Evidence of meeting #38 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
5:10 p.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
I don't have much more to add, other than that I'm enjoying reading some of the background that you've given us regarding data matching.
The one example I'd like to run by you is similar to what Mr. Wallace cited as an example. We found this one worrisome. The federal government knew that 300,000 senior citizens were eligible for the guaranteed income supplement but had never applied for it. They knew this by virtue of their income tax returns.
We asked the officials, if they knew these people were eligible, and they knew they were in need, because they had to be really low income to be eligible, why they didn't just tell them that they qualified for another $12,000 a year. Their answer was that it would be a violation of the right to privacy to use income information for any purpose other than assessing taxes on their income.
Does that jibe, does it seem plausible? Given what you know about the Privacy Act, was the government acting properly in not using their income tax information for any purpose other than income tax?
5:10 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
I'm not sure I can comment on that specific one. I would expect it has to do with the particular requirements that are not in the Privacy Act but in the Income Tax Act that are specific about the confidentiality of tax return information, which recognizes the high measure of sensitivity and the fact, for example--
5:10 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
Because it's a self-reporting system, the legislation allows you to even report criminal sources of income because the interest is seen as being in collecting taxes rather than doing other things.
5:10 p.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
Is that right? I know that's not what we're here to talk about, but you mean under the Income Tax Act, if you did report income from illegal sources, Revenue Canada couldn't use that against you to turn you in, as it were? They wouldn't know, though.
5:10 p.m.
Chair, National Criminal Justice Section, Canadian Bar Association
There are mechanisms for sharing that information.
5:10 p.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
There are mechanisms, of course, disclosing...money laundering and stuff like that.
As another example, the border guards turned in a carload of people who were on EI, employment insurance. When these people were coming back into Canada, having gone for a day trip to the States, the border guards somehow learned they were on EI and turned them in. You're not allowed to travel out of the country while you're supposed to be actively looking for work in this country. Wouldn't that be a violation of these people's right to privacy?
5:10 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
Under the Privacy Act as it's currently structured, it's my understanding that it is not. I believe there is case law whereby if you return to Canada on an aircraft, information from that form you fill out is matched against information in the EI database to determine whether or not you were vacationing in Florida. That was the exact case. So data matching does take place.
5:10 p.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
So that's not contravening your right to privacy as a Canadian citizen, if I choose to break the law.... I don't think I'm going to go any further down this.... I'm on dangerous territory, I agree.
Is that an example that brings us back to where I started--that's what you call data matching, computer matching?
5:10 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
My recollection is the courts found that to be lawful. What we're talking about is not just those particular examples, because data matching can be used for any number of purposes, both in the law enforcement context or immigration enforcement, and in other contexts as well.
We're saying there needs to be some significant thought given to it, because it might simply be a matter of convenience of wanting to match this information, because information is extremely useful. Revenue Canada, the Government of Canada, runs on information, there's no doubt about that.
But when information becomes centralized, it becomes more potent in the sense that it is potentially more dangerous to the privacy interests of individuals. It's potentially more dangerous if that information is leaked. One would probably recall a number of years ago Human Resources Development Canada launched LLFF database that took employment insurance information and income tax information, information from a number of sources. So it had individuals' histories, employment histories, going back from beginning to end, all in one database. It was seen as being lawful, but politically problematic to such an extent that it had to be dismantled because there were very strong feelings that it was not appropriate.
So what we're talking about is not saying that this is okay and that's not; it's making sure there's a framework in place to make sure those important questions are asked at the time.
5:15 p.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
What specifically was wrong with the RCMP database that the Privacy Commissioner felt compelled to make a special report to Parliament that they had compiled this massive database?
5:15 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
I'm not sure I know enough of the specifics to answer that.
5:15 p.m.
Conservative
The Vice-Chair Conservative David Tilson
I think your time has expired. If you wish to speak again, you can, but we'll go now to Mr. Murphy.
5:15 p.m.
Liberal
Brian Murphy Liberal Moncton—Riverview—Dieppe, NB
Thank you, Mr. Vice-Chair.
I want to get back to this standard review of public-private. I may be fixated on this health issue, but records that were gathered by a public agency were sent to a private company for a process, and I suspect this might happen more and more as governments try to find ways to deliver services more economically.
I'm not starting a diatribe totally against the whole public-private partnership thing, but there has to be an understanding of whether this was a public function or a private function. I live in the world of examples, unfortunately, but when you have a public agency that gathers the information and gives it to a private company.... Back to my question a while ago, do you think there should be any different standard, and whose breach is it?
5:15 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
That exact circumstance is not explicitly addressed in the Privacy Act. In PIPEDA it is, because it talks about an organization. If they send information out for processing, the organization remains responsible for it, even if they've handed it off to somebody else for processing.
The scenario you just described is not addressed in the Privacy Act. If there were a requirement that the government institution implement safeguards to protect the information they collect, part and parcel of it is that they make sure of the security of that information wherever it goes, which would make the public body accountable, I would expect, for the information in the hand, for example, of an outsourced processor.
5:15 p.m.
Liberal
Brian Murphy Liberal Moncton—Riverview—Dieppe, NB
Would a contract for the service delivery not impose on the private service deliverer the same obligations as the parent—the government—has?
5:15 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
Yes, and that is included in Treasury Board guidelines with respect to outsourcing or third-party processing of personal information.
5:15 p.m.
Liberal
Brian Murphy Liberal Moncton—Riverview—Dieppe, NB
This leads me to another question about crown corporations. A number of MPs are fighting battles with the Canadian Border Services Agency with respect to reports on customs services at airports and so on. That is again too example-specific, but the scope of either the Privacy Act or PIPEDA toward crown corporations leaves them in a sort of no man's land sometimes. Are they explicitly covered by the Privacy Act, or are they occasionally covered by PIPEDA? Is there a gap there?
5:20 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
There is the potential. Under the Privacy Act, government institutions come into coverage of the Privacy Act by being listed in the schedule, so if there's a crown corporation that is not listed in the schedule, it is not subject to the Privacy Act. PIPEDA begins to apply if you're a federal work, undertaking, or business, or are engaged in commercial activity. Then it says that if you are subject to the Privacy Act, you're not in.
So you can have a crown corporation that is not engaged in commercial activity and that is not listed in the schedule which is not covered by any privacy legislation. I can imagine that happening.
Just to bring your two scenarios together, we have an increased number of programs being delivered jointly by the federal government and the provincial governments—the Canada-Ontario Business Service Centre, Canada/Nova Scotia Business Services Centre, and the like—and the provincial legislation and the federal legislation don't specifically delineate who is responsible for the information when it's collected by a contractor on behalf of both governments.
5:20 p.m.
Liberal
Brian Murphy Liberal Moncton—Riverview—Dieppe, NB
Do you see any problem with setting up the Canadian equivalent of a centre for disease control as they have it in the United States? Obviously it is very well publicized. In Canada it is patchwork: this hospital reports its outbreak of flu, or whatever. Do you see these two acts prohibiting that sort of setup because of the confidential nature of...?
5:20 p.m.
Treasurer, National Privacy and Access Law Section, Canadian Bar Association
Not particularly. Pretty well every province has public health legislation that explicitly overrides or requires the reporting of communicable diseases. Just about every piece of privacy legislation in Canada says you can disclose information without consent if you legally have to. They're designed to hopefully fit together.
5:20 p.m.
Liberal
5:20 p.m.
Conservative
The Vice-Chair Conservative David Tilson
We have Mr. Hiebert, Mr. Wallace, and Madame Lavallée.
We'll do our best, Madame Lavallée. We'll see how these other fellows do.
