Good morning, colleagues. We have a very important meeting ahead of us today. Pursuant to Standing Order 81(4), we have the main estimates, vote 1 and so on, that we have to get through.
For those of you who are new to this, it is a parliamentary procedure that we must do in order to approve funding for various departments and agencies, and this committee is responsible for the various commissioners and their offices.
We're very glad to have with us this morning Mr. Therrien, the Privacy Commissioner, who is here again, for I think the third time since this committee resumed after the last election.
Commissioner, I'll get you to introduce Mr. Nadeau and Ms. Kosseim as we go on.
Colleagues, at some point today we might have to take some time for committee business. What I would suggest is that we do about 50 minutes with each commissioner, if that's okay, and leave about 15 or 20 minutes at the end in order to deal with committee business.
If we do 50 minutes with each commissioner, that should work, as long as the other commissioner comes 10 minutes early. We can let Ms. Dawson know that.
We'll turn it over to you, Commissioner. Give us your opening remarks on the estimates and let us know what's going on. Then we'll move to questions. Thank you, and welcome.
Thank you very much, Mr. Chair.
I am very pleased to be here again, this time, to talk about our office's main estimates. With me today are Daniel Nadeau, our chief financial officer, and Patricia Kosseim, senior general counsel and director general, legal services, policy and research.
In my allotted time, I will discuss the technological evolution of the digital economy and its impact on privacy; our plans for the year ahead; and the challenges we face going forward given our current level of funding.
As you may know, our funding has remained stable in recent years at approximately $25 million annually, and no increase is expected in the near future. Yet our investigations workload is increasing and we have a number of new responsibilities relating to advances in technology.
The digital economy is evolving quickly as a result of constant technological innovation. This is a reality that affects many government regulators. This trend, however, has had a disproportionate, indeed revolutionary, impact on the field of privacy. When the Privacy Act came into force in 1983, computers were not mainstream. When the Personal Information Protection and Electronic Documents Act came into force in 2001, Facebook did not even exist.
Smart phones, cloud computing, big data and the Internet of Things, to name but a few data-rich technologies, all raise significant and highly complex privacy issues. Keeping up with all these changes has been a real struggle.
Despite its limited resources, my office has nonetheless effected much positive change for Canadians. Through sound management practices, we have optimized our resources and restructured our activities. Even though this has allowed us to realize significant efficiencies, we are unable to keep pace with demand. For example, despite our best efforts, by the end of fiscal 2014-15, a total of 291 out of an inventory of 759 active Privacy Act files were already more than a year old. In other words, 38% of complainants had not received a reply a year after filing a complaint. Our surveys show that 90% of Canadians feel they are losing control of their personal information. They expect to be better protected.
Turning to the year ahead, technology allows businesses and governments to collect and analyze exponentially greater quantities of information. But with great reward comes great risk. I am referring to government and corporate surveillance and massive data breaches, which occur on a regular basis.
As you know, breach reports to my office are growing year over year, particularly since 2014, when federal government reporting of material breaches was deemed mandatory under Treasury Board policy. Moreover, Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, known as the Digital Privacy Act, will soon make reporting by private organizations a legal obligation. Unfortunately, we have not received any additional funding to address these new responsibilities.
At this time, we are only able to cursorily review, advise, and follow up on all but a few of the breach reports we receive. We expect this problem to continue in the years ahead.
The increased complexity of Privacy Act investigations, owing to technology and the interconnectedness of government programs, is also putting added pressure on our compliance activities, with the result that too many are not completed in a timely way.
That being said, looking ahead, my office will try to confront these realities head-on as we embark on a number of ambitious initiatives related to the new privacy priorities, which I've spoken to you about before.
As part of our government surveillance priority, we are carefully reviewing how information-sharing is occurring between federal institutions for the purposes of national security following the passage of Bill, the Anti-terrorism Act, 2015. We hope our review will inform the upcoming public debate on how to amend that legislation.
In keeping with our reputation and privacy priority, we are consulting widely on matters related to online reputation as we work to establish a position on such things as the “right to be forgotten” in the Canadian context.
Under our economics of personal information priority, we are examining the current consent model, the efficacy and even viability of which many are now questioning in the context of modern technologies. Our aim there is to identify potential improvements, to implement those that fall within our legal framework, and to recommend legislative changes where necessary.
We will also offer new guidance to businesses and individuals on privacy protection, paying special attention to small and medium-sized businesses, as well as vulnerable groups such as children and seniors.
We also look forward to working with Parliament in the year ahead to update the Privacy Act.
