Office of the Privacy Commissioner of Canada

12/09/2024 | Press release | Distributed by Public on 12/09/2024 14:02

Remarks by the Privacy Commissioner at the OPC Connect event for federal privacy and information officers

November 13, 2024
Ottawa, Ontario

Address by Philippe Dufresne
Privacy Commissioner of Canada
to the Office of the Privacy Commissioner of Canada's Connect event for Chief Privacy Officers and Chief Information Officers

(Check against delivery)

Thank you all for being here, especially our special guest Dominic Rochon, the Chief Information Officer of Canada and Deputy Minister at the Treasury Board of Canada Secretariat (TBS).

I understand that we have participation here today from approximately 35 federal departments and agencies, and I am delighted to see a mix of representatives from the Chief Information Officer (CIO) community as well as Chief Privacy Officers (CPOs).

At a time when more data is being collected, shared, used, and stored online than ever before, it is essential that the information management (IM), information technology (IT), and privacy communities work together.

This is because in your roles, you are at the forefront of leading, developing, and safeguarding the government systems that hold Canadians' sensitive personal information and serve Canadians through the public services and the government's essential public interest work.

In this increasingly digital world, your collective expertise and shared values as public servants will be key to protecting and preserving the trust that Canadians hold in government institutions, programs, and services, knowing that their information is protected - today and for the future.

We know that government institutions are attractive targets for bad actors. Data breaches and cyberattacks have surged over the past decade, in scale, in complexity, and in severity.

Whether it is developing digital services, modernizing case management systems, deploying a cloud network, or managing critical infrastructure, the information and technology systems of the future will always be better and more secure, and of course more trusted and consistent with core values if they are built with privacy protection in mind.

In January, I launched my strategic priorities for the OPC - and this interconnectedness of technology and privacy is reflected in each of our three strategic priorities:

  • Protecting and promoting privacy with maximum impact;
  • Addressing and advocating for privacy in this time of technological change, in particular in the context of generative AI; and
  • Championing children's privacy rights.

Technology offers many benefits for government. These include in the delivery and accessibility of services, in creating operational efficiencies, and in advancing the analysis and use of data to support decision making, and ultimately the public interest and Canada's institutions.

My aim in developing these strategic priorities was to propel the OPC's work on the issues and areas that will have the biggest impact on Canadians and Canadian organizations, and where the greatest risks lie if they are not addressed.

This involves prioritizing activities that can inform and guide innovation in ways that are safe and responsible, and also leveraging innovation to promote and protect individuals' fundamental right to privacy. Just as data fuels innovation, we must use innovation to protect data.

As federal organizations continue to leverage technology, expand their suite of third-party software, and explore the use of artificial intelligence, collaboration between privacy and information technology professionals will only become more and more important.

Privacy to support digital services

CIOs play a central role in delivering digital services, as well as in implementing and managing the enterprise infrastructure and applications that hold Canadians' information. CPOs can identify considerations, risks, and opportunities related to the handling of personal information, as well as provide expertise to support program design in a privacy-friendly manner.

In all circumstances, at the heart of this work lies the public interest as well as the best interests of individuals, or users. We know that privacy matters to Canadians. We all want and need to trust that our privacy rights are being protected.

In the OPC's most recent survey of Canadians, 93% expressed some level of concern about the protection of their privacy. Just over half, 58%, said that they are confident that government respects their privacy rights. A full 30% said that they are not confident about this.

Protecting privacy is a key tool to building public trust in our institutions and public services. And when an individual can have confidence in a service, they are more likely to use it. Privacy by design can help achieve this.

Privacy by design

Privacy by design is intertwined with human-centered design. Research demonstrates that trust is a key factor in positive user experience. Privacy by design supports a positive user experience, as it will contribute to users' perceptions of care, competence, and integrity, which are key drivers of trust in government services.

Creating a culture that embeds privacy considerations from the outset will help to "future proof" your organization, your services, and your information management and information technology systems.

For example, limiting the collection of personal information to just what is needed for a new program, defining a retention period, and planning how the data will be protected can reduce the risk of issues arising at the eleventh hour or once a program has been launched. It may also prevent having to go back to redo work in order to retrofit privacy into the development. Of course, the less personal information you hold, the lower the risks and impact of a breach or cyberattack.

Privacy impact assessments, privacy officers, and the OPC are all resources that can be leveraged to advance privacy-protective and security-conscious approaches in organizations. The OPC's Government Advisory Directorate is available to discuss privacy considerations early on in the development cycle.

My Office has also been building internal capacity and is engaged in domestic and international fora to better understand and address the privacy implications of technologies, such as generative AI. For example, the OPC's Technology Analysis Division is evaluating the safe and responsible use of AI to enable our employees to learn how to safely leverage the efficiencies that it may offer.

I have also been working with domestic and international counterparts both in privacy and other regulatory spheres to determine best practices and approaches to the ever-evolving digital environment.

For example, last month I released joint statements with my G7 counterparts on the role of data protection authorities in fostering trustworthy AI, and on child-appropriate AI.

Last December, I hosted an international symposium on privacy and AI, and released joint principles for responsible generative AI with provincial and territorial data protection and privacy authorities. I recently participated in an OECD workshop with international authorities and regulators in the competition, telecommunications and other digital fields.

Breaches

Collaboration between information and privacy officers is also critical when it comes to managing and mitigating the impacts of breaches. As noted earlier, the government's digital infrastructure presents an attractive target for bad actors.

Data breaches have surged over the past decade, and my Office has noted an increase in both the scale and the complexity of breaches. Threat actors are also increasingly sophisticated.

In its latest National Cyber Threat Assessment, the Canadian Security Establishment underscores an expanding and complex cyber threat landscape of malicious state and non-state cyber threat actors that are becoming more aggressive and evolving their tradecraft, adopting new technologies, and collaborating in an attempt to improve and amplify their malicious activities.

My annual report for 2023-2024 noted that, while the number of breaches reported to my Office for that fiscal year had not changed significantly from the previous year, the number of accounts that were affected by the breaches had doubled, from 12 million to 25 million.

The Ticketmaster breach, which my Office is currently investigating, is an example of this trend: one single breach has affected millions of people worldwide.

Recent high-profile breaches of government departments and agencies further underscore this risk and potential implications.

With a threat environment that is continuously evolving, prioritizing information security is essential, and requires constant attention. Government institutions are stewards of a wealth of personal information and attractive targets. The public needs to trust that their information is being protected.

TBS policy requires that federal institutions report privacy breaches that pose a real risk of significant harm to an individual to my Office. Reporting to the OPC can support an organization's response, and also help the OPC and the organization to learn from breaches so that the same issues are not repeated.

Conclusion

The program for today's event promises to be both interesting and informative.

I hope that one of your key takeaways is that collaboration between us is critical. The leaders here today hold the keys to maintaining trust and confidence in government services in an increasingly digital and data-driven environment.

I encourage you to work with my Office as well. The OPC can help your organizations to achieve their objectives in a privacy-protective manner.

We welcome this opportunity to strengthen collaboration with the CIO and CPO communities. You each play vital roles in ensuring that the government systems and the personal information that the government holds are protected today and for the future.