Thank you very much, Mr. Chair.
I want to begin by congratulating you on your recent election as chair of this committee.
[English]
Mr. Chair and honourable members, good morning. I'm very pleased to have the opportunity to speak with you first about the two annual reports that we lay before the House of Commons every year.
I'm joined here today by Assistant Privacy Commissioner Chantal Bernier. Madam Bernier is in charge of our day-to-day operations, and she's also a specialist on national security questions, so I appreciate her presence with me today.
I will focus my opening remarks largely on our public sector work, although there were certainly interesting developments on the private sector side as well. The principal focus of our annual report on the Privacy Act for the 2010-11 fiscal year was the federal government stewardship of the personal information of Canadians. In particular, we looked at privacy in the context of law enforcement and aviation security. The report examined whether departments and agencies collected, used, and disclosed personal information in a way that complies with the Privacy Act. This is of overwhelming importance, given the highly sensitive nature of so much of the personal data that the state needs in order to govern. Indeed, we're talking here about information related to people's income, their taxes and benefits, their travel patterns, and so many other aspects of their lives. This is not information that individuals would necessarily want to turn over. It is simply collected to fulfill the requirements of various government programs or activities.
In the main, I'm happy to say that we found that the Government of Canada has solid policies and practices in place to safeguard the privacy of Canadians, but we also said that the government is obliged to handle the personal information of Canadians with an uncompromising level of care, not some of the time or even most of the time, but all of the time. The fact is that over-collection, misuse, or inappropriate disclosure of sensitive personal information could carry grave consequences for individuals.
Our annual report summarizes two audits that our office conducted during the year. I'm going to summarize them briefly.
[Translation]
In terms of the auditing, we assessed whether the policies and practices of the Canadian Air Transport Security Authority, better known as CATSA, complied with the Privacy Act.
That audit concluded that the agency collects too much information about air travellers and does not always safeguard it properly. In particular, we found that CATSA collected personal data about traveller activities that do not relate to aviation security and that, in some cases, are perfectly legal and legitimate.
For example, CATSA will note when a passenger on a domestic flight is found to be carrying large sums of cash, even though there is no law prohibiting that. The over-collection of data is worrisome because it can result in undeserved suspicion being cast on an innocent person. In addition, our audit turned up gaps in the measures used to safeguard such records.
Indeed, in our spot checks of several major Canadian airports, incident reports were found on open shelving units and on the floor, in the same location where passengers are taken for further screening.
[English]
I'll talk a bit now about the RCMP audit. Our other audit looked at the Royal Canadian Mounted Police's management of two operational databases that are widely shared with other police agencies, government institutions, and other organizations.
You may have heard of CPIC, the Canadian Police Information Centre, and PROS, the police reporting and occurrence system. CPIC has been described as the backbone of the criminal justice system. It provides computerized storage and retrieval of information on crime and criminals and is widely used by the law enforcement and criminal justice community. PROS, meanwhile, is the RCMP's police records management system. It contains information on individuals who have come into contact with police, as a suspect, a victim, a witness, or an offender.
Our audit found that, in general, the RCMP has policies and procedures in place to properly govern access to and use of data in CPIC. However, one-third of the agencies that use CPIC were unable, for technical reasons, to implement the necessary protocols that ensure CPIC is accessed only by authorized users.
With respect to the PROS database, we also discovered that some outdated and erroneous personal information was being retained when it should have been sequestered or purged. Specifically, we found that police and other agencies with access to PROS could continue to view records related to cases that had resulted in a wrongful conviction or a conviction for which a pardon had been granted. This contravenes the data retention provisions of the Privacy Act. It also makes it harder for people to get on with their lives, free from the taint of unfair suspicion.
Both CATSA and the RCMP agreed to address our recommendations. We'll follow up to see how these recommendations will be implemented.
