Evidence of meeting #34 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

  • Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
  • Chantal Bernier  Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

11:05 a.m.

NDP

The Chair Pierre-Luc Dusseault

Good morning, everyone.

I want to thank Ms. Stoddart and Ms. Bernier for joining us today.

As you have seen, based on today's agenda, the first hour will be set aside for the two reports. The first is the 2010 annual report on the Personal Information Protection and Electronic Documents Act, and the second is the Privacy Commissioner of Canada's 2010-2011 annual report.

11:05 a.m.

NDP

Alexandre Boulerice Rosemont—La Petite-Patrie, QC

Mr. Chair, I would like to take a moment to announce to the committee and the clerk that today I will put forward a motion I would like us to debate next Tuesday. The motion asks that Claude Benoît, President and CEO of the Old Port of Montreal Corporation, appear in order to justify the corporation's expenditures and the way its budget is managed with regard to a number of aspects—including travelling and meals. I just wanted to inform the chair, the clerk and the whole committee that this motion will be moved today.

11:05 a.m.

NDP

The Chair Pierre-Luc Dusseault

Thank you. You can submit your notice of motion to the clerk if you have it with you, and we can discuss it eventually, given the required 48-hour notice.

So, we will spend the first hour of our meeting discussing the two reports produced by the commissioner. The second hour will be used to discuss the main estimates.

I yield the floor to Ms. Stoddart for a ten-minute presentation on the two reports.

11:05 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chair.

I want to begin by congratulating you on your recent election as chair of this committee.

Mr. Chair and honourable members, good morning. I'm very pleased to have the opportunity to speak with you first about the two annual reports that we lay before the House of Commons every year.

I'm joined here today by Assistant Privacy Commissioner Chantal Bernier. Madam Bernier is in charge of our day-to-day operations, and she's also a specialist on national security questions, so I appreciate her presence with me today.

I will focus my opening remarks largely on our public sector work, although there were certainly interesting developments on the private sector side as well. The principal focus of our annual report on the Privacy Act for the 2010-11 fiscal year was the federal government's stewardship of the personal information of Canadians. In particular, we looked at privacy in the context of law enforcement and aviation security. The report examined whether departments and agencies collected, used, and disclosed personal information in a way that complies with the Privacy Act. This is of overwhelming importance, given the highly sensitive nature of so much of the personal data that the state needs in order to govern. Indeed, we're talking here about information related to people's income, their taxes and benefits, their travel patterns, and so many other aspects of their lives. This is not information that individuals would necessarily want to turn over. It is simply collected to fulfill the requirements of various government programs or activities.

In the main, I'm happy to say that we found that the Government of Canada has solid policies and practices in place to safeguard the privacy of Canadians, but we also said that the government is obliged to handle the personal information of Canadians with an uncompromising level of care, not some of the time or even most of the time, but all of the time. The fact is that over-collection, misuse, or inappropriate disclosure of sensitive personal information could carry grave consequences for individuals.

Our annual report summarizes two audits that our office conducted during the year. I'm going to summarize them briefly.

In terms of the auditing, we assessed whether the policies and practices of the Canadian Air Transport Security Authority, better known as CATSA, complied with the Privacy Act.

That audit concluded that the agency collects too much information about air travellers and does not always safeguard it properly. In particular, we found that CATSA collected personal data about traveller activities that do not relate to aviation security and that, in some cases, are perfectly legal and legitimate.

For example, CATSA will note when a passenger on a domestic flight is found to be carrying large sums of cash, even though there is no law prohibiting that. The over-collection of data is worrisome because it can result in undeserved suspicion being cast on an innocent person. In addition, our audit turned up gaps in the measures used to safeguard such records.

Indeed, in our spot checks of several major Canadian airports, incident reports were found on open shelving units and on the floor, in the same location where passengers are taken for further screening.

I'll talk a bit now about the RCMP audit. Our other audit looked at the Royal Canadian Mounted Police's management of two operational databases that are widely shared with other police agencies, government institutions, and other organizations.

You may have heard of CPIC, the Canadian Police Information Centre, and PROS, the police reporting and occurrence system. CPIC has been described as the backbone of the criminal justice system. It provides computerized storage and retrieval of information on crime and criminals and is widely used by the law enforcement and criminal justice community. PROS, meanwhile, is the RCMP's police records management system. It contains information on individuals who have come into contact with police, as a suspect, a victim, a witness, or an offender.

Our audit found that, in general, the RCMP has policies and procedures in place to properly govern access to and use of data in CPIC. However, one-third of the agencies that use CPIC were unable, for technical reasons, to implement the necessary protocols that ensure CPIC is accessed only by authorized users.