That Canadians would feel uninformed about their privacy rights and not able to control their personal information is hardly surprising given the speed and breadth of technological change. In my view, improving public education and regulatory protection through OPC guidance and industry codes of practice, in addition to completing investigations in a timely way, are all critical to meeting public expectations and maintaining trust in the digital economy.
For example, we've been unable to fulfill our statutory role to encourage private sector organizations to develop industry codes of practice. We would also like to be able to offer timely guidance to Canadians on fundamental issues such as big data and the Internet of things. We're also concerned about our ability to invest in key public education tools, such as the web, and in drawing the public towards these tools to help address privacy knowledge gaps amongst Canadians.
Furthermore, it is critical that we increase our capacity to monitor and research technology in order to better understand how it affects privacy, and that we promote privacy-enhancing technologies.
In closing, it is clear that technology has fundamentally changed the privacy landscape, and for us as a regulator, it is imperative that we stay ahead of these changes. I'm confident that the strategic priorities we have chosen position us well for this task. Still, new regulatory responsibilities and an ever-growing investigative workload have added to expectations of my office. Ensuring we can continue to provide Canadians with the level of privacy protection they expect while also maintaining their trust in government and the digital economy remains our primary goal, but it is one that is increasingly challenging to achieve, given our current funding levels.
I would, therefore, welcome a discussion on whether additional funding for my office would be appropriate to do what is expected of us by organizations, by Canadians, and of course, by Parliament.
I look forward to your questions.
Sure. I would start with the fact that very few of these cases lead to court action. I'll distinguish between the public and the private sector again.
Under the public sector rules, there is now a directive from the Treasury Board that mandates departments to notify my office and the Treasury Board when there is a significant or material breach in a department. We've not been funded to do that work, so we had to reallocate from other places. Essentially there is one person in the office who deals with these cases.
We receive reports from departments. In the public sector there are roughly 300 of these breach notifications every year. There is one person to review these reports at the office. We look at what the department tells us in terms of the nature and the potential impact of the breach. We give some advice, but with few resources the examination is relatively superficial.
On the private sector side, there is no obligation at this point for companies to notify us. Some companies notify us voluntarily. Under Bill , which was adopted by Parliament last year, when regulations are adopted, there will be a legal obligation for companies to notify us, but again, there will be no funding. We're talking about hundreds of notifications per year given to our office. We have one person on the public sector side and one on the private sector side to look at these. By necessity we review fairly superficially what the departments tell us or what the companies tell us.
To add to this, as you know, there are other statistics out there that suggest there are many more breaches than those our office is actually notified about.
I think the issue of breaches is a significant problem. We do what we can with these two people who are devoted to these analyses. Given the importance of the issue of breaches, it's a concern for me that we have as few resources as we do to devote to these issues.
I would add that we share things on three levels. One level is from a facilities perspective. The second level is from a systems perspective. The third level is from a knowledge perspective.
On the knowledge side, as agents of Parliament, we get together at minimum on a monthly basis. As CFOs, for example, we have a conversation on a monthly basis as to what is going on, what the areas are where we could share certain things, either intelligence or resources, and things of this sort. There is an ongoing conversation at that level, which is quite useful.
On the facilities side, as the Commissioner mentioned earlier, two years ago four of us, four of the seven agents, moved into the same building. We have started sharing a number of things, whether a common mailroom, a common knowledge centre, or a library. We share boardrooms, for example. There are a number of things we share from a facility perspective.
From a systems perspective, again, we are always looking for efficiencies that can be made. We share the same financial system with the Office of the Information Commissioner. There are a lot of conversations that happen at that level.
We are web-hosting the platform for the Lobbying Commissioner, whom you will be talking to shortly as part of these sessions, I am guessing. We are always on the lookout for things that may be beneficial for the organization.
When we look at these things, I would say that our lens is threefold. First, are there cost savings to be made? Second, can we improve the services to one another? Third, can we reduce our exposure risk? Again, it is not easy having a small amount of resources dedicated to some of these key functions.
Often what we'll find is that the service level will improve or the risk will be reduced as a result of that. Cost savings, not so much...but as a result of it often we are better served, or we can at least have a decent level of service for our clients within our respective organizations.
All right, I appreciate that. That's good advice.
I have a few more things that I want to get off my chest.
I'll just leave with the one quote that I've left many different times. I'm sure you all know who Oscar Wilde is, and one of my favourite quotes of all time is, “The bureaucracy is expanding to meet the needs of the expanding bureaucracy”. It sounds to me like the Shared Services and the internal services are doing as well as can be expected. I'm hoping that we can find that.
Mr. Blaikie, I'll get to you before we go. I think you have one more question.
