Information & Ethics Committee on April 17th, 2008

Thank you, Mr. Chairman. I am certainly very happy to be here and very happy that we have this double session.

I would like to take the opportunity of introducing Assistant Commissioner Elizabeth Denham. This is her first appearance, not only before the committee but on the Hill. We are very pleased that Elizabeth has joined us from the office of the privacy commissioner of Alberta, and she brings a much-needed perspective from the provinces to our functioning.

Also with me is the director general of finance and administration, Mr. Tom Pulcine, whom you have met before.

I have a short opening statement, which I hope will summarize the issues in the document that is set before you and will allow you to approve in principle the credits that go with us.

If I go back now to 2005, where we fixed our mandate of trying to take a more proactive approach to protecting and promoting the privacy rights of Canadians, we have received some increased resources. This has allowed us to reduce our backlog of investigations; reduce turnaround times for privacy impact assessments; be more active in the investigation field; initiate more complaint investigations--most recently, the TJX data breach, the U.S.-based owner of Winners and HomeSense stores; increase the number of audits that we've been able to undertake, and you may have seen the special report to Parliament on the RCMP this winter; and become actively involved in court litigation.

When we received more resources we understood our new vision for the organization, but we underestimated the challenge of implementing it. We now realize that we need to double our efforts to become more efficient in investigating. This is partly due to contextual challenges as well as to our ongoing obligation under both acts to receive and investigate every complaint that comes to us.

Through our work it has become apparent that more targeted and more specialized communications and outreach activities are needed to foster privacy awareness among Canadians.

For example, we've begun the development of a social marketing campaign on children's privacy online. We've embarked on a regional engagement program to better understand the privacy concerns and the awareness levels of citizens across the country.

We recognize the need to address key issues in order to have a real, positive, and measurable impact in niche areas, so we've identified four priority privacy issues on which to focus efforts over the next three years. These are information technology, privacy and national security, identity integrity and protection, and genetic privacy.

These priorities will allow us, we hope, to leverage resources across the organization, to plan concerted and collaborative action with key stakeholders, to build the necessary expertise and capacity, and to adopt a deliberate, multifaceted approach using a number of enforcement tools and research and education efforts to more effectively address these emerging privacy issues.

Finally, the implementation of the Federal Accountability Act last year has resulted in new responsibilities for our office. To handle these responsibilities we've created an office to manage access to information and privacy requests. We are now hiring additional investigators to handle new organizations that are now subject to the Privacy Act, and we are establishing an internal audit program, which is required of all entities.

In recognition of this new vision and our organizational challenges, we have identified five strategic priorities for the new year: continuing to improve service delivery through focus and innovation; strategically advancing global privacy protection for Canadians; supporting Canadians to make informed privacy decisions; building a sustainable organizational capacity; and providing the leadership to advance the four priority privacy issues I've mentioned.

Throughout the next year we will continue the work we began last year in reshaping our organization to make it more modern, responsive, and proactive. As I said, I'm very pleased this year to welcome Elizabeth Denham, who has been our new assistant privacy commissioner since November of last year. As the assistant commissioner with primary responsibility for PIPEDA, Ms. Denham is tasked with raising privacy awareness and ensuring legislative compliance among businesses. She has led the organization's regional engagement efforts, meeting with stakeholders and forging important relationships in the Yukon, in Saskatchewan, and in Nova Scotia in the very short time that she has been in this post.

I'd like to move on now to the theme of building sustainable organizational capacity. We are currently updating our organizational human resources plan, in keeping with our objective of building a sustainable organizational capacity. Our plan has two main components: a staffing strategy that allows us to build our workforce, and a retention strategy to engage, develop and retain our staff.

Our human resource plan is ambitious—as you will note in the graph you've received, we need to substantially grow our organization to adequately address our organizational workload and manage the increase in demand for our services.

Nowhere is the demand for our services greater than in our Investigations Branch. Last year, we reported to this Committee on our efforts to chip away at our backlog of complaints. While the backlog of PIPEDA complaints has been substantially reduced, our backlog of complaints under both the Privacy Act and PIPEDA remains, because we continue to face challenges attracting and retaining investigative personnel. Each year for the past two years, this branch has experienced a 40 per cent turnover in staff.

Along with the staffing and retention strategies I've already mentioned, we are re-engineering our entire business process. Ms. Denham is responsible for this initiative. We are seeing more complaints involving technological and transborder issues. There is an ever-increasing need for cooperation with our provincial and international counterparts. Our goal is to create a branch with the skills, knowledge and processes to respond to these complaints efficiently and well. We anticipate the re-engineering of our processes to be completed in 2009.

