ETHI Committee Meeting

    Order, please.

     This is the twenty-second meeting of the Standing Committee on Access to Information, Privacy and Ethics. Our orders today, pursuant to Standing Order 81(4,) are the main estimates for 2009-10, vote 45, under Justice, as referred to the committee on Thursday, February 26, 2009.

    Colleagues, as you know, we've been working through our commissioners. Today, from the Office of the Privacy Commissioner of Canada, we have with us the commissioner, Ms. Jennifer Stoddart, as well as Tom Pulcine, director general and chief financial officer, corporate services branch, to address the estimates.

    I'd also indicate that at the end of our review of the estimates it's my intent that we would go in camera to look at the draft of the report on the 10 quick fixes, or 12--and there may even be 13--for the Privacy Act, which has been previously circulated to members.

    Without further ado, Madam Stoddart, welcome.

    Welcome, Mr. Pulcine.

     I understand that you have some brief opening comments for the committee.

    Yes. Thank you very much, Mr. Chairman. It's a pleasure to be back here again at our committee. I have an opening statement of about 10 minutes, and then Mr. Pulcine and I will be pleased to answer your questions on the main estimates.

    I'd like to begin by talking about the constructive relationship that we have managed to build with this committee. I must say that I deeply appreciate the confidence Parliament has shown in my office in a number of ways over the past few years, including that of stabilizing our funding at an appropriate level.

     I also, I must say, appreciate that our opinions are being sought by various committees as parliamentarians debate issues that raise privacy concerns. Already this year, in 2009, we've appeared before committees some nine times. I've met with MPs from all parties in recent months and have provided a briefing for one caucus.

    I'd just like to mention that some MPs have suggested that their staff would appreciate information about privacy protection to help them manage their offices. We're looking for representatives from all parties to help us determine what would be more useful. That's one of our summer projects: giving you some information to help you manage the personal information that you, as MPs, receive from Canadians. We'd like an all-party committee or maybe just staffers from all parties that we could consult with.

    So overall, I think, it's a very constructive relationship with Parliament, and I thank you again for it.

    I would like to move on to the subject of innovative action. This is critical. Each day brings new risks for privacy as new information technologies develop and governments continue to react to the expanded threat of global terrorism.

    We have recognized the need for a focused approach if we are to have any hope of keeping up with constantly evolving issues. With this in mind, we have set five corporate priorities for 2009-2010: to continue to improve service delivery through focus and innovation; to enhance and sustain the organizational capacity; to provide leadership to advance our priority privacy issues; to strategically advance global privacy protection for Canadians; and to support Canadians, organizations and institutions in making informed privacy decisions.

    I will touch briefly on each of these priorities.

    First of all, there is service delivery. Improving our service delivery to Canadians continues to be our most important priority. In recent years, we've been challenged with increasingly complex investigations and a backlog of investigation files while at the same time facing major difficulties in recruiting experienced investigators.

     In response, we have adopted a proactive, multi-pronged approach. We've expanded our outreach efforts as a way to prevent and solve issues before they turn into complaints. We hired some 20 new investigators last year, who took part in an intensive two-month training program earlier this year. Also, we've launched what we call a major backlog blitz.

    We're also re-engineering our inquiries and complaint handling processes for greater efficiency. These changes include a new position of complaints registrar to apply a form of triage to the issues that come our way. Wherever possible, complaints will also be referred to an early resolution process to try to help individuals and companies resolve problems more expeditiously. I refer you to the handouts that we've brought, where you'll see not only some of the statistics on human resources but the complaint backlog strategy that I just mentioned.

    Secondly, there is organizational capacity. In a related vein, another corporate priority is to continue to build the required internal capacity to support our privacy protection and promotion activities. The focus here is on recruitment and training as well as robust technology and integrative tools to assist and increase information sharing between our branches.

     I was very pleased to see that Treasury Board Secretariat's recently released 2008 Public Service Employee Survey documented a high degree of commitment, engagement, and professional satisfaction among our staff, who overwhelmingly believe they are working in a supportive, service-oriented organization. I'm also gratified to note that with respect to the public service's designated groups--that is, women, aboriginal people, persons with disabilities, and visible minorities--their representation in our office exceeds the overall availability rate in the labour market.

     In the meantime, we continue to try to attract quality candidates for a range of positions in the organization, both from within the public service and from without. In fact, we recently prepared a recruitment video for posting on YouTube in the hopes of appealing to the tech-savvy younger generation.

    I'd like to move on now to summarize the work we're doing in our four privacy priorities.

     The next priority overall relates to a streamlining of our activities in order to focus on those of the greatest strategic importance and impact. As you may recall, we have identified four pressing privacy issues that will receive priority attention from my office: information technology, national security, identity integrity and protection, and genetic information. We have concluded that each of these areas is associated with significant risks for privacy now and in the future.

    Our fourth corporate priority relates to outreach efforts aimed at equipping Canadians with the information and tools they need to understand and protect their privacy rights. This includes a particular focus on youth privacy issues and social networking sites. We are also working with organizations and institutions to help them better understand their privacy obligations. For example, we worked with our counterparts in B.C. and Alberta to develop guidance for retailers on the appropriate collection of driver's licence information. And we worked with Google, CanPages and three of our provincial counterparts in order to better protect the privacy of Canadians in the face of new street-level imaging technologies.

    A final corporate priority is to strengthen our emphasis on international work. Given how much personal information now circles the globe, it is clear that protecting the privacy of Canadians demands that we work with partners to develop a basic level of privacy protection around the world. As such, we are taking part in numerous bilateral and multilateral efforts aimed at advancing global privacy protection.

