It was kind of the Office of the Privacy Commissioner of Canada to release their annual report 2022-23 so that I would have something new to write about this week. Have you had a chance to dive into it?
This is Privacy Commissioner Philippe Dufresne's first report after a full year at the helm of the federal privacy regulator's office. Last year, he did write an introduction to the 2021-22 report, in which he shared with us his vision for privacy, however, the report reflected the work under a previous regime.
In the report tabled in Parliament this week, we learned what the OPC's strategic priorities are going to be moving forward:
- Keeping up with and staying ahead of technological advancements and their impact on privacy, particularly with respect to artificial intelligence and generative AI;
- Protecting children's privacy so that they can benefit from technology and be active online safely and free from fear that they may be targeted, manipulated or harmed as a result; and
- Preparing for potential law reform should Bill C-27, the Digital Charter Implementation Act, be adopted by Parliament.
I think it will be quite interesting to see what the OPC does in practical terms for each of these priority issues. And I think privacy practitioners and others working in the spaces that touch on technology and AI, as well as children's privacy, should be mindful that these topics are in the spotlight.
For this latest annual report, remember that the OPC can release Personal Information Protection and Electronic Documents Act findings throughout the year — and that's what it does. But the office is restricted in how it share Privacy Act findings — those need to be in annual or special reports. Because of this, I always like to spend a bit more time reviewing what public-sector cases the OPC decided to include.
The one that jumps off the page involves Canada Post, which has been building targeted marketing lists by gleaning the packages and envelopes they deliver.
It's clear there is a disagreement between the OPC and Canada Post in terms of whether people are aware and should consent to this activity. The OPC implemented some of the recommendations, but it made a point of flagging its lack of order-making powers keeps the office from requiring Canada Post to implement the mail-out/opt-out approach it would like to see.
Other noteworthy cases out of the public sector include: The Canada Border Services Agency using a genealogy service to confirm the nationality of a person they intended to deport; The Correctional Services Canada collecting an employee's information from their Facebook page; Transport Canada failing to publish an updated personal information bank — yes, these are important; and the Treasury Board — the folks in charge of the rules on reporting breaches — not reporting a material breach.
There is a lot of interesting stuff there. Don't take my word for it — read the report yourself. You can find it here. I'd be interested to know what you think of these Privacy Act cases.
