Making an impact – the OPC’s new strategic priorities

Remarks at the ATI and privacy communities meeting (virtual)

January 25, 2024

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Thank you for your kind introduction. Good morning, everyone, I am honoured to be part of this ATI and privacy communities meeting as part of Data Privacy Week activities. A very big thank you to Stephen Burt for the invitation to join you today.

As the bridge between the OPC and program areas in your departments, the ATIP community plays a critically important role.

Being privacy champions in your institutions is not an easy task, but this work, and your collaboration with my Office, are crucial to ensuring that the fundamental right to privacy is protected.

Data Privacy Week highlights the impact that technology is having on our privacy, and underlines the importance of valuing and protecting personal information.

Today, I want to focus my remarks on my new strategic priorities for the OPC that will support our mission to protect and promote privacy rights – and discuss how these priorities relate directly to your work.

Earlier this week, I released a strategic plan that will guide our work over the course of my mandate. It outlines 3 strategic priorities:

• Protecting and promoting privacy with maximum impact;
• Addressing and advocating for privacy in this time of technological change; and
• Championing children’s privacy rights.

These priorities emerged from discussions with a wide range of stakeholders, including privacy leaders in the federal public service, over the first year of my mandate.

The privacy issues and risks that we collectively face as a society, in both the public and private sectors, are vast and, at times, can seem challenging. Indeed, your jobs are ever-more complex in the face of rapid technological change.

I believe that these three priorities are where the OPC can have the greatest impact for Canadians, and that these are also where the greatest risks lie if the issues are not addressed.

When I spoke at this event last year, I talked about the pillars of my vision for privacy: that privacy is a fundamental right; that privacy supports the public interest and Canada’s innovation and competitiveness; and that privacy accelerates Canadians’ trust in their institutions and their participation as digital citizens. The strategic priorities are built on this vision.

I am optimistic that by acting on these priorities together now, and over the coming years, we can make significant progress towards a society where the fundamental right to privacy is appropriately recognized and respected.

We are inviting stakeholders to provide input on the plan to help inform how the priorities are implemented. So, as I speak about the priorities, I ask you to consider this, and invite you to share your thoughts with me today during the Q and A session, or later, in a written submission to my Office.

For each priority, one of the ways that we intend to achieve the stated goal is through engaging with stakeholders and forming strategic partnerships to amplify our message and increase our impact. I see the federal privacy community as a key stakeholder in the enhancement of privacy protection in Canada.

Protecting and promoting privacy with maximum impact

The bedrock for fulfilling our existing mandate in a landscape that is constantly evolving is to strive to maximize our impact in fully and effectively promoting and protecting the fundamental right to privacy.

This first priority emphasizes greater efficiency, adaptability, and preparedness for the OPC. And to maintain our commitment to excellence and innovation, we will continue to strengthen governance and capacity, foster internal communications and collaboration, and nurture partnerships and networks.

Some of the ways that we plan to do this include focusing on updating our approach to governance, risk management, and internal capacity, as well as refining tools and processes to effectively adapt to an evolving mandate. We will continue to influence and help shape federal privacy laws and regulations.

This priority is also relevant to the work that you do.

I said earlier that the ATIP community is the bridge between the OPC and program areas of all federal government organizations. We encourage you to leverage this role to make exchanges between your respective department and my Office more efficient – by consulting us early on initiatives with privacy implications; by undertaking PIAs; by reporting breaches in a timely manner; and by collaborating with our investigators, and by working to implement agreed-upon recommendations.

When you engage with my team and give us a more complete vision of the privacy-impactful developments at your institutions, we can help you to better serve Canadians.

I would like to take a moment here to talk a little about breaches, which also includes ransomware and inappropriate access.

In fiscal 2022-23, approximately 300 breaches were reported to my Office under the Privacy Act – representing a drop by more than a third from the previous year. Unfortunately, we do not believe that this is because there were fewer breaches.

Most of the breach reports we receive come from the same federal institutions every year. But to date, many institutions that are subject to the Privacy Act and handle sensitive personal information have never reported a breach.

One reason that we suspect that breaches might be under-reported is due to uncertainty about whether a breach has resulted in what the law calls a “real risk of significant harm.”