Last fall Canada hosted the 29th annual Conference of Data Protection and Privacy Commissioners under the theme of “Terra Incognita”, bringing together over 700 data commissioners and privacy experts from around the world to share ideas and knowledge.

I think you've all received, Mr. Chairman, this résumé of the proceedings. We were honoured by the presence of Speaker Milliken, who opened the conference. Overall the conference was deemed an overwhelming success by delegates, who left Montreal with a renewed sense of common cause and action.

One prevalent theme that emerged from our conference is that citizens around the world are increasingly concerned about when and how their personal information is shared across international boundaries. To address this growing concern, we have made global privacy protection, with a strong dose of Canadian content, one of our five strategic priorities. One country or jurisdiction alone cannot confront the phenomenon of outsourcing and the range of privacy issues that flow from it. At the international level we have started this work to find solutions to the privacy issues implicit in transborder data flows.

In conclusion, Mr. Chairman, the environment in which our office operates continues to evolve, demanding from us that we evolve along with it so that we may fulfill our mandate of protecting and promoting the privacy rights of individuals.

This year promises to be a dynamic one for our organization. From our internal recalibration of our business processes to our new outreach initiatives, the key word for us is change.

While our current resources have allowed us to take on several major initiatives in support of our new vision, there are still gaps we need to fill and challenges we need to address, many of which I mentioned today. In the coming weeks I look forward to engaging you once more to outline how we plan to meet these outstanding challenges.

Our goal is to become a data protection authority that is modern, proactive, efficient, and sufficiently flexible to adapt to the realities around us, so that we may provide Canadians with the necessary assurance that their personal information is being respected and protected here and elsewhere in the world.

I thank you once again for the opportunity to speak to you today, and I would be pleased to answer your questions.

Thank you.

Mr. Chairman, the credits we will need in order to apply the Federal Accountability Act are calculated automatically by Treasury Board and therefore will be added automatically to the credits we will have in the coming year.

Can I ask the chief financial officer to respond?

They're not currently reflected.

There are multiple sources of information within our reports on plans and priorities. In one of the financial tables, you'll see the amount related to the Federal Accountability Act. On page 7 of the report on plans and priorities, it's identified under “Implementation of the Federal Accountability Act”, a total of $1.1 million.

That's right. It's not currently part of the estimates before you today.

To have those added to our appropriation, we must present a Treasury Board submission. Before we do that, of course, we would present a business case to the new all-party parliamentary panel to get their blessing, and then we'd bring that to Treasury Board through a Treasury Board submission. It would show up in the supplementary estimates.

Yes, I am.

Yes.

To the Privacy Commissioner.

I think there's a theoretical, if not a practical, link between me and the Comptroller General.

Unlike many other government departments and agencies, the Privacy Commissioner, being an officer of Parliament, has a somewhat unique role with Parliament that differs from that of a departmental head.

Yes, I am—certainly, to the best of my knowledge.

I might add that this particular challenge of being an agent of Parliament while making sure that we conform with all applicable government policies, particularly on financial accounting matters, is a matter of active discussion between Treasury Board and the agents of Parliament. Briefly put, we have agreed that we will follow the standards, by agreeing among ourselves to be audited by a single auditor other than Treasury Board. The auditor will lay its report before Treasury Board. So, in fact, we will keep our nominal autonomy, but will follow the same standards.

No, we would go outside to find a third party who would audit...I think all of us are in the discussions.

In terms of an internal audit capacity, but in terms of our audited financial statements, it is the Auditor General who does our audits.

Yes. I was talking about internal audits.

Thank you for that question.

In the material we prepared for you, we have given you some tables at tab 5, because this issue has been a concern of the committee in the past.

The quick answer to your question is, yes, we experience all of those problems, but we experience them no more nor less than the rest of the public service. There is huge turnover in personnel, for all kinds of reasons, which are well known. That has singularly hampered our recruiting and our retention efforts.

Yes, we do. I mentioned it; we are reinforcing our retention plan.

For example, we are developing a questionnaire for exit interviews. Because we're in competition with many other agencies and departments in Ottawa, we're trying to make ourselves an employer of choice. We're trying in particular to look at how to attract and keep the bright, highly technological, and skilful younger people whom we need.

Right now, we have 122.

There are very few in acting positions right now. There are two....

Most of those, or 106, are full-time indeterminate positions. There are nine acting, one student, and two part-time positions, and the rest are either loaned out or loaned to us.

