As per the committee's request, we are appearing today before you to give you an overview of the Office of the Privacy Commissioner's investigations process, since your committee is studying issues related to the alleged disclosure of the names of the access to information applicants.
It is our understanding that the Access to Information Act is silent on this front. In other words, there is nothing in the Access to Information Act that specifically indicates that the name of a requester cannot be disclosed. Since there is nothing that says you cannot name the requester, on the surface it would seem that it's not likely a contravention of the Access to Information Act. However, the matter could be a violation of the Privacy Act. This is where our office comes in.
Generally speaking, the name of a requester is considered personal information, and we can investigate to determine whether there has been an inappropriate disclosure of that personal information. The fact that the information happened to be disclosed in an ATIP request to us is incidental, though we do understand and appreciate the larger implications, of course. Whenever personal information is disclosed by a federal department or agency in any context, it may be subject to scrutiny under the Privacy Act.
When faced with any alleged breach, we need to investigate before coming to any kind of determination or conclusion, and each case has to be looked at on a case-by-case basis.
Up until recently, we have not investigated a similar matter for some time and, in the history of our Office, there has only been a handful of cases. Some well-founded, others not. It all depends on the circumstances.
At this point in time we are investigating a matter related to the naming of an ATIP requester and I’m sure you can appreciate that, given this, we are not at liberty to discuss the matter further. Section 33 of the Privacy Act states that our investigations shall be conducted in private, while section 63 of the Privacy Act tells us we have a duty of confidentiality with respect to any information we collect in relation to our investigations. That said, we understand that you would find it useful to have a better understanding of our investigation process under the Privacy Act.
Once we receive a complaint, we begin the process with an initial analysis of whether the allegations fall within our mandate -- whether it’s a matter related to the Privacy Act. Under that law, we can look at cases where a Government department may have improperly collected, used or disclosed an individual’s personal information.
Once we've determined that the matter falls within our jurisdiction, we assign an investigator to the case. We then write to the complainant and the government institution in question to outline key issues in the complaint. We begin to gather all the facts. This process includes interviews with anyone who might have relevant information to offer. We also look at any appropriate documents. The commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence if voluntary cooperation is not forthcoming.
Throughout the course of our investigation we collect all the facts of the case and then follow up with a thorough analysis of that information. The analysis may include discussions between investigators and officials from our legal services, research, and policy branches. The investigator then prepares recommendations to the Privacy Commissioner or her delegate. Those recommendations, along with a summary of the facts gathered during the course of the investigation, are passed on to the complainant and the relevant government department or agency. Both parties can make further comments at this point.
Our ultimate goal is to resolve complaints and stop further privacy breaches. We operate under an ombudsman model, encouraging resolution through negotiation and persuasion. Ultimately it is up to the Privacy Commissioner to objectively decide what the appropriate outcome of the case should be.
The Privacy Commissioner sends letters of findings to the parties and outlines any recommendations she may have.
The commissioner can make a few different kinds of findings. For example, “not well-founded” means she does not believe a person's privacy rights under the law have been breached; “well-founded” means a federal institution violated the Privacy Act; “well-founded but resolved” means there was a privacy breach and the government department has agreed to take steps to prevent a reoccurrence.
Unfortunately, beyond making recommendations, the Privacy Commissioner has no further powers to force government departments to ensure that they implement her recommendations. This is a major gap in the Privacy Act, which is now almost 25 years old and, as you know, badly in need of modernizing. Unlike the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, PIPEDA, we cannot take the matter to the Federal Court, and no real redress is available to the victim. The only court recourse is for denial of access under the Privacy Act.
The commissioner has outlined her proposal for reform of the Privacy Act in the paper submitted to your committee in June. She looks forward to the opportunity to meet with you again for more in-depth discussion of the Privacy Act reform.
Thank you, Mr. Chairman. I hope this has provided a clear picture of our investigation process. We are pleased to answer any questions.
Mr. Chairman, before continuing, seeing that I have been with the Office of the Privacy Commissioner for a mere seven weeks, although at times it feels like a lifetime, I've asked one of my experienced Privacy Act supervisors to accompany me so as to ensure that accurate information is passed on to the committee. If any question surpasses my present knowledge on a subject, I would, with your permission, defer to Ms. Jan Peszat.
Thank you.