    I was especially pleased to note that the proposed Electronic Commerce Protection Act includes amendments to PIPEDA, our private sector Personal Information Protection and Electronic Documents Act, which you all know. These amendments would promote greater collaboration with international authorities to better protect consumers from electronic victimization by e-mail, spam, phishing, and other attempts at fraud and identity theft.

    In conclusion, then, we've put in place a wide range of new initiatives, and I expect the coming year to be one marked by substantial progress on all of our priorities. Privacy challenges are constantly changing and increasingly complicated. I'm proud of the tenacious and creative way in which our talented team is working to fulfill the important mandate that Parliament has entrusted to our office.

    I welcome your questions on any of those subjects.

    Thank you very much, Mr. Chairman.

     Thank you very much.

    I think we'll go right to members, starting with Ms. Simson, please.

    Thank you for appearing before the committee again, Ms. Stoddart. I really appreciate it. I know the whole committee does.

    I was just reviewing the budget, and by far one of the biggest expenses of the commissions is in the human resources and employee contributions areas. We've heard testimony from two of the offices that staffing continues to be a challenge by virtue of the size of the office; there doesn't appear to be any room for promotion, or that contributes to a high turnover rate.

    Looking at the report you submitted, you say you have 163 employees. Is that the total complement attributed to your office, or is that the total number of people currently employed?

    The total complement for our office, starting in this fiscal year, is 178.

    So you're under.

    Yes, but we're significantly over what we used to be, so in our world we think we've made appreciable gains.

    You mentioned that you hired 20 investigators. Was that within the last year?

    That was over the whole year. At the end of the fall we hired...some were internal promotions. We had 15 new investigators, and then five over the year. We were able to provide them with consistent and comprehensive training.

    We've also heard testimony that in human resources one of the commissions was almost $1 million under budget because of this ongoing staffing issue; that it's a systemic problem and challenge that smaller offices face. Is that also attributable to a specific skill set you need for the job, or could it be a product of the current hiring practices we see and how a job is posted, as opposed to going public with the particular job?

    Yes. A lot of the turnover in the past and a lot of our historic challenges that have led to the unfortunate creation of a backlog in our complaint investigation are due to the tremendous demand within the public service, particularly in the national capital region, for investigators. Because of new legislation and perhaps the importance in recent years of accountability, investigators are hugely sought after, so it's hard to keep a lot of them for a long term in a small organization.

    As to the broader picture, I can only speak for my organization. I know that one of the reasons we've made some progress in the past year is that we've tried to have a mix of staffing practices. We've had different types of competitions--some inside the civil service and some outside the civil service. We've borrowed employees and joined in generic job competitions with other organizations. It has called for some creativity, but I don't know the source of the overall challenge.

    You say that the investigators in particular are in high demand. Could you maybe go over the skill set and educational background, or what is required to be an investigator?

    Generally it takes a university degree or the equivalent--writing skills, analytical capacity--

    What type of university degree is required? Can it be a BA?

    I believe we ask that it be related to the work, and in fact we currently have people with a range of skills, which is very important. Some are in criminology. People in information technology are extremely important now. So I think there can be a range of backgrounds, because we have many types of investigations, particularly in the private sector.

     So it would require a university degree.

    I guess what I'm trying to get at is, does your department ever try to recruit directly from one of the sources, such as a university? Or is a college degree, such as a community college degree, where a student has been pursuing criminology, or that type of thing, not something that you would look for?

    I believe a community college degree would be suitable for some of the junior officers or for our inquiries unit, where, as I mentioned, we're trying to solve issues before they become formal complaints, because the process then becomes much heavier and much more cumbersome, and the person still doesn't have their answer.

    So yes, college degrees are suitable for some of our more junior positions. Yes, we have tried to recruit on particular campuses. As I remember, it was via the Public Service Commission; it was sponsored by the Public Service Commission.

    I was only curious. I've been following this through a number of examinations, because it would just appear to me that in this current environment, it is a little bizarre that there are so many vacancies in so many areas.

    I know.

    It just somehow didn't make a whole lot of sense to me.

    But it's very encouraging to hear there is some recruitment going on of younger, right-out-of-university people, because I'm sure a lot of the students aren't aware that these types of jobs even exist. So that's very encouraging to me.

    Yes. And if I may add, this is why we're developing something to go on YouTube, because the demographic we need in order to deal with the technological and the social challenges now is the demographic who may not be reading the traditional sources of recruiting for the Public Service of Canada. So that's one of our innovations.

    Terrific.

    Thank you.

    Mr. Vincent, please.

    Thank you, Mr. Chair.

    Ms. Stoddart, I would like to go back to your 12 recommendations, specifically the fifth, which reads:

    Let me read you some other paragraphs:

    You also write: So, if I discover a serious problem with the protection of personal information in a department or an institution providing services to Canadians as a whole, it seems to me appropriate, in certain cases, to inform Canadians about it immediately instead of waiting 18 months. This might also encourage departments to pay more careful attention to the protection of personal information.

    I would like to hear a little more of what you have to say on that. Can you give us an example of a case that you would inform the public about as a matter of public interest?

    Before you answer, because everything is relevant in a review of your activities....

    But, Monsieur Vincent, presently we are looking at the estimates only. We are going to look at the report on the quick fixes in the second part of the meeting.

    But I think he's trying to get an idea of the resources that are necessary, and the implications of number 12, I believe it was. But you may want to respond generally to the concern the member has raised.