As regards a number of our business processes, there remain some significant challenges: rethinking our way of carrying out investigations, making more room for mediation and trying to accelerate our processes. And, I would like to highlight that point in relation to the investigations we are currently carrying out. At the present time, we are focussing more and more on the information provided to complainants initially, so that they have the tools they need to resolve their issues. And that clearly relates to investigations, which are a central aspect of our activity.

I mentioned that we have been conducting more investigations that we ourselves initiate. That is an important tool. When you have reasonable grounds to believe that there are problems, you need to be proactive and find out for yourself. In our increasingly technological world, ordinary citizens, and even people in our own offices, may not be aware of existing problems, because they occur in a virtual world. Investigations in the virtual world are therefore one of the important areas where we must get involved. Here are some examples.

We carry out joint audits—for example, with the Auditor General—and we work with the provinces who are interested in cooperating with us.

In order to be fair, the way we currently do investigations is such that we work on the basis of the order in which we receive complaints—one after the other. At least, that is the way it was previously. We have changed our way of doing things. Increasingly, we want to make an intensive effort right from the start, not only to keep citizens and organizations informed, so that they can correct the problems themselves, but also to triage complaints strategically, so as to focus on those that have a significant systemic, social or institutional impact.

We are currently developing a triage factor analysis grid. For example, we're interested in finding out whether a specific problem is raised often by the same individual. Some people are almost like subscribers. Under one of our acts, it is difficult for us to close a complaint file or refuse to deal with complaints made by those who contact us regularly. I think that, for the public, there is a need to put an end to…

Yes, exactly. You put your finger on it.

A citizen or a group can raise an issue which has repercussions, either all across the public service, or in the private sector. It may change the institution's practices as a whole or create a precedent, for example.

Our lawyers recently argued a case in front of the Supreme Court of Canada. It's a case that we are investing a great deal of time and energy in, because it is very important for all Canadians. The question is whether or not we have investigative powers in relation to documents covered by solicitor-client privilege.

Because it wasn't explained exactly in those terms in PIPEDA, there is a debate as to whether or not we can see those documents. The idea is not to use them as evidence, but simply to determine whether client-solicitor privilege applies. This is a very important matter in all the investigations we carry out under that legislation. We have said that when an organization refuses to cooperate with us for the purposes of an investigation, that we need to go further with this, because it will clearly affect everyone that we investigate.

Essentially, yes.

Yes, and we want that to apply not only to individuals, but to institutions—for example, federal government departments. We would like to prepare a more detailed picture of the complaints that we receive in the course of a year. That requires a kind of computer sophistication that we don't have for the time being, but it is part of the retooling.

In a case where, year after year, we receive dozens of complaints from various sources dealing with the same subject, where the problem has been corrected but comes back subsequently, we need to determine whether, ideally, we should continue to process these complaints or simply carry out our own investigation and table a special report with Parliament, given that the legislation is not being complied with.

Yes, I mentioned the case involving TJX, which is an extensive investigation, and the one involving SWIFT, which is global in nature.

Since 2005, we have initiated about 15 investigations.

At the present time, about 1,500 investigations are ongoing. Last year, we received 752 complaints under the Privacy Act and 289 complaints under PIPEDA.

Anything is possible, but the trend seems to be maintaining itself. There are fewer complaints under PIPEDA than under the Privacy Act. I think you have to look at who complains under the Privacy Act and why. Remember that a lot of our complaints under the Privacy Act are against Correctional Services Canada, the Solicitor General, the RCMP, Employment and Immigration, HRDC, and so on. That's one kind of discrete population.

Exactly, Mr. Chairman. In the second hour of our meeting today, that's one of the recommendations I'll be suggesting to you could be rather easily changed in the Privacy Act, and I've already suggested in PIPEDA, in the letter sent to the Minister of Industry in January of this year, that having more discretion--and commissioners around the world are asking for more discretion--would make us more effective in rendering services to a greater number of citizens.

Yes, people who are incarcerated, and there's also a large number from those who work in the Correctional Services institution. We reported on this at great length in one of our last annual reports. There are serious discussions, and personal information is a part of that, in the correctional world, but it's mostly from the people who are incarcerated.

I think it's a generalized problem. In fact, I just came from a presentation, if I may quote her, by the President of the Public Service Commission, Madam Barrados, who also reports to Parliament, and across the public service there's a 40% turnover rate.

Yes. So we're trying to become more refined on how we search for candidates and go to pre-screening, to cross-Canada competitions. We're running one now for a very important job to look at interchanges with other privacy commissioners. It's just a challenge because there are so many other agencies and departments in competition with us for the same pool that we can't hire fast enough, and civil servants are retiring, and so on.

We've had some of those too. We've had people from other data protection agencies come and do a kind of stage or a practicum, but they're not a long-term solution.

