Highlights from the Commissioner’s 2021-2022 annual report for public servants
October 5, 2022
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
The Privacy Commissioner of Canada’s annual report to Parliament was tabled on September 29.
In his message, Commissioner Philippe Dufresne describes the vision that will guide his mandate. He notes:
“(A)s Commissioner, I will be promoting and implementing a vision of privacy that recognizes:
- Privacy as a fundamental right;
- Privacy in support of the public interest and Canada’s innovation and competitiveness; and
- Privacy as an accelerator of Canadians’ trust in their institutions and a driver in their participation and contribution towards a robust digital economy.
This vision is based on the reality that Canadians want to be able to fully participate as active and informed digital citizens without having to choose between this participation and their fundamental privacy rights. Canadians should be able to benefit from the public interest and economic advances brought by the new technology with the reassurance that their laws and their institutions are there to appropriately safeguard and protect their personal information. In short, privacy is fundamental, it supports important public and private interests and it builds necessary trust.
Achieving this vision will require strong advocacy, enforcement, protection, promotion and education on an ongoing basis. This cannot be achieved by the Office of the Privacy Commissioner (OPC) alone and we look forward to building strong and effective relationships and to working with the privacy stakeholders and champions in the public and private sectors and with our counterparts in Canada and internationally.”
We encourage federal public servants to read the report and we highlight, below, a couple of issues of note for federal institutions.
Privacy Act breaches
During the last fiscal year, the OPC received 463 reports of breaches, most of which concerned the loss (278) or unauthorized disclosure (132) of personal information.
The majority of the breach reports, 93%, were attributed to human error: email and mailing errors, mishandling of data or records through an inappropriate shortcut or workaround, and lost or misplaced information. This suggests that the institution concerned may have had policies or security procedures in place that were not being followed or enforced.
These types of breaches underscore that it is not enough to have policies and protocols in place to protect information; they also need to be implemented and followed faithfully to be effective. It is key that personal information is properly managed throughout its lifecycle, from collection, to use, to disposal. To this end, employee awareness and engagement are crucial. A moment of distraction can lead to a privacy breach, so employees need to remain vigilant when handling personal information.
We continue to have concerns about under-reporting of cyber-attacks, including malware and phishing attacks, by public sector institutions. In 2021-2022, we received 5 reports, down from 9 the previous year.
Through our breach reviews, we noted an increase in cyberattack breaches that bridge the private and public sectors. Three of the 5 cyberattack breaches reported to our office involved private-sector service providers of federal institutions.
One of our investigations involved a breach of licence plate images taken at border crossings. We invite you to read our Report of Findings for the full story. Here are some of the key takeaways related to personal information and contracting by institutions.
- Privacy obligations apply whether the data is processed by a government organization or a third-party contractor acting on its behalf – in such situations protecting privacy is a shared responsibility.
- This investigation highlights the value of program, contracting and privacy specialists working together to assess if the information being collected in the delivery of programs and services is considered personal information and to develop contracts with appropriate privacy clauses to protect it.
We also investigated a complaint related to disclosures made during a workplace violence investigation and have included some takeaways below. Please read our Report of Findings to learn more.
- Workplace violence and harassment are serious matters for alleged victims, alleged perpetrators, and organizations with important responsibilities for workplace safety. It is therefore critical that the limits on confidentiality, as explained in policies and in communications to individuals, align clearly with when and how disclosures are actually made to carry out valid purposes.
- For a disclosure to be a permissible “consistent use” under the Privacy Act, it must have a sufficiently direct connection to the purpose for which the information was originally obtained, such that an individual would reasonably expect it to be used in that manner.
Want to know more?
You can find information on Responding to privacy breaches on our website.
Expectations: OPC’s Guide to the Privacy Impact Assessment Process will help you effectively manage privacy risks as part of the PIA process. You can also consult the OPC’s Government Advisory Directorate by contacting us at firstname.lastname@example.org.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.