Information & Ethics Committee on April 29th, 2008

Yes, thank you.

Thank you very much.

We have tabled a document that we hope is helpful. I'd like to remind the members that we have no pretensions that this is the definitive take on the Privacy Act, nor on the problems of Canadians' information rights. This is a very contextual document. It's meant to suggest some very needed and more easily made changes to a document that now dates from 1982. Throughout the world, it is one of the few information rights laws that has not been modified. So in the group of democratic nations--for example, the U.K., Australia, and so on--we find that our public Privacy Act is now very dated.

I'll go through these recommendations and try to indicate to you the implications of each of them. The first one:

Parliament should create a requirement in the Privacy Act for government departments to demonstrate the need for collecting personal information.This “necessity test” is already included in Treasury Board policies as well as PIPEDA. It is an internationally recognized privacy principle found in modern privacy legislation around the world.

Here we're behind our own most recent standard that this House voted on in PIPEDA.

The second one states:

The role of the Federal Court should be broadened to allow it to review all grounds under the Privacy Act, not just denial of access.

That is, people have the right to see what is in their file. That is the only right they have under the current Privacy Act. They have no right of correction. They have no right to ask that it be modified. They have no right to go to the Federal Court if this information is incorrect, if it's incorrectly released. This was discussed in the case of Murdoch v. Murdoch, which was discussed in this committee. This again is unusual in modern privacy legislation, and much below the PIPEDA standard.

The third one simply enshrines into law the current practice that, according to Treasury Board directives, deputy heads are supposed to carry out a privacy impact assessment before a new program or policy is implemented. The most public example of that is the no-fly program.

We can notionally group together sections 4, 5, and 6, because they're already in practice to some extent and are internal to the workings of the government. I don't think they're things that should cause huge debate. One is a public education mandate, which one of the honourable members asked about. We don't have this mandate. Again we have it in PIPEDA. So in budgetary terms, we are not formally given money to do public education on the do-not-fly program, for example, which many Canadians are concerned about. We are spending money, because you'll see something on our website about the do-not-fly program, but that's not the ideal situation.

Number five is the need for increased flexibility for me to report to the public and to Parliament about privacy management practices. I function in a very secretive way. I report to Parliament and make my findings public once a year, and then unusually in a special report. I first made use of the special report in February about the RCMP's exempt banks. But in the world of information management now, you may have gone through several generations of technology. If you wait to report to Parliament until 18 months after something has happened, Parliament may be breaking up for the summer when you report it. So this is something that should not be difficult to fix, and it would allow me greater flexibility in bringing things to public attention and to Parliament's attention.

Number seven is a housekeeping affair. Once again we're below the level of definition of information that is already consecrated in PIPEDA. This is important because it doesn't explicitly cover DNA samples. As you know, the government is increasingly moving into the use of DNA for crime-fighting purposes.

Oh, I'm sorry, yes.

My office would like to have greater discretion to refuse or to discontinue complaints if the investigation we suggest would either serve no purpose or is not in the public interest. This is a power that several commissioners across Canada have, and this is again to focus our available resources.

I don't think the public should throw more and more and more money into investigations that have been done over and over and over again. We could put the information on the website and say if this is your problem, read this on the website and try to correct your situation. That would free up resources for us to do systemic investigations into major problems that may take not only a lot of resources but increasingly outside expertise. I'm thinking of accountants, technologists, informatics people, and so on. So that is to have more discretion in handling complaints.

Right now under the Privacy Act I am formally obliged to investigate every complaint that comes in. This is an unusually heavy burden now. Laws tend to give you more discretion; PIPEDA certainly does.

I go on then to number eight. Perhaps I could ask you to explain this one.

Yes. We believe the annual reporting requirements of government departments should be strengthened. We reviewed section 72 reports for a sample of departments, and the information at best is sketchy, uneven, and completely decontextualized. Even the minimal requirements of the Treasury Board policy as it stands right now are not being met by most departments. We believe that enshrining this in law would ensure a consistent response, if you will, across the federal government.

Number nine is simply to add an ongoing five-year review. Again, that's in PIPEDA. In an area of privacy that is now so highly technologically dependent, I would think the least we should do is review it every five years.

Finally, number ten is the issue that was already discussed here--that is, enshrining the existing Treasury Board guidelines, which are not in the Privacy Act. These guidelines date from about two or three years ago.

The PIA guidelines?

No, the cross-border transfer of personal information, simply enshrining it in the law as law rather than guidelines. But that already is Treasury Board policy.

So you see many of them are things that are policy or are in place in other jurisdictions.

I guess it would depend on the powers I have under the act. If the powers were similar to that of PIPEDA and given that my office is an ombudsman's office, what you want is a solution. You don't necessarily want litigation, you want a solution. So you would investigate. You would ask if this was a problem. Do you recognize--probably in this case would be a government--that this is a problem, and can it be fixed in a way that is acceptable to us and to the complainant? If so, there's no need to go to court. In the very few cases where a solution wasn't possible or was refused, we would then go to court for the complainant.

I could ask the general counsel to give you a very interesting example of a case that's under way in the Ontario courts, because currently government employees can't have recourse under the Privacy Act to the acknowledged and admitted misuse of their personal information.

There are several examples. One is a case where the personal information of prison guards got into the hands of inmates. But to remedy that situation of wrongful disclosure of information under the Privacy Act, there was no possibility of recourse to the Federal Court under that act. The only available means to get enforcement by a court would be to go through the civil courts for civil remedies. There are several possible recourses, none of which the Privacy Act intended to provide individuals in Canada--namely, a more manageable, non-litigious way to try to resolve the issue—and if not available, to proceed to Federal Court as a last resort, under a regime that already allows them a head start when they get there and doesn't require such enormous financial means to be able to sustain protracted litigation.

Those are examples of cases where obviously a remedy or recourse in the context of the Privacy Act would give individuals a head start to get there.

Should that happen, we might need additional legal capacities. We haven't costed that out, because I think we'll wait till we see the law reformed. The idea is not to open the floodgates for everybody to sue the government; the idea is that in the cases you'd have to have no remedy brought by the government, and you'd also have to show some real damage. You can be displeased because the government has mailed something to the wrong address, and so on and so forth, but you would have to show the damage. We would look at that before we got involved in a case. We would look at that very closely.

Mr. D'Aoust is an expert in the area.

Thank you.

There is indeed a very detailed policy, including an analytical grid and a series of questions that the manager must consider in analyzing the privacy impact of a policy or program. It's an extremely exhaustive policy. We've taken the 10 founding principles of the Personal Information Protection and Electronic Documents Act and integrated them into the policy that applies to the public sector. That means that the Treasury Board acknowledged that the Personal Information Protection Act was outdated, and it used the Personal Information and Protection and Electronic Documents Act as a frame of reference. It must therefore be shown that there is a need for collection, security measures, the management framework and we must ensure that there is an obligation for managers to be accountable. It's an extremely rigorous exercise.

The grid exists under a Treasury Board policy adopted in 2002. The act makes no reference to impact studies. That is why we propose to entrench an obligation to conduct such studies in the act.