Yes. That's for the parliamentary panel to consider in the coming weeks.

Yes.

Yes, unless, Mr. Chairman, you are also a member, as I understand, of the parliamentary panel, which is composed of many of the members of this committee. I don't think its composition is fixed. There are some members of this committee, I know, who've been on the panel. We go before that panel once we've agreed with Treasury Board on the presentation.

No.

If the plan gets approved, I think we're looking at something like around 30 FTEs and around $5 million.

Yes. It's under discussion with Treasury Board.

My recollection is that none lapsed, because of course we have to look at all the ways to compensate for this terrible problem of not being able to hire personnel. So we contracted out to professional and special services a lot of the--

That's right, and then we have a carryover almost to the limit, I think, that we're legally allowed.

That would constitute or relate back to your lapse. All government departments and agencies are allowed to carry forward 5% from one year to the next year.

That's right.

Some people refer to that as a lapse from one year, when actually it becomes automatically a carry forward to the next year.

No, it's identified as temporary resources, per se.

It doesn't, no.

Yes.

No, I think we're just giving more detail.

It's a long and slow process. I understand we have a tentative appearance before the parliamentary panel on May 7--not confirmed--and then processes are a couple of months, I suppose.

We're tentatively scheduled in early May to appear before the parliamentary panel on funding for offices of Parliament. If that takes place, then a Treasury Board submission would be prepared and submitted to the Treasury Board, which may get approval two or three weeks later. Then it would show up in the supplementaries that would be presented to you, probably in October, November, whenever the supplementaries would be presented.

I'm suggesting that the time of the Office of the Privacy Commissioner could be better spent. You could suggest bringing reform to the Privacy Act and also to PIPEDA. We don't even have the possibility of declaring complaints frivolous and vexatious and made in bad faith, as we do under PIPEDA. Even that is not that useful.

We need to pick and choose. I think for some complaints we have to be able to say to citizens, “Okay, this is all the information. This has been decided time and again. Here you are.” Then we can concentrate on something that is going to impact thousands of Canadians.

So yes, I don't think our time is well spent having to investigate every single complaint. And then someone can make a complaint once the organization has not replied within the 30-day time limit. Some populations do that more than others. I don't think it's useful to the concept of privacy rights in Canada.

It is, Mr. Chairman, yes.

Yes, it's one of the recommendations.

I think it's a huge problem. I know that Ms. Barrados, just coming from a presentation she gave, thinks it's a problem for all of us, because when you wait to hire people full time, you may wait a very long time.

We have a very specialized employee we've been waiting for. It's been six months since we made an offer of employment. Now, this is a particular question for us. It's a security clearance. You understand that a lot of our work needs security clearances, and after six months the person doesn't have a security clearance. That's apart from the time it took to go through the hiring process.

So we look at our mandate, what we have to do, and the services we're supposed to render, and we try to get them done. We're all concerned. But we're all competing with each other and making offers and kind of poaching each other's employees. It's a very difficult world. I could hire that person to whom we've made an offer after that person has passed the security clearance, and with two weeks' notice—this is how the rules work—the person can be off to another department. It may take me eight months to hire someone, but the person can leave in two weeks. It's not something I individually can change. So since I have the money, how do I get the work done according to the rules?

That's why we thank you for supporting our immigration policy.

Yes, we're going slightly down, by about $500,000.

Well, there are two things. I did mention that we do have human resources plans in place to increase hiring and to look at the issue of retention. How, within the same rules that apply to everybody, can we make sure people want to stay with us longer or more consistently rather than accepting job offers, as a way, within this context that everybody is faced with, of trying to basically swim against the tide? So we are looking at that.

You mentioned several things. Yes, our budget did decrease slightly, but as we mentioned previously here, we are going to ask for some more resources in order to bring it back up and to deal with new issues, like the federal accountability bill.

From year to year, though, if you look, we have steadily increased the number of permanent, full-time indeterminate positions. It kind of goes like this: people go in, people go out. There's what's called churning, which is very difficult for an organization, but we're working the base up, and I think too we're starting to attract a group of very interesting young employees.

One of the honourable members, Mr. Chairman, made a reference to our past. I think probably in the past that was a deterrent to people wondering what they would get into if they came and worked there. I think we've put that in the past. We have some fascinating issues for people to work on, and I think we're starting to attract more and more talented people. So I'm quite optimistic that we can inch our way up in terms of employees.

Well, one of the elements we're looking at is the type of working conditions people in our organization can benefit from. For example, we're fairly flexible about things like working hours, and we're looking at something many employees are interested in: the work-life balance. So, for example, we're organizing sessions where employees can basically look after their physical condition, sponsored by the office, all within Treasury Board guidelines.

