in operation since June 2000 under the stewardship of the Royal Canadian Mounted Police (RCMP).
  • The NDDB maintains forensic DNA testing that analyzes bodily substances taken under court order from suspects, convicted offenders, or from volunteers against bodily substances found in connection with a crime or a missing person. There are over half a million DNA profiles in the databank, which are used to help identify suspects, including serial offenders, link crime scenes across jurisdictional boundaries, and assist investigators, coroners and medical examiners to find missing persons and identify human remains.
  • The National DNA Databank Advisory Committee is established by regulations under the DNAIA to provide the NDDB with guidance and direction on scientific advancements, matters of law, legislative changes, privacy issues and ethical practices. The Advisory Committee advises the Commissioner of the RCMP.
  • The DNA Databank Advisory Committee Regulations stipulate that membership of the Committee must include a representative of the OPC. The Director of GA currently fulfills this obligation.
  • The role of the OPC is to bring forward privacy concerns for discussion, while monitoring implementation of the DNAIA to ensure privacy rights are not being infringed upon.

Current status

  • Bill S-231, the Increasing the Identification of Criminals Through the Use of DNA Act, proposes changes to expand the list of eligible DNA designated offences and to make DNA sampling orders automatic upon conviction. The bill is at second reading in the Senate.
  • The National DNA Databank Advisory Committee, with the sole abstention of the OPC, supports Bill S-231. The OPC wrote to the Chair of the Advisory Committee indicating that, as the Commissioner might be called upon by Parliament to comment on this legislation in the future, the OPC would reserve detailed commentary. However, the OPC stressed that any expansion of the collection and use of DNA profiles must be shown to be necessary, proportionate, likely to be effective and minimally intrusive.

Strategic considerations

  • The OPC supports using forensic DNA evidence where appropriate, for identifying criminals, eliminating suspects, and aiding the wrongfully convicted. However, the OPC has expressed concerns about potential “function creep” from the activity.
  • The OPC traditionally comments on proposed legislation first to Parliament; this position may limit the OPC’s impact and influence as a member of the Advisory Committee.

Next steps

  • The OPC’s Parliamentary Affairs unit in the Policy, Research and Parliamentary Affairs Directorate is tracking Bill S-231.


Joint review by the National Security and Intelligence Review Agency and the OPC and the Joint Report on disclosures under Security of Canada Information Disclosure Act

Lead Sector: Compliance Sector

Background

Current status

  • [Redacted]
  • [Redacted]

Strategic considerations

  • Collaboration with NSIRA is a relatively new and important component of the OPC’s approach to promoting compliance with the Privacy Act in the federal government national security field.
  • [Redacted]
  • [Redacted]

Additional Information

  • NSIRA is subject to the Privacy Act [redacted].
  • [Redacted]
  • [Redacted]
  • [Redacted]
  • [Redacted]
  • [Redacted]
  • [Redacted]