Additional questions and answers on the 2024-25 Main Estimates

Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI)



Q 1: Hikvision technology and surveillance cameras

What are the OPC’s views/analysis of Hikvision cameras and underlying technology? Is your Office analyzing this technology?

Response / Key Messages

  • Following a request from a Member of Parliament, the OPC has initiated a comprehensive technical analysis of select Hikvision video recording equipment to identify any potential privacy and security risks.
  • Procurement of the Hikvision equipment has recently concluded.
  • The OPC is now undertaking the analysis, with an estimated time to completion of approximately eight weeks.

Background

  • Motivation: In December 2023, MP René Villemure requested that the OPC undertake a privacy and security review of video recording equipment (e.g. security cameras, network video recorders, etc.) produced by the China-based company Hikvision, following concerning media reporting about the risks posed by the use of its equipment.
    • An Order Paper Question (Q-2430) was also tabled by Villemure on March 14, 2024 to determine which federal departments had procured surveillance cameras produced by Hikvision and, if so, whether a Privacy Impact Assessment had been conducted.
  • (redacted)
  • Test plan: The OPC has created a detailed test plan which outlines the methodologies to be employed in assessing the privacy and security risks posed by the use of Hikvision technologies.
  • Test subjects: The test plan targets three key components: the Network Video Recorder, network cameras, and companion applications for both desktop and mobile platforms.
  • Testing timelines: We believe it will take about eight weeks to complete the analysis, after which we will report our findings. These timelines could change depending on unforeseen technical challenges that may arise over the course of the analysis.

Prepared by: TA


Q 2: Hikvision technology – PIA and/or consultation

Was your office consulted on the use of Hikvision cameras and/or technology? Did you receive a PIA? Would you have expected to?

Response / Key Messages

  • Our office has not been consulted by any federal department related to the use of Hikvision, nor has it received any PIAs.
  • We have not reached out to the institutions identified as having procured Hikvision cameras, but encourage all institutions conducting potentially privacy invasive activities to proactively consult with our office. The OPC may also reach out proactively.
  • The OPC expects federal departments to adhere to the TBS Policy on Privacy Protection and engage with our Office prior to the deployment of programs or initiatives that could have an impact on privacy. This could be either through a formal consultation or in the context of a PIA review.
  • PIAs are not generally conducted on technological tools, but rather on programs and initiatives. However, the introduction of a new technology to an existing program can represent a significant modification and provide an opportunity for an institution to either conduct a whole of program PIA and assess privacy risks related to existing programs that may not have undergone a previous assessment or to update an existing PIA.

Background

  • The TBS Directive on Privacy Impact Assessment requires PIAs be undertaken for programs or activities that use personal information as part of a decision-making process that directly affects individuals. While departments must send completed PIAs to the OPC and TBS, we do not approve or endorse them.
  • TBS is responsible for monitoring compliance with the Directive. The OPC has the power to review compliance with sections 4 to 8 of the Act and could audit and report to Parliament on departmental PIA processes, but this would be through a separate process.
  • We are in regular contact with ATIP Offices from most institutions, but we can only provide advice and recommendations on the programs about which we are notified and based on the information that we are provided.

Prepared by: GA


Q 3: Order Paper question on the Hybrid Model

Further to the May 3 Order Paper question, was the OPC consulted by TBS on the hybrid workforce model, including on potential risks of privacy and data breaches? Have we received relevant breach notifications?

Response / Key Messages

  • TBS consulted the OPC on a previous version of the privacy guidance related to workplace presence requirements.
  • The OPC recommends that federal institutions consider the least privacy invasive means of enforcing the new directive.
  • We note that the updated guidance emphasizes respecting employee privacy and does not encourage the implementation of proactive monitoring regimes. Institutions that wish to implement any form of proactive monitoring of individual employees are required to complete a Privacy Impact Assessment.
  • While not directly related to the hybrid work model, my Office is investigating a cyberattack at Global Affairs Canada after unauthorized individuals accessed that department’s virtual private network (VPN). While there may have been more, no other privacy breaches were reported to the OPC that could be attributed to risks created by employees working remotely.

Background

  • The OPC provided TBS with recommendations aimed at ensuring that verification of employee presence respects employee privacy. For example, we recommended that the collection of personal information should be limited to what is necessary and that employees should be notified of what personal information may be collected and used for the purpose of verifying their presence at the office.
  • Amongst potentially relevant breaches, the OPC is investigating a breach at Global Affairs Canada. The investigation is ongoing and we cannot yet conclude that the compromised VPN was directly caused by the hybrid work model or remote work.
  • Public sector breach reporting is done pursuant to a TBS directive, not legislation. We have recommended breach reporting be a legislative requirement.

Prepared by: GA/CIRD


Q 4: OPC use of emerging technology

How is the OPC using new and emerging technologies?

Response / Key Messages

  • Given that one of my Office’s key strategic priorities is addressing privacy during a period of rapid technological change, it is important that we establish ourselves as responsible adopters of technology.
  • Rapid technological evolution demands we take a vigilant approach to understand, identify and mitigate risks and to establish best practices in how technology is implemented and used.
  • Analysts in my Technology Lab develop and maintain expertise in this area to allow us to stay current with new and emerging technologies.
  • We also share experiences and expertise with our international partners on issues like artificial intelligence and age verification technology, for example.

Background

  • Some of our current uses of technology include:
    • the development and deployment of a portal for the online submission of Privacy Impact Assessments,
    • an electronic tool to assess the Real Risk of Significant Harm in the context of personal data breaches, and
    • leveraging of the Cloud to better meet our Information Management requirements and obligations.
  • We also plan to update our online complaint form to facilitate individuals’ submission of complaints to the OPC under PIPEDA and the Privacy Act.
  • We are reviewing our website to ensure it is user-focused and allows individuals and businesses to find relevant information for their needs quickly and easily.
  • We have not deployed generative AI but are evaluating the potential use of AI tools.

Prepared by: Corporate


Q 5: Bill C-70 Countering Foreign Interference Act

Was the OPC consulted in the development of C-70? What are our views?

Response / Key Messages

  • Bill C-70, which was tabled on May 6, 2024, addresses the issue of foreign interference in Canada. The Bill is complex and amends many other pieces of legislation; our analysis is underway.
  • I met with the Deputy Minister of Public Safety Canada in December 2023 to discuss the Foreign Influence Transparency Registry (the Registry).
    • Public Safety also consulted with the Government Advisory Directorate on the Registry in January 2024.
  • Public Safety has indicated that a PIA for the Registry is underway; my Office looks forward to reviewing it when completed.
  • I also met with the Director of the Canadian Security Intelligence Service (CSIS) in March 2024 to discuss a wide range of issues, including proposed changes to the CSIS Act.

Background

  • December 2023 - Public Safety presented a high-level overview of the registry and indicated a legislative framework proposal was complete.
    • The conversation primarily centered on the importance of considering necessity and proportionality, and considerations for the proposed Office of the Commissioner of Foreign Influence Transparency, including compliance mechanisms.
  • January 2024 – Discussion with Public Safety focused on personal information collected in investigations of cases of suspected non-compliance. Our advice included:
    1. Implementing measures to ensure personal information is obtained from a reliable source, or to verify or validate the accuracy of the personal information before use;
    2. Being cautious about the use of publicly available personal information to verify claims of non-compliance; and,
    3. Ensuring privacy-sensitive design of the Registry by including measures such as Information Sharing Agreements, technical safeguards and breach protocols.

Prepared by: GA