Another example is giving them more direct responsibility, because we're a small organization. I know one talented employee left us and came back, having worked for a large organization. This employee said, “Well, if I go to a large organization, I don't have the direct impact that I can have in working in a small organization like ours”. So those are some of the qualities we can enhance to try to attract and keep talented people.

Yes, those are term employees.

It can be a mixture, Mr. Chair. Occasionally they can be hired back, but best policy says one is not supposed to keep hiring employees under contracts that keep repeating themselves.

But I can't say that it doesn't ever happen, for the reason that we have a talented.... For example, one of the situations that we often meet now is that our own employees retire, but they're interested in working for us part-time. They have all the skills. They know the files. They have the security clearances. I don't think it's unique to the Office of the Privacy Commissioner.

I've never seen a particular study of it, but some of those, for example, on very specialized files, can be useful and may have--

Usually on a contract they stay to the end of the contract. It's the permanent employees who, inversely, Mr. Chair, can leave with two weeks' notice, as I've said.

I do.

We do an increasing number of communications, public education--

--and outreach, where....

And investigation of complaints.

No, we do have some employees who work on contract. They're usually former investigators--in fact, all are.

It's somewhere in the $3 million....

It is, but we have a plethora of figures here--

Not always immediately, though.

Mr. Chair, this year we plan to spend roughly $3.5 million on investigations and inquiries. Last year's figure was probably a bit more because some of our resources sunsetted, and that's why we're going back for supplementaries before the parliamentary committee. I don't have them right here to refer to exactly, but it will be in our forthcoming--

Yes, within half a million it's the same up until now.

For legal services, we hire our own counsel. We're not linked to Justice, as other agencies are. We have our own. Currently we have nine lawyers. Exceptionally, we contract outside counsel.

It seems it's about $300,000 for outside counsel, Mr. Chairman.

That is the projection for this year, but my chief financial officer tells me it's been very consistent year to year.

Backlog is currently defined as unassigned cases.

That's right.

Yes, and in fact many investigators have far too many cases to be very efficient with them, but we assign them, because then possibly they can contact the person and try to help them over the phone and so on.

There are many ways to define this.

In terms of complaints that are unassigned, under the Privacy Act there are 368 now, and under PIPEDA there are 49. As you suggested, Mr. Chairman, there are many ways--and I think some of you are accountants, so you know--that we can divide the definitions of our complaint process. We juggle with those and attempt to see how we can do our job most efficiently with existing resources and within the requirements of the act, given that we cannot, as I've explained, under either act quickly say, “We're not going to deal with that”.

Yes, we do.

We are not doing as well as we might hope. Under the Privacy Act, there are different kinds of service standards. In general, treatment times should be 10 months. We are now at 14.4 months for a Privacy Act complaint. Under PIPEDA, the law says we are supposed to investigate complaints within a year. My latest information says we're taking an average of 16.5 months.

Could we have a change of guard, Mr. Chair?

I could go right to the suggestions, Mr. Chair, if that would be more useful.

I think you know both of the persons accompanying me. Assistant Commissioner Raymond D'Aoust is the commissioner responsible for the Privacy Act. He is the expert on the application of the Privacy Act.

Our general counsel, Maître Patricia Kosseim, you've met before.

Mr. Chair, we have sent quite a bit of material to the committee. You had previously received the study we did on reforming the Privacy Act. We did an addendum of April 2008 and in that made some further observations and suggestions. Maybe I could just suggest, then, in the opening statement, that you turn to immediate changes. It's on page 5, or thereabouts.

It's page 2.

Sorry, it's page 2 in your version, yes. So you have received an addendum through the committee.

That's page 2, immediate changes?

Yes. They're also at the end of the addendum.

We are trying there, in response to this committee's concerns, to single out some changes to the Privacy Act that we think would more reasonably be possible to adopt with less complex considerations, shall we say. They're also ones that seem to us to be the most important. They are a combination of the most important and the most simple, or the less controversial, in possible debates because, personal information being a constitutional right, there are many debates about the role of government in it, and so on.

Yes.

I'm at the addendum, Mr. Chairman, April 2008.

At the very end, “Changes of Immediate Benefit to the Privacy Act.

If that's more convenient to the members.

If we go down that list of the changes...maybe I'll read them out. Number one:

Creating a legislative requirement for government departments to demonstrate the necessity for collecting personal information. This necessity test already exists in Treasury Board policy, as well as in PIPEDA....

It's recognized internationally, for example, in the European Union. The collection must be reasonable, and there must be a demonstrable need for each piece of personal information.

