Highlights from the Commissioner’s 2022-2023 annual report for public servants
September 19, 2023
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
The Privacy Commissioner of Canada’s annual report to Parliament for 2022-2023 was tabled on September 19.
In his message, Commissioner Philippe Dufresne identifies his office’s strategic priorities, developed in the first year of his term:
- keeping up with and staying ahead of technological advancements and their impact on privacy, particularly with respect to artificial intelligence (AI) and generative AI;
- protecting children’s privacy so that they can benefit from technology and be active online safely and free from fear that they may be targeted, manipulated, or harmed as a result; and
- preparing for potential law reform should Bill C-27, the Digital Charter Implementation Act, be adopted by Parliament.
The Commissioner notes that the OPC’s latest poll of Canadians suggests that Canadians are concerned about the impact of new technologies on their privacy – 93% have some level of concern about protecting their personal information, and half do not feel that they have enough information to understand the privacy implications of new technologies. Yet they want and need to trust that their privacy rights are being protected so that they can feel confident about participating freely in the digital economy.
Privacy Act investigations
The Annual Report gives a capsule report of a number of investigations. Those summarized in the report include:
- Investigation of the Canada Post Corporation’s collection and use of personal information for the Smartmail Marketing Program
- Investigation into the Canada Border Services Agency’s use of genetic genealogy to try to determine country of origin for the purpose of removing a long-term detainee
- Investigation of a disclosure of personal information by Canada Border Services Agency to the Information Commissioner of Canada in support of a request pursuant to section 6.1 of the Access to Information Act (ATIA), to decline to act on 2 ATIA requests
- Investigation into Transport Canada’s processing of personal information under the iZEV Program, and the Treasury Board Secretariat’s pending approval of the program’s personal information bank
- Investigation of Correctional Service Canada’s collection and disclosure of an individual’s personal information from Facebook related to an employee’s 699-leave
- Investigation of a disclosure of the complainant’s fitness to work report, including intimate personal and sensitive medical information, to their management team within the Immigration and Refugee Board of Canada
- Investigation into a privacy breach at IRCC
- Investigation into a privacy breach at the Treasury Board Secretariat, which found that a proper assessment of harm needs to be holistic, taking into consideration a broad range of material factors, including the recipient(s) of the breached personal information, the sensitivity of the personal information involved, and the probability that the personal information has been, is being, or could be misused.
- Special Report to Parliament: Protecting Privacy in a Pandemic
Privacy Act breaches
In the past fiscal year, the Office received 298 reports of breaches, down from 463 the previous year.
The breaches primarily related to the loss of personal information (44%). Another 33% were related to unauthorized disclosure, the majority of which were caused by employee error – for example, using “CC” instead of “BCC” when sending out a mass email. Unauthorized access was a factor in 22% of the reported breaches, and involved employees accessing information without privileges, misusing privileges, or falling for social engineering ploys.
Takeaway: These kinds of errors demonstrate the need to strengthen the implementation of privacy policies by ensuring that employees who deal with sensitive personal information are properly trained and that technological safeguards are implemented in a timely manner.
As in past years, the OPC continues to receive most of the reports from the same federal institutions, with the number of breaches reported by the public sector fluctuating year to year. Our Office remains concerned about under-reporting, as many of the government institutions subject to the Privacy Act that handle sensitive personal information have never reported a breach to us. Equally concerning is the likelihood that individuals whose personal information has been compromised have not been notified and are, therefore, unable to take timely measures to reduce potential further harms, such as changing passwords, being aware of possible email scams, etc.
Only 1 reported public-sector breach involved a cyber-attack – compared with 278 cyber-breaches reported in the private sector. In light of the Communications Security Establishment reporting that it blocks billions of cyber attempts per day against Government of Canada networks, the OPC continues to be concerned that cyber-attacks, including malware and phishing attacks, are being under-reported by public institutions.
Takeaway: It is important to be alert to the possibility of cyber-attacks, to protect against them and to report them promptly to affected individuals as well as the OPC, which has the expertise to help federal institutions deal with the issue.
The OPC continues to receive a high volume of PIAs and consultation requests from federal institutions, with 180 PIAs and consultation requests received this past year.
Want to know more?
You can find information on Responding to privacy breaches on our website.
Expectations: OPC’s Guide to the Privacy Impact Assessment Process will help you effectively manage privacy risks as part of the PIA process. You can also consult the OPC’s Government Advisory Directorate by contacting us at email@example.com.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.