One thing I'll leave you with, and one thing that I can't believe didn't come up in this committee, is that we've been hearing from virtually every province that they have actually a dual role between the privacy commissioner and the information commissioner. When we take a look at the fact that your budget is rolled in with the Information Commissioner's and we have internal services for both organizations and so on, we've never had that conversation. I know it probably isn't a comfortable conversation, but I know it's probably one that's going to come up at some point in time as a conversation. I have no idea what the government of the day is going to do on that, but it would have nice to have some time to pursue that.
Mr. Commissioner, we thank you very much.
Thank you, Mr. Nadeau and Madam Kosseim, for coming again today.
We are going to have a discussion later on today about resuming the privacy study, I think, as we go through some of the scheduling. I know that you've made yourself available to come in. I'll share that information with the committee. We look forward to resuming that very important piece of work.
We thank you for your time, sir.
We're going to suspend for a few minutes and then we'll bring the Ethics Commissioner forward. Thank you.
Mr. Chair, honourable members of the committee, thank you for inviting me to appear before you today as the committee considers my office's budgetary submission for the 2016-17 main estimates.
With me today is Lyne Robinson-Dalpé, director of advisory and compliance, and Denise Benoit, director of corporate management.
When I appeared before you last February, I reviewed the mandate and activities of my office and our interactions with the committee. Today I will briefly describe my office's organization and operations, and the accountability framework within which it operates, before discussing our current budgetary requirements and highlighting some of our activities in the past year.
I've organized my office into five divisions to best support my mandate to administer the act for public office holders and the code for members of the House of Commons.
Advisory and compliance is the largest division, reflecting my primary goal of helping members and public officer holders meet their obligations through education and guidance. This division provides confidential advice to public office holders and members, reviews their confidential reports, maintains internal records of that information, and administers a system of public disclosure. In 2015-16 our advisory and compliance staff had close to 4,000 communications with members and public office holders.
The communications, planning, and outreach division coordinates education and outreach activities. It also contributes to policy development, compiles research, conducts public communications and media relations, and coordinates my office's interactions with Parliament and external organizations. Although the major focus of my office is on the prevention of conflicts of interest, we also investigate possible contraventions of the act and the members' code.
The investigations division has a leading role in this area. In 2015-16 my office dealt with 36 investigation files. I initiated most of those files myself, many on the basis of communications from the general public.
The legal services division also plays a critical role in our examinations and inquiries, and provides strategic legal advice on all facets of the work of the office.
The corporate management division oversees the development and implementation of internal management policies and the delivery of services and advice on human resources, finance, information technology, information management, and the management of office facilities. It also administers our shared services agreements.
Finally, my own team in the commissioner's office provides general administrative and logistical support for the office. The number of staff provisions in my office totals 49 across all divisions. Two vacant positions remain. My office is an entity of Parliament, and is therefore not generally subject to legislation governing the administration of the public service or to Treasury Board policies and guidelines. I've ensured, however, that our resource management practices are informed by the principles followed in the public service and in Parliament. Those principles are reflected in an internal management framework that I will discuss in a few moments.
In order to provide some context for my current budgetary submission, I note that after its first year of operation, my office was allocated an annual operating budget of $7.1 million. That remained unchanged for five years. We have returned some funds to the federal Treasury at the end of each year. Those surpluses have resulted, in part, from such cost-saving practices as not always staffing vacant positions immediately, and maintaining a budgeted reserve. I maintain a reserve to cover unexpected operational pressures and to internally fund projects and initiatives that lead to greater efficiencies.
There were lapsed funds again in 2015-16, mainly because certain positions were vacant for a period of time and because there were no major projects that needed to be funded from the reserve. I was able to proactively offer an overall budget reduction of 1.4% in 2013-14, and the same in 2014-15, when a budget of $6.94 million was approved for my office.
Last year, I sought and received a slight upward adjustment of $6.95 million to cover an increase in contributions to the employee benefit plans as determined by the Treasury Board.
For 2016-17, I am seeking a budget of $6.97 million. Again, the slight variance compared to last year is directly due to an increase in contributions to the employee benefit plans. This amount will enable me to continue to fulfill my mandate and further strengthen the effectiveness of my office by implementing strategic priorities in key areas such as client service, outreach, and information management.
I have again budgeted a reserve, but a smaller one than last year. In 2016-17, my office could be asked to help to pay for the implementation of a new financial system, and this project would be funded from the reserve.
Given the nature of my mandate, salaries are by far the largest expenditure. Non-salary expenditures are mostly related to the standard costs of running an office and the costs of our shared services agreements with external partners. Through such agreements, we benefit from the expertise of the House of Commons, the Library of Parliament, and Public Services and Procurement Canada in various areas, resulting in greater efficiency.
