Information & Ethics Committee on June 5th, 2006

Good afternoon, everyone.

Thank you very much, Mr. Chairman and honourable members, for inviting me here.

On the screen you will see an overview of the presentation that I hope to run in the next 15 minutes, which I hope will give you an initial introduction to our role and mandate, the laws we administer, and some of the key issues.

I'll begin by explaining the role and mandate of the Office of the Privacy Commissioner. Unlike other provincial offices, the OPC is an ombudsman office with several roles, the most important of which, from a resources standpoint, is to conduct investigations.

The OPC also conduct audits under two federal privacy laws. Furthermore, it publishes information about personal information-handling practices in the private sector and brings privacy issues to the attention of Parliament.

Although it requires minimal resources, public education is one of the OPC's most important roles, as is research and policy on emerging privacy issues.

We administer two laws, and you're going to hear a lot about the first one in the coming weeks. This is our basic federal government Privacy Act. It came into force about 25 years ago, and this is your basic set of ground rules for the public sector. It's standard in terms of international data protection. Standards now are fairly low. You can use information collected from the public as long as it's directly related to a program or to an activity. You don't need the consent of Canadian citizens, and you don't need to inform them in any direct way about how you're using their information.

Since 2001, the second law we've been administering is our newest privacy law in Canada known by its acronym, PIPEDA, but you can call it the PIPED Act or...there are various ways of pronouncing it. It is now fully in force and it applies to the jurisdiction where the federal government has authority---federal works and undertakings, federal crown corporations that might have private-sector-related activities, and activities of trade and commerce in Canada under section 91 of the BNA Act. Like its counterpart, it sets out rules. These consent-based rules are far more extensive and the standard for privacy protection is a lot higher.

In the last few years, one of the important goals of the office has been to work cooperatively with the provinces and the territories. Some of you will know that privacy protection is also a provincial jurisdiction because provinces have authority over property and civil rights. Privacy is a civil right. It's a human right in the Canadian context, so it was important for us at the Office of the Privacy Commissioner to work cooperatively with the provinces to make sure Canadians have seamless privacy protection as much as possible. I can give you some examples of various joint efforts with the provinces.

Very briefly, some of our current key issues and concerns are these. Under the Privacy Act, the national security agenda, we appeared on the Anti-terrorism Act last spring. We have been asking questions about the purview or the extent to which the Anti-terrorism Act has reduced the individual right to privacy under the Privacy Act as it is now constituted. We're concerned there's less reason for judicial authorization. We think the judiciary is key, that the judicial authority be there when you're going to regiment individual rights and liberties. And we're giving Canadians less opportunity to challenge the curtailment of their freedoms.

On a separate issue, we're also concerned about the increasing blurring of the lines between the private sector and the public sector. In Canada, we're used to the state carrying out laws, certainly carrying out criminal law and national security issues. With a change to PIPEDA that came about two years ago, organizations in Canada are now mandated to specifically request information, to collect it for the express purpose of giving it to the national security authority. Again, this is a trend we want to watch.

The transborder flow of information has been a constant theme in the last few years. There are two major subsets of issues. The first issue is what happens to our information at the border, information we are specifically sharing at our land and air borders, particularly our land border with the United States, given the flow of people and traffic to the United States. We have just finished a first audit of the handling of personal information at some of the land crossings by the Canada Border Services Agency, and we'll be publishing that in our next annual report on the Privacy Act that will come out at the end of June.

We also just received the draft rules for the do-not-fly list from the Department of Transport. We'll be doing a privacy impact assessment on the ground rules for the do-not-fly list.

The second set of issues is known now as the issues linked to the U.S.A. Patriot Act. They're not a U.S.A. Patriot Act set of issues per se; they are issues of transborder data flow--the global flow of our personal information. It has become accentuated in the last few years. It has existed for decades now, but what happens to Canadians' personal information once it leaves the borders of Canada and Canadian law has just recently come to public attention.

