Main Estimates Issue Sheets

OPC Budget Resources

Key Messages

  • As an Agent of Parliament, the OPC is funded to work independently of government to protect and promote privacy rights. This ensures Canadians have an advocate for privacy rights and an independent voice on privacy issues, a key value of democratic societies.
  • The OPC has received $30.2M in fiscal year 2021-22 including $500K for its Contribution Program to achieve those objectives.
  • With this funding, the OPC works to protect and promote privacy rights by: investigating complaints, taking action in court, advising government on privacy risks, and promoting public awareness.
  • The OPC’s resource allocation reflects our efforts in recent years to become more forward-looking, by shifting the balance of our activities towards greater proactive efforts.

Background

Main Estimates: The table below shows planned spending and planned full-time equivalents (FTEs) for each core responsibility in the OPC’s departmental results framework and for Internal Services. The OPC’s Main Estimates for 2021-22 of $30.2M break down as follows:

  • Personnel expenditures including EBP = $24.6M (or 81%)
  • Operating expenditures = $5.1M (or 17%)
  • Contributions program = $0.5M (or 2%)

The allocation of the $30.2M by program is:

Program                       $M      FTE
Promotion Program             11.46    79
Compliance Program            10.80    79
Internal Services              7.97    54
TOTAL REFERENCE LEVELS/ME     30.23   212

Core funding: The OPC received $30.2M in fiscal year 2021-22 including $500K for its Contribution Program. Of this amount, $27.1M requires approval by Parliament. The remaining $3.1M represents statutory forecasts for employee benefits that do not require additional approval and are provided for information purposes.

Prepared by: Corporate Services


Resource Allocation

Key Messages

  • The OPC’s resource allocation reflects our efforts in recent years to become more forward-looking, by shifting the balance of our activities towards greater proactive efforts.
  • Our objective is to have a broader and more positive impact on the privacy rights of a greater number of Canadians, which is not always possible when focusing a large part of our attention on the investigation of individual complaints.
  • Funds were almost equally allocated between the promotion and compliance programs to balance the need to be proactive with the need to enforce compliance.

Background

The OPC’s Main Estimates for 2021-22 of $30.2M are as follows:

  • Personnel expenditures including EBP = $24.6M (or 81%)
  • Operating expenditures = $5.1M (or 17%)
  • Contributions program = $0.5M (or 2%)

The allocation of the $29.7M by program is:

Program                       $M      FTE
Promotion Program             11.46    79
Compliance Program            10.80    79
Internal Services              7.97    54
TOTAL REFERENCE LEVELS/ME     30.23   212

Breakdown of Budget 2019 funding allocation:

Program                                              2021-22 $M
Compliance Program                                   0.68
Promotion Program                                    1.97
Internal Services                                    0.53
Centrally withheld funds (EBP and Accommodations)    0.82
Total funding                                        4.00

Prepared by: Corporate Services


Results of Additional Funding (Budget 2019)

Key Messages

  • The OPC received a 15% (or $4M) permanent funding increase and an additional $1.1M in temporary funding for two years (2019-20 & 2020-21) to improve delivery of its mandated obligations within the current legislative framework.
  • These new resources have helped us bridge the gap between our capacity and delivering what Canadians need to protect their privacy. However, a very significant gap remains.
  • Despite our best efforts and the infusion of resources, a large number of privacy issues are still covered by outdated guidance or by no guidance at all, and only a small percentage of the breaches reported to our Office are subjected to a thorough review.

Background

Allocation of funding received for delivering the Budget 2019 measure:

Program                                              2020-21 ($M)   2021-22 ($M)
Compliance Program                                   $1.46          $0.68
Promotion Program                                    $2.06          $1.97
Internal Services                                    $0.53          $0.53
Centrally withheld funds (EBP and Accommodations)    $1.05          $0.82
Total funding                                        $5.10          $4.00

Funds were used to enhance our capacity to:

  • Reduce our backlog of complaints older than 12 months
    • Achieved 91% in March 2021 (target is 90%)
  • Improve investigation timeliness
    • Closed approximately 51% of our complaints within our service standards in 2020-21, and 61% in 2019-20 (target is 75%); closing older files affects this result
  • Increase the proportion of breach reports more thoroughly reviewed by our Office
    • 4% for PA and PIPEDA breaches (target is 15% for PA and 40% for PIPEDA)
  • Inform Canadians of privacy issues, their rights and how to exercise them, and guide organizations on how to meet their privacy obligations
    • Issued 5 pieces of guidance on our list of 30 key privacy issues
    • Updated 30 guidance documents
  • Produce 29 additional guidance documents of various forms (blogs, videos) to respond to an emerging need (e.g. guidance on privacy and the COVID-19 outbreak)
  • Support our work with industry proactively in an advisory capacity
    • We initiated 32 consultations and 93 engagements since April 2019

Prepared by: Corporate Services In Consultation With: PRPA


Sufficiency of C-11 Additional Funding (2021)

Key Messages

  • The 2020 Fall Economic Statement set aside $62M over 5 years and $18M ongoing, for the implementation of the Consumer Privacy Protection Act. The OPC will receive a portion of these funds.
  • In a letter to this Committee in May 2018, I indicated that a budget increase of $23M annually may be required to have a true impact in protecting Canadians’ privacy rights under PIPEDA.
  • Considering that the CPPA introduces a number of new responsibilities for the Office and little flexibility to manage our priorities and workload, we expect the funds that have been set aside will be insufficient for the Office to adequately implement its new responsibilities, as currently proposed in C-11.

Background

  • You wrote to ETHI on May 29, 2018 to provide additional information on the 2018-19 Main Estimates. In your letter you noted that, in order to have a true impact in protecting Canadians’ privacy rights, the Office would require a budget increase of $23M (90%) annually. This is comparable to what had recently been granted by the UK government and Parliament to the Information Commissioner’s Office.
  • The OPC ended up receiving $4M in ongoing funding as part of Budget 2019.
  • The 2020 Fall Economic Update allocated the following total funding under the CPPA for the OPC to “support the implementation and enforcement of private sector legislation”:
    Fiscal year   2020-21   2021-22   2022-23   2023-24   2024-25   2025-26
    Funding       0         9M        16M       19M       18M       18M

Prepared by: Corporate Services


People Management

Key Messages

  • We continue to invest in our people management strategies to make sure we have the right people doing the right job to be successful as an organization.
  • We are working to ensure that we maintain and enhance our capacity to deliver services to Canadians in both official languages, setting high standards for bilingualism within the organization.
  • Investing in our employees and supporting them through these uncertain times is a priority for the coming year.

Background

  • Human Resources Strategic Plan: In April 2020, the Human Resources Strategic Plan 2020-23 was launched, which outlines the actions the OPC will take to remain an employer of choice that attracts and retains the skills, inclusiveness and diversity needed.
    • Our priorities for the first year focused on competency profiles, a developmental program, review of the staffing framework, strategies to maintain functional bilingualism, ways to recruit and retain employees from Employment Equity Groups and diversity and mental health awareness.
    • In 2021-22, we will implement the second year of our HR Plan to ensure that the OPC has an agile and diversified workforce.
  • People Management Government of Canada-wide Initiatives: In 2021-22, the OPC will actively respond to the Clerk of the Privy Council’s Call to Action on anti-racism, equity, and inclusion in the Federal Public Service, and will also reinforce its commitment to reducing linguistic insecurity at work following the OCOL’s report.
  • Official Languages: In 2020-21, the OPC continued to invest in the Linguistic Training Program to maintain standards of excellence while supporting career development of employees. Also, the OPC exercised its leadership in managing the pandemic response in both official languages and supporting employees ensuring their OL rights were upheld.