I don't know how you want to proceed, Mr. Chair.

Thank you, Mr. Chairman.

Yes, overall as Privacy Commissioner, first of all, I welcome your interest in this topic. The topic is not new, and over a period of many years, beginning five years after this act was passed, there has been a great hesitation for successive governments to make any changes to the Privacy Act, except in consequence of other legislation.

The reform of this act, I think, is extremely important for all the reasons set out in both of the documents, and Ms. Black may have expressed also her concern with the fact that this act now does not meet modern international standards. Even for the government—the government is not subjecting itself to the standards it imposes on Canadian corporations or the rights it gives Canadian consumers in relation to Canadian corporations or the rights it gives to complainants to our office, who do not like the way they've been treated by Canadian commercial organizations, to take their problems further. You can't do that with the government. I think there's a real issue of equity. There's an issue of modernization. There's an issue, in a society that values something as important as this, of making sure the rights are defined in a way that makes them practically applicable today.

There's also the whole issue of the emergence of the information society in a much stronger way than was even foreseen in the early 1980s. You would be interested to know that something like 25 million Canadians are now very active in the virtual world—for example, on Facebook. There are something like 30 hours a week spent by people who are active on sites like Second Life, who live a kind of parallel virtual life.

I'm just using these examples to say how the reality has changed and how the privacy doesn't, and that the issue of personal information and what is being done with it, and so on, is a real daily issue for Canadians, and we don't have a law that's adequate to face that task. My staff and I have tried to come up with these suggestions that I don't think are extremely radical, if you look at the history of suggestions for reform or if you look at more modern legislation.

There are also two more suggestions I'd like to make: one is fairly easy, about a five-year review, and the other deals with the issue of transborder data flow.

In the real world, ideally one could write a whole new information rights law for Canadians, but I think what is more important now is to take the basis of the act. Remember that the act is not alone in assuring Canadians' privacy rights, fortunately. It's also interpreted by our courts. It's subject to the charter itself. Some privacy rights are defined through the application of the Criminal Code, increasingly, and so on. So I think it is in this context eminently fixable, and I have tried to single out the areas where you could suggest a fairly quick change to it—or a fairly simple change. I don't know how quick it would be.

I'm not sure.... Are you asking me to discuss the merits of both approaches?

You're asking how long this would take. That is not a question I can really answer, because it depends on the priority the department or the government of the day puts on it. It involves ideas. It has to go to legislative drafters and through the usual House process.

Yes, there is. It was looked into by a parliamentary committee in 1987. Then I believe it was debated in the early nineties as well, and more suggestions for change were made at that time. But they were not taken up by the respective governments, as I understand. There's been no change, so....

I don't honestly know. That's not part of the recorded—

I suggest you look seriously at the issues we have suggested. We have also provided the clerk with the names of some witnesses, and it might be interesting for you to hear from them. Then come to a suggestion on what could reasonably and realistically be done in the near future, in terms of changing the most important parts.

The matter of our survival is more related to the debates held by this Committee in the previous session.

If you could recommend those eight changes, as well as two others that I added…

In my written presentation…

The five-year review, as well as…

Yes.

That may be asking a little too much.

Mr. Chairman, could I ask the Assistant Commissioner, who is very well acquainted with the Act, to answer that question?

Thank you, Ms. Stoddart.

First of all, the eight changes and our two suggestions would certainly help us optimize our resources and our impact. We would have greater discretion to investigate systemic complaints, as opposed to individual complaints, which have very little societal impact.

Second, we would like the Federal Court have more opportunity to hear our submissions with respect to all the grounds laid out in the Act, and not only denial of access. That is very important, because the cause of action for a private sector complainant can be any of the grounds laid out in the Act, whereas a public sector complainant can only invoke denial of access to personal information.

The Act provides that any citizen has a right to request access to information contained in a personal file held by the Canada Border Services Agency, for example. So, under the Act, there is a guaranteed right of access. For example, if you believe you have been injured in that regard, you can seek recourse from the Federal Court.

We believe these changes would mean that the public sector legislation would provide for the same level of protection as what exists in the private sector. That is a very strong argument in their favour. Essentially, why should our rights, in terms of the relationship between citizens and government, be any less protected than they are for consumers dealing with merchants?

If you don't mind, I would like to tell you about the work carried out by the Treasury Board in that regard. It has established guidelines on information sharing in the context of agreements federal government departments have signed with public partners.

We would like there to be an in-depth review of this whole area. Let me give you an example. We are in the process of doing an audit, and the information-sharing agreements run in the hundreds in one department in particular. We have not yet completed that study. So, I would like to keep the identity of the department confidential.