There are several factors that inform this assessment of the risk of significant harm of a breach. To facilitate this analysis, my Office has recently developed a desktop app that will help organizations determine whether it is reasonable to believe that a privacy breach creates a risk of significant harm.

While the app does not replace human judgment, it will provide data to inform that judgment. We plan to launch an external version of the tool later this year.

The strategic plan commits us to refining our tools and processes as a way of maximizing our impact, and this is an example of how our internal modernization may also benefit your work.

Reporting material privacy breaches to both my Office and the Treasury Board Secretariat is a TBS requirement.

Reporting as soon as you are aware of a breach enables your institution to benefit from our expertise in responding to these incidents, as well as mitigating future breaches involving personal information.

Reporting incidents also gives my organization a clearer picture of ongoing and emerging risks that are facing government organizations – which allows us to be better positioned to help all of you prevent them.

While those of you who work in the privacy community are well-versed in the requirement for privacy impact assessments and the utility of the process, it is important to raise awareness about requirements for PIAs and privacy risk analysis beyond the privacy community.

My Office’s Government Advisory Directorate is ready to support you. I encourage you to contact this team to schedule an outreach session or consultation.

It comes down to this: the more you work with my Office, the more effective we can be to support and respond to the context of the federal privacy community. Let us continue to work to strengthen our relationship.

Addressing and advocating for privacy in a time of technological change

The second strategic priority focuses on addressing the privacy impacts of the fast-moving pace of technological advancements, especially in the world of AI and generative AI, which has been at the forefront of the privacy conversation since ChatGPT was launched in November 2022.

We have all seen that data-driven technological advancements can bring both potential benefits and increased risks to privacy.

This priority is relevant to the work that you do because government, like many other sectors, is leveraging technology to find innovative solutions to better serve clients and use resources more efficiently.

This also requires bolstering our collective knowledge and capacity to support the work of the privacy community in a digital era. For example, we will continue to work to establish ourselves as technology adopters so that we can serve as a model for how technology can be leveraged without risking privacy.

By fostering a culture of privacy, encouraging the use of the principles of privacy-by-design and privacy-by-default, and modelling privacy standards, we aim to encourage innovation while protecting the fundamental right to privacy.

In prioritizing this approach, we will be able to better support you when you have questions or face challenges related to privacy and technology.

At the same time, it remains important for you all to keep building a culture of privacy in your departments, that underscores the benefits of privacy-by-design, for example, when you are onboarding new technologies, and designing and modernizing programs and services that involve personal information.

Prioritizing and embedding privacy considerations within government planning, program, and service delivery will be an important factor in maintaining trust and confidence in your programs and services, and best position the Government of Canada for the future as it continues to innovate and modernize.

Canadians will benefit from technology-enabled services with a reassurance that their government is appropriately safeguarding and protecting their personal information.

I note that this is also emphasized in the 2023–2026 Data Strategy for the Federal Public Service, which highlights that “The public service must lead by example in the management, security and use of the data that Canadians entrust to them.

As such, it is essential to build and maintain public trust through transparent data practices and the protection of privacy in accordance with policies and legislation.”

I encourage you to work with my Office to identify and resolve privacy concerns as your department considers adopting generative AI tools – or other new technology or approaches.

In September, the Treasury Board Secretariat released a guide on the use of generative AI within the Government of Canada. The guide emphasizes caution while saying that federal institutions should explore how they could use these tools to support their operations. It outlines risk considerations and mitigation approaches, and encourages organizations to restrict their use to activities where they can manage those risks effectively. I agree with a thorough and cautious approach as organizations explore increased adoption of AI.

The proliferation of generative AI in recent years has created increased concern regarding regulation and legislation. While I strongly believe that Canada’s privacy laws do need to be modernized, our current laws are technology neutral and do apply to the use of AI technologies, and I am committed to their application in this space.

Last spring, I, along with my provincial counterparts, launched a joint investigation into OpenAI, the company that developed and launched ChatGPT, to determine whether its practices comply with Canadian privacy laws.

That investigation is ongoing, and we are continuing to monitor these and other new technologies so that we can anticipate how they may impact privacy, recommend best practices to ensure their compliance with privacy principles, and promote the use of privacy-enhancing technologies.

But I also believe much more is needed to address the unique challenges and opportunities that accompany this technology, so that we may determine how to derive the benefits promised by generative AI while mitigating as many of the potential risks as possible.