Prepared by: Corporate Services


Impact of COVID-19 on OPC

Key Messages

  • Our Office responded quickly and effectively to the challenge brought on by the pandemic by shifting almost all staff to remote work as they maintained operations.
  • We’ve kept our IT system running smoothly so that we can continue to offer our services to Canadians.
  • We have seen a considerable increase in our interactions with public sector and government institutions as they seek our advice on the privacy implications of initiatives related to the pandemic.
  • The ongoing pandemic will require that the OPC continue to operate in a remote work environment for some time but we are also reflecting on, and preparing for what the working environment will be like in a post-pandemic context.

Background

  • Telework guidelines: OPC released guidelines in February 2020 which enabled the OPC to switch easily to working remotely when the pandemic hit.
  • Effective communications: given communication is key during these uncertain times, we have frequently communicated with employees in both official languages simultaneously, and had constructive discussions with management and Audit Committee members. We maintain an open communication channel with Employee representatives (e.g. OHS members and Unions) with positive feedback.
  • Workplace protocol: In response to the COVID-19 pandemic, we implemented a workplace protocol, developed in accordance with guidance provided by the PHAC and central agencies, to ensure the continued health and safety of staff and visitors.
  • COVID-19 Response – Expenditures: In response to the COVID-19 pandemic, we have reported $2.7M in expenditures related to focused efforts from staff to address privacy issues and from staff to address corporate matters related to COVID-19.
  • Return to the Office: The OPC continues discussions with many partners such as public health authorities and central agencies in the management of the pandemic and a safe return to the Office. We are preparing ground work and have consulted with employees to envision what the workplace of the future might look like.

Prepared by: Corporate Services


Finding Efficiencies

Key Messages

  • In recent years, we’ve undertaken a number of important initiatives to ensure our limited resources and activities are optimally used to deliver results for Canadians.
  • These included restructuring the OPC, introducing the Departmental Results Framework in 2018-19 and using our powers more strategically.
  • We continually look for ways to leverage technology to deliver services to Canadians and increase the efficiency of our operations.

Background

  • Results focus: We introduced our Office’s new Departmental Results Framework in 2018-19, redefining our desired outcomes and how we measure results achieved. We shifted our approach to privacy protection, putting greater emphasis on citizen empowerment and proactively and constructively engaging with public and private sector organizations.
  • Use of powers: We made strategic use of our formal powers, including our powers to conduct Commissioner-initiated investigations, which allow us to achieve better protection of Canadians’ privacy rights within the current legislative framework.
  • Restructuring: We did a full review of our organizational structure to ensure our limited resources and our activities are optimally aligned to deliver results for Canadians. We also developed a business intelligence capacity.
  • Digital transformation: We continued the implementation of our digital strategy, including leveraging cloud services where possible and enabling teleworking.

Prepared by: Corporate Services


Departmental Results Framework (DRF) Results

Key Messages

  • We recently completed our third year of measuring our achievements against our Departmental Results Framework. Results for 2020-21 will be available upon the publication of our 2020-21 Departmental Results Report later this year.
  • We have deliberately set the bar high. Our objectives are ambitious as we feel we must be bold in our aspirations given the interests at stake for Canadians.
  • We have made progress overall, but despite best effort, and the infusion of resources, the Office cannot meet all of its targets.

Background

  • OPC DRF: details what the OPC does, what results we are trying to achieve for Canadians, and how we assess progress and measure success. The most recent results publicly available are for 2019-20 (Full DRF in Annex):
    • Exceeded 3 targets: Percentage of Canadians who read OPC information and find it useful 71% (target 70%); percentage of OPC recommendations on privacy-relevant bills and studies that have been adopted 68% (target 60%); percentage of federal and private sector organizations that find OPC’s advice and guidance to be useful in reaching compliance 71% (target 70%).
    • Met 1 target: Percentage of private sector organizations that have good or excellent knowledge of their privacy obligations 85% (target 85%).
    • Missed 2 targets: Percentage of complaints responded to within service standards 61% (target 75%); percentage of formal OPC recommendations implemented by departments and organizations 80% (target 85%).
    • Made little progress on 2 targets set for 2021: Percentage of key privacy issues that are the subject of information to Canadians on how to exercise their privacy rights 27% (target 90%); percentage of key privacy issues that are the subject of guidance to organizations on how to comply with their privacy responsibilities 27% (target 90%).
  • Program-level results are published and available on GCInfobase. Note that many of the program-level indicators did not have specific targets prior to 2020-21. Since many of the indicators were new, the OPC needed baseline data from 2018-19 and 2019-20 to set targets. (Summary in Annex)

Prepared by: Corporate Services


Compliance Backlog

Key Messages

  • We received temporary funding in 2019 to help us reduce our investigative backlog of complaints older than a year. We surpassed the target we set in 2019 and reduced the overall backlog of complaints older than 12 months by 91%.
  • The results we were able to achieve when entrusted with extra funds, notwithstanding the disruption of the global pandemic, speak for themselves.
  • Notwithstanding this success, absent the discretion to investigate matters, backlog pressures will persist. This is not sufficiently addressed by C-11.

Background

  • Backlog Progress
    Fiscal Year   Backlogged cases under PA   Backlogged cases under PIPEDA   Total backlogged cases   Reduction from 2018/19 (%)
    2018/19       260                         64                              324                      -
    2019/20       115                         52                              167                      48%
    2020/21        15                         14                               29                      91%
  • We reduced the backlog of complaints by implementing measures including:
    • Enhancing procedural efficiencies, notably at the front-end of the complaint handling process, such as the launch of an enhanced online complaint form that streamlined and automated processes for receiving and triaging complaints.
    • A temporary increase to our Office’s resources in the 2019 federal budget. We hired contracted staff and redistributed files, which increased capacity and allowed us to focus on aging files and those at risk of becoming backlogged.
    • Issuing deemed refusal findings where departments fail to respond to access requests, empowering complainants to pursue matters through Federal Court.

Prepared by: Compliance


Breach Statistics and Trends

Key Messages

  • Combined, the federal public and private sectors submitted over 1,000 privacy breach reports last year (with PIPEDA breaches accounting for 74% of the total).
  • Timeliness is an ongoing challenge, with approximately 40% of private sector reports submitted 3 months or more after a breach occurred. This, and other trends we’ve noted, has informed our analysis of law reform.
  • We have advocated for many years that privacy breach reporting be made mandatory under the Privacy Act to help combat systemic under-reporting in the federal public sector, which continues to be an issue. We are pleased to see this as part of Justice’s proposals for Privacy Act modernization.
  • Breach reports are important tools: they allow my Office to ensure that appropriate mitigating measures to protect Canadians are applied following a breach, and are a valuable source of business intelligence.
  • We have and continue to investigate major privacy breaches, such as Desjardins, Capital One, and GCKey.