Yes, or with other levels of government, private partners, and so on. We are wondering who is in charge and who has an oversight role in terms of all these information-sharing agreements. This is not a new issue. I just want to point out that in 1987, a standing committee looked at this. It devoted an entire chapter to transborder or trans-organization data flows. There was an awareness of the issue in 1987. The committee suggested a number of amendments to the Act at the time, but they were never implemented.

Yes, I think so. We need a framework for managing these agreements. At the present time, the Act is silent on this.

Yes.

For example, there need to be very specific standards with respect to information security, as well as restrictions on secondary uses of that information—in other words, so that it cannot be put together with information from other data banks for verification purposes. They have to be very clear parameters with respect to the use of Canadians' personal information.

I already presented it.

The Assistant Commissioner has just been talking about the principle that underlies the second change we are requesting. That is, the ability to take one's case to the Federal Court on any ground, and not only because you have been refused access to your file. In addition, we are proposing to entrench in the legislation the obligation—which already exists under Treasury Board Guidelines—to carry out privacy impact assessments prior to implementing new programs and policies. This is nothing new. It is simply a matter of enshrining it into law. The fourth change is not new either. The current Act does not give us the mandate to get involved in public education.

Yes, exactly. We do a little of it.

Let me explain, Ms. Lavallée. In 2002, the Canadian government, through the Treasury Board, introduced a policy on privacy impact assessments. In English, it is called

privacy impact assessment.

All deputy heads…

Yes, exactly.

We conducted an in-depth audit of the way that policy is being applied, and realized, first of all, that it is very uneven. Second, impact assessments are often conducted after a program has been introduced, which gives us very little opportunity to manage the risks. Third, we believe that entrenching that obligation in the Act would make for a more effective and efficient policy.

Privacy seals are used in the United States and throughout the Asian world right now, so I've never quite asked myself.... They are usually self-administered. It's like a chamber of commerce--

It's not even ISO; that's another privacy standard we're working on.

The privacy standard of the Government of Canada is probably medium; we think it should be high. It's probably medium, and what helps us is a strong historical appreciation of the value of privacy by the Canadian people across Canada.

However, it's being strongly and consistently eroded, as you mentioned, by national security, by technology, and by international pressures. You will see that the Secretary of Homeland Security recently said that fingerprints were not personal information, which is absolutely contrary to what is in the Privacy Act. That's letting alone the issue of gathering DNA, which is being debated internationally.

What is of medium.... Many countries don't even have these protections. I'm not saying Canada is far down the list, but the current mechanisms are quickly becoming more and more obsolete as these pressures on governments go ahead from technology, from international situations, from world alignments, from international trade, and so on. That's why I would urge you to look at least for some changes. We've really done our best to try to....

When I look at them, at least half of them are now Treasury Board policies that should be enshrined in the law, and we could provide you with more information if you choose to advance the study. It's not that there doesn't seem to be some consensus in government that this is necessary, but we would argue that Treasury Board policies are more likely to run the risk of being honoured in the breach. If the thinking is there, why don't we say it is the law that you do a privacy impact assessment? Why don't we say it is the law that before you send information abroad, you have to go through the privacy evaluation test Treasury Board has set up, etc.?

Oh, yes, this has to do with the issue of recorded information, which is the DNA issue. It's recommendation 7.

Exactly.

That's right. Some of the DNA banks could be under that level, which is of great concern to me.

The expert is Dr. David Flaherty, the former information and privacy commissioner of British Columbia. He is the author of a pioneering study on surveillance societies across the world. Assistant Privacy Commissioner D'Aoust is working on this.

When is it due, Mr. D'Aoust?

Dr. Flaherty co-authored the 1987 report, “Open and Shut: Enhancing the Right to Know and the Right to Privacy”. So we asked Dr. Flaherty, who is on our external advisory committee, besides being a scholar and an expert in this area, to take stock and write a “20 years later” type of report on what he believes needs to be changed.

We have a rough draft report that we reviewed two weeks ago. I believe the deliverable date is the end of June.

I would defer to the commissioner.

I'm not sure about a draft, but perhaps we could ask him to do an executive summary of his thoughts, which we could then present in both official languages, if the committee wishes. Or you could invite him as a witness. He's a very knowledgeable person.

Can the assistant commissioner answer this?

There is a firm by the name of Symantec. It is one of the best firms that monitor cyber attacks. A few years ago, they put out a report referring to an international survey of 30 or 40 countries. The report had apparently shown that 25% of information used for identity theft and fraud comes from government sources.