With respect to the PROS database, we also discovered that some outdated and erroneous personal information was being retained when it should have been sequestered or purged. Specifically, we found that police and other agencies with access to PROS could continue to view records related to cases that had resulted in a wrongful conviction or a conviction for which a pardon had been granted. This contravenes the data retention provisions of the Privacy Act. It also makes it harder for people to get on with their lives, free from the taint of unfair suspicion.

Both CATSA and the RCMP agreed to address our recommendations. We'll follow up to see how these recommendations will be implemented.

Our last annual report to you discussed follow-up work on three audits we conducted during 2008 and 2009. We wanted to see how many of the 34 recommendations we made in those audits had been implemented. We were happy to find that 32 of those recommendations had been fully or substantially implemented in the intervening years.

The results were, in some cases, significant. For instance, a follow-up to an audit on the RCMP's exempt data bank found that tens of thousands of surplus files had been purged to comply with our recommendations.

I will now turn to our 2010 annual report on the Personal Information Protection and Electronic Documents Act, the PIPEDA. The major issues in that report were online privacy and the disposal of personal information.

We highlighted our audit of a major retailer, Staples Canada Inc.—Bureau en Gros Ltée.

What we found was that Staples Business Depot stores failed to fully wipe customer data from returned devices such as laptops and USB hard drives, which were destined for resale.

That was a particularly disappointing finding, as we had already conducted two earlier investigations involving returned data storage devices at Staples and received assurance that the company would fix the problems we identified.

Although some steps have been taken, the audit showed that those procedures and controls were not consistently applied, nor were they always effective.

As a result, consumers' personal information was at serious risk.

At the end of our audit, we asked Staples to provide a report from an independent third party confirming compliance with the recommendations by the end of this June.

We look forward to hearing about how the company has addressed our recommendations.

The report also describes our investigation into Google's collection of highly sensitive data from unsecured wireless networks in neighbourhoods across Canada. The investigation found that Google's Street View cars had inappropriately collected personal information, such as e-mails, user names, passwords, phone numbers, and addresses.

Google's explanation for this serious violation of Canadians' privacy rights was that an engineer had developed code that included lines allowing for the collection of payload data, but failed to flag this to the company lawyer reviewing the project.

We were concerned about Google's lack of control over processes to ensure that necessary privacy protections were followed. We recommended that Google ensure it had a governance model in place to comply with privacy laws. We also recommended enhanced privacy training for Google employees.

There have been significant developments on that file since we published our annual report. Last year we examined the remedial measures Google had put into place following the investigation. We found the company was well on its way to resolving serious shortcomings. However, we did request that Google undergo an independent third-party audit of its privacy program.

We asked Google to share the audit report with our office within a year. We look forward to reviewing the results in the near future.

We've also started to use the approach of requesting third-party audits of companies with other organizations as well.

In conclusion, I've touched on only a very few of the many issues discussed in our two annual reports. I think both reports illustrate the very broad range of privacy issues that can have significant consequences for all Canadians, and the importance of having strong legislation in Canada to protect our privacy rights.

I thank you very much for your attention. I and any members of my staff who may be able to assist me look forward to answering your questions.

11:10 a.m.

NDP

The Chair Pierre-Luc Dusseault

Thank you very much, Ms. Stoddart.

Mr. Angus has seven minutes to ask questions about your presentation.

11:10 a.m.

NDP

Charlie Angus Timmins—James Bay, ON

Thank you, Mr. Chair.

Madam Stoddart, thank you for your excellent reports. In our business we read many reports. Often it seems reports are just data, but sometimes we come across a report like yours, which has a clear vision of the issues of privacy, the state's role, and the rights of the individual. I think it's a very powerful statement.

You state that security and privacy are not opposing values. You also state:

...the state also has an obligation to treat individuals with respect—to preserve their dignity and to safeguard their personal information.

This is not a mere frill or a “nice-to-have”; it is fundamental to the trust relationship that must exist between citizens and their government.

I think that's a very clear and powerful manifesto with which Canadians would agree. The question is how to ensure that this trust relationship is not eroded.

I'm particularly concerned, for example, with Bill C-30 and the lack of protocols that will exist in terms of being able to collect and hold personal data. People have raised concerns about Bill C-30. I know that you've raised concerns. The minister, Vic Toews, said that people who raise concerns are on the same side as the child pornographers, which I find to be a very offensive statement about the issue of privacy.

What are your concerns about the lack of protocols in Bill C-30 to protect the privacy rights of citizens?