Background

  • PA and PIPEDA breaches reported 2015-16 to 2020-21
    FY        PIPEDA   PA
    2020-21   795      280
    2019-20   678      341
    2018-19   315      155
    2017-18   116      286
    2016-17    95      147
    2015-16   115      298

Prepared by: Compliance


Enforcement Collaboration

Key Messages

  • In an increasingly digitized world, the challenge of protecting privacy as personal information flows across borders stands as an elevated common goal of many data protection authorities.
  • Our office is a leader in international and domestic enforcement collaboration, playing a key role in fora such as the Global Privacy Assembly, the Global Privacy Enforcement Network, and the Asia Pacific Privacy Authorities network.
  • On the domestic front, our Office has been involved in more collaborative investigations than at any point in OPC history, with the investigations of Desjardins, Clearview, and Tim Hortons just to name a few.

Background

  • GPA: We are co-chairs of two working groups: (i) the Digital Citizen and Consumer Working Group, which advocates for greater cross-regulatory cooperation concerning the intersections between the privacy, consumer protection, and competition regulatory spheres; and (ii) the International Enforcement Working Group, which focuses on enforcement collaboration.
  • GPEN: We sit on the Executive Committee and introduced its annual Global Privacy Sweep, now in its 8th year.
  • APPA: Active membership; we develop partnerships, discuss best practices, and share information on emerging technologies and changes to privacy regulation.
  • DECF: We chair the Domestic Enforcement Collaboration Forum, which facilitates collaboration between our office and authorities for AB, BC and QC.
  • Enforcement examples: We investigated the Desjardins’ privacy breach alongside our counterparts in Quebec. Our investigation into Cadillac Fairview was carried out jointly with Alberta and British Columbia. Our joint investigation into Clearview AI was our first involving all three provinces with private-sector privacy legislation: Alberta, British Columbia, and Quebec. Our investigation of Facebook and AggregateIQ was also conducted jointly with BC.

Prepared by: Compliance


Privacy Act - Ongoing Investigations

Key Messages

  • CRA and GCKEY Breaches: We launched investigations after TBS publicly disclosed credential stuffing attacks earlier this year against both the GCKey service, used by approximately 30 federal institutions across the government, and CRA accounts.
  • WE Charity / ESDC: We received complaints against WE Charity and ESDC related to personal information collected for the Canada Student Service Grant and are investigating the complaints.
  • Clearview AI and RCMP: We are pleased that Clearview AI has, in response to our joint investigation, ceased offering its facial recognition services to the Canadian market. This step includes the indefinite suspension of Clearview AI’s contract with the RCMP, which was its last remaining client in Canada.

Background

  • CRA and GCKEY Breaches: As these are active investigations, no additional details are available at this time.
  • WE Charity / Employment and Social Development Canada: We are investigating complaints received against ESDC under the Privacy Act and WE Charity under PIPEDA.
  • Clearview AI and RCMP: Our investigation of the RCMP’s use of Clearview AI’s facial recognition technology under the Privacy Act is nearing completion.

Prepared by: Compliance


PIPEDA Ongoing Investigations

Key Messages

  • Tim Hortons: Alongside privacy commissioners in Quebec, BC and Alberta, we launched a joint investigation into Tim Hortons’ mobile ordering app after media reports noted the app may be collecting and using data about people’s location and daily movements.
  • Capital One: We opened an investigation into a data breach at Capital One after receiving complaints from Canadian customers. Capital One notified OPC about the breach affecting 6M Canadians whose personal information — including, in some cases, Social Insurance Numbers — had been accessed without authorization.
  • WE Charity / Employment and Social Development Canada: We received complaints against WE Charity and ESDC related to personal information collected for the Canada Student Service Grant and are investigating the complaints.

Background

  • Tim Hortons: As this is an active investigation, no additional details are available at this time.
  • Capital One: As this is an active investigation, no additional details are available at this time.
  • WE Charity / Employment and Social Development Canada: We are investigating complaints received against ESDC under the Privacy Act and WE Charity under PIPEDA.

Prepared by: Compliance


Guidance Development

Key Messages

  • The 15% permanent funding increase in 2019 has allowed the OPC to expand its capacity to protect the privacy of Canadians in the face of the exponential growth of the digital economy.
  • In 2020-2021, we completed the following guidance: advice for individuals on privacy breach notifications; an extensive update to our guidance to federal institutions on PIAs; pandemic-specific guidance; and guidance for manufacturers of IoT devices.
  • We continue to focus on developing guidance on key privacy issues, and this year intend to publish guidance on biometrics as well as on the use of facial recognition by law enforcement jointly with our provincial and territorial partners.

Background

  • Guidance released in 2019-2020 fiscal year:
    • Privacy and the COVID-19 outbreak: Guidance on applicable federal privacy laws (March 2020)
    • Expectations: OPC’s Guide to the Privacy Impact Assessment Process (March 2020)
    • Guidance for businesses doing e-marketing (January 2020)
    • Joint guidance with the Chief Electoral Officer for political parties on protecting the personal information of Canadians (April 2019)
    • Receiving a privacy breach notification (September 2019)
  • Status of key pieces of guidance:
    • We are currently working on guidance on Biometrics for both the public and private sectors. Other guidance in progress but delayed due to C-11 includes guidance on Financial Technologies (FinTech), In-Store Tracking, connected cars and for developers of Educational Apps for K-12 schools.
    • We will also be consulting publicly on our joint guidance on the use of Facial Recognition by Law Enforcement Agencies in collaboration with our provincial and territorial counterparts, and expect to publish a draft this Spring.

Prepared by: PRPA


Parliamentary Affairs

Key Messages

  • We are called on frequently to provide privacy expertise to Parliamentary Committees and individual MPs.
  • Because of COVID, the last Parliamentary year was an unusual one, resulting in far fewer appearances than the norm.
  • In fiscal year 2020-2021, we:
    • Appeared three times before standing committees, one of them at the National Assembly of Quebec;
    • Monitored and reviewed seventeen bills and parliamentary studies;
    • Responded to twelve individual requests from MPs.

Background

  • Key appearances in 2020-2021:
    • PROC Committee: Parliamentary Duties and the COVID-19 Pandemic (issue of Internet safety), April 29, 2020;
    • INDU Committee: Canadian Response to the COVID-19 Pandemic (issue of contact tracing), May 29, 2020;
    • Quebec National Assembly, Committee on Institutions: Bill 64, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, September 24, 2020.
  • Privacy issues brought to our attention by the Parliamentarians over the last fiscal year:
    • Potential privacy law reforms (Bills C-11 and 64 in Quebec), internet safety, contact tracing, open banking and identity theft.

Prepared by: PRPA


International (General)

Key Messages

  • Working collaboratively with other regulators helps to better protect Canadians in a borderless world.
  • Stronger global privacy rights, and partnerships with international privacy enforcement authorities, help ensure Canadians’ personal information remains protected when it is sent outside of Canada’s borders for processing.
  • Our office has long been cooperating with international counterparts to leverage resources, develop common policy positions, share best practices, and more effectively enforce privacy laws, in Canada and abroad.
  • We achieve this by taking part in international working groups, adopting joint resolutions, issuing joint statements and through enforcement collaboration with our counterparts.