They didn't actually point to the federal government, but I suspect that this is probably the reality. Furthermore, this is not the work of hackers. Rather, it's an insider problem—people walking out the door with the information and abusing it.

In response to your question, I would suggest that the best way to tackle this problem would be to strengthen the security requirements around personal information holdings.

I receive incidence reports. An ADM will call to inform us that a laptop containing encrypted personal information has been stolen from an individual's house. That's not good enough—that's not the standard we want to have.

I would have difficulty giving a useful answer to the first part of your question, Mr. Chairman. However, one of the recommendations, for example, in regard to the public security and emergency preparedness portfolio, particularly, where we first brought this up, mentions the idea of deputy ministers making an annual report on the privacy challenges and the privacy initiatives they have undertaken. I forget which recommendation it is.

When PSEPC was formed, I made the recommendation that given the amount of personal information washing through that department, it wasn't too much to ask the minister and the deputy minister to specifically report to Parliament on that. I think we could extend it now to most ministries.

Well, that's where I said that without maybe some study, I couldn't give you a useful answer. Part of the difficulty in giving you a useful answer is because of what a privacy commissioner, who has basically the same status as a member of the public vis-à-vis foreign governments, doesn't know.

In terms of mechanisms, I know that my colleague, the U.K. commissioner, Richard Thomas, has been very active on this. I would call attention to the U.K., but the U.K. may not have the same security challenges as Canada. That is not information I'm privy to.

To the first part of your question about whether the government should not data match, particularly in that case, I don't think I'm saying the government should never data match. The issue that came up in that case, which I believe went to the Supreme Court and is known familiarly as the “snowbirds case”, was the fact that the public was unaware of that and did not know, in fact, that their actions and their information were being tracked and matched.

Well, I'm trying to dissociate, I think, the two parts of your question and what happened in that case, which had to do with the expectation of privacy and the interpretation of the Privacy Act and the Customs Act as it then was. I'm saying to you that my predecessor contested that case and lost, obviously, because people did not expect that.

However, it's legitimate, I think, for the government to track fraud. It's legitimate, then, to take reasonable means to track fraud. The question is whether you take excessive means and whether people know about this and expect it, which goes to principles of transparency and open governments.

The issues are as follows. Is the purpose legitimate? For example, I'm suggesting that tracking fraudsters is now accepted as legitimate. Do people know about it--unless, of course, it's a national security issue; that may be something different. Do they expect it? Do they have access rights? If I find that I've been wrongly data-matched with somebody else, somebody who has a similar name and so on, what can I do to contest this?

I suggest there is now very limited recourse for citizens in the act. But you've worked on data matching--

The Treasury Board recognizes the need to review its data-matching policy, which dates back to 1989. A survey done by Treasury Board a few years ago demonstrated that there was very little understanding of that policy. That's the first problem. There's almost a kind of public servant education imperative here.

The second problem is that the policy, as it was defined in 1989, is very limited and very narrow. It allows for front-end and back-end types of matching, but it doesn't include new phenomena like data aggregation and data mining. Basically, there are private vendors selling data mining capacity, and governments are purchasing those services.

We believe a more expansive definition of data matching is needed. We've had repeated discussions with Treasury Board about that. I think they recognize the problem. However, we haven't seen any movement on a renewal of the data-matching policy. Our audit group has written to deputy heads, asking them about their data-mining practices, and we have gotten, I would say, very limited response. So that's an issue.

Do you mean in my spontaneous remarks of a few minutes ago?

Well, it perhaps wasn't the greatest. It's a very good question. It's PIPEDA, in particular. In fact, we're looking at the reach of PIPEDA and the effect these gaming sites may have on privacy rights.

I'm not suggesting that we're going to touch gaming sites by reforming the Privacy Act. I was simply trying to say--I'm making a presentation on it on Monday--that many Canadians now, I realize from the research I did, live in a virtual world, a world in which their privacy rights are increasingly fragile. So it behooves us to make sure that in this world where they're often unaware of their privacy rights--we also know that only 25% of people on social networking sites use the privacy settings--some of us take the leadership to enhance their rights.

No, except in response to both questions,

I believe we have already sent the Committee clerk a list of witnesses you may wish to hear from.

If you want to look at the question of calling witnesses, I believe we've sent a list of witnesses already, given the short timeframe, Mr. Chairman.

Certainly, we would be very happy to come back on the 29th, and perhaps we could look at reorganizing some of the material here to facilitate its study by members and to explain why we've chosen these. Perhaps we should separate out things that are already government policy and that enshrining in law should not be too big a step. And we could make some comments on each of them.

Would that be...?

Yes, with the suggestions.