Our last annual report to you discussed follow-up work on three audits we conducted during 2008 and 2009. We wanted to see how many of the 34 recommendations we made in those audits had been implemented. We were happy to find that 32 of those recommendations had been fully or substantially implemented in the intervening years.
The results were, in some cases, significant. For instance, a follow-up to an audit on the RCMP's exempt data bank found that tens of thousands of surplus files had been purged to comply with our recommendations.
[Translation]
I will now turn to our 2010 annual report on the Personal Information Protection and Electronic Documents Act, the PIPEDA. The major issues in that report were online privacy and the disposal of personal information.
We highlighted our audit of a major retailer, Staples Canada Inc.—Bureau en Gros Ltée.
What we found was that Staples Business Depot stores fail to fully wipe customer data from returned devices such as laptops and USB hard drives, which were destined for resale.
That was a particularly disappointing finding, as we had already conducted two earlier investigations involving returned data storage devices at Staples and received assurance that the company would fix the problems we identified.
Although some steps have been taken, the audit showed that those procedures and controls were not consistently applied, nor were they always effective.
As a result, consumers' personal information was at serious risk.
At the end of our audit, we asked Staples to provide a report from an independent third party confirming compliance with the recommendations by the end of this June.
We look forward to hearing about how the company has addressed our recommendations.
[English]
The report also describes our investigation into Google's collection of highly sensitive data from unsecured wireless networks in neighbourhoods across Canada. The investigation found that Google's Street View cars had inappropriately collected personal information, such as e-mails, user names, passwords, phone numbers, and addresses.
Google's explanation for this serious violation of Canadians' privacy rights was that an engineer had developed code that included lines allowing for the collection of payload data, but failed to flag this to the company lawyer reviewing the project.
We were concerned about Google's lack of control over processes to ensure that necessary privacy protections were followed. We recommended that Google ensure it had a governance model in place to comply with privacy laws. We also recommended enhanced privacy training for Google employees.
There have been significant developments on that file since we published our annual report. Last year we examined the remedial measures Google had put into place following the investigation. We found the company was well on its way to resolving serious shortcomings. However, we did request that Google undergo an independent third-party audit of its privacy program.
We asked Google to share the audit report with our office within a year. We look forward to reviewing the results in the near future.
We've also started to use the approach of requesting third-party audits of companies with other organizations as well.
In conclusion, I've touched on only a very few of the many issues discussed in our two annual reports. I think both reports illustrate the very broad range of privacy issues that can have significant consequences for all Canadians, and the importance of having strong legislation in Canada to protect our privacy rights.
I thank you very much for your attention. I and any members of my staff who may be able to assist me look forward to answering your questions.
I am ready, Mr. Chair. Thank you very much.
[English]
Honourable members, Mr. Chairman, I'm very pleased to be able to have a second hour with you to talk about some of our key priorities now for the coming year. We go into the future, having done the annual reports, and once again will attempt to answer your questions.
For this particular phase, I'm joined not only by the assistant commissioner, whom you've already met, but also by Daniel Nadeau, our chief financial officer and director general of corporate affairs. We were very pleased to have him join us in August, following the retirement of a gentleman some of you may have previously met, Tom Pulcine. It's been a wonderful, seamless transition. I'm very happy that Daniel is with me today.
I would like to begin by explaining the evolving landscape of privacy issues and how public concern with them affects our office's work and choice of priorities. So for starters, as I think everyone around this table can appreciate, personal information protection is an issue of growing importance here in Canada and around the world. Canadian businesses need to be informed about how privacy law applies to their operations, and federal departments and agencies are constantly challenged to balance social benefits associated with initiatives that gather personal information on the one hand with the privacy rights of individuals on the other. As an agent of Parliament, my office, of course, has the task of advising on such issues.
Individuals today face a reality of complex information technology. People enjoy the fact that these tools connect us like never before, and they bring valuable services to our fingertips. At the same time, Canadians fear the consequences of being tracked by data mining marketers and being surveyed by governments. As a result, Canadians turn to us to investigate their complaints and for information to protect and assert their rights.