Background

GPA:

  • Chair of Policy Strategy Working Group Three (Privacy and Other Rights and Freedoms) – focusing on developing a narrative about privacy and human rights
  • Co-chair of the Digital Citizens and Consumers Working Group (DCCWG)
  • Co-chair of the International Enforcement Cooperation Working Group (IEWG)
  • Member of other GPA working groups such as: Ethics and AI, Digital Education, the Future of the Conference, Metrics, Covid-19 and Facial Recognition.
  • Co-sponsor of 2020 resolutions on greater accountability in the development and use of facial recognition technology, AI, and privacy challenges arising from COVID-19.

Other regulator networks: 1) Asia Pacific Privacy Authorities (APPA) Forum; 2) Association francophone des autorités de protection des données personnelles (AFAPDP); 3) Common Thread Network (CTN); 4) Berlin Working Group.

Participation in International Government fora: 1) OECD Working Party on Data Governance and Privacy in the Digital Economy (DGP); 2) APEC Data Privacy Subgroup (DPS).

Prepared by: PRPA


Contributions Program

Key Messages

  • The Program funds independent research and knowledge translation initiatives to cultivate expertise and understanding on a broad range of privacy issues related to PIPEDA.
  • These projects generate new information and understanding to help organizations better safeguard personal information and assist Canadians in protecting their privacy. Last year most of the funded projects related to AI. For instance, one project (by the CSA Group) looked at the implications of AI on the privacy rights of children, and another (by UQAM) examined the responsible development of machine learning from a privacy perspective.
  • The Program was created in 2004 and since then it has allocated approximately $7 million to some 160 projects.
  • Last year 11 projects out of 43 proposals were selected for funding; this year’s recipients will be announced shortly.

Background

  • Program Focus: Funded projects help advance the Office’s privacy priorities, which focus mainly on responding to Canadians’ concerns about privacy. All projects must be PIPEDA focussed, as the Program derives its existence from that Act.
  • Funding: All projects are evaluated on the basis of merit by OPC subject matter experts and occasionally, when required to validate our assessments, by external peer reviewers. The annual budget for the Program is $500,000. Most years up to $50K is allocated per project and a maximum of $100K per recipient organization.
  • Program terms: The Terms and Conditions of the Program were renewed by the Minister of Justice in 2020-21 for five years. The full list of projects that have received funding can be seen on the OPC website, as well as summaries of all completed projects funded over the years.

Prepared by: PRPA


Government Advisory - Statistics and Trends

Key Messages

  • The Government Advisory (GA) Directorate was established to increase consultations with institutions and provide proactive advice to help mitigate privacy risks associated with government programs and activities through early and frequent engagement.
  • Institutions have been very receptive; we were consulted 109 times in 2020-21, compared to 66 times in 2019-20 and 48 in 2018-19.
  • This indicates institutions find value when they engage with GA and underlines the need for privacy expertise which may be lacking at the institutional level.
  • Over the past year, we prioritized efforts to support activities in response to the COVID-19 pandemic. This included our review of the COVID Alert App, and advisory consultations on telemedicine and temperature scanning, among many others. In particular, Health Canada, PHAC and ESDC have relied heavily on GA for advice on COVID files during the pandemic.
  • Institutions consult GA for advice on complex and technically challenging files within short timelines in all areas, including law enforcement and public safety.

Background

  • Advisory Consultation Statistics: In FY 2020-21, we opened 109 new consultation files, including 28 for programs and activities related to COVID-19.
  • PIAs: In 2020-21 we received both PIAs and Privacy Compliance Evaluations (PCEs), a less rigorous assessment allowed by TBS interim policy for urgent, COVID related initiatives. We received 81 assessments in total: 65 full PIAs, and 16 PCEs.
  • Notifications: GA received 491 notifications of disclosures of personal information in the public interest, or in circumstances that benefited the individual, compared to 611 in FY 2019-20. This is a slight decrease, but continues the trend we’ve seen of large numbers of public interest disclosures over the past few years.

Prepared by: Government Advisory


Government Advisory – Key Activities

Key Messages

  • The Government Advisory (GA) Directorate provides advice and recommendations to institutions through reviews of PIAs, ISAs, and increasingly, by even earlier consultations with federal bodies as initiatives are conceptualized and developed.
    • Files are complex, varied, and increasingly involve emerging technologies and links with the private sector
  • GA also regularly consults with TBS on development of government-wide policies, directives, and standards.

Background

  • COVID-19 Alert App: consulted with Health Canada during App development to ensure privacy risks were addressed. Work is ongoing as the app is updated.
  • RCMP Remotely Piloted Aircraft Systems (Drones): advised on RCMP training for use of drones to ensure necessity, proportionality and minimal intrusiveness and to ensure accountability for any PI collected. The RCMP updated their policies based on our advice. Our work is ongoing.
  • RCMP National DNA Databank: is being modified to allow family members to voluntarily contribute DNA to help find missing persons and identify human remains. On our advice, the RCMP revised voluntary donor consent forms for clarity, and included privacy protections in agreements for sharing DNA profiles and other sensitive PI with foreign jurisdictions.
  • Canadian Framework for Collaborative Police Response on Sexual Violence: On our recommendation, the Canadian Association of Chiefs of Police included provisions for reporting privacy breaches to the confidentiality agreements signed by members of the sexual violence case review committees.
  • VidCruiter: with the increased use of digital remote interviewing platforms for staffing, we made several privacy-specific recommendations to Justice, the Canadian Space Agency, HC, DFO, Infrastructure Canada and ESDC, to protect privacy.

Prepared by: Government Advisory


Business Advisory Directorate

Key Messages

  • The Business Advisory Directorate engages proactively with companies to assist in their assessment of the privacy implications of their work, and to consider how new technologies and business models impact privacy before they are deployed in the marketplace.
  • Addressing privacy issues upfront helps mitigate privacy risks, avoid compliance issues, and provide regulatory predictability.
  • 70% of the organizations engaged over the last year were SMEs. Most businesses using our advisory services were developing data and technology-intensive initiatives.
  • Our engagement with SMEs is critical given many do not have the resources to consider privacy issues proactively.

Background

Outreach: Despite COVID-related disruptions, BA carried out its existing consultations, initiated 13 new advisory engagements, and conducted 33 virtual events, including exhibits, presentations, stakeholder meetings and dedicated advisory sessions for start/scale-ups under an innovative outreach initiative:

  • Privacy Clinic – an innovative engagement platform created to provide privacy advice to SMEs. In 2020-21, BA hosted a Privacy Clinic in collaboration with an Innovation Hub in Waterloo, Ontario, and provided privacy advice to 7 scale-up organizations.
  • ORSMEN – in 2020-21 BA continued its long-standing partnership with the Ontario Region SME Network to reach out to SMEs and provide helpful privacy guidance.