Well, thank you. I'll try to be economical.

One of the requests of this committee as it was constituted in the previous Parliament was that we table a paper on Privacy Act reform. This was the first law. The law is now 25 years old, and I've consistently been criticizing it for its inadequate protection of Canadians' personal information.

At your request, Mr. Chairman, I have formally tabled with you our first paper on Privacy Act reform. Some of the issues have to do with transparency. We talk about transparency and accountability; we're saying the government should be accountable not only for amounts of money, for projects, but should also be accountable for Canadians' personal information.

Canadians should have a right to see what's in their files now, but they virtually have no further rights. They cannot request in front of a court that this information be corrected if it's erroneous. Lord knows, sometimes we all have mistakes in our government files; you have no right of correction if the government does not want to correct it. You have no right of damages, as was recently confirmed by the Federal Court in the Murdoch case.

It is virtually impossible for Canadians to track where their personal information is going now. As blood flows through arteries, it takes experts, and even then.... There's a publication called InfoSource, but InfoSource is out of date and it's often erroneous.

Basically what we're saying, Mr. Chairman, is that the federal government should live by the standards it's imposing on the private sector--ask for the same transparency, accountability, and privacy policies it now asks of companies under PIPEDA.

Apart from the basic reform of the Privacy Act, in the meantime, because this is not perhaps a simple affair....

One of the current key issues is ID management. The call to identify the individual in each transaction and to have a secure, reliable identity that cannot easily be stolen is becoming increasingly prevalent. At the same time, however, measures must not represent an unwarranted invasion of privacy. Nor should there be too many demands made in terms of sharing information with the government or a financial institution. These are just a few of the ways in which identity is used.

Another key concern of ours is surveillance. Recently, we have put particular emphasis on video surveillance. Guidelines have been published on our website. Video-surveillance, which is prevalent just about everywhere in the workplace and on the streets across Canada, falls under both federal and provincial jurisdiction and affects each and every one of us. In Toronto, for example, consideration is being given to installing video-surveillance devices on buses and in the subway system. Other municipalities will likely soon follow suit.

The OPC has reached several conclusions as to the legality of video-surveillance in the workplace, pursuant to private sector legislation. Generally speaking, the direction advocated by the OPC has the backing of the Federal Court.

The third key issue that I bring to your attention is the whole burgeoning issue of health information in Canada. Again, like so many of these issues, it's provincial jurisdiction and also federal jurisdiction, because all this information crosses provincial boundaries. As well, the federal government has its own employees, the veterans hospitals, and so on.

When PIPEDA came into force we worked very closely with health providers, notably the Canadian Medical Association, and developed some 75 frequently asked questions about health information on the website.

The fact that the whole health sector was legislated was a bit of a shock back in 2002-03. I think things have calmed down, and the whole health sector is now used to the idea of having a program for the management of personal information. Ontario has moved to adopt its own health information act, and Quebec has had one for many years. So it's an area where we're working with the provinces.

One of the issues we're monitoring is the unfolding of electronic health records across Canada, notably through Canada Health Infoway. It has a billion-dollar budget to assist with the development of electronic health records. In order to make sure that the framework for the management of electronic health information respects privacy principles, we're working with Canada Health Infoway and the provinces. Those are some of the issues in the public sector.

In the private sector, I'll quickly go to anti-spam issues and the need for strong anti-spam legislation. This is something that preoccupies not only the Office of the Privacy Commissioner but the police, because of what spam now carries. It's not just an annoyance or a giggle, depending on what's in the spam message. It carries serious viruses and spyware, and it is a threat to critical infrastructure security as well. This is an issue of competition and consumer protection, and any spam legislation that comes down would probably give various agencies a different role in enforcing spam threats.

Technology generally is a concern, and you may have heard about our annual report on PIPEDA that we launched just last week. We brought to the public's attention the issue of RFIDs, radio frequency identification chips, that are being rolled out across Canada. At the moment they're only in supply chains, but soon they will be brought down to the consumer level, as they are in Europe. We have done a fact sheet with basic information on this, and we will be developing guidelines for industry and consumers in the next months in cooperation with the provinces, because of their role in regulating privacy.

