Evidence of meeting #30 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was employees.
A recording is available from Parliament.
4:10 p.m.
Liberal
The Chair Liberal Paul Szabo
Actually, it's a good segue, because we are going to talk about the Privacy Act and some expansion. We'll also be looking at the capacity problem. You can make all the changes you want to the Privacy Act, but if you don't have the human resources to deliver, we may have our priorities a little askew. So human resources will be relevant to the rest of this.
I think the members have received the document, the proposed media changes. We had indicated that this was a document we wanted to build on. That doesn't mean we won't be able to add anything. I have read it, as you probably have as well, and my assessment is that there are three or four—maybe even five—items that are pretty straight-forward, pretty no-brainer. We won't need a lot of witnesses to corroborate it.
I am suggesting, Madam Commissioner, that we don't have much time. I think the members have read this, have reviewed the document properly. I believe that we should try to go quickly through the ten, spending very little time on the straight-forward ones, particularly those that are mirroring existing legislation in, say, PIPEDA or provincial law. I think they're self-evident.
For the balance of the session, we would like to identify some of the areas where we may need expert witnesses. Questions may very well come up as we move towards reshaping the Privacy Act, at least to the extent that we've covered it in this report. I don't think we want a major presentation, but it would be helpful if you could walk us through. I want to get to the questions of the members first. That's the important thing for us. So we would ask that you go through and suggest which ones really need attention, placing a little less emphasis on those that speak for themselves.
Would that be okay?
4:15 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, thank you.
4:15 p.m.
Liberal
The Chair Liberal Paul Szabo
Please proceed, then. Let's agree to take no more than ten minutes for this, and then we'll go to questions from members.
4:15 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you very much.
We have tabled a document that we hope is helpful. I'd like to remind the members that we have no pretensions that this is the definitive take on the Privacy Act, nor on the problems of Canadians' information rights. This is a very contextual document. It's meant to suggest some very needed and more easily made changes to a document that now dates from 1982. Throughout the world, it is one of the few information rights laws that has not been modified. So in the group of democratic nations--for example, the U.K., Australia, and so on--we find that our public Privacy Act is now very dated.
I'll go through these recommendations and try to indicate to you the implications of each of them. The first one:
Parliament should create a requirement in the Privacy Act for government departments to demonstrate the need for collecting personal information.This “necessity test” is already included in Treasury Board policies as well as PIPEDA. It is an internationally recognized privacy principle found in modern privacy legislation around the world.
Here we're behind our own most recent standard that this House voted on in PIPEDA.
The second one states:
The role of the Federal Court should be broadened to allow it to review all grounds under the Privacy Act, not just denial of access.
That is, people have the right to see what is in their file. That is the only right they have under the current Privacy Act. They have no right of correction. They have no right to ask that it be modified. They have no right to go to the Federal Court if this information is incorrect, if it's incorrectly released. This was discussed in the case of Murdoch v. Murdoch, which was discussed in this committee. This again is unusual in modern privacy legislation, and much below the PIPEDA standard.
The third one simply enshrines into law the current practice that, according to Treasury Board directives, deputy heads are supposed to carry out a privacy impact assessment before a new program or policy is implemented. The most public example of that is the no-fly program.
We can notionally group together sections 4, 5, and 6, because they're already in practice to some extent and are internal to the workings of the government. I don't think they're things that should cause huge debate. One is a public education mandate, which one of the honourable members asked about. We don't have this mandate. Again we have it in PIPEDA. So in budgetary terms, we are not formally given money to do public education on the do-not-fly program, for example, which many Canadians are concerned about. We are spending money, because you'll see something on our website about the do-not-fly program, but that's not the ideal situation.
Number five is the need for increased flexibility for me to report to the public and to Parliament about privacy management practices. I function in a very secretive way. I report to Parliament and make my findings public once a year, and then unusually in a special report. I first made use of the special report in February about the RCMP's exempt banks. But in the world of information management now, you may have gone through several generations of technology. If you wait to report to Parliament until 18 months after something has happened, Parliament may be breaking up for the summer when you report it. So this is something that should not be difficult to fix, and it would allow me greater flexibility in bringing things to public attention and to Parliament's attention.
Number seven is a housekeeping affair. Once again we're below the level of definition of information that is already consecrated in PIPEDA. This is important because it doesn't explicitly cover DNA samples. As you know, the government is increasingly moving into the use of DNA for crime-fighting purposes.
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Oh, I'm sorry, yes.
My office would like to have greater discretion to refuse or to discontinue complaints if the investigation we suggest would either serve no purpose or is not in the public interest. This is a power that several commissioners across Canada have, and this is again to focus our available resources.
I don't think the public should throw more and more and more money into investigations that have been done over and over and over again. We could put the information on the website and say if this is your problem, read this on the website and try to correct your situation. That would free up resources for us to do systemic investigations into major problems that may take not only a lot of resources but increasingly outside expertise. I'm thinking of accountants, technologists, informatics people, and so on. So that is to have more discretion in handling complaints.
Right now under the Privacy Act I am formally obliged to investigate every complaint that comes in. This is an unusually heavy burden now. Laws tend to give you more discretion; PIPEDA certainly does.
I go on then to number eight. Perhaps I could ask you to explain this one.
4:20 p.m.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes. We believe the annual reporting requirements of government departments should be strengthened. We reviewed section 72 reports for a sample of departments, and the information at best is sketchy, uneven, and completely decontextualized. Even the minimal requirements of the Treasury Board policy as it stands right now are not being met by most departments. We believe that enshrining this in law would ensure a consistent response, if you will, across the federal government.
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Number nine is simply to add an ongoing five-year review. Again, that's in PIPEDA. In an area of privacy that is now so highly technologically dependent, I would think the least we should do is review it every five years.
Finally, number ten is the issue that was already discussed here--that is, enshrining the existing Treasury Board guidelines, which are not in the Privacy Act. These guidelines date from about two or three years ago.
4:20 p.m.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
The PIA guidelines?
4:25 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
No, the cross-border transfer of personal information, simply enshrining it in the law as law rather than guidelines. But that already is Treasury Board policy.
So you see many of them are things that are policy or are in place in other jurisdictions.
4:25 p.m.
Liberal
The Chair Liberal Paul Szabo
Okay. In their book there is an eleventh one; it's the privacy training issue, and it goes back to the HR responsibilities to make sure people are able to do their job.
I want to go straight to questions. Let's find out where the members are.
We have Mr. Pearson, Madame Lavallée, Mr. Martin, and Mr. Hiebert on the first round.
4:25 p.m.
Liberal
Glen Pearson Liberal London North Centre, ON
Thank you, Mr. Chair.
Welcome, everyone. It's nice to have you with us.
In one of your recommendations you suggest that grounds for an application for Federal Court review be brought to include a full array of privacy rights and protections under the Privacy Act and then to grant the Federal Court the power to award damages under that. I'm interested in that. To what extent would you propose to use that power?
4:25 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I guess it would depend on the powers I have under the act. If the powers were similar to that of PIPEDA and given that my office is an ombudsman's office, what you want is a solution. You don't necessarily want litigation, you want a solution. So you would investigate. You would ask if this was a problem. Do you recognize--probably in this case would be a government--that this is a problem, and can it be fixed in a way that is acceptable to us and to the complainant? If so, there's no need to go to court. In the very few cases where a solution wasn't possible or was refused, we would then go to court for the complainant.
I could ask the general counsel to give you a very interesting example of a case that's under way in the Ontario courts, because currently government employees can't have recourse under the Privacy Act to the acknowledged and admitted misuse of their personal information.
April 29th, 2008 / 4:25 p.m.
Patricia Kosseim General Counsel, Office of the Privacy Commissioner of Canada
There are several examples. One is a case where the personal information of prison guards got into the hands of inmates. But to remedy that situation of wrongful disclosure of information under the Privacy Act, there was no possibility of recourse to the Federal Court under that act. The only available means to get enforcement by a court would be to go through the civil courts for civil remedies. There are several possible recourses, none of which the Privacy Act intended to provide individuals in Canada--namely, a more manageable, non-litigious way to try to resolve the issue—and if not available, to proceed to Federal Court as a last resort, under a regime that already allows them a head start when they get there and doesn't require such enormous financial means to be able to sustain protracted litigation.
Those are examples of cases where obviously a remedy or recourse in the context of the Privacy Act would give individuals a head start to get there.
4:25 p.m.
Liberal
Glen Pearson Liberal London North Centre, ON
Thank you.
Just quickly, then, what would the cost implications be? Also, on the legal services side of things in your department, would you be able to handle the opening up of that into the Federal Court? Do you have those capacities to do that, should that happen?
4:25 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Should that happen, we might need additional legal capacities. We haven't costed that out, because I think we'll wait till we see the law reformed. The idea is not to open the floodgates for everybody to sue the government; the idea is that in the cases you'd have to have no remedy brought by the government, and you'd also have to show some real damage. You can be displeased because the government has mailed something to the wrong address, and so on and so forth, but you would have to show the damage. We would look at that before we got involved in a case. We would look at that very closely.
4:25 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I have a number of questions on the recommendations. First of all, the third one concerns the evaluation of privacy factors. I asked you this question in your last appearance, and you answered that it was a privacy impact assessment.
Is there an analytical grid for evaluating those factors? Am I being a little too naive?
4:30 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Mr. D'Aoust is an expert in the area.
4:30 p.m.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you.
There is indeed a very detailed policy, including an analytical grid and a series of questions that the manager must consider in analyzing the privacy impact of a policy or program. It's an extremely exhaustive policy. We've taken the 10 founding principles of the Personal Information Protection and Electronic Documents Act and integrated them into the policy that applies to the public sector. That means that the Treasury Board acknowledged that the Personal Information Protection Act was outdated, and it used the Personal Information and Protection and Electronic Documents Act as a frame of reference. It must therefore be shown that there is a need for collection, security measures, the management framework and we must ensure that there is an obligation for managers to be accountable. It's an extremely rigorous exercise.
4:30 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
You say this grid exists under the Personal Information Protection Act. Did I misunderstand?
4:30 p.m.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
The grid exists under a Treasury Board policy adopted in 2002. The act makes no reference to impact studies. That is why we propose to entrench an obligation to conduct such studies in the act.
4:30 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
That's good. However, you're not proposing the grid itself. I imagine that the grid, or something similar, is also used in other countries.