    Ms. Stoddart, we are not required to deal only with the estimates. You are the Privacy Commissioner and I can ask you questions about matters other than the estimates in order to get clarification.

    You are right.

    Go ahead, Ms. Stoddart.

    My annual reports contain many examples of matters involving the government, but the reports often appear 18 months after the events have taken place. A very common example, one that concerns me a great deal, is the security of personal information within the government. We know that there are failures in the requirement for personal information to be kept confidential and that the failures can occur in different ways. In my annual reports, I have described incidents of laptop computers containing taxpayers' information being left in some employees' cars.

    I have also reported on more structural matters in my audit reports, such as protection measures, or the lack of them. I reported, for example, on the passport office and our vulnerability, in some of our points of service overseas, with regard to the protection of personal information. It seems to me that the process, which is now instantaneous, could be updated a little. Everything is virtual now. There is something profoundly anachronistic about producing a report 18 months after the fact.

    I would like to talk to you about something more immediate, something that you are familiar with and have already touched on. On April 30, the federal government ended its online passport program. An internal document obtained by Canadian Press indicates that the program was abolished because of a breach of confidentiality.

    Earlier, you said that you have hired 20 new investigators. You were waiting to see Passport Canada's final report on the matter on March 31. That report has still not been submitted, has it?

    No, we still have not received it.

    Are we talking about 2007?

    We are still waiting for the second report, the one that followed our 2008 audit.

    The date is November 29, 2007. Someone from Ontario indicated that there had been a failure in the confidentiality requirement. Since that time, you have not received a report. Is the investigation still underway? Will you have the documentation? Will the change to your recommendation five make it possible for the public to be told what happened?

    We have received one part of the report. We are still waiting for the second part, dealing with the work that Passport Canada should have done.

    Yes, this is an example. If the act were amended as I recommend, I would be able to inform Canadians and Parliament. There has been talk of providing reports every three months—that remains to be seen—and of providing the public, through Parliament, with up-to-date information on security and confidentiality at Passport Canada.

    If I understand you correctly, you did a quick investigation when the matter came to light on November 29, 2007, and you could have come before Parliament and told Canadians there was a problem with online passport requests. Is that correct?

    Yes, we could have. Often, when a problem is pointed out to us, we cannot immediately say what caused it or how to solve it. We could certainly have provided information more quickly about what was happening at Passport Canada.

    With 20 new investigators, how come the report is not finished yet? This all started in November 2007 and it is now May 2009. Why have two years gone by between the incident being revealed and the report on it?

    We have made a number of approaches to Passport Canada, but I do not think that we have done a formal investigation of a breach of online confidentiality. We checked, though. We were able to find out that Passport Canada was addressing the matter. We received one report, if memory serves, and we are waiting for a second. There are a number of ways to supervise the legislation or make sure that it is being enforced.

    As you know, someone already got access to 23 people's information. A reporter was cross-checking that information and obtained access to the information of five others. We are talking about driver's licences, health cards and all the other personal information that we routinely give to Passport Canada. Then this kind of breach occurs. It seems to me that this could have been made public much sooner, before Canadian Press submitted an access to information request.

    Why did you not say anything about it? Why did it take Canadian Press looking for a document through access to information to make these things public as a result?

    Mr. Vincent, the case is two years and I find it difficult to give you an answer right now. From what I remember, we found out about the problem in the media and then got involved ourselves.

    Okay. Thank you.

    Mr. Siksay, please.

    Thank you, Chair.

    Thank you for coming back, Commissioner, with Mr. Pulcine.

    I want to ask a couple of questions that came out of your statement this morning and the documents you provided. In the chart on page 5 of the extra information you provided, you noted that in the analysis of complaints with regard to the Privacy Act, complaints are down and the backlog is down 42% over last year. With regard to PIPEDA, complaints are down by 40%. It sounds like good progress.

    What's your goal in that area? Is that progress continuing since the year-end in March?

    Yes. This is the number one operational priority for my office. Our goal is to get rid of the backlog as soon as possible, and in any case—in all cases—by the end of fiscal year 2010.

    Okay, 2010. When you talk about getting rid of the backlog, what's the timeframe for processing? I guess there are always going to be some complaints that take longer than others. What's your definition of getting rid of the backlog?

    Getting rid of the backlog means there are no active complaints over a year, certainly in PIPEDA; over a year or less in the Privacy Act; and in something called time complaints, where it's possibly simply to complain that you didn't get the information on time, I would say it's over eight months.

    I wonder if you could take us through the chart on the employment equity numbers for your office. You mentioned them, and they look interesting and positive. Maybe you could highlight for us what has happened there.

     Thank you. I'd be happy to do so, because we have made some progress over the years.

    Under the federal government employment standards, particular attention has to be given to these four employment groups because of either their historic under-representation or their historic negative situation in the labour market. You'll see with the first one, which is women.... In fact, I was joking that we should perhaps go the other way and have affirmative action for men, because we are a very feminine office. More than two thirds of our staff are women. That's probably because a large part of the support staff is feminine, traditionally. It remains traditionally feminine. But in the scientific, professional, and management categories, it's more evenly divided between men and women.

    In terms of the aboriginal group, we have managed to be above the labour market availability. That is parsed for the particular area in which we recruit. It's called a recruitment shed. So those would not be across Canada but those you could recruit in the national capital region.

    In terms of persons with disabilities, again we have above the representative share.

    And finally, in terms of visible minorities, we have a quite a few, which I think is very important as we talk to Canadians across the country, particularly in urban areas. They're very good spokespeople for us, and they represent the office well in terms of giving a diversified face to it.