11:15 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Thank you very much for that question, honourable member.

In fact in the last few years we've been focusing increasingly on matters of national security and the maintenance of privacy rights because of the various new programs that have been developed.

We published a document that's available on our website called “A Matter of Trust”, which sets forth the principles that we apply and that have been approved over the years within our country and by our courts, in terms of privacy principles and to the extent to which they have been respected. We hope that's a kind of blueprint or a series of suggestions for developing programs on the one hand and for telling Canadians what they can expect on the other hand.

In terms of C-30—in fact, I recently noted in going back over some material—I believe this was introduced under another name and title as far back as April 2009. So for not less than three years we have been commenting on this, both formally and informally. We've been meeting with department officials, and we remain very concerned with the architecture of the bill. Notably—and we have not changed what we've been saying for the last three years—it's with the ability to get personal information of Canadians without authorization, the fact that there is not a proper oversight framework, and that Canadians would remain largely unaware of what is going on.

While we do understand that technology and the access to very complex and efficient technology on the part of people who wish to do no good has complicated the work of our law enforcement forces in Canada, we think we need to see a clear explanation to the public to understand why new enhanced powers would be needed. Once that explanation has been done, we expect to see in any further iteration of the law—or we would hope to see—a more complete supervision framework as well as a role for independent authorization of access to personal information.

11:15 a.m.

NDP

Charlie Angus Timmins—James Bay, ON

Thank you.

You state in your report that “Personal information is available...in unprecedented amounts, and the state's appetite for it is voracious.” It's a very strong statement, so I think with the issue of Bill C-30 there's a concern. But the appetite of private companies for our personal information is equally voracious. I'm concerned about the protocols around how that privacy information is collected, and I see it from your audits of Google and Staples.

But I'm looking at Bill C-12 and the issue of security breaches and the provisions that exist right now—or the lack of provisions—and then the very loosey-goosey provisions the government is bringing in. If someone's data has been compromised, right now under this bill they say if there's significant harm they're obliged to tell the consumer. Significant harm seems to me to be an extremely high bar to set, given that a company is not going to really want to tell consumers that somebody was peeking at their data; they're going to quit the account.

How do you feel Canadians should be protected? Should the breaches be reported to you so that you can set the bar? Should we allow private industry to decide whether or not there's been significant harm? How do we ensure a balance? Is this something that should be reported back to you so you can make that declaration?

11:20 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes. That's another important question that my office is looking at. In fact, I've expressed my concerns with those parts of Bill C-12 that deal with data breach protection. I think in the time that we've been aware of the magnitude of the data breaches that are happening—both within Canada and outside of Canada—to Canadians' information as it circles the globe...we need stronger provisions in C-12.

I'm concerned if Canada does not set a higher bar—including looking at sanctions for companies that do not take necessary steps to protect personal information—we will have fallen well behind the actual practice in many American states, of countries abroad, like the U.K., where fines are imposed for data breaches. They're mostly to public sector organizations, it seems.

I think we have to send a strong signal—and I sent this a year ago to companies—that data breaches are not acceptable. Some may be almost unavoidable because of the cutting-edge technology and so on, but many just seem to be lack of attention, lack of training, and lack of investment in data breach procedures and equipment.

11:20 a.m.

NDP

The Chair Pierre-Luc Dusseault

Mr. Angus, unfortunately, your time is up.

I now yield the floor to Mr. Del Mastro for seven minutes.

11:20 a.m.

Conservative

Dean Del Mastro Peterborough, ON

Thank you, Mr. Chairman.

Thank you to the witnesses today for very interesting testimony.

I was interested in the statement you made with respect to CATSA. Whenever I talk to law enforcement—and CATSA certainly is a law enforcement agency—what they indicate to me is that the more information they have, the better. They'll never turn down information; they will collect every piece of information they can get.

My question for them is why they need this. You said they were over-collecting data. What was their stated rationale for this? Did they have one? Did they have a reason for why they were asking questions that they weren't actually duty-bound to ask and collect?

11:20 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I don't think so, Mr. Chair, but could I ask Assistant Commissioner Chantal Bernier, who is closer to the details of that audit, to answer your question?

11:20 a.m.

Chantal Bernier Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

Thank you.

Indeed, the relationship we have with CATSA is excellent. In this audit, when we did put that finding to them, they agreed to change the practice, recognizing that indeed they did not need that information, that it was beyond their mandate to collect it.

11:20 a.m.

Conservative

Dean Del Mastro Peterborough, ON

So it really was a situation where if they could get it, they'd take it, whether they needed it or not.

11:20 a.m.

Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada