Information & Ethics Committee on April 17th, 2008

It's not even ISO; that's another privacy standard we're working on.

The privacy standard of the Government of Canada is probably medium; we think it should be high. It's probably medium, and what helps us is a strong historical appreciation of the value of privacy by the Canadian people across Canada.

However, it's being strongly and consistently eroded, as you mentioned, by national security, by technology, and by international pressures. You will see that the Secretary of Homeland Security recently said that fingerprints were not personal information, which is absolutely contrary to what is in the Privacy Act. That's letting alone the issue of gathering DNA, which is being debated internationally.

What is of medium.... Many countries don't even have these protections. I'm not saying Canada is far down the list, but the current mechanisms are quickly becoming more and more obsolete as these pressures on governments go ahead from technology, from international situations, from world alignments, from international trade, and so on. That's why I would urge you to look at least for some changes. We've really done our best to try to....

When I look at them, at least half of them are now Treasury Board policies that should be enshrined in the law, and we could provide you with more information if you choose to advance the study. It's not that there doesn't seem to be some consensus in government that this is necessary, but we would argue that Treasury Board policies are more likely to run the risk of being honoured in the breach. If the thinking is there, why don't we say it is the law that you do a privacy impact assessment? Why don't we say it is the law that before you send information abroad, you have to go through the privacy evaluation test Treasury Board has set up, etc.?

Oh, yes, this has to do with the issue of recorded information, which is the DNA issue. It's recommendation 7.

Exactly.

That's right. Some of the DNA banks could be under that level, which is of great concern to me.

The expert is Dr. David Flaherty, the former information and privacy commissioner of British Columbia. He is the author of a pioneering study on surveillance societies across the world. Assistant Privacy Commissioner D'Aoust is working on this.

When is it due, Mr. D'Aoust?

Dr. Flaherty co-authored the 1987 report, “Open and Shut: Enhancing the Right to Know and the Right to Privacy”. So we asked Dr. Flaherty, who is on our external advisory committee, besides being a scholar and an expert in this area, to take stock and write a “20 years later” type of report on what he believes needs to be changed.

We have a rough draft report that we reviewed two weeks ago. I believe the deliverable date is the end of June.

I would defer to the commissioner.

I'm not sure about a draft, but perhaps we could ask him to do an executive summary of his thoughts, which we could then present in both official languages, if the committee wishes. Or you could invite him as a witness. He's a very knowledgeable person.

Can the assistant commissioner answer this?

There is a firm by the name of Symantec. It is one of the best firms that monitor cyber attacks. A few years ago, they put out a report referring to an international survey of 30 or 40 countries. The report had apparently shown that 25% of information used for identity theft and fraud comes from government sources.

They didn't actually point to the federal government, but I suspect that this is probably the reality. Furthermore, this is not the work of hackers. Rather, it's an insider problem—people walking out the door with the information and abusing it.

In response to your question, I would suggest that the best way to tackle this problem would be to strengthen the security requirements around personal information holdings.

I receive incidence reports. An ADM will call to inform us that a laptop containing encrypted personal information has been stolen from an individual's house. That's not good enough—that's not the standard we want to have.