RFIDs is basically a technology that's been around since Word War II, but now it's being adapted to the consumer and supply-chain-level management. I'm not a techie, but I've been told it consists of an antennae, a computer chip, and a casing. It allows this little device to emit a unique signal so that each object is uniquely identified in the universe. That means we can track objects, which is useful in the supply chain for inventory management, national security threats, theft, transportation across continents, and so on. Eventually, because we are linked to the objects we purchase or use, it will allow for the unprecedented tracking of people. They will be entered into a database by linking them with the objects they manipulate or purchase. Therefore there are privacy preoccupations.

To conclude, as an agent of Parliament we can give you policy advice, expert advice, and slants and ideas on some of the legislation that doesn't seem to have privacy implications but may. Of course, we can make appearances, at your request or our request, at various committees.

What will be on in the future? You have our reform proposal with you, and we hope you will invite us back to talk in detail about it. Many months of preparation have gone into our proposal.

We will be bringing out our Privacy Act report in three weeks, and in the fall there will be the review of PIPEDA. We'll see which committee we'll be called to appear before.

The answer is yes.

Thank you, honourable member.

I'd direct you to our latest annual report on RFIDs. Of the companies we surveyed, two indicated already that they've linked goods to personal information and one was using RFIDs to track employees. So it's moving down.

On the accountability bill, we appeared in Parliament last week to point out, notably, that we're concerned that, as it is now presented, this bill will lower the level of personal information protection in three organizations: Atomic Energy of Canada, the CBC, and VIA Rail. All are now covered by PIPEDA, as I said very rapidly. PIPEDA has a better level of personal information protection than the Privacy Act does.

To give you an example, honourable member, if you travel with VIA Rail, under the Privacy Act you have a right to see your file, and you can ask for a correction. But if they don't make the correction and you think you're right, or if there's a slip and somehow your travel information is spilled--published--and it causes you some damage, you have no right of redress. So as we pointed out, why would we take a step backwards? Personal information also needs accountability at the highest level for the Canadian public.

Mr. Chairman, if I may, I'd like to ask Deputy Commissioner Raymond D'Aoust who is responsible for this particular area to answer Mr. Laforest's question.

Yes, sir, we do have a communications and public education plan in place. One of our branches is dedicated entirely to this effort.

To further our understanding of this subject, we commissioned several public opinion polls, one of which will be made public shortly. The findings show that the Canadian public do not have a very clear understanding of privacy and of various related legislative provisions.

We know that the need is great. We have focussed our efforts on small and medium-sized enterprises. Working with an expert-adviser on the subject, we are developing an on-line training module. We hope to develop tools of this nature to help SMEs comply with the legislation.

There's a very complex picture. Maybe I'll start the answer and the assistant commissioner, Heather Black, could complete it, as she was a long-time general counsel and knows....

This is an area of joint jurisdiction, and only three provinces have chosen to go ahead in this area with legislation of their own that meets the test set up in PIPEDA of being substantially similar. I'm sorry, it's three and a half, I guess, if you count health in Ontario.

This law is set up such that the federal legislation applies to the federal sector and commercial activities, unless the province has its own legislation. Quebec has had private sector legislation since 1995. Then Alberta and B.C. have had their own legislation since 2003, and Ontario since 2005.

Do you want to add to that?

There are significant gaps. For example, in the province of Manitoba, where there is no substantially similar law and PIPEDA applies, it applies only to commercial activities. It covers the federally regulated private sector for customer information and employee information. When you move into the provincially regulated private sector—say the retail level, or what have you—it only applies to customer information, so for all of the employees of those organization there is no protection.

The other gap is in areas where the federal law simply cannot go; that is, such areas as health, education, municipalities, schools, hospitals—all of that. That's an enormous gap.