Key Consultations:

  • MILA COVID app: some measures adopted after our consultation included: using personal information for the narrowly defined, limited purpose of alleviating the public health crisis; limiting the use of the application over time, that is until the pandemic recedes; only sharing aggregated, de-identified data with government, if adopted.
  • HealthTech org: BA made 24 recommendations to a Canadian company with a cutting-edge product which voluntarily sought advice for the next-generation design.
  • Temperature checks: In response to a retailer’s proposal to introduce temperature checks at their establishments in order to minimize spread of COVID-19, BA provided advice on proposed design and implementation.

Prepared by: Business Advisory


Communications Statistics and Trends

Key Messages

  • The Communications Directorate supports the Office’s efforts to promote public awareness and understanding of privacy issues by implementing multi-year strategies to raise awareness of privacy rights among individuals, and of obligations among public servants and businesses.
  • Some of our activities include public opinion polling, media relations, developing publications, videos and infographics, attending events, and publishing content on our website and through social media.
  • We also reach vulnerable groups such as seniors and youth. For example, we developed a graphic novel for youth, our most popular publication, which was translated by organizations in Mexico, Italy and Switzerland. We also run campaigns in libraries and have spoken with seniors groups about privacy protection.

Background

Key stats: In 2020-21, we gave 35 speeches/presentations, published 33 news releases and announcements, and distributed 1,452 publications. There were 2.5 million website visits, including over 26,000 blog visits, and we answered 300 media requests.

Information Centre:

  • Number of requests: Last year we received 7090 information requests, and cannot keep up with demand for information and advice on privacy rights and obligations.
  • Types of requests:
    • The majority of requests are from individuals on issues such as whether organizations are over-collecting information or using it without consent; individuals also express concern about breaches.
    • 8% of requests are from private-sector organizations on topics such as COVID screening measures, inter-border transfer of personal information, safeguarding personal information and breach notification requirements.

Biannual Survey of Businesses Results: Our biannual survey of businesses showed larger companies are more likely to have policies/procedures in place to assess privacy risks. Other results pointed to the need for more attention to privacy.

Prepared by: Communications


Technology Analysis Directorate (TAD)

Key Messages

  • TAD supports the OPC’s work to assess the privacy impacts of technology, helping us to ensure that Canadians can enjoy the benefits of digital technologies safely.
  • Recent work of this group has included assessments of emerging global contact tracing technologies, the COVID Alert App, and support toward the Cadillac Fairview and Desjardins investigations.
  • To improve our capacity, TAD is working on an expansion and modernization of our technology laboratory.

Background

  • Analytical requests: From April 2020 to March 2021, 159 requests for support were opened or filed with TAD.
    • Forty-five percent (45%) of requests came from Policy and Promotion
    • Forty-six percent (46%) came from Compliance
    • Nine percent (9%) allocated to other technical internal support activities
    • Sixty-seven percent (67%) of those requests were completed and closed; the remainder remain active files and are still being supported.
  • Expansion and modernization of the technology laboratory: Expansion and modernization of our technology laboratory will better support the activities of the two program areas – Compliance (including CASL activities) and Policy & Promotion.
    • New capacity will promote appropriate protections, support investigative activities, research development, and the promotion of general information and guidance.
  • Innovative Solutions Canada program: TAD recently entered a formal partnership with ISED, under the Innovative Solutions Canada program, and tested an AI-powered software platform that offers novel ways to empower care for people who have an intellectual or developmental disability (I/DD), including autism.
    • The Innovation is a convenient tool for each member of a care team that supports a person with I/DD - including parents, educators, therapists, direct support professionals, and care managers – to share information, engage with each other, develop personalized interventions, and improve long-term outcomes. The components of the Innovation are a mobile app, a wearable device and the supporting Python-based backend environment.

Prepared by: TAD


Privacy Act Reform

Key Messages

  • We are pleased to see that the law reform process appears to be truly underway with Justice’s recent public consultation on the modernization of the Privacy Act.
  • A number of Justice’s proposals on Privacy Act reform would bring positive changes to the law to deal with the privacy risks posed by emerging technologies, particularly the inclusion of rights-based language in a revised preamble.
  • It also includes enhanced obligations for privacy-by-design and PIAs, and meaningful oversight measures like proactive audit powers, a guidance role for OPC, and simple and effective order-making powers (though limited in scope). These are all necessary mechanisms to promote and enforce compliance.
  • In our submission, we propose some modifications to enhance the collection threshold, and the framework for publicly available personal information, and recommend that key elements for regulating AI be included in a modernized Privacy Act.

Background

  • Framework for “Publicly Available” Personal Information: We propose the definition could be enhanced by explicitly stating that publicly available personal information does not include information in respect of which an individual has a reasonable expectation of privacy.
  • Artificial Intelligence: We recommend the Act include a definition of automated decision-making, as well as a right to meaningful explanation and human intervention related to its use, a standard established for the level of explanation required, and obligations for logging and tracing.
  • Collection Threshold: We believe the collection standard of “reasonably required” generally strikes the right balance, but have proposed key modifications to add clarity (such as that identified purposes be specific, explicit and lawful, and to include an explicit proportionality assessment, among others).

Prepared by: PRPA


PIPEDA Reform (Bill C-11)

Key Messages

  • Bill C-11 represents a serious effort to realize the reform we all recognize is badly needed. However, despite its ambitious goals, our view is that in its current state, the Bill would represent a step back overall for privacy protection.
  • One of the key issues is that the new law does not provide for quick and effective remedies for individuals – due to severely restricted AMPs, the tribunal, and lack of discretion for the Commissioner.
  • Bill C-11 would impose several new responsibilities without added discretion, reducing our ability to make strategic use of resources and to prioritize our activities based on risks to Canadians.
  • Even if these new functions were appropriately resourced, the OPC should have the legal discretion to manage and prioritize activities based on risk, maximizing finite resources to produce the most effective outcomes for Canadians. This discretion exists in privacy laws in other jurisdictions.

Background

  • Adopting a strategic, risk-based approach is a key practice for effective regulation.
  • New non-discretionary responsibilities introduced in Bill C-11 include requiring OPC to approve codes, provide advice to organizations on privacy management programs at their request, and consult with affected stakeholders on all guidance.
  • Other jurisdictions provide greater discretion to data protection agencies to manage their work, enabling them to prioritize activities and engage more constructively with stakeholders. For example, this discretion is provided for in Alberta and British Columbia, as well as internationally in the European Union and New Zealand.
  • The benefits of proactive engagement can be achieved without being mandatory and demand-led, which is resource-intensive to the detriment of other functions.

Prepared by: PRPA


COVID Alert App

Key Messages

  • Our engagement with Health Canada on the COVID Alert App helped its design respect all the key privacy principles from our Framework.
  • Despite this, the government asserted at the time that privacy laws do not apply given it was unlikely that personal information was being collected by the app.
  • We recommended that use of the app remain voluntary and that information collected for contact-tracing not be used for unrelated purposes.
    • Other jurisdictions have taken legislative and regulatory measures to ensure contact-tracing remains voluntary, and information used is limited to the purpose for which it was collected.