    I think these statistics are based more on 2001 census data. With the more recent census data that we haven't yet received, the gap may diminish.

    Did this happen by accident or was it deliberate that you have what look to be fairly positive numbers?

    No. This is one of the questions this committee brought up quite a while ago, so particularly in the categories of aboriginals, persons with disabilities, and visible minorities, we made an effort to encourage those groups to apply and also to retain them when they worked for us as students, as contract workers, and so on, with their being qualified, of course. But we were particularly interested in them for that reason.

    Do you know of other workplaces in the public service or in similar commissions where a majority of women are in a particular workplace?

    I must say that I haven't had time to look into it. I don't know. I think it's probably fairly rare.

    Do you think that brings a different perspective to your work? Has anyone looked at that question in terms of what difference it would make to your workplace?

    We should. One of the things we're trying to focus on in terms of making the workplace respond to the needs of younger people is the issue of work-life balance. That is something that I think women have brought to the workplace more than the previous demographic, so I would think the importance of maintaining a healthy work-life balance, accepted by all employees, probably relates to the feminization of the office.

    You mentioned in your statement that you'd done a recruitment video for posting on YouTube. Has it been posted on YouTube or is it yet to be posted?

    Yes, I believe it has.

    Maybe you could send us the link so we can check that out. It would be interesting to see.

    You also mentioned the Electronic Commerce Protection Act, Bill C-27. Was one of the standing committees that you appeared before the one where they were considering that proposed legislation?

    No. I haven't appeared before that committee. I would be very happy to appear before it, because it's an important piece of legislation dealing with spam and the anti-spam initiative, and it's also giving important new discretionary powers to deal with complaints in a discretionary and, I think, a more productive manner.

    Can you say something about how the work of your office would be impacted by that legislation?

    I hope it would allow my office, certainly in PIPEDA--because it would change PIPEDA, not the Privacy Act--to have more discretion, to be exercised reasonably, of course, to focus on the issues that are new challenges to Canadians or issues for all Canadian.

     I would hope that it would allow us to be able to move away from what has seemed to us recently to be highly personalized issues, which often are family issues or issues with employers, and to refer them to a more proper venue, which might be either a court where family or matrimonial proceedings are taking place, or labour arbitration, so that we can concentrate on what would best serve the greatest number of Canadians rather than very particular, highly personalized cases that don't raise new issues.

    If that legislation went ahead, would you see it requiring greater financial support for the commission to do the work of the commission?

    No. On the contrary, I think that would help us to use our resources more effectively and so, with the same number of resources, give better and faster service.

    Thank you, Chair.

    Mr. Dreeshen.

    Thank you, Chair.

    Thank you very much for being here today, Commissioner Stoddart and Mr. Pulcine.

    I want to start off by going through the main estimates for salaries. I believe we have $13 million. I just want to ask if that is for the 163 or for the 178 you were speaking of.

    In this fiscal year, the amount of money that would be voted, as I understand, would be for a full complement or a full potential complement.

    So that would be for the 178, then?

    Yes.

    Is that the amount one would anticipate in other commissions? Do you think the staff would be getting that same type of salary? Have you any idea?

    It's hard for me to answer that question, honourable member. All the staff salaries, of course, go according to classification standards. The classification standards are always fixed with an outside review group so that the salary levels stay in line with what is acceptable public practice.

    I was going through the number of lawyers in here. Of course, I've always kind of lumped lawyers into the same category, but I notice that you have lawyers 1, lawyers 3A, and lawyers 2. I wonder if you could enlighten us on the differences.

    Like everybody, lawyers have a kind of scale of progression. I think one of the things the federal government wants to do as an employer is recruit bright young lawyers and then make sure they stay within the federal government by offering them possibilities to progress. So there is an entry level, which is 1A. I think it goes 1A, 1B, 2, 2A, 2B, and then 3. After that I've kind of lost track of it.

    But those salaries are also included in what we're talking about there.

    Yes.

    Are there more lawyers in your area than in some of the other commissions?

    Again, I haven't looked at it, but a lot of the commissions have a legal bent. We certainly need lawyers because we're interpreting two laws. One of the laws is very new and doesn't have a lot of interpretation, so the work of the lawyers is extremely important. Our work is subject to judicial review by the Federal Court, so we have to make sure we're doing everything legally. We may have more lawyers because of our function.

    I'll get off the lawyers' story now.

    In the 2009-10 report on plans and priorities you indicated that your office had four priority issues: information technology, national security, identity integrity and protection, and genetic information. How have you identified these priorities, and what specific actions do you plan to take on them in the coming year?

    We identified them through in-house debate and brainstorming based on a reading of not only what the public came to us for, but the challenges looming outside in our environment.

    We have quite a few different goals, such as a genetic privacy working group.

    On what we have done for the last year, maybe I'll go to this year, because we're on estimates for this year. We are going to meet with patient advocacy groups on issues relating to genetic discrimination. We have the assistant commissioner for the Privacy Act, who sits as a member of the National DNA Data Bank Advisory Committee. So for her to keep up to date and look at their files is something. We participate in the review of the DNA Identification Act. We will probably--we're just looking to make sure we have the money--organize a series of public policy workshops on various aspects of genetic information.

    Going back to the report, you spoke of some concerns about your own office keeping up with privacy and security infrastructure, and so on. You referred to this type of ongoing risk. Are there risks that all organizations face with the new electronic technologies and some of the challenges that are looming? Are there some serious shortcomings in your own technology capacity at the moment?

    I don't think there's anything serious. I'm going to ask the director of corporate services to speak to that, because we have initiated a very serious risk management program, and we annually update this risk management profile. We are very concerned about possible breaches and the impact they would have on Canadians' confidence in their personal information if our office couldn't withstand breaches. So we spend a lot of time on this, trying to keep up with the latest issues around information security and confidentiality.

    I'll ask Mr. Pulcine to complete my answer for me.

    Perhaps the only thing I will add is that we do a number of threat risk assessments, and there are different types of assessments one can do over a period of time. Because of the sensitivity of this issue to us, we take it very seriously. When you do a threat risk assessment, a vulnerability assessment is done to see how vulnerable we are to attack. We have it done by different firms to ensure we are not vulnerable. It's something we're very conscious of. So I don't think there are any issues within the Office of the Privacy Commissioner--any significant risk.

     So these are the techniques, then, that you go through to make sure everything is fine.

    Do you ever let others know what you're trying to do, so that other organizations might be able to protect their own privacy using these same techniques?

    Well, I think for those who know about this and are in the business of security, threat and risk assessments are something fairly standard. Now, as for exactly how they carry them out, the experts know.

    We don't talk about our own assessment to the private sector companies, for example, or the government departments, but we certainly do dwell on the principle, the importance of security to maintaining confidentiality and privacy.

    Data breach is a huge issue for Canadians. Data breach in the private sector is still an ongoing problem in Canada, as it is in the United States, and so on. I think we had something like 69 data breaches reported last year—and that's without mandatory legislation. Some of those were quite serious data breaches in the private sector. Now, had these organizations not done threat and risk assessment, they might have been better protected. But in fact we found out—and we'll talk about this in our next annual report—that rogue employees are a big cause of data breaches. That's a little harder to deal with.

    Okay, thank you.

    Okay, we're going on to the second round.

    Mr. Wrzesnewskyj, please, for five minutes.

    Thank you, Chair.

    We have a tremendous quality of life and we come together collectively, but we also have private or personal lives, our family lives. That privacy is an important component of our quality of life.

    We were just talking about these new technologies: real-time surveillance, personal genetic information gathering, etc. These technologies are rapidly evolving and posing threats.

    We just talked about the threat risk assessments you do, but when I look at your budget, I notice that for this coming year it's $22.3 million, and then it drops back down to $22 million basically, and you then have it going at $22 million over the next couple of years after that. The numbers seem conservative to me. I would have thought that with these threats to Canadians' privacy and the threats collectively, we would be ramping up the resources within your department to deal with these types of threats.

    Have we done a cost analysis of how to deal with these threats, to be proactive as opposed to being strictly reactive?

    We did in the past when we had a significant increase in our budget. The whole budget history of the office is not there in the estimates, but in fact our budget has been doubled over the last five years. So within that context, it certainly seems like there's been a major increase in our funds.

    The reason the budget drops in 2010 is that we asked for resources to deal with the backlog. We hope the backlog will be eliminated, that we'll be more efficient, and that we'll then come back to the status quo.

    Okay. So the increases over the past couple of years, or a significant portion of them, were primarily to deal with these new threats on the horizon?

    A significant portion of the increase was to deal with the increasing sophistication of privacy threats, the issues of new technologies, which are very hard to understand, first of all, and then hard to investigate or monitor, and for international cooperation on them, because they are technologies that usually come from outside Canada. It's for things like that.

    Your recommendation number 10 talked about the sharing of data and the problems with the sharing of Canadians' personal data with foreign governments. I note that we have 271 so-called agreements with some 147 countries in the world. Has your threat risk assessment group looked at these 271 agreements and done an assessment; and if so, could we see a report card on how you rank the threat risk of those 271 agreements with 147 countries?

    No, we haven't. The threat risk assessment was just to the Office of the Privacy Commissioner against spam attacks, electronic attacks, or spoofing; or people penetrating who are not employees, getting access to our computer network where people's complaints are and things like that. It didn't have to do with the information sharing agreements.

    So we really have no idea how stringent the rules are in these 271 agreements. If we're talking about agreements with 147 countries, that's a number that's significantly higher than the number of democracies that would subscribe to the same principles that we subscribe to. I would assume that also includes a large number of dictatorships, totalitarian regimes, and so on. So I think that would be a priority, and perhaps resources should be dedicated to that area.

    We talk about these new technologies and the threats. Have we done a costing? Once again, this is about being proactive as opposed to just responsive to individual complaints, to protect vulnerable groups within our society. None of us likes our credit information being shared and shared by credit card companies. That has received a lot of media attention.

    But what about children, for instance? A computer is a window into a child's life. Have we looked proactively to see what needs to be done in that area? Has your group looked at that?

    In terms of seniors and the telephone, these marketing companies that prey on vulnerable seniors, have we done that type of proactive work? What is the costing? Have you budgeted for that type of work?

    For seniors, we entertain several complaints that are made usually on their behalf. We try to operate a change in the practice of the company that's preying on them. I think we've been fairly successful in the complaints we've had.

    As for children, we have a whole new initiative on youth privacy, which was an issue we really brought to international attention when we hosted the international conference in 2005. We have a youth privacy website. We have a joint initiative with commissioners in several other provinces. We have a youth privacy blog. I don't know if we have that as a particular cost, but it's a major resource centre in terms of initiatives in order to educate this demographic and educate their parents on the issues of privacy online.

    I've just remembered: we have a campaign with, for example, stickers that you can put on your iPod that say, “Think before you click”. We're trying to do a lot of these things to reach down to youth.

    Thank you.

    We'll move on to Mrs. Block, please.

    Thank you, Mr. Chair, and welcome again to you, Ms. Stoddart.

    I remember way back in the beginning--I think it was at our first session when we met with you, or maybe it was even in January--you referred to the four priorities that your department had outlined. Those were information technology, national security, identity integrity, and protection. You referred to them again today in your remarks to us. Could you remind me how these priorities were identified for your department?

    They were identified in a number of ways: by looking at the complaints, certainly the phone calls and the letters, everything that came into the office as to what Canadians were concerned about, and polling that we do annually; by looking at the evolution of the outside environment in terms of new technologies about to be put on the market; by looking at the media; and by reviewing some of the work that has been done for us by various experts on some of these issues. In order to try to focus our energies, we said we thought many of the things we had converged to those four priorities.

    And what specific actions do you plan to take with respect to those priority areas in this coming year?

    There are quite a few. Let me refer to various things.

    I believe that I talked about the genetic information.

    Mrs. Kelly Block: Yes.

    Ms. Jennifer Stoddart: I mentioned that there are jobs not filled. In terms of information technology, one of the things we want to do this year is hire and train enough people within our office to better assess the privacy impact of new information technologies coming on stream every day.

    Another thing is to increase public awareness of technologies that have potential impacts on privacy, which means putting out information for the public.

    Another area is providing practical guidance to organizations and institutions, in both the private sector and the public sector, on the implementation of specific technologies. For example, how should we deal with RFIDs--radio frequency identification devices--which are being rolled out at the pallet level across Canada and which are also the components of the electronic driver's licence being adopted in several provinces that will supposedly help people pass a border checkpoint faster?

    Is that okay? That's an example. Would you like me to go on?

    No, that's okay.

    I have one other question related to the estimates and to one of the quick fixes you've recommended, which is a clear public education mandate. You indicated when we met with you at one point in time that educating the public was one of the most important roles--some would say the most important role--for the Privacy Commissioner. Is that contemplated in your estimates? You have 163 staff now, and you're moving to hire up to 178 staff. Are you hoping that you'll have an increased public mandate, and has that been contemplated in the numbers you've presented to us today?

    No, it hasn't been contemplated in those numbers, because the numbers are based on our legal responsibilities and obligations now. We don't have a specific public education mandate for the Privacy Act, which was adopted in 1983. We give information on it, of course, minimal information, but we don't undertake these public education campaigns with outside partners, such as organizations or provinces, because we're not specifically funded for that.

    If the government were to change the law, we would sit down with Treasury Board at that point, and there would be an estimate of the resources needed. I think it would come before the parliamentary panel for a recommendation as to what would be needed to fund it.

    Thank you.

    Thank you very much.

    Mr. Nadeau, the floor is yours.

    Thank you, Mr. Chair.

    Good afternoon, Ms. Stoddart and Mr. Pulcine.

    In recommendation four, you ask for a discretionary power that would allow you to decide whether a complaint is worth pursuing and working on. Are you recommending something like that because you have to accept all complaints that you receive as is, even though some, in your experience, could be set aside?

    Yes, that is more or less it.

    I come from teaching, where I sometimes worked as a vice-principal. Lord knows, I have had to set priorities in my time. Ten per cent of the students can take up 90% of our time, and vice versa.

    Let me look into the future. I understand that this is a one-year budget, but you have to come back to it each year. We often use the things that have been done to decide whether to approve more money, or less, in the future. With a budget of $22,300,000, how will you be able to meet needs that can only increase?

    We can also see a backlog. Of course, you will be able to tell me why and tell me how complicated the cases are. Perhaps there will not be an explosion of cases, but these sneaky people can use a number of ways that already exist to attack people's privacy.

    I do not want to be a prophet of doom, but can you handle all the possibilities with a budget of $22 million?

    As I told your colleague, the Privacy Commissioner's budget has increased significantly in the last five years. We are going to start by using all the resources we have been given to recruit and train 178 people, and keep them to the extent possible, given the extremely mobile labour market. We are going to do everything we can to meet our goals before asking for more resources.

    We have not yet exhausted everything we can do with our current resources. I feel that it is very important to be innovative, and not always be asking for more resources. We have plenty of resources and our role is to work strategically and creatively to face the new challenges.

    Those are wise words, but I know perfectly well that things can change. Demand can increase significantly. At the moment, there is no mechanism that would stop someone who knows how to make requests from messing up the system

    Not really, no.

    For the recommendation to be accepted and to help the budget, accepting that it could be subsequently changed by others, do we need to change the mandate of the commission as defined in the act, or could it be done more simply?

    The recommendation is quite straightforward because the powers that I am asking for are already in the legislation that is before a parliamentary committee. It is not a very bold request. It is something that I hope to see in the new legislation, something, in fact, that is already there.

    Because of the resources that I presently have, I hope to be able to spend less and less time dealing with the same complaints always coming from the same people, and everything you can imagine that goes with that, and more and more time on structural matters like the ones some of your colleagues have mentioned.

    Thank you very much.

    Thank you, Mr. Chair.

    Mr. Stanton, please.

    Thank you, Mr. Chair.

    Welcome, Madam Stoddart. It's good to see you back here.

    I too am returning to this committee from the last session, but I recall we had fairly considerable discussions at the committee in the last Parliament in respect to the review of PIPEDA. I notice in your RPP that you have been given considerable funding or, in the words of the report, “approval to stabilize funding for PIPEDA”.

    I wonder if you could give us an update on what in fact that translates to. What sort of changes in activities have taken place to stabilize that and to put in place the resources to respond to the demands of PIPEDA across your organization?

    That takes us, I guess, back into the history of the funding of the office. When PIPEDA was originally voted for in 2000, it didn't have permanent funding, because nobody knew how it was going to play out. So I think that's a comment that not only was the base stabilized, but also that there was a need for various things such as technological experts, and a need to communicate with our international colleagues in terms of the technological applications that are being rolled out throughout the world, and various things like that, including having technical advisers in a lot of the different branches to have a hands-on approach to doing either investigations or audits in an updated way.

    So all of that was rolled into our present budget, and it has been extremely useful.

    I know you made brief mention of the whole question of the requirements of industry to disclose any data losses. We spent considerable time debating the pros and cons of the best direction to go forward there.

    Have there been any changes to the experience your office has seen with respect to the voluntary approach and how that has been working? Are you finding that industry is participating well? Are they putting regimes in place to make sure those losses are disclosed, at the very least, to your office?

    We've seen a very positive take-up. The first year when we had voluntary data breach disclosure--and this may not be accurate, from memory--there were something like 25 self-reported disclosures. I think there were 69 last year. As always with such things, one wonders if there wasn't a lot of activity going on that wasn't reported, and what this reflects--more cooperation with my office, greater data breaches, it's hard to say.

    What I can say is that throughout the world in societies that resemble ours, we're moving to compulsory data breach disclosure. The European Union recently recommended this, and I believe President Obama is talking about a national data breach disclosure. There's some debate about that, because right now standards in some of the states are a bit higher than a possible national law. We follow up on all the cases to make sure that remedial action is taken.

    One of the key objectives of your office is to expand the outreach side. Could you comment on whether some of the outreach activities are in fact having some positive results in areas like reporting of data breach, and that type of thing?

    One of the things I'm very concerned about is taking the office out of Ottawa, which is not home to a great number of Canadians, and out to the places where people are living and working. On the money we've had for regional presence, we're not the size to have an office. But I think it's very important, because in all fields you have to maintain personal contacts. We have a regional presence in the Maritimes and in the west in Calgary. I think this has been very useful in developing our links and a trusted relationship with the private sector.

    As far as the public sector goes, we work extensively with the other commissioners. We have joint initiatives like the youth privacy website, youth initiative, children's privacy, electronic drivers' licences, and so on. It think it's an important part of our action.

    Thank you very much, Mr. Chair.

    Mr. Siksay, please.

    Thanks, Chair.

    Ms. Stoddart, in your remarks today you mentioned the Treasury Board Secretariat's 2008 Public Service Employee Survey, which showed a pretty happy workplace, by the sounds of it. Can you say a bit more about the results of that?

    They are happier, but again there are a couple of caveats. This is in contradistinction to the rather troubled history a while ago, which is well behind us, I think. Secondly, my office and the Office of the Information Commissioner, Mr. Marleau, are one reporting unit, so the answers are for double the reporting of a unit. But the answers have moved up, and 68% of our employees responded to the e-survey. That's very positive, because employees who are indifferent.... We're in the middle of reviewing the data to give you more detailed answers on that, but the participation of employees is seen as a positive trend.

    Last spring we were very proud of the Hill Times report that we were the 11th best place to work, along with the Information Commissioner. That was last June or July. We're in competition with a lot of large departments that can offer people career promotions for the rest of their lives. We try to emphasize that ours is a good place to work, not only because we try to balance work and family but because we try to run programs that ensure the wellness of employees at work.

    Your remarks today are based on the participation rate, rather than specific feedback on the workplace itself.

    That's right.

    Are you doing more analysis of that, and will there be more detail at some point?

    Yes.

    I want to go to the backlog issue again. Were privacy impact assessments part of the backlog? Is there a backlog of those? Is that a separate category of backlog? Do you have a plan to specifically deal with those assessments?

    Yes, that's a separate category of backlog, but I don't think it's as severe a backlog. We're dealing with privacy impact assessments also with organizations that we can phone up and say, “In the meantime, if we can't get to that, here's what you can do.”

    I believe there are about 20 of those assessments, and we have PIAs coming in from the public sector. I believe there are maybe 15 or 20 assessments in that backlog, compared to serving the public, which doesn't have the resources of a government department that should be able to do a lot of these things by itself, that should have the knowledge to do a lot of it by itself. They're two separate things.

    Thank you.

    The chair has a couple of questions that may help.

    Following on the PIAs, a PIA was to be done on a health-related bill on human pathogens and toxins. I think it's about two years old. Has that ever materialized? Is there any follow-up? What happened there?

    Yes. Following the time of the tabling of the bill and the bill going through Parliament, we were in touch with department and agency officials and gave them information on doing a PIA. We referred them to the Treasury Board website, where there's extensive information on doing that. We have not heard back from them. In the meantime, the bill is before the Senate.

    My recommendation was that you should get in touch with the Senate committee to make sure the Privacy Commissioner's office is well represented in those discussions.

    As far as transfers in from other government agencies or departments are concerned, do you have many of those?

    We do. I can't speak to the exact figure, but I think that's a major source of employment, people coming from other government departments or agencies.

    These are temporary transfers, people who are seconded for a little while and go back?

    There are both types. They can change for a permanent job, and some can come for a year or two.

    Yes, I understand. It's not detailed out in the statistics. I assume they're buried in the number of indeterminate employees.

    I'm sorry, the number of determinant and indeterminate employees...?

    You have casuals, term employees, and students, and everybody else is indeterminate. If you have someone who has just transferred in from another agency or department for a short-term secondment or something like that—

    There are only two.