Over the past year, I have been working closely with privacy regulators in Canada and around the world to identify ways to promote and protect the fundamental privacy rights of our citizens while at the same time allowing innovation to support the public interest and a strong economy.

We have done so as a privacy community but also in collaboration with industry, business, government, and regulators in other fields such as competition and broadcasting to develop an appropriate regulatory response.

One of those engagements took place last month, when I hosted an international symposium on privacy and generative AI, which included domestic and international data privacy authorities, academics, and experts in the field of generative AI.

The symposium was also the launching pad for a set of principles for the responsible and trustworthy use of generative AI that my Office developed jointly with our provincial and territorial counterparts.

I invite you to read the principles and to follow these developments. They can support your consideration of approaches to new technologies and how they can be integrated in a privacy-protective way.

Another issue related to technology and privacy that I would like to draw your attention to is the growing use of biometrics, such as facial recognition and genetic information. In October, my Office released two draft biometrics guidance documents for consultation, one for each private sector and public organizations.

We are also seeking input to ensure that organizations use these technologies in a privacy-protective way. The consultation period has been extended until February 16.

I welcome during the discussion period to hear if you have any questions related to use of AI and new technologies within your departments.

Championing children’s privacy rights

Championing children’s right to privacy is my third strategic priority for the OPC, and this is relevant to departments that collect, use, and retain sensitive personal information for programs directed at or involving children.

Our focus in this domain may also be of particular interest to those who are addressing technology related risks, including online safety, security, and online harms.

The online world offers young people opportunities for innovation, creativity, and self-expression. However, it also poses unprecedented challenges to the privacy of our youngest citizens. We must uphold the fundamental right to privacy for children so that they can benefit from technology without it having serious impacts on their immediate and longer-term security and wellbeing.

The OPC has been advocating for laws that explicitly acknowledge children’s rights and compel organizations to embed privacy into their products and services by design and as a norm.

Our strategic plan commits us to increase our own knowledge regarding key children’s privacy risks, issues, and gaps, and to seek a better understanding of how and where they consume content and how their personal information is being collected and used.

We will also be working to expand partnerships with organizations across the country and internationally to amplify information, resources, and advice, and to advocate for greater privacy protections in products and services that target children.

Last fall, at our annual meeting of federal, provincial and territorial privacy regulators, my colleagues and I issued a joint resolution calling on organizations in both the private and public sectors to put the best interests of young people first when dealing with that group’s sensitive information.

Federal institutions should consider this group’s vulnerability and specific needs when collecting and managing their personal information, and to take steps to ensure that their privacy is adequately protected.

Some of the ways that you can do that include thinking about young peoples’ best interests and potential immediate and longer-term risk scenarios of the programs and services that your organization delivers. This includes considering the age and maturity level of your users or audience.

When you are collecting personal information, you should be transparent about why you are collecting their information and how it will be managed. For example, write clear privacy statements, using plain language to explain services in a way that anyone will understand.

Last fall, my Office published a Privacy Act Bulletin with key takeaways for federal institutions on how to design and deliver programs with the best interests of the child in mind. You can find the Bulletin and the resolution on our website.

I will quickly draw your attention to another investigation that my Office commenced last year jointly with Québec, Alberta, and British Columbia. It is examining the privacy practices of TikTok, an app that is particularly popular among young people. I expect that our findings will be informative for many organizations that collect and handle children’s sensitive personal information.

Conclusion

In closing, protecting privacy is one of the paramount challenges of our time. My Office is poised to meet this challenge through strong advocacy, collaboration, education, promotion, and enforcement.

My strategic priorities for the OPC further reflect our commitment to building a future where innovation can flourish and where the fundamental privacy rights of Canadians are upheld.

I repeat my invitation to you to read the new strategic plan and provide your valuable input on the best ways to reach these objectives.

Our success as a privacy community will rely on strong commitment, collaboration, and continued capacity building to address the many unique scenarios, challenges, and opportunities of this time, to protect the fundamental right to privacy.

Data Privacy Week is a good time to consider what we do and why. I hope that by sharing my priorities with you today that I have given you some considerations and opportunities in your own roles that may advance your work as well.

Yours is a difficult job. You should feel proud about the important work that you do every day.

Thank you for listening. I believe there is time for questions or comments.