Background

  • Provincial use: The app can be used to report a diagnosis in 8 provinces: Ontario, Manitoba, Newfoundland and Labrador, New Brunswick, Nova Scotia, Prince Edward Island, Saskatchewan, and Quebec. Alberta has decided against using the federal app. Voluntary use is a key principle of the Joint Statement by Federal, Provincial and Territorial Privacy Commissioners on principles for contact tracing and similar apps.
  • Ongoing engagement: GA communicates regularly with Health Canada on the app and Portal. Health Canada has committed to consulting with our office on changes to the app. OPC will participate in a joint audit (evaluation) with Health Canada of the app to assess effectiveness, details yet to be determined.
  • Current status of program evaluation: GA is working with HC on a joint evaluation of the App that is scheduled for completion by the end of 2021. The evaluation will specifically examine necessity and proportionality, effectiveness and continued adherence to FPT principles.

Prepared by: GA / PRPA


In the courts - Facebook

Key Messages

  • Our investigation found that Facebook failed to obtain meaningful consent and contravened the fair information principles relating to consent, safeguards, and accountability in PIPEDA.
  • Because Facebook refused to implement our recommendations, we are seeking a binding order from the Federal Court to require Facebook to take action to correct its privacy practices and comply with PIPEDA.
  • We are waiting for the Court’s decision on two preliminary challenges before it can hear the case on its merits.
  • We cannot comment further at this time.

Background

  • Investigation: On April 25, 2019, the OPC released its Report of Findings on its investigation into FB’s compliance with PIPEDA, in relation to the “This is Your Digital Life” (“TYDL App”) and Cambridge Analytica, a UK political consulting firm. The OPC found that Facebook contravened the fair information principles relating to consent, safeguards, and accountability contained in Schedule 1 of PIPEDA. We also found that, with respect to Users’ downloads of the TYDL App after June 18, 2015, Facebook failed to obtain meaningful consent per s. 6.1 of PIPEDA.
  • Outcome of investigation: Facebook disputed the findings of the investigation and refused to implement the OPC’s recommendations to address the deficiencies identified. Therefore, OPC initiated an application pursuant to s. 15 of PIPEDA in Federal Court against Facebook.
  • Judicial review: Facebook has brought a separate judicial review application challenging our decision to investigate, to continue to investigate, as well as the investigation process, and seeks to quash the report of findings. We have brought a motion to strike that application. At the same time, FB has asked the Court to strike portions of the OPC’s affidavit evidence in our s. 15 PIPEDA application. The Court heard these preliminary challenges on January 19 and 21, 2021. We await the Court’s decision.

Prepared by: Legal


In the courts / Google Reference

Key Messages

  • In 2018 OPC asked the Federal Court to consider whether Google’s search engine is subject to PIPEDA when it indexes web pages and presents search results in response to queries of a person’s name.
  • This matter arose in the context of a complaint in which an individual alleged Google contravened PIPEDA by prominently displaying links to articles about him when his name is searched, alleging the articles are outdated, inaccurate and disclose sensitive information.
  • Google asserts that PIPEDA does not apply in this context.
  • Following public consultations, the OPC took the view in its draft position paper on online reputation that PIPEDA provides for a right to de-indexing – which removes links from search results without deleting the content itself – on request in certain cases. This would generally refer to web pages that contain inaccurate, incomplete or outdated information.
  • The Federal Court heard the matter on January 26-27, 2021; the Court has not yet issued its judgment – we cannot comment further on this issue at this time.

Background

  • Complaint: In 2017 we received a complaint from an individual alleging that Google is contravening PIPEDA by prominently displaying links to online news articles about him when his name is searched. The complainant alleges the articles are outdated, inaccurate and disclose sensitive information (e.g. sexual orientation and a serious medical condition). He argues Google has caused him direct harm by linking the articles to his name.
  • Draft Position Paper: In 2018, the OPC published a Draft Position Paper on Online Reputation as part of an ongoing consultation on how privacy law could address harms to individuals resulting from the increased exposure of personal information online. In it, we stated that we believe that PIPEDA applies to search engines. The Paper remains a draft and will not be finalized until the conclusion of the reference proceeding.
  • Litigation: In 2018, Google disagreed with our Office’s position that PIPEDA applies to its search engine. In October 2018, we asked the Court to determine the preliminary issue of whether PIPEDA applies to Google’s search engine.

Prepared by: Legal


Vaccine Passports

Key Messages

  • Use of vaccine passports must be necessary and proportionate; that is, evidence-based and necessary for the specific purpose identified. At the core of the vaccine passport discussion is the need to demonstrate effectiveness i.e. that vaccinated individuals are indeed less likely to transmit the virus.
  • For businesses to collect vaccination status from an individual as a condition of entrance, the collection would need to be authorized under PIPEDA. Among other things, collection would need to pass muster under s. 5(3) of PIPEDA.
  • There is considerable evidence that a vaccine certification system may disproportionately affect vulnerable populations and certain groups of individuals. For example, access to digital technology, forms of identification, tests and vaccines is already unequal, and vaccine passports may reinforce existing inequalities without wider initiatives to address these inequalities.

Background

  • Many countries have explored various vaccine passport/certificate regimes as a result of the COVID pandemic, in efforts to facilitate return to normalcy, including but not limited to Estonia, Iceland, Spain, Israel, US, UK.
  • As of April 6, 2021, the WHO declared that “we would not like to see vaccination passports as a requirement for entry or exit because we are not sure at this stage that the vaccine prevents transmissions.”
  • On April 16, 2021, Dr. Nemer, the Chief Science Advisor to the Prime Minister noted that vaccine passports could facilitate a return to normalcy, and commented more on their potential use to facilitate travel, but also noted that a domestic solution would require harmonization between all levels of government.
  • Dr. Nemer further noted that evidence of effectiveness of vaccines at preventing further transmission had not been demonstrated.

Prepared by: Government Advisory


Mandatory Isolation Order and ArriveCAN

Key Messages

  • We have received several Privacy Compliance Evaluations (PCEs) from PHAC for measures supporting the Mandatory Isolation Order, including the ArriveCAN app. We have assessed these measures against the OPC Framework and are satisfied that the approach is in line with PHAC’s authorities under the Quarantine Act, and limited to the purpose of preventing the importation of COVID-19 into Canada.
  • PHAC has been receptive to our advice on Information Sharing Agreements with its partners, and on the importance of clear privacy notices. We continue to consult with PHAC on safeguards and limitations on the use of the personal information collected.
  • We anticipate receiving and reviewing further PCEs from PHAC on additional border measures that it has introduced, including mandatory testing and hotel stays at airports, among others.

Background

The Mandatory Isolation Order (MIO): The Quarantine Act and MIO require travelers entering Canada to quarantine for 14 days and provide contact information, quarantine plans, and symptom self-assessments upon arrival. Additional personal information is collected during the 14-day quarantine period through the ArriveCAN app or web portal.

Purpose of the app: The ArriveCAN app supports MIO compliance by enabling travelers to provide information both before and after arrival to Canada in a digital format, reducing reliance on paper forms, which caused inefficiencies for the government in following up with travelers during their quarantine period. Specifically, the app reduces the average time between an individual’s date of entry to Canada and the date of PHAC’s disclosure to public health authorities to begin contact tracing from 9 days to 2 days.

Additional PCEs anticipated: PHAC has indicated that it will submit 8 (6 new and 2 updated) additional PCEs on various aspects of this initiative in the coming months.