    It's not recorded in the data. There are only two who are temporary transfers in, and I believe we have three temporary transfers out. So we have a net loss of one.

    I'm sure everybody is being paid, but it just adds to the list of turnover.

    Looking quickly at the bar charts, I found this one particularly interesting. A long time ago, somebody told me a story about a judge who was reading off a litany of offences that some person had committed over the years, and the lawyer said, “But your honour, the rate of occurrence is decreasing, so it's good news.” Well, no.

    Where are you right now? Last year, 40% of your staff had less than a year of experience--or 43%, to be a little more precise. We are still in this baby boom exodus, so do you have any idea or ballpark figure as to how many of your staff will likely retire over the next three to five years?

    I did see that figure, because we monitor this closely. It seemed to me that there were to be no more than 10 in the next five years, far fewer than we think.

    One of the interesting things that happened since we had our last major discussion on human resources is that the average age of the office has gone down, because we are trying to reach out for a new demographic in terms of interest in what we do, in terms of knowledge and skills, and also to try to counteract these retirements. So there wasn't a huge number of employees slated for retirement.

    That's encouraging, because the Auditor General has raised this a number of times over the years, that some 25% of the public service will be retiring in this five-year span. I wasn't sure what impact that might have on you.

    Who defined “backlog” as something over a year old?

     We did, perhaps after discussion with your committee, because at one point we had the term “unassigned files” as the definition of backlog.

    That's precisely where I was going. If members are interested, I'm looking at page 5 of the statistical handout, which shows that complaints over a year old represent only 42% of the outstanding files. That means there are 406 files that are not a year old. But are they assigned? I'm interested in the 403, because they are a lot of files we don't know anything about.

    It's really the aging of the thing. I think you're doing a review now of your reporting conventions, or whatever they might be, and I hope this gets standardized, because when I see backlogs of one year on anything—you name the subject matter—my antennas go up, and you have to ask why. I think it has to do with your staff turnover and the fact that your productivity rate can't possibly get up quickly enough. I am a little bit concerned because you have had a fairly high turnover rate in the Privacy Commission. It means that the cost per case has to be extremely high, simply because of the delays.

    I guess my question to you is whether this is way you see it. Do you have a plan to stabilize the turnover that's not due to retirement, so we can have people with a greater level of expertise and who can be more productive and, therefore, process files on a more timely basis?

    Yes, we have what you would call a multi-pronged approach. The issue of hiring and retention has been a major focus of our human resources department. We've been looking into things such as training employees to make sure they know what they have to do, that they're clearly doing a good job and are happy in the workplace. We have been conducting exit interviews to see why employees are leaving, to find out what it would be. Unfortunately, these weren't very, very helpful, because it just seemed they were moving on to a new job opportunity.

    Okay, and that's my next question. Of the people you lost, the 69 out of the 158 of your complement, how many of those went to other Government of Canada departments or agencies? What percentage?

    I couldn't speak to that accurately off the top of my head. I would think almost—

    But you did exit interviews.

    Yes. A majority of them went to other jobs. A very small minority—

     I hope they went to a job. How about transfers, or basically going to another place in the Government of Canada?

    That's my understanding, that a majority did that. A very small minority retired.

    This is not helpful, I think you would agree.

    No, it's not helpful.

    And members would agree it's not helpful when you pass on your problem to somebody else.

    No, we're all competing for the same employees. It's not helpful at all.

    I understand that. We have a problem. We throw money at it, we increase levels, and we start raising salary levels and start attracting people away from other people down the hall. People talk.

    This is a serious, serious problem.

    It is.

    We've seen that in virtually every department I've ever looked at. The Auditor General warned us of that a long time ago, when I was on the government operations committee.

    We need information commissioners, privacy commissioners, and other officers of Parliament to start talking to each other, because within that group they know exactly what's going on. If Canadians ever needed you to speak up about how to get a stable public service.... We need some inspiration as well as your efforts to try to clean up messes.

    This is a very serious problem, and I throw out the challenge to you to communicate with the other officers of Parliament--very esteemed people who are taking care of significant responsibilities. You know each other well, and you could do a great service to Canada by giving us some ideas on how to establish a public service that can grow within departments. There's something wrong here--if it can happen.

    Just to finish this terrible speech, when the Auditor General came up with this, the idea was that people weren't hiring anymore; they were bringing people on contract because they could get the person at the desk quicker than by hiring a full-time person and going through the whole process. So we allowed that to happen.

    I'm afraid we've fixed that problem, but now we have this other problem, and it's just shuffling the decks on the ship. It's just as bad and just as damaging to everybody who's trying to meet targets.

    What do you think?

    It's a challenge to manage in this environment, but I don't quite know what the solution is. I believe the Public Service Commission is looking at this issue. I don't want to comment on what one can do with the present legislation and structures, because I don't think I have enough knowledge on what causes the phenomenon. But I certainly know, as you said, that we suffer from the phenomenon.

    Yes. I think we do.

     I don't have anybody else on the list. Is there someone else? Otherwise we will close off this session and spend the last part of our meeting looking at where we are on the estimates. We'll talk about the estimates in camera, as we did with Mr. Marleau's estimates.

    Is Mr. Marleau here on Wednesday?

    Yes.

    I'd like to see if we can have that in a camera-equipped room and have it televised.

    That's to deal with his quick fixes, right? You understand it's not the estimates.

    Excuse me, Mr. Chair, are we dismissed?

    Yes.

    We'll suspend to deal with the rest of our business.

    [Proceedings continue in camera]