[Translation]
I will now talk about the key areas of the OPC's mandate.
As you know, our office is mandated with overseeing compliance with both the Privacy Act, which applies to the government, and the Personal Information Protection and Electronic Documents Act, which applies to the public sector.
We also provide guidance to organizations on the application of privacy law, and to individuals on how they can protect themselves and assert their right to privacy. As in past years, we will be pursuing these objectives through actions under the following three key areas: compliance activities, research and policy development, and public outreach.
Before we get to your questions, I would like to highlight some of the key priorities we are pursuing over the coming year for each of those areas.
[English]
First of all, I'll start with compliance activities, where we are continuing our work to update and strengthen our complaint intake and investigation processes. In particular, we are in the midst of an effort to develop and adopt more innovative practices in the Privacy Act investigation process. Our goal is to continue resolving complaints thoroughly with a view to providing service to Canadians in a more efficient, effective, and timely manner.
We are also taking action to better deal with the fact that an increasing number of privacy issues are tied to information technology. For this reason, we are taking steps to ensure that we have the right expertise and tools to evaluate the privacy impact of various technologies. On top of improving ways to do our existing work, we are also focusing on the best approach to fulfilling new responsibilities.
As you know, it's expected that Canada's anti-spam law will come into force sometime next year. We are working alongside Industry Canada, the CRTC, and the Competition Bureau to develop the processes and systems to fulfill our respective roles under this legislation.
In addition, we're also gearing up to review the privacy impact assessments tied to the many initiatives being developed across government, to realize the vision outlined by the Canada-U.S. perimeter security and economic competitiveness action plan. Our office and our provincial and territorial counterparts have underlined the fact that many of the planned initiatives in this plan contain privacy risks.
Our office is ready to examine the assessments to come in order to make recommendations to departments on how to mitigate such risks. With respect to audits, as the assistant commissioner said, we will lay before you the audit of Veterans Affairs Canada this fall, and we have just commenced our second mandated audit of FINTRAC.
[Translation]
I will now discuss research and policy development.
As an agent of Parliament, we will continue to devote our expertise to analyzing legislation and sharing our observations with parliamentarians. We will also be paying special attention to the upcoming parliamentary review of the private sector act. That review is mandated every five years—and for good reason, as we have already mentioned.
Another way we help meet Canadians' privacy needs is by working with leading academic researchers in the field. One important way we do this is by supporting independent, non-profit research through our Contributions Program. Over the course of this year, we look forward to supporting further research, which can lead to new ideas and insights on privacy protection issues.
[English]
I'll talk now a bit about public education.
Public education is vital as privacy issues continually evolve. Very few of us can grasp the technological intricacies of what's happening on the other side of the screen. It's therefore more and more important I think to assist Canadians in protecting their personal information online. The generation growing up today is really the first to grow up online. This is why our outreach efforts to youth, to parents, and to educators remain among our top public education priorities.
We've already developed presentation materials for grades 7 through 12 to help adults engage youth about the privacy challenges of today's online world. This year we will be promoting education materials for grades 4 through 6. In addition to individuals, we know that businesses, especially small ones, have specific needs. In general, small businesses lack the resources to have dedicated in-house chief privacy officers and legal counsel. As a result, we're dedicated to providing guidance materials and making outreach efforts to help small businesses learn about and comply with their privacy obligations. Included as part of this we will be spreading the word about the importance of cyber-security and the steps small businesses need to take to protect customer and client data in the online age.
In relation to the public sector, significant changes in our public safety context, as well as in government interaction with citizens online, call for us to educate Canadians on the privacy implications of measures resulting from these changes.