Information sharing: PHAC shares information with public health authorities in the province or territory where the person quarantines. Information may also be disclosed to the RCMP and other law enforcement bodies in Canada for quarantine enforcement purposes.

Prepared by: Government Advisory


Facial Recognition

Key Messages

  • Recent investigations conducted by my office have shown that FR is a powerful technology that poses serious risks to privacy.
  • These risks include intrusions on individuals’ basic right to navigate public and private spaces, including online spaces, without the fear of being identified, monitored, and tracked at every turn by corporate and government entities.
  • FR use also creates risks of bias and discrimination towards certain groups, and can limit individuals’ ability to exercise other democratic rights and freedoms.
  • The global privacy community has acknowledged these risks by passing a resolution on FR use at the last annual conference of the GPA. My office is participating in a working group, formed under this resolution, to develop a set of global policy principles and expectations for the use of FR.

Background

  • Complaints: OPC recently completed two investigations into use of FR under PIPEDA: Clearview AI, and Cadillac Fairview. OPC is also currently investigating the RCMP’s use of FR under the Privacy Act.
  • Guidance: OPC is currently working with our provincial and territorial counterparts to prepare joint guidance on FR use by police agencies. We plan to open a public consultation on a complete draft of the guidance in the coming months.
  • International: On October 15, 2020 at the Annual GPA Conference, a Resolution on FR was unanimously passed, which commits the GPA to working to develop a set of agreed-upon principles and expectations for the use of personal information in facial recognition technology, including signalling where it poses the greatest risk to data protection and privacy rights, and recommending how those risks can be mitigated.

Prepared by: PRPA


Transborder Data Flow

Key Messages

  • PIPEDA does not adequately address risks to privacy posed by global data flows and Bill C-11 in its current form would not resolve those weaknesses.
  • Most modern privacy laws explicitly and separately address trans-border data flows, including those in Australia, New Zealand and the GDPR.
  • Bill C-11 does not establish a comprehensive scheme to govern trans-border data flows. It should be amended to contain such provisions, so that rights and obligations are clear and accessible.
  • Similarly to laws in Australia, New Zealand, the GDPR and Quebec’s Bill 64, the Bill should also be expanded to capture “disclosures” outside the country. As well, it should extend transparency obligations to foreign organizations that move Canadians’ personal information outside the country and expose that information to privacy risks.

Background

  • Section 11(1) of Bill C-11 would require transferring organizations to ensure that the service provider provides substantially the same protection as that which the organization would be required to provide under the Act. Principle 4.1.3. of PIPEDA requires transferring organizations to ensure a “comparable level of protection”.
  • Bill C-11 relies on the use of contractual means (or otherwise) to ensure “substantially the same” protections, as opposed to PIPEDA’s “contractual or other means”. Other jurisdictions provide a number of options in this regard, including mechanisms such as adequacy rulings, Standard Contractual Clauses, codes of conduct or other binding schemes such as binding corporate rules.
  • The OPC recommends that a separate scheme for transborder data flows address the considerations identified in Teresa Scassa’s paper relating to: 1) to whom the obligations apply; 2) accountability; 3) conditions to be met; and 4) protections in the destination State.

Prepared by: PRPA


Artificial Intelligence (AI)

Key Messages

  • AI has immense promise, but must be implemented in ways that respect privacy, equality and other human rights.
  • In our view, an appropriate legal framework for AI would:
    • Allow personal information to be used for public and legitimate business interests, including for the training of AI; but only if privacy is entrenched in its proper human rights framework;
    • Create provisions specific to automated decision-making to ensure transparency and fairness (explanation and contest); and
    • Require businesses to demonstrate accountability to the regulator upon request, ultimately through proactive inspections and other enforcement measures to ensure compliance.
  • PIPEDA does not contain any of these measures, and is ill-suited to the AI environment. C-11 only contains an explanation requirement for automated decisions, but without any standard for what such an explanation should entail.

Background

  • OPC launched a public consultation in January 2020. We received 86 submissions, and held two in-person consultation sessions in Montreal and Toronto.
  • The wrap-up report, A Regulatory Framework for AI, contains our key recommendations for regulating AI, and is available on our website.
  • We also published a separate report that we commissioned from a recognized expert in AI, which informed our recommendations and accounts for stakeholder feedback from the consultation.
  • More broadly, OPC collaborates with international data protection authorities in working groups on AI through the Global Privacy Assembly, a forum of international Data Protection and Privacy Commissioners.

Prepared by: PRPA


Cadillac Fairview

Key Messages

  • Our investigation into Cadillac Fairview found that the company used embedded inconspicuous cameras in digital information kiosks at 12 shopping malls to collect customers’ images, and used FR technology to guess their age and gender.
  • Shoppers had no reason to expect that their sensitive biometric information would be collected and used in this way, and did not consent to this collection or use.
  • While the images were deleted, the biometric information of 5 million shoppers was sent to a third-party service provider, and was stored in a centralized database for no discernible purpose.
  • We remain concerned that Cadillac Fairview refused to commit to ensuring that express, meaningful consent is obtained from shoppers should it choose to redeploy the technology in future.

Background

  • Provincial cooperation: This was a joint investigation with AB, BC, and involved info-sharing with QC. Our findings were published in October 2020.
  • Collection purposes: Personal information was collected in order to track foot traffic patterns and predict demographic information about mall visitors (e.g. age and gender). Unknown to Cadillac Fairview, a biometric database consisting of 5M numerical representations of faces was also created and maintained by a third-party processor.
  • Outcomes: Cadillac Fairview has ceased use of this technology and has advised that they have no current plans to resume its use. We are concerned that Cadillac Fairview could simply recommence this practice, or one similar, requiring us to either go to court or start a new investigation.
  • Law reform: Cadillac Fairview’s refusal to commit to obtaining express and meaningful consent for future use of this technology demonstrates our need for stronger enforcement powers, including order making and AMPs to better protect Canadians’ privacy.

Prepared by: Compliance


Clearview AI

Key Messages

  • We found Clearview failed to obtain consent for the collection, use and disclosure of millions of images of Canadians it scraped from websites, or of the biometric profiles it generated.
  • We also found that its practices amounted to continual mass surveillance, and were for an inappropriate purpose.
  • Clearview disputed our findings and refused to follow any of our recommendations. Stronger regulatory tools, including order-making powers and AMPs, are needed to help secure compliance from companies like Clearview. C-11 does not adequately address these shortcomings due to its AMP regime.

Background

  • Provincial cooperation: This was a joint investigation with AB, BC and QC. Our RF was published on February 2, 2021.
  • Summary: Clearview provided identification services via its Facial Recognition product to 48 Canadian organizations, who collectively conducted thousands of searches. Clearview collected over 3 billion images world-wide.
  • Consent: It did not seek consent for the use of individuals’ personal information, claiming that the information was “publicly available”. Social media organizations stated Clearview violated their terms of service with the scraping, and we found that the information was not publicly available, as defined in the Regulations.
  • Purposes: Clearview indiscriminately collected, used and disclosed personal information in order to allow third-party organizations who subscribed to its service to identify individuals by uploading photos in search of a match.
  • Outcomes: Clearview agreed to exit the Canadian market and cease offering its services to Canadians. At the conclusion of our investigation Clearview refused to follow any of the recommendations made by our Offices, which included that it (i) commit to not re-entering the Canadian market; (ii) cease collection, use and disclosure of images and biometric profiles; and, (iii) delete the images and biometric arrays in its possession.

Prepared by: Compliance


Facebook Breach

Key Messages

  • The media reported in April 2021 that information from approximately 533 million Facebook users has been made publicly available.
  • The data set is alleged to include information about 3.5 million Canadians. The data set had been posted for sale as early as June 6, 2020.
  • Facebook has not submitted a breach report to our Office for this matter and we are currently in communication with the company.
  • We have received a complaint related to the matter and are now considering next steps. We are not in a position to provide any additional details at this time.

Background

  • The data was scraped from people's Facebook accounts through a vulnerability.
  • After Facebook detected this issue in August 2019, it made changes to correct the vulnerability in September 2019.
  • The data included a variety of Facebook profile information and contact details. According to Facebook, the data did not include financial information, health information, or passwords.

Prepared by: Compliance


Desjardins Breach Investigation

Key Messages

  • In May 2019, Desjardins notified our Office of a breach that ultimately affected close to 9.7 million individuals in Canada and abroad. The OPC launched an investigation in collaboration with la Commission d’accès à l’information du Québec.
  • Our investigation concluded that Desjardins violated PIPEDA with regards to accountability, data retention periods, and security safeguard measures.
  • Desjardins will be providing the OPC progress reports every six months on its implementation of a comprehensive action plan following this breach.

Background

  • The compromised personal information included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.
  • The breach had been committed by one of Desjardins’ employees, who had been exfiltrating personal information over a period of at least 26 months.
  • Our focus was on Desjardins’ security safeguards, and its accountability in terms of policies and training to protect personal information. Given that some records were decades old, we also looked at its retention and destruction policies.
  • Some key takeaways from this investigation:
    • While organizations need to guard against external vectors of attack, they also need to look within.
    • For policies and procedures to be effective, employee training and awareness are key to giving them life.
    • Risks can be reduced by employing good data retention practices.

Prepared by: Compliance


Identity Verification

Key Messages

  • One way identity theft and fraud can be prevented is by verifying a person’s online identity using a trusted and secure digital ID. A digital ID can also help Canadians securely access online services.
  • On Sept 15, 2020, the Digital ID & Authentication Council of Canada (DIACC) launched the Pan-Canadian Trust Framework. The Framework is designed to help businesses and governments develop tools and services that enable information to be verified regarding a specific transaction or set of transactions.
  • Over the year, our Office has been following the development of the DIACC PCTF and the TBS Public Sector Profile (PSP) of the PCTF.
  • From open banking to e-health, digital ID services are a key enabler for the digital economy. To date, banks and telcos have been able to leverage existing digital ID services to support Canadians.

Background

  • A digital ID is a collection of features and characteristics associated with a uniquely identifiable individual or organization — stored and authenticated in the digital sphere — and used for transactions, interactions, and representations online.
  • The PCTF is at a proof of concept stage. More recently, our Office has been involved in a DIACC working group on the Ethical and Acceptable Use of Biometrics within the digital ID ecosystem.
  • “CAN/CIOSC 103-1:2020 Digital Trust and Identity - Part 1” is a standard developed by the CIO Strategy Council, an organization accredited by the Standards Council of Canada (SCC). The recently published standard specifies the minimum requirements and set of controls required for creating and maintaining trust in digital systems and services that, as part of an organization’s mandate, assert and/or consume identity and credentials in data pertaining to people and organizations.

Prepared by: TA


Follow-up to Statistics Canada Investigation

Key Messages

  • As a follow-up to our 2019 investigation, we provided Statistics Canada with direction to help it redesign the Credit Information Project and the Financial Transactions Project.
  • For the Credit Information Project, our investigation found that while Statistics Canada had the legal authority to collect the personal information it had not demonstrated that the collection was necessary or proportional.
  • Our investigation raised concerns that the Financial Transactions Project, if implemented, would have exceeded Statistics Canada’s legal authority. The project was halted during our investigation.
  • We also noted issues with transparency and internal threat actors. We asked Statistics Canada to increase transparency regarding its collection of personal information, address risks related to internal vulnerabilities and recommended that the above projects be halted and redesigned.
  • We are currently advising Statistics Canada as it redesigns these projects.

Background

  • OPC dedicated a full-time resource to support StatCan in applying our recommendations to ensure proposed collections of personal information are necessary for a substantial public goal and proportional to the privacy impact.
  • In fall 2020 StatCan provided us with redesigned project plans. Progress has been made toward incorporating the principles of necessity and proportionality. However, as StatCan has taken a multi-phased approach, it was not able to answer key questions about the final phases of implementation.
  • We have asked StatCan to engage with us when more information is available and before it implements the respective final phases of the projects.

Prepared by: Compliance


Pornhub and MindGeek

Key Messages

  • Our Office has been following your study on the “Protection of Privacy and Reputation on Platforms such as Pornhub”. We recognize the many serious concerns that have been raised about privacy and related issues, as the matter implicates highly sensitive personal information.
  • My Office has received a complaint related to consent for collection, use and disclosure of intimate images on the MindGeek websites and has begun an investigation.
  • As our investigation is ongoing, I cannot comment further on the details of the complaint at this time.
  • That said, it is of the utmost importance that websites collecting, using or disclosing intimate images comply with the law, to minimize privacy harms and respect Canadians’ fundamental right to privacy.

Background

  • ETHI began its study on February 1, 2021, and has held over five meetings on the topic with over 20 witnesses. Issues discussed include age and identity verification; non-consensual distribution of intimate images; and manual reviews combined with AI software to remove underage and non-consensual content.
  • The Toronto Star published an article on the complaint in question in January 2021.
  • As noted in the Ashley Madison investigation (2016) into adult dating websites, it is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected.

Prepared by: PRPA In Consultation With: PIPEDA Compliance


Complaint against Federal Political Parties (FPPs)

Key Messages

  • The OPC has concluded that PIPEDA does not apply to the activities that were the subject of a complaint against the Liberal, Conservative and NDP political parties, as they are not commercial in character.
  • Although the sale of merchandise, memberships, and tickets involves an element of exchange, the OPC was not convinced that those transactions qualify as commercial in character given the context in which the federal political parties operate.
  • Even if those transactions were considered to be commercial in character, that would not allow the OPC to investigate the general practices of federal political parties in relation to political advertising for voters.
  • The OPC has repeatedly called for political parties to be subject to legislation that creates obligations based on internationally recognized privacy principles and provides for an independent third-party authority to verify compliance.

Background

  • We received the complaint against the three main federal political parties on August 22, 2019. The other recipients of the complaint were: Elections Canada, the Competition Bureau, the CRTC and the BC OIPC.
  • Despite the thorough submissions made by the Complainant in this matter, we have concluded that PIPEDA does not apply to the activities of the Federal Political Parties that are the subject of the complaint as they are not commercial in character.
  • To come to our conclusion in this matter, the OPC carefully reviewed the complainant’s extensive representations on commercial activity and those received from the NDP and the Liberal Party of Canada. The Conservative Party of Canada did not provide a response.

Prepared by: Compliance