In 2015-16, my office continued to strengthen the internal management framework that helps to ensure the effective, efficient, and economical use of public resources. Among other measures, we implemented a policy on internal control and a directive on account verification.
We also continued to follow good management practices in other areas of our operations, including information management and information technology. We implemented an internal policy on information management and a related guide. Working with the House of Commons IT team, we launched an online portal for reporting public office holders and members of the House of Commons to submit their public declarations electronically.
Although we're not bound by Treasury Board policies on performance measurement, as a good governance practice we have developed a performance measurement framework that we are now starting to implement.
We continue to be transparent. We publish detailed financial information on our website, and our annual financial statements are audited by an independent auditor.
The workload of my office increased significantly as a result of last fall's federal election, which resulted in a large turnover of ministers, parliamentary secretaries, ministerial staff, and members of the House of Commons.
We communicated with departing reporting public office holders about their post-employment obligations under the act and worked with incoming reporting public office holders and members to help them complete the initial compliance process under the act and the members' code. Just over a third of the members have completed this process. All new ministers and parliamentary secretaries have completed the process within the timeline set out in the act, and we are processing the ministerial staff as they continue to be appointed.
My office participated in the members' orientation program, the House of Commons service fair, and a Library of Parliament seminar. I also offered presentations to all caucuses in the House of Commons and made presentations to the Liberal and Conservative caucuses.
I have touched on some of the activities and initiatives undertaken by my office in the last fiscal year. Later this spring, I will release my annual reports under the Conflict of Interest Act and the members' code, which will provide detailed information about these activities and initiatives. I will be pleased to discuss my annual report under the act with the committee, if it so wishes.
In closing, I wish to thank the committee again for inviting me to discuss my office's budgetary submission for 2016-17.
I will now be pleased to answer your questions.
In her opening remarks, the commissioner noted that we are implementing a performance management framework. We have in fact established the main roles and priorities for our organization.
We have started gathering data, which is largely quantitative for now, but we hope to gather qualitative data. We have just started doing this, but once we have gathered data for over a year, we will be able to identify ways of improving performance, for instance, in response times when a member contacts our office.
We record the number of requests received, but we know we have to do more. We have to look at our record on meeting deadlines. My colleague has in fact established client-service standards.
We need to gather sufficient data over more than a year in order to produce a report. At our management meetings, we have started receiving reports and are able to identify trends and weaknesses.
We recognize the importance of performance management. In the initial years, the commissioner's office established a framework, policies, and procedures. After eight years, we know what we need to improve our performance.
That's all I wanted to know. Thank you very much.
Madam Commissioner, and your colleagues, thank you very much for coming.
We will not be taking a decision on the estimates until we've heard from the other two commissioners next week. We'll be reviewing the votes and deciding whether we're going to fund you for another year, but your chances are looking good.
We'll leave you with that.
Thank you very much, colleagues. We can go straight into committee business, if that's okay with you.
I wanted to advise you on the upcoming schedule, and remind you this Thursday we have the Honourable coming here with Jennifer Dawson to talk to us about access to information and other items.
This time next week, starting on Tuesday, we have Madam Legault and Madam Shepherd, the last two commissioners we haven't heard from yet, in regard to the estimates. We're only going to do one hour for those two commissioners.
We also have Jennifer Dawson and Sarah Paquet to come in for one hour to give a presentation on the access to information review.
Next Thursday, we have three witnesses coming in to testify on access to information.
On May 17, we have the ATIP coordinators panel and Shared Services Canada coming in. That will be our last meeting with regular witnesses.
On May 19, we'll hear from Madam Legault. She'll be our last witness to wrap up the testimony. We'll spend one hour with her, and then we will have instructions to the analysts for an hour. That will take us up to the May long weekend break.
When we come back on May 31, we have the Independent Statutory Review Committee from Newfoundland, with Mr. Clyde Wells, Jennifer Stoddart, and Mr. Letto. They will be talking to us about aspects of both because their study dealt with the privacy and access to information commissioner for Newfoundland. They can provide us with any new information on how they went through their review, and the analysts can simply alter their report then.
That would be a nice segue into moving toward the Privacy Commissioner.
I would like to leave the 2nd, 7th, and 9th free for discussions and deliberations on the report. If we're done earlier, then we can move to the privacy, probably as early as the 9th. The Privacy Commissioner has made himself available on the 14th, 16th and the 21st. Sorry, from the 21st to the 23rd I think he's going to be away at a conference.
He said to me he would be willing to change his schedule. I would suggest to you colleagues, we always want to have the commissioner as a last witness to wrap things up.
Is it the intention of the committee to try and wrap up the Privacy Commission study before we rise as well? Is there any rush on this? I'm trying to get a sense around the room.