In closing, Mr. Chair, let me underline that we will carry out our work in a way that will continue to see Canadians both well respected as taxpayers and well served as citizens. While not mandated to make reductions under the deficit reduction action plan, our office answered the call to adhere to the exercise's spirit and intent. As a result, we proposed to the government that we would find savings of 5%, or $1.1 million per year, within our operations by fiscal year 2014-15, while maintaining the best possible level of service for Canadians. This proposal was accepted and reflected in our budget for 2012.
To deliver on this, we have planned the following reductions: $676,000, or 2.8%, starting this year, will come from funding that had been allocated to my office in support of the implementation of the Federal Accountability Act. This funding was never accessed by the Office of the Privacy Commissioner. Then, an additional $430,000, or some 2.2%, starting in 2014-15, will be absorbed through general efficiencies from across the organization. Efforts to improve the use of technology and available tools, to take on a greater risk management approach, to better target public education activities, and to seek out partnering opportunities will help OPC generate these savings.
In addition, I also want to note a looming cost pressure that poses a challenge to our quest for a workable balance between quality services and lower costs. A forced move out of the OPC's present location to new offices in 2013 will result in additional costs of up to $5 million. Right now we cannot absorb this without significant impact on our core program. We're currently negotiating with the Treasury Board Secretariat to address this pressure, and I'm hopeful this issue will be settled adequately in the very near future.
With that, I look forward to your questions. Monsieur Nadeau will help me with any detailed questions on our finances.
[Translation]
Thank you very much, Mr. Chair.
Thank you, Ms. Stoddart, for being here today. I appreciate the opportunity to ask you some questions. I have a number of questions that don't relate to what we're talking about this hour, but from the previous hour as well. I'll probably be jumping around a little.
I wanted to ask you about the cash on the domestic flights that CATSA was reporting to other law enforcement agencies or keeping information on. When I went through the report, I saw it was quite disturbing. It seemed as if over 50% of the information in the incident reports they were keeping was beyond their mandate.
I travel. I fly internationally several times a year and domestically every week, it seems. I have never been asked by any CATSA security screener if I have any cash, if I have anything at all. They sometimes look through the bags. Sometimes they just look through the scanner. Sometimes they'll ask me for permission to look inside the bag. I don't see anybody recording anything. So I'd like to know, when my bag goes through a screening device and it takes a picture or whatever, do they keep that? How is it that they find out that somebody is even carrying a large portion of cash? If my wallet goes through, all they see is my wallet. I can see the screen too.
A voice: It's pretty skinny.
Mr. Blaine Calkins: Yes, things are a little tight. But the reality is, I'm quite dumbfounded as to how they would even get that information in the first place, because the question is never asked. It would seem to me that even the collection of information...I don't know how they would possibly do it.
Could you enlighten this committee on how that happens?
I'm glad to have the opportunity to address you, Commissioner, and your colleagues and I thank you for being here today.
As I've listened to your testimony and read the reports, I have to admit I marvel at the scope of your mandate. It's a big job and I commend you on the work you do. I think we're all thankful to have you in the role of carrying out the tasks at hand.
You've spoken today after eight years in your job and the changes you've witnessed, certainly in technology, which affects your role every day just as it affects our lives. We see it in the Internet and all the different spots. My colleagues opposite like to reference Bill , a bill that's coming before this House and one that has raised intense concern on their side.
You mentioned that you have some concerns with that legislation and, I presume, with its predecessor legislation as well, going back to the previous Liberal government. I'm sure you'll be attending committee and will bring your thoughts forward. I look forward to that because I think you'll bring productive and beneficial input into that debate; that's something that I hope you will do.
As an aside, or as an extension of that, in the report on plans and priorities, one of the concerns I had was how you manage the change, day to day, in your organization. I notice that you mitigate some of the risk by implementing your change management strategy or talent management program. Is it enough to keep pace?
Additionally, because this is probably the last question you're going to hear today, as you think about the change management strategy, are you able to do enough to keep pace with the change that's coming at you? In addition, in the short and medium term, what major issues do you see facing your office, and again